Embed Size (px)
Citation preview
PRACTICAL STEPS FOR DATA PRIVACY COMPLIANCE
MARCH, 14TH
2
WELCOMEA few logistical points.
• All participants are muted
• You may ask questions using the Q&A panel located on bottom or GoToWebinar applet
• Answers will be provided after the presentation
• If time is too short to address all questions, answers will be provided via email
• To receive a replay of our webinar today, please send us an email to [email protected]
• If you are experiencing connection problems, please use the Q&A panel to communicate
PRACTICAL STEPS FOR DATA PRIVACY COMPLIANCE
MARCH, 14TH
4
ABOUT USSunil Soares, Information Asset @sunilsoares1
• Founder & Managing Partner• Thought leader in the Data Governance industry• 8 books on Data Mgmt., Data Governance and Data Sovereignty • Information Asset is a boutique consulting firm focused on
delivering Data Governance to diverse clients in multiple industries
• Sr Product Marketing Director, Data governance • 25 years of experience in Data Management and BI • Authored 4 books, and regular publications• Talend is a next‐generation leader in cloud and big data
integration software that helps companies make data a strategic asset.
Jean‐Michel Franco, Talend, @jmichel_franco
Exec summary : White Paper: https://info.talend.com/dataprivacycompliance.html
5
GLOBAL DATA PRIVACY: THE STAKES ARE HIGH
• Jurisdictions everywhere
• Rapidly changing regulations
• Multiple subject areas
• Data Privacy meets Big Data NORAM: CASL (Canada), HIPAA, GLBA (USA)…
EMEA: GDPR (EU), PoPI (South Africa)…
APAC: APP (Australia), NZ‐IPP (New Zealand), PDPA (Singapore), PIPA (South Korea)…
6
POLL #1 : WHAT’S YOUR SCOPE FOR DATA PRIVACY?
1. No Data Privacy initiative in place2. Initiative is up and running for NORAM3. Initiative is being extended for GDPR compliance4. Initiative is already GDPR compliant5. Initiative has a global reach across NORAM, EMEA and APAC
7
OPERATIONALIZING DATA PRIVACY COMPLIANCEA 16 Step Data Governance Plan
1. Develop Policies, Standards & Controls
2. Create Data Taxonomy
3. Confirm Data Owners
4. Identify Critical Datasets & Critical Data Elements
5. Establish Data Collection Standards
6. Define Acceptable Use Standards
7. Establish Data Masking Standards
8. Conduct Data Protection Impact Assessments
9. Conduct Vendor Risk Assessments
10. Improve Data Quality
11. Stitch Data Lineage
12. Govern Analytical Models
13. Manage End User Computing
14. Govern the Lifecycle of Information
15. Set up Data Sharing Agreements
16. Enforce Compliance with Controls
8
STEP 4: IDENTIFY CRITICAL DATASETS & DATA ELEMENTS
• GDPR Article 4 defines ‘personal data’ as any information relating to an identified or identifiable natural person… by reference to an identifier such as name, identification number, location data, an online identifier…
• GDPR Article 9 restricts the processing of data revealing racial or ethic origin, political opinions, religious or philosophical beliefs, trade union membership…
• Data Governance must work with Legal and Privacy to define ‘personal data’ for the GDPR
• Example: an item code ‘Halal’ may be covered by Article 9 because it may point to a data subject’s religion
Example for GDPR
9
STEP 5 & 6: DATA COLLECTION & ACCEPTABLE USE STANDARDS
• Most privacy regulations address Data Protection by Design and default• GDPR, Article 25• Australian Privacy Act, Principle 3 • Singapore Personal Data Protection Act, Section 24 • South Korean Personal Information Protection Act, Article 24
• Data Governance must establish controls so that Legal and Privacy sign off on data collection for any new project during the design phase
Example: creating an Enterprise Consent Repository with Talend MDM
10
STEP 7: ESTABLISH DATA MASKING STANDARDS
• Canada’s PIPEDA 4.7, Principle 7 states that personal information shall be protected by appropriate security safeguards
• GDPR Recital 26 & Article 11 state that the principles of data protection should not apply to anonymous information
• GDPR Article 32 deals with the security of personal data
• Example: anonymizing salary benefits data for data science and analytics
11
STEP 11: STITCH DATA LINEAGE
• GDPR Article 30 requires organizations to maintain a record of processing activities
• This record must include • a description of the categories and the categories of recipients of personal data, including those in third countries or international organizations;
• transfers of personal data to a third country or an international organization
• The recordkeeping requirements also extend to so‐called processors who process data on behalf of an organization
• Critical Step Mapping of personal data elements to applications
12
STEP 12: GOVERN ANALYTICAL MODELS
• GDPR Article 22, French Data Protection Act Article 10, or Philippine’s NPC Circular 17‐01 of Data Privacy Act all deal with Automated individual decision‐making
• Under many privacy laws, Automated Processing is required to be disclosed and results are subject to data subject access
• “Disparate Treatment” versus “Disparate Impact”
• Example :
• predictive models may highlight that employees who live closer to work may stay longer in their jobs but the models may discriminate against minority candidates in certain zip codes
13
STEP 13: MANAGE END‐USER COMPUTING
• User Computing (EUC) applications are outside the control of the IT department
• EUCs include Microsoft Excel spreadsheets, Microsoft Access databases and SharePoint repositories
• EUCs may contain personal data that is still subject to Data Privacy compliance including data masking requirements
• Example: reclaiming control over user managed personal data with self –service tools
14
STEP 14: GOVERN THE LIFECYCLE OF INFORMATION
• GDPR Article 17 deals with Right to Erasure or the ‘Right to be Forgotten’
• Manage information throughout its lifecycle (ILM), from creation through disposal, including compliance with legal, regulatory, and privacy requirements
• Manage retention schedules
• Example: How do you forget a data subject if you do not know where their information resides in the first place?
15
STEP 16: ENFORCE COMPLIANCEAutomate controls with a unified data platform Regulation Example Description Controls Talend Tooling
Australia Privacy Act, Principle 8
Cross‐border disclosure of personal information
Sign‐offs by legal and compliance during the design phase of any new project that requires the processing of personal data
• Talend Metadata Manager
• Talend MDM
Singapore PDPA, Second Schedule
Conditions for consent Collection, processing, keeping, use, and disclosure of personal dataObtain informed consent of data subjects
• Talend MDM• Talend Big Data• Talend Data Quality
GDPR, Article 9
Processing of special categories of personal data, such as race and ethnic origin
Identification of special data categories as CDEsSign‐off by legal and compliance on usage of special categories of data during the design phase of a project
• Talend Metadata Manager
• Talend MDM
HIPAA Privacy Rule’s deidentification standard
Processing which does not require identification
Data masking • Talend Data Quality• Talend Data Preparation
GDPR, Article 30
Records of processing activities
Data lineage for sensitive data within the enterprise and extending to processors and sub‐processors
• Talend Metadata Manager
16
POLL #2 : CONSIDERING TOOLS FOR DATA PRIVACY COMPLIANCE?
1. Metadata Management2. Data Stewardship3. Data Quality & Integration4. Data Masking5. Data Governance
Multiple responses are possible
17
THE 5 PILLARS FOR DATA PRIVACY COMPLIANCE WITH TALEND
Map yourPersonal Data
Build yourData Subject
360°
Protect your mostSensitive Data
Delegate Accounta‐
lities
ManageData Location,Movement &Portability
18
YOUR NEXT STEPS FOR COMPLIANCE
• Read our White paper
• Join our Part 2 webinar on March, 27th
• Define ‘personal data’ with respect to your organization
• Map personal data elements to applications
• Above all, drive alignment between Legal, Compliance, Privacy and Enterprise Data Management to re‐use existing data governance program to support GDPR compliance
PRACTICAL STEPS FOR DATA PRIVACY COMPLIANCE
QUESTIONS ?
