
SAS for Personal Data Protection

FACT SHEET

In the digital age, protecting personal data security and integrity has become a key priority for the European Union (EU). The EU General Data Protection Regulation (GDPR) is a comprehensive reform of the EU laws on data protection. The regulation has the stated intent of ‘giving citizens back control of their personal data, and to simplify the regulatory environment for businesses.’

Personal data is any data related to a living person, and sensitive personal data is about ethnicity, religious belief, sexual preference, medical records etc. The GDPR comes into force in May 2018 and provides every EU citizen the right to know how personal data is being used, kept, protected and deleted.

Companies failing to comply with the GDPR may incur fines up to 20 million EUR or 4% of their annual global turnover. The size of the fine and the short time to become GDPR compliant are two motivational factors that drive companies to review their policies, procedures and technologies.

The implications for all public and private organizations are significant. Most of them will have to go back to the drawing board to ensure that they have the appropriate data management and governance framework in place. With 40 years of experience in Data Management, SAS is ideally suited to support customers in their compliance journey and to provide the required technology.

SAS Institute has defined this five-step approach to support organisations’ efforts toward handling personal data in a GDPR compliant manner, using SAS® technology.

Get ready for EU General Data Protection Regulation (GDPR) with SAS Institute


5 steps to prepare your data for new regulation

ACCESS

• Access data sources for personal data investigation or business usage.

• Access workflows that define actions, policies and processes for personal data.

• Access audit, monitor and risk reports on personal data.

IDENTIFY

• Find and catalogue personal data.

• Analyze personal data attributes, patterns and contexts to evaluate need for deidentification.

• Analyze personal data for risk assessment.

GOVERN

• Define personal data terms to align Business & IT.

• Link systems, processes and business owners in data flows.

• Ensure integrity of personal data so that it is accurate, complete and consistent.

PROTECT

• Implement data protection safeguards.

• Apply privacy-specific measures such as pseudonymization, anonymization and encryption.

• Minimize data to the purpose for which it is being collected.

AUDIT

• Log and monitor usage of personal data.

• Audit usage of personal data to demonstrate compliance with privacy controls.

• Analyze and report to prove that personal data is not at risk.


Five steps to prepare for the EU General Data Protection Regulation (GDPR) – our recommended approach

ACCESS

Step 1

The GDPR states that the company is responsible for ensuring physical access to all stored data that is accessible. However, data often comes in unstructured or poorly structured formats including social media or weblog data. Many data managers might prefer to rely on existing data management processes and tools in their quest to search and protect personal data.

If you are required to segregate compliance processes from business processes, or you simply want to avoid disrupting current data flows and avoid degrading performance of existing, business-critical production jobs, an implementation of SAS® Federation Server for personal data investigation might prove to be your fastest option to get ready in time.

IDENTIFY

Step 2

With SAS Institute’s data analytics software, it is possible to search for terms and references that will help clarify the nature of the data, for example social security numbers, health care information, or the like.

Depending on the quality of your data, identifying and cataloguing personal data is probably not without effort. Couple that with programmers having to spend time writing programs with complex logic, and your company might find the process of becoming GDPR compliant daunting and time-consuming.

A potential time-saver is the SAS Quality Knowledge Base (QKB), a box of pre-packaged data quality logics and rules such as identification analysis, pattern matching and extraction.

GOVERN

Step 3

When data has been identified, roles and definitions must be established in a governance model.

There must be a common understanding across the organisation of the definitions of personal data, of who in the organisation has the right to access it, and for what purpose.

This common ground is then used to tie physical data from the identification stage to business terms and IT definitions, creating clarity across the organisation.

PROTECT

Step 4

Once the location and governance model are established, it is time to set up the correct level of protection for the data. There are three ways of ensuring protection: encryption, pseudonymization, or anonymization.

Protection of personal data is about authentication, authorization and the security auditing and monitoring of users who access personal data. Importantly, protection is also about not compromising the identity of the persons whose information you process and store as your need for analysis, forecasting, querying and reporting grows. SAS® technology has strong security capabilities in general.

One of the many good reasons to single out SAS® Federation Server is that its security framework provides you with easy-to-implement methods to mask and encrypt content.

AUDIT

Step 5

In this final step, you can produce reports, in visual format, of the data discoveries, using built-in SAS® reporting tools.

Auditing the data and being able to document their status is crucial to ensuring that the various projects become a program of GDPR compliance.


Ready to take action? Then SAS Institute is ready to help!

SAS Institute has the insight and tools to help you get your data management procedures straight in order to meet the GDPR deadline.

To find out more please contact:

Daniel Aunvig Phone +45 513 87 509 Email [email protected]

To contact your local SAS office, please visit: sas.com/dk sas.com/fi sas.com/no sas.com/se

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. Copyright © 2017, SAS Institute Inc. All rights reserved. 108772_0317
