richard hogg & dennis waldron - #infogov17 - cognitive unified governance & privacy for gdpr

Upload: information-coalition

Post on 22-Jan-2018

Category: Business


5 download

TRANSCRIPT

Page 1: Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & Privacy For GDPR
Page 2

Dennis Waldron

Page 3

[email protected]

Richard Hogg, CITP ERMp

Page 4

Are you Ready?

Page 5

GDPR – What is it?

May 25, 2018

4% or €20M potential penalty per incident; global impact

5 Key General Data Protection Regulation Obligations

• Rights of EU Data Subjects
• Security of Personal Data
• Consent
• Accountability of Compliance
• Data Protection by Design and by Default

Page 6

Concern: Toxicity potential in unstructured data.
Need: Approach to ID, tag and delete toxic data.
Solution: Storage management tool that allows metadata tagging.
Result: 53% of data identified as dormant for > 5 years with a big portion possibly toxic.
Next steps: Work with data owners to choose to delete or otherwise address flagged data.

53% of unstructured data flagged*

*2016 survey of NA Financial Services

Personal Data?

“any information relating to an identified or identifiable natural person” (Art. 2(a))

Direct identifier – e.g. name, passport number, phone number
Indirect identifier – e.g. IBM Global GDPR Evangelist

Page 7

GDPR Client Observations

“We understand what needs to be done and we’ll make the necessary incremental changes.” – A European bank

“Where do we begin, the regulations are so confusing, what solutions does IBM provide?” – Multinational transportation org; Multinational logistics org

“We have heard of GDPR, but we are going to take a wait and see approach until an enforcement action.” – Multinational airline; Multinational pharma org

The Hare / The Tortoise / The Ostrich

Page 8

GDPR Takes More Than Just Technology

There are five key areas that need to be addressed:

• Governance
• People & Communication
• Processes
• Data
• Security

Page 9

IBM’s Overall GDPR Framework: 5 Phases to Readiness

Phase: Assess
Activity:
• Conduct GDPR risk & privacy assessments across governance, people, processes, data, security
• Develop GDPR Readiness Roadmap
• Identify & Map personal data
Outcome: Assessments and roadmap – Identify GDPR impact and plan Technical and Organisational Measures (TOM)

Phase: Design
Activity:
• Design governance, training, communication, and process standards
• Design privacy, data management and security management standards
Outcome: Defined implementation plan – Includes Data Protection controls, processes and solutions to be implemented

Phase: Transform
Activity:
• Develop and embed procedures, processes and tools
• Deliver GDPR training
• Develop & embed standards & policies using Privacy by Design, Security by Design
• Detailed Data Discovery
Outcome: Process enhancements completed – TOMs in place: Personal Data discovery, classification and governance in place

Phase: Operate
Activity:
• Execute all relevant business processes
• Monitor security and privacy using TOMs
• Manage Consent & data subject access rights
Outcome: Operational framework in place – Begin the new GDPR ready way of working

Phase: Conform
Activity:
• Monitor, assess, audit, report and evaluate adherence to GDPR standards
Outcome: Ongoing monitoring and reporting – Monitor TOMs execution; deliver compliance evidence to internal and external stakeholders

Page 10

InfoGov Capabilities Needed for GDPR

Program and Data Governance: goals • policies • rules • compliance • vendor management • terminology • people
Data Lifecycle: identification • classification • masking • archiving
Data Catalog: metadata mgmt. • IT objects • impact analysis
Data Subject Services: enquiry • correction • erasure • portability • notification
Data Protection: privacy program design • risk assessment • access management • identity governance • monitoring & audit • incident response

Other elements shown on the slide: Orchestration • Processes • Rules • Consent

Personal Data: structured • unstructured • physical info assets • printed documents

Data Subjects • Data Privacy Officer • Data Steward

Page 11

IBM Commitment to GDPR Readiness Statement

Trust in Data

Data and its protection are becoming increasingly important to individuals and society. Enterprises must earn the public’s trust in their ability to steward information. As IBM’s long history of security and privacy leadership demonstrates, IBM understands that protecting privacy is essential to gaining trust. IBM was one of the first companies to appoint a Chief Privacy Officer, to develop and publish a genetics privacy policy, to be certified under the APEC Cross Borders Privacy Rules system, and to sign the EU Data Protection Code of Conduct for Cloud Service Providers. Now, IBM is continuing its long-standing leadership in the area of data privacy by responding proactively to the General Data Protection Regulation (GDPR).

IBM Commits to GDPR Readiness

IBM currently complies with privacy laws around the world. IBM is also preparing to comply with the European Union’s new General Data Protection Regulation (GDPR) which will go into effect in May 2018. IBM has established a global project to prepare for GDPR, both for our internal processes and for our commercial offerings. IBM recognises that our customers will rely on IBM’s offerings and technical assistance to achieve GDPR compliance within their own organisations and IBM is well-positioned to meet this critical need.

As part of its GDPR project, IBM is enhancing its ongoing commitment to privacy by design. IBM is working to embed data protection principles even more deeply into its business processes, with the objective that technical and organisational security measures limit, by default, the amount and use of personal data to what is specifically required. This work will also strengthen controls already in place to limit access to personal data, including with respect to mobile applications that rely on sensible default settings to prevent personal data from being inadvertently shared with others.

IBM is committed to providing our clients and partners with innovative data privacy, security and governance solutions to assist them on their journey to GDPR compliance. Learn more about IBM's own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

Page 12

Most Personal Data not discoverable via Patterns

Page 13

New IBM GDPR Accelerators

• Compare & Comply with IBM Watson: Improved insight with the ability to load contracts for Watson to analyze & consider the key language, clauses or paragraphs driving the need for further analysis or change.
• IBM Regulatory Compliance Analytics: Digest GDPR and identify Controls & Obligations.
• Plug-in: Extensive unstructured personal data discovery rules using both RegEx and Machine Learning.
• GDPR Cartridges: Structured personal data discovery & classification. Personal data access & data subject rights audit trails; GDPR reports; GDPR data risk dashboard.
• GDPR Supportive Content: Taxonomy with predefined terms and data model elements, against each Article.
• GDPR Industry Model: GDPR program preparatory guide, GDPR incident simulation, & GDPR-enhanced Privacy module.
• Subject 360: Discover and register data sources and the Personal Data they contain. Golden record identification with Workflows for all citizen SAR requests.
• Access Consent Service: Available enterprise wide, linking data to usage and specific per-citizen consent.

Capability areas shown on the slide: Cognitive Insights • Data Protection • Incident Response • Purposeful Consent By Design • Security • Regulations & Contracts • Personal Data • Find Personal Data • Unified Catalog

Page 14

Data protection and compliance are business imperatives

“It’s no longer a matter of if, but when …”

26% – Likelihood of an organization having a data breach in the next 24 months [1]
$4M – Average cost of a data breach in 2016 [2]
9 Billion – Of the records breached since 2013, only 4% were encrypted [3]
Over 100 days – On average to discover the breach

Regulations shown: Health Insurance Portability and Accountability Act (HIPAA); European Union General Data Protection Regulation (GDPR); Payment Card Industry Data Security Standard (PCI-DSS)

1, 2 Source: 2016 Ponemon Cost of Data Breach Study: Global Analysis -- http://www.ibm.com/security/data-breach/
3 Source: Breach Level Index -- http://breachlevelindex.com/

Page 15

What does information governance mean and why is it critical

Information Governance is the process by which an organization will behave or act to ensure the appropriate execution of its mandate, and typically, protect and maximize the benefits inherent in its data assets.

83% of organizations suffer problems caused by poor master data, with the top three problems being inaccurate reporting (81%), arguments over which data is appropriate (78%), and bad decisions based on incorrect definitions (54%).

$3 Trillion is the total annual impact of poor data quality.

An Information Governance Organization ensures sustainable business value of data over time. Standalone cleanups, no matter how heroic, have diminished value over time.

A Strong DG Function Is Essential To Delivering Reliable And Usable Business Information

35% of customer information in enterprise systems may be inaccurate, and up to 30% duplicated, due to lack of proper data governance policies and procedures.

Source: IBM Institute for Business Value 2015 Analytics research survey. Administered by the Economist Intelligence Unit.

© 2015 IBM Institute for Business Value. www.ibm.biz/2015analytics

With Data Governance (Process, People, Policies, Tools):
• Uniform communications
• Common understanding
• Rapid cross business implementation
• Single definition
• Quality data
• Cross business data usage
• Efficient investments

Without Data Governance:
• Complex
• Silo driven
• Slow to market
• Inconsistent definition
• Poor data accuracy
• LOB focused data
• Re-solve problems for each LOB

30-40% of the IT budget is allocated to execution of data transformation programs within IT-led Financial Services companies.

GSIBs will increase spend on new data and analytics initiatives by 10% in 2017.

Page 16

Library Analogy

§  How to easily find relevant information ~ books, authors?
§  How to go about archiving important content – Micro Film?
§  How to go about Life Cycle Management of books?
§  How to restrict access to important content (Policy Mgmt.)?

Lifecycle shown on the slide: CATALOG – ARCHIVE – DISPOSE – ACCESS

Page 17

Use Cases Driving a Unified Governance Strategy

GOVERNANCE FOR COMPLIANCE

Discover, classify and manage information in ways that meet the obligations enforced by both regulatory and corporate mandates.

• Regulations (e.g. GDPR)
• Privacy & Protection
• eDiscovery
• Records & Retention
• Archiving
• Audit Readiness

GOVERNANCE FOR INSIGHTS

Provide safe access to trusted, high quality, fit-for-purpose data while facilitating effective collaboration among team members.

• Self-Service Access to Data & Analytics
• Governed Enterprise Information Repositories (such as Data Lakes)

Page 18

Make Data Make Money

High Quality, Timely information for All
Empowered Data Scientists Uncovering Unique Insights
Empowered Organization
Better Business Outcomes

•  Leverage the value of your data, unlocking insight and driving competitive advantage every single time you access data.

•  Capitalize on the data and derive revenue based on a solid information governance foundation, making data simplified and actionable.

Page 19

What our customers are saying

GOVERNANCE FOR COMPLIANCE

Helps ensure data privacy and facilitate compliance with regulations such as the GDPR
• 50% faster creation of test datasets helps to accelerate development cycles
• Cuts storage costs by significantly reducing the size of test datasets
View case study: Link

Eases compliance with data-retention regulations
• 94.2% reduction in amount of data unnecessarily stored cuts costs and risk
• Takes the headache out of audits by providing a clear track record and reporting
View case study: Link

GOVERNANCE FOR INSIGHTS

Enables a smoother user experience for shoppers across channels and brands
• 10 times faster response times for the 1-800-Flowers.com mobile app
• Improves the quality of customer data and enables deeper insight
View case study: Link

Empowers IT and business users to collaborate in establishing and using common terminology
• Supports business intelligence and confident decision-making
• Accelerates analytics for faster insight
View video: Link

Page 20

EXECUTIVE SUMMARY

Strategic vision for metadata to support regulatory issues

•  NT Metadata Registry
•  Benefits
•  Approach
•  Timeline
•  Metadata Strategy
•  Data Models, Standards, & Policies
•  NT ISO Initiative

Page 21

NT METADATA REGISTRY BENEFITS

What’s in it for me?
•  Increased understanding of NT’s data.
•  Create a searchable catalog of Northern Trust’s data assets.
•  Provide transparency into the location, definition and usage of NT’s data assets.
•  Promote the standardization of NT’s data designs, shared definition and asset reuse.

Why do we care?
•  Increase collaboration.
•  Expose data lineage through all layers (e.g. CCAR, EDP, AML)
•  Reduce project delivery time and scope creep.
•  Reduce Risk
•  Reduce Development Time

What I need your help on?
•  Granting connections to system catalog(s) and to reverse engineer physical schema for IIS lineage
•  We are not looking at the transactional data
•  SME help for SOR, BPM, inflow and outflows

Page 22

NT METADATA REGISTRY - APPROACH

High Level Design

Page 23

NT METADATA FOUNDATION & STRATEGY

Page 24

NT METADATA REGISTRY

Metadata Registry
o  Central location in an organization where metadata definitions are stored.

Metadata Management
o  End to end process and governance framework for the creation, controlling, enhancing, attributing, defining and management of structured and unstructured data.

Design Metadata
o  Information about the structure, description, relationship and administration of assets.

Operational Metadata
o  Point of view metadata on runtime variables, statistical processes, matrix operations that explain how data was created and/or transformed.

Page 25

METADATA LIFECYCLE

Page 26

DATA MODELS, STANDARDS, & POLICIES – Rolled out in Q1 2017

NT ISO Model Management Process: The process for creating, maintaining, and publishing a complete and consistent “single version of the truth” for the NT ISO data model.

Standards & Policies Library: A repository for data policies and standards across all pillars of enterprise data services.

Enterprise Data Services VISA: An EPMO vehicle to govern and provide clear requirements to project teams to achieve data standards and existing processes.

Page 27

Page 28

Page 29

Disclaimer

•  Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

•  IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

•  Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

•  The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.

•  The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

•  Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

None of the statements contained herein constitutes legal advice – it is process advice only.

Page 30

Appendix

Page 31

WHAT IS ENTERPRISE DATA ARCHITECTURE AND WHAT IS THE VALUE?

What it is

The purpose of Enterprise Data Architecture is to define data tools strategy, modeling standards, and conceptual/logical models for Northern Trust enterprise data. It is the processes and practices that leverage information assets, rules, policies, standards, models, and tools to support metadata management and information architecture, for successful integration and with enterprise programs.

The value

✓  Utilizes enterprise tools that support trusted, relevant, and governed information
✓  Enables Northern Trust to meet or exceed client and regulator expectations and obligations through data lineage visualization from source to consumption
✓  Reuses architectural design patterns and utilizes a centralized metadata repository and information governance catalogue to reduce development time
✓  Provides standard information models that enhance messaging formats and drive down risk
✓  Builds a culture within the organization to treat data as a Northern Trust asset
✓  Capitalizes on current design patterns to speed development and data consumption

Page 32

DATA TOOLS REFERENCE ARCHITECTURE (diagram; only the text labels recovered from the figure are listed below)

Tiers: Operational Data Sources • Client Tier • Services Tier • Engine Tier • Repository Tier • Data Management / Design

Operational Data Sources: Flat Files, Oracle, XML, DB2, MS SQL, NoSQL, Hadoop, Hive, Composite, Messages, Sybase, NTRS Application (SQL, TSQL, BTEQ, JCL; Load Utilities, Stored Procedures, Functions)

Client Tier: Web Clients, Desktop Clients

Services Tier: Service Agents (QualityStage Services, Information Analyzer Services, Information Services Director Services, DataStage Services, Workbench Services, Connector Access Services), Common Services, Metadata Exchange, Metadata Services

Engine Tier: DataStage, QualityStage, Connectors, Packs, Information Analyzer, Information Services Director, Metadata Workbench

Repository Tier: IA Repository, Metadata Repository, MDM AE Repository, MDM CE Repository, MDM RDM Repository (MDM AE, MDM CE and MDM RDM, each with MDM Services)

Data Management / Design: ER Studio Data Architect, Rational Architect, Blueprint, Blueworks, Iteraplan, with their repositories (ER Studio Repository, Data Architect Repository, RA Repository, Blueprint Repository, Blueworks Repository, Iteraplan Repository)

Page 33

DATA TOOLS CONCEPTUAL ARCHITECTURE (diagram; only the text labels recovered from the figure are listed below)

Data Modeling: Logical/Physical Modeling Tool, Operational Repository
Data Integration: ETL/ELT, Data Replication, Data Services, Virtualization/Federation, Operational Repository
Data Governance: Data Profiling, Data Rules, Reference Repository, Data Lineage, Business Glossary
Information Modeling: Information Modeling Tool, Operational Repository
Asset Management: Asset Management Tool, Operational Repository
SDLC: Version Control Repository
Discovery: Analysis Repository
Data Management: Semi-Relational, Non-Relational, Relational
Business / Process Modeling: BPM Tool, Operational Repository
BI: Analytics Tool, Operational Repository
Knowledge Center: Thin Clients, Thick Clients

Interactions shown between components: Publish • Exchange • Store • Browse

Legend: Implemented • Capable • 2017 Implementation