Everything is about to change…

DAMA Ireland - GDPR


GDPR becomes enforceable

One ring to rule them all*…

*With up to 50 areas of local variation in 28 Member States

Penalties

Administration & Governance Offences (2% of Global Turnover or €10,000,000, whichever is greater):

• Failure to implement appropriate security measures
• Failure to implement Data Protection by Design/by Default
• Failure to ensure governance of data processors
• Failure to conduct a PIA where required
• Failure to maintain records of processing activities
• Failure to have processes to support Data Subject rights

Fundamental Rights & Duties Offences (4% of Global Turnover or €20,000,000, whichever is greater):

• Breach of core Data Protection principles
• Failure to ensure lawful basis for processing
• Failure to meet conditions for consent
• Failure to respect/comply with rights of data subject
• Failure to ensure data transfers on valid basis
• Failure to comply with order of the DPC

Liability

Civil liability for both material damage and immaterial damage

Data Protection breaches can get you sued!

An evolution of existing rights

The Problem with how most organisations do Data Privacy

The Need for Holistic Thinking

Need to consider the entire environment

Information Environment / Ethical Environment

Legal can’t fix broken process designs

Bad Tyre Swing Design

The Global Legislative Trend

Total Global Data Privacy Laws by period (chart values as extracted): 1970s: 7; 1980s: 17; 1990s: 36; 2000s: 68; 2010-2016: 110

Within this, there is also continued evolution of existing Data Privacy laws (e.g. EU Data Protection Regulation)

castlebridge associates | www.castlebridge.ie | www.dataprotectionofficer.ie

Castlebridge: changing how people think about information

The GDPR and DMBOK

GDPR Summarised

• Regulatory “One Stop Shop”
• Core Principles (Principles Driven)
• Increased Penalties
• Risk based approach to Data Protection
• Explicit Focus on Governance
• Stricter Consent (where consent is the only basis)
• Enhanced Rights: Data Portability; RTBF
• Risk & Penalty Mitigation: Documentation; Data Protection Officer; Evidence of Effectiveness
• Enforcement against Data Processors
• Extraterritoriality
• Fines as % of Global Turnover
• Mitigating Factors

Core principles:

1. Lawfulness, fairness, transparency
2. Purpose Limitation
3. Data Minimisation
4. Accuracy
5. Storage Limitation
6. Integrity & Confidentiality
7. Accountability

+ Article 1, 7, and 8 ECHR

Privacy by Design/Default

The GDPR Principles – An evolution…

Existing principles:

• Fair Obtaining
• Purpose Specification
• Purpose Limitation
• Security
• Accuracy
• Adequate / Relevant
• Retention
• Data Subject Rights

GDPR principles:

• Lawfulness, fairness, transparency
• Purpose Limitation
• Data Minimisation
• Accuracy
• Storage Limitation
• Integrity & Confidentiality
• Accountability

The Accountability Principle

“The Controller shall be responsible for, and be able to demonstrate compliance with…”

Article 5(2) General Data Protection Regulation

Creates a positive duty to actively monitor and govern the management of personal data

“Shelf-ware” policies and reactive responses to issues do not demonstrate compliance

One key change: Some new definitions

Personal Data: any information relating to an identified or identifiable natural person who can be identified either directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity of that person

Processing: any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organising, structuring, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Definition of processing is slightly broader in terms of the things that might constitute personal data…

HOARDS still valid as a way of remembering what Processing is…

One key change: Some new definitions

Profiling: any form of automated processing consisting of using data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed

A broad category of activity – “automated processing” now clearly defined

Current Irish DPC Code of Practice includes “risk of breach”

A clearly defined test for “Compatible Purpose”

• Is there a link between the purposes?
• What was the context of collection, in particular the relationship between Controller & Data Subjects?
• What is the data?
• What are the risks/possible consequences to the data subject?
• What safeguards are being put in place to protect fundamental rights?

New Duties: Privacy By Design/Default

• Privacy is the default setting for processes.
• Must ensure appropriate controls are in place in design and development
• Must ensure appropriate tech and organisational measures are in place to minimise access to data for particular purposes

New(ish) Duty: Data Security Breach

• Largely as per current DPC Code of Practice
• Must notify DPC “without undue delay” or within 72 hours, unless breach is unlikely to result in risk to individuals’ rights/freedoms
• Any delay over 72 hours will require a reasoned justification
• Communication to Data Subject required if there is a high risk to rights and freedoms. Not required if data is unintelligible (e.g. encrypted)
• Not required if controller has taken steps to eliminate risk of impact to rights/freedoms
• Not required if a disproportionate effort
• DPC has final say.

New Role: The Data Protection Officer

• Not mandatory in all cases, but recommended
• Will be mandatory for public authorities or organisations that engage in systematic monitoring on a large scale or process sensitive personal data on a large scale
• Member States may set their own rules locally
• DPO must have “expert knowledge of data protection law and practices and an ability to fulfil tasks” of the DPO.
• May be a member of staff or may be a contractor
• Contact details should be published and communicated to the DPC.

New Role: The Data Protection Officer

• A public facing role (can be contacted by Data Subjects)
• Must be involved in a “timely manner” in all issues relating to processing of personal data, e.g. system design and specification
• Must be supported by Data Controller in execution of tasks and maintaining knowledge.
• Must be able to act independently in relation to Data Protection tasks (should report to the most senior executive level)
• Role is to: inform and advise; monitor compliance with external legislation and internal policies and procedures, including training; support Privacy Impact Assessments; act as contact point for DPC
• Cannot be dismissed or penalised for performing Data Protection tasks

A Focus on Governance & Controls

• Article 23: Privacy by Design & Default
• Article 33: Data Protection Impact Assessment
• Article 28: Documentation
• Article 35: Data Protection Officer
• Article 37: Tasks of DPO
• Article 33(8): Data Protection Compliance Review

Data Privacy in the DMBOK Wheel (© DAMA International, used with permission)

Data Governance, Data Protection, Data Quality: TRUST

The Anatomy of the Stool

• Internal Uses (e.g. Analytics)
• Customer “value” perception
• External Uses (e.g. Open Data)

Data Privacy: Principles

GDPR principle | Data Governance | Data Quality

• Lawfulness, fairness, and transparency
• Purpose Limitation
• Data Minimisation
• Accuracy
• Storage Limitation
• Integrity and Confidentiality
• Accountability
• Data Subject Rights

Relevant Dimensions of Information Quality

Information Quality Dimension | 95/46/EC | ePrivacy Regs | EUDATAP

Accuracy: X X X
Completeness: X X X
Timeliness: X X X
Consistency: X X
Conformity: X X
Relevance/Not Excessive: X X
Adequacy (for purpose): X X
Duplication: X X
Quality of Data Definition (business & tech): X X
Information Product Specification: X X X

Defining Information Quality & Information Quality Management

Overview of an IQM Framework

The Ten Steps™ Process © Danette McGilvray

Based on 9-box model developed by Abcouwer, A.W., Maes, R., Truijens, J., Amsterdam University (1997-2003)

Data Privacy in the DMBOK Wheel

© DAMA International, used with permission

What is Data Governance in DMBOK?

Definition: The exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets.

Goals:
• To define, approve, and communicate data strategies, policies, standards, architecture, procedures, and metrics.
• To track and enforce regulatory compliance and conformance to data policies, standards, architecture, and procedures.
• To sponsor, track, and oversee the delivery of data management projects and services.
• To manage and resolve data related issues.
• To understand and promote the value of data assets.

Activities:
1. Data Management Planning
• Understand Strategic Enterprise Data Needs
• Develop and Maintain the Data Strategy
• Establish Data Professional Roles and Organizations
• Identify and Appoint Data Stewards
• Establish Data Governance and Stewardship Organizations
• Develop and Approve Data Policies, Standards, and Procedures
• Review and Approve Data Architecture
• Plan and Sponsor Data Management Projects and Services
• Estimate Data Asset Value and Associated Costs
2. Data Management Control
• Supervise Data Professional Organizations and Staff
• Coordinate Data Governance Activities
• Manage and Resolve Data Related Issues
• Monitor and Ensure Regulatory Compliance
• Monitor and Enforce Conformance With Data Policies, Standards, and Architecture
• Oversee Data Management Projects and Services
• Communicate and Promote the Value of Data Assets

Inputs:
• Business Goals
• Business Strategies
• IT Objectives
• IT Strategies
• Data Needs
• Data Issues
• Regulatory Requirements

Primary Deliverables:
• Data Policies
• Data Standards
• Resolved Issues
• Data Management Projects and Services
• Quality Data and Information
• Recognized Data Value

Data Privacy: Data Governance

Principle | Governance | Quality

Personal data which is being processed must be fairly obtained and processed: X
Personal Data shall be obtained for a Specified and Lawful Purpose: X
Personal Data shall not be processed in a manner incompatible with the specified purpose: X
Personal Data shall be kept accurate and complete and, where necessary, kept up to date: X
Personal Data should be kept Safe & Secure: X
Data processed must be adequate, relevant and not excessive: X X
Personal data should not be kept for longer than necessary for the specified purpose or purposes: X X
Data Subjects have a right of Access: X

Understanding Information/Data Stewardship

Information Stewardship is: An ethic that embodies responsible planning and management of Information Resources through…

The acceptance or assignment of responsibility to shepherd and safeguard the Information Assets of others, both inside the organisation and beyond

A Holistic Framework?

Based on 9-box model developed by Abcouwer, A.W., Maes, R., Truijens, J., Amsterdam University (1997-2003)

• Data Protection Officer
• Documentation & Controls
• Evidence of Effective Operation
• Privacy Expectation met or exceeded!

Different Types of Data Steward

Levels: Strategic, Tactical, Operational

Roles: Doers, Definers, Deciders, Co-ordinators

The D3C Model™ © 2013 Castlebridge Associates

The Data Protection/Privacy Officer Role

• Reporting to Executive Board
• Must be Independent
• Technical and Business skills
• Accountable for the System of Governance
• “Statutory Tenure”
• Relationship to CDO, CPO, CIO etc.

A Data Stewardship Mind Map – Standards?

Governance & Stewardship

Data Use Steward (Doer/Definer):
• UX Requirements
• Privacy Reporting
• Screens & Reports Quality
• Screen & Reports Content
• Design & Aesthetics

Data Governance Reqts (Co-ordinator):
• Data Standards Compliance
• Use of Metadata Documentation
• Metric Driven Quality Assurance
• Data Management Structure

Data Collection Steward (Doer/Definer):
• Data Classification (PII, Sensitive)
• Encryption
• Business Content Rules
• Privacy Rules

Privacy Reqts Steward (Decider/Definer):
• Purpose
• Notice
• Consent
• Transfer (3rd Party)
• Access/Correction/Deletion
• Proportionality
• Retention
• Responsible Action

Based on M. Dennedy & Tom Finneran


Data Privacy & Data Quality

Data Privacy in the DMBOK Wheel

© DAMA International, used with permission

What is Data Quality in DMBOK?

Definition: Planning, implementation, and control activities that apply quality management techniques to measure, assess, improve, and ensure the fitness of data for use.

Goals:
• To measurably improve the quality of data in relation to defined business expectations.
• To define requirements and specifications for integrating data quality control into the system development lifecycle.
• To provide defined processes for measuring, monitoring, and reporting conformance to acceptable levels of data quality.

Activities:
1. Develop and Promote Data Quality Awareness
2. Define Data Quality Requirements
3. Profile, Analyze, and Assess Data Quality
4. Define Data Quality Metrics
5. Define Data Quality Business Rules
6. Test and Validate Data Quality Requirements
7. Set and Evaluate Data Quality Service Levels
8. Continuously Measure and Monitor Data Quality
9. Manage Data Quality Issues
10. Clean and Correct Data Quality Defects
11. Design and Implement Operational DQM Procedures
12. Monitor Operational DQM Procedures and Performance

Inputs:
• Business Requirements
• Data Requirements
• Data Quality Expectations
• Data Policies and Standards
• Business Metadata
• Technical Metadata
• Data Sources and Data Stores

Primary Deliverables:
• Improved Quality Data
• Data Management Operational Analysis
• Data Profiles
• Data Quality Certification Reports
• Data Quality Service Level Agreements

Metrics:
• Data Value Statistics
• Errors / Requirement Violations
• Conformance to Expectations
• Conformance to Service Levels

Tools:
• Data Profiling Tools
• Statistical Analysis Tools
• Data Cleansing Tools
• Data Integration Tools
• Issue and Event Management Tools

Data Protection: Quality Principles

Principle | Governance | Quality

Personal data which is being processed must be fairly obtained and processed: X
Personal Data shall be obtained for a Specified and Lawful Purpose: X
Personal Data shall not be processed in a manner incompatible with the specified purpose: X
Personal Data shall be kept accurate and complete and, where necessary, kept up to date: X
Personal Data should be kept Safe & Secure: X
Data processed must be adequate, relevant and not excessive: X X
Personal data should not be kept for longer than necessary for the specified purpose or purposes: X X
Data Subjects have a right of Access: X

Relevant Dimensions of Information Quality

Information Quality Dimension | 95/46/EC | ePrivacy Regs | EUDATAP

Accuracy: X X X
Completeness: X X X
Timeliness: X X X
Consistency: X X
Conformity: X X
Relevance/Not Excessive: X X
Adequacy (for purpose): X X
Duplication: X X
Quality of Data Definition (business & tech): X X
Information Product Specification: X X X

Case Study: Online customer registration process, UK bank

Process flow: Register for SMS alert → Display proposed number (***9901; no option for 2nd number) → Update Contact Details → Select Preferred Contact Number → Send SMS Updates → Message

Case Study

Issues:
• ***9901 was a number that hadn’t been used for >5 years by that account holder.
• Mobile phone numbers are recycled – usually 12-18 months after termination of contract
• SMS containing bank details of this customer potentially being sent to a 3rd party
• Customer complained to UK Data Privacy Regulator
• Customer knows a bit about data modelling


Legal requirements / Ethical Requirements

“The Creepy Line”

A Data Privacy KPI?

• EU E-Marketing rules require data to be used within 12 months from consent having been obtained or consent is nullified.
• Client organisation had no assessment of how much trust they could place in their marketing data
• Was facing prosecutions for breaches of rules
• Developed a Dashboard
• Associated a financial “Business Impact” KPI
• Senior Executives were shocked at the impact of not managing their customer data…

[Chart: ePrivacy Directive Consent Tracker. Bar chart of Marketing customers by months since last contact (12 months or over, 10-12 months, 6-9 months, 3-6 months, 0-3 months); y-axis 0% to 45%]

Assumptions: average revenue uplift of €10/month per campaign, 10% success rate, 1.2 million customers

Opportunity Lost: €1,440,000. Value at Risk: €4,320,000
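A consent-freshness tracker of the kind the slide describes, as an added example that is not from the deck or from Castlebridge: it buckets customers by months since last contact using the chart's buckets, flags consent as lapsed once the 12-month limit the slide quotes has passed, and prices the gap with the slide's €10/month uplift and 10% success rate. The pricing formula (lapsed or soon-to-lapse customers × success rate × monthly uplift, for one campaign month), the treatment of the 9-10 month gap in the chart labels, and the sample customers are assumptions; the deck's own totals are not reproduced.

```python
"""Consent-freshness tracker (added example; assumptions noted inline)."""
from collections import Counter
from datetime import date

CONSENT_LIFETIME_MONTHS = 12   # ePrivacy marketing rule as quoted on the slide
UPLIFT_PER_MONTH_EUR = 10.0    # average uplift per contactable customer, per campaign-month
SUCCESS_RATE = 0.10            # campaign success rate from the slide
BUCKETS = ["0-3 months", "3-6 months", "6-9 months", "10-12 months", "12 months or over"]


def months_between(earlier, later):
    """Whole calendar months from `earlier` to `later` (day of month ignored)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def bucket_for(months):
    """Map months-since-last-contact onto the chart's buckets.
    Assumption: the chart's unlabelled 9-10 month gap is folded into '10-12 months'."""
    if months < 3:
        return BUCKETS[0]
    if months < 6:
        return BUCKETS[1]
    if months < 9:
        return BUCKETS[2]
    if months < CONSENT_LIFETIME_MONTHS:
        return BUCKETS[3]
    return BUCKETS[4]


def consent_lapsed(last_contact, as_of):
    """True once the consent lifetime has run out without any use of the data."""
    return months_between(last_contact, as_of) >= CONSENT_LIFETIME_MONTHS


def tracker(customers, as_of):
    """customers: iterable of (customer_id, last_contact date).
    Returns bucket counts plus the two KPIs the dashboard on the slide carried.
    Assumed pricing: customers × success rate × monthly uplift, for one campaign-month."""
    counts = Counter({b: 0 for b in BUCKETS})
    lapsed = 0
    for _cid, last in customers:
        counts[bucket_for(months_between(last, as_of))] += 1
        if consent_lapsed(last, as_of):
            lapsed += 1
    total = sum(counts.values())
    opportunity_lost = lapsed * SUCCESS_RATE * UPLIFT_PER_MONTH_EUR
    # Value at risk also counts the 10-12 month cohort, which lapses if not contacted this quarter
    at_risk = lapsed + counts[BUCKETS[3]]
    value_at_risk = at_risk * SUCCESS_RATE * UPLIFT_PER_MONTH_EUR
    return {"total": total, "buckets": dict(counts), "lapsed": lapsed,
            "share_lapsed": (lapsed / total) if total else 0.0,
            "opportunity_lost_eur": opportunity_lost, "value_at_risk_eur": value_at_risk}


# Constructed sample: eight customers with assorted last-contact dates, assessed at 30 June 2016
SAMPLE = [("c1", date(2016, 5, 20)), ("c2", date(2016, 3, 1)), ("c3", date(2015, 12, 15)),
          ("c4", date(2015, 9, 30)), ("c5", date(2015, 7, 2)), ("c6", date(2015, 4, 11)),
          ("c7", date(2014, 11, 5)), ("c8", date(2016, 6, 1))]
AS_OF = date(2016, 6, 30)

if __name__ == "__main__":
    print(tracker(SAMPLE, AS_OF))
```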