Data Privacy, Data Protection

This document discusses the implications of the General Data Protection Regulation (GDPR) for organizations. It provides an overview of GDPR requirements and compliance, examines organizations' level of understanding and readiness, and identifies common challenges around data inventory and risk management. The presentation offers best practices and emphasizes that GDPR compliance is an ongoing process that may require outside expertise or guidance.

Data Privacy, Data Protection, and GDPR.

What Does This Mean for Your Organisation?

14 September, 2017
Information is your most important asset.
Learn the skills to manage it.
Thank You To Our Sponsors
Today’s Presenters

Moderator: Theresa Resek, CIP, Director, AIIM
Thomas LaMonte, Analyst, AIIM
Ralph T. O'Brien, Principal, REINBO Consulting Ltd
Hazel Grant, Partner, Fieldfisher, London
Ben Miller, Business Development, Konica Minolta
Bryant Bell, Product Marketing Manager – Archiving & GDPR, OpenText
Julian Cook, VP of UK Business, M-Files
Andrea Chiappe, Director of Innovation & Strategy, Systemware
Reynold Leming, Managing Director, Informu Solutions Ltd
Marc Stephenson, CTO, Metataxis
Robert Perry, VP, Product Management, ASG
Paul Lanois, VP & Senior Legal Counsel, Credit Suisse
Thomas LaMonte, Analyst
AIIM
GDPR
We’re All Going to be Fine(d)!
The Information used in this presentation is based on an AIIM survey conducted May, 2017
Time Left till DOOMSDAY (GDPR Comes into Force): 252 days, 11 hours, 9 minutes, 38 seconds
…What Was Life Like Before GDPR?
Not So Fast… What does GDPR Stand for?

a) Grains, Dairy, Produce, and Ramen

b) Graduate Degree Progress Report

c) Gross Domestic Product by Region

d) Grateful Dead Public Radio

e) General Data Protection Regulation


How would you rate the level of understanding your executives have of the implications of GDPR non-compliance?
(Response scale: They have no idea what it means / They have little awareness of GDPR implications / They have some idea of the implications / They are aware of the non-compliance implications / They fully understand the implications)
• 21% feel their executives fully understand the implications of GDPR
• 8% say their executives have no idea of GDPR implications
What’s the Big Deal? Sanctions
• A warning in writing in cases of first and non-intentional
non-compliance.
• Regular periodic data protection audits.
• A fine up to 10,000,000 EUR or up to 2% of the annual
worldwide turnover of the preceding financial year in
case of an enterprise, whichever is greater (Article 83,
Paragraph 4).
• A fine up to 20,000,000 EUR or up to 4% of the annual
worldwide turnover of the preceding financial year in
case of an enterprise, whichever is greater (Article 83,
Paragraph 5 & 6).
No Sweat…Everybody's Ready Right?
Yeah, We Got This
How would you rate the readiness of your organization in meeting the GDPR requirements now?
(Response scale: Not at all / We are thinking about it / We are planning for it / We have a project in place / We are fully prepared)
• 6% say they are fully prepared
• 7% have not even begun to prepare
How would you rate the readiness of your organization in meeting the GDPR requirements when it is enforced in May of 2018?
(Same response scale)
• 6% say they will not even be close
• 23% feel they will be fully prepared
Keeping Tabs On Our Digital DNA
Understanding that there is PII data already managed within databases and Line-of-Business applications like Salesforce, etc., where do you feel GDPR-impacted content is being stored within the following?
(Options: Email and email servers / PC and network drives / ECM system / Cloud applications / Mobile devices / Enterprise File Sync and Share (EFSS) silos / ERM system / Third parties (partners, suppliers, etc.) / Removable storage devices / Unmanaged file servers / Unknown / Other)
• 77% cite email and email servers
• 67% cite PCs and network drives
• 59% equally cite ECM systems and cloud applications


The Security Risks You Don’t Account For Hurt the Most
Has your organization suffered any of the following in the last 12 months?
(Options: A data loss or exposure due to staff negligence or bad practice / A data breach involving internal staff or ex-staff / Internal or HR incidents due to unauthorized access / A data breach from external hacking or intrusion / Other / Don’t know)
• 31% cite loss or exposure due to staff negligence or bad practice
Prepare Methodically, But Please Pick Up The Pace
What actions will you be taking to prepare for May 2018 and compliance with GDPR?
(Options: Develop stronger governance policies / Develop and conduct regular training and… / Ensure data quality and integrity are maintained… / Design standardized processes for managing GDPR… / Establish and implement regular audit practices / Design standardized processes for managing… / Using information policy and data/content… / Identify international risk factors and develop a… / Incorporate a means of monitoring the information… / Implement a notification communications system… / Other)
• 74% will develop stronger IG policies
• 57% equally will conduct training and data cleansing exercises


The Next Step Isn’t Always Clear—Seek Out Help
Best Practices:
• Know what you have for PII
• Create a “Helicopter” view
• Maximize metadata use
• Apply encryption technologies
• Control and monitor

Remember:
• GDPR is global; everyone is affected
• If you’re not sure where to turn, seek out trusted advisors in the supplier community
or professional associations
• Pursue quick wins and realistic goals. GDPR compliance is a process
• Thomas LaMonte, Analyst: [email protected] | @TomLaMonte | www.linkedin.com/in/tlamonte
• Bob Larrivee, VP/Chief Analyst: [email protected] | @BobLarrivee | www.linkedin.com/in/boblarrivee
Ralph T. O'Brien, Principal
REINBO Consulting Ltd
GDPR – A Strategic Approach
&
some HEADLINES busted
HEADLINE #1

“I’m a GDPR Expert”

Ralph T O’Brien FIP CIPP/E CIPM MBCS CiISMP
Principal, REINBO Consulting Ltd. Previous: TrustArc, KPMG, BSi, Control Risks, Ultima Risk Management, IT Governance.

Ralph has spent nearly two decades working at the intersection of privacy, security and risk management.
• Assisted global organisations to improve their privacy governance as part of sustainable management systems across global enterprises
• Completed customer projects such as Data Inventory, Data Mapping, GDPR Strategic Priorities Assessments, detailed GDPR assessments, and advisories around specific products and services privacy implications
• Experienced speaker including at IAPP, IRMS, BCS, Data Protection Forum, NADPO and other conferences
• Developed bespoke training materials for privacy and security, and worked with several vendors to develop tools and products in the privacy industry and introduce them to market
• Utilises and creates governance frameworks including work on the ACPO Data Protection Audit Manual, British and international standards such as work on the BSi committees to create BS 10012 (the standard for Personal Information Management Systems)
GDPR Experts?
No accredited “GDPR” qualifications exist as yet.
Certification bodies (UK) are UKAS and the ICO only. Neither has approved any accredited qualifications.

Many organizations provide privacy/GDPR training courses; these provide limited assurance.
One week does not make a privacy pro!
Look for practical experience, a track record of delivery and references.
Legal advice and consultancy are different skills, and provide different things!

All we have is the GDPR text, Recitals, and Regulator guidance.

All compliance programmes are untried and untested.
HEADLINE #2

“I must be compliant by May 2018”


Most Look at the Timeline Like This

NOW → Current state → Gap Analysis → Remediation → Compliance → 25 May 2018

Privacy Is Not “One and Done”

Plan → Do → Check → Act, repeated: stakeholder requirements and expectations drive the plan, delivery is managed, and each cycle increases maturity.
GDPR Enforcement – May 2018
What is compliance? Is there a binary YES/NO answer?
Controllers and Processors must comply with the law.
However, the law uses words like “adequate, relevant, necessary, appropriate” etc.
This means the focus is on the organization to prove it has “done its homework”.

It is a risk management activity:
• Valid options are to take, treat, tolerate, terminate or transfer the risk
• Your response will vary based on who you are
• Focus on high-risk personal data processing areas first!
• You may not want the “Gold Standard” in all areas
Proactive Demonstration of Compliance
GDPR accountability obligation (extract). Quoted from Article 22 of the 2012 Commission draft; in the adopted Regulation this obligation is Article 5(2) and Article 24(1), while Article 22 of the final text covers automated individual decision-making.
“The controller shall adopt policies and implement appropriate measures to ensure, and be able to demonstrate, that the processing of personal data is performed in compliance with this Regulation.”

New requirement to “proactively demonstrate”: keep records of evidence.


HEADLINE #3

“I will be fined 4% of global turnover or


20,000,000 euros”
Regulators
Regulators have different compliance options:
• They will normally work with you during an investigation
• They can serve enforcement notices, stop notices, or reach informal agreements
• The maximum fine is unlikely, as it represents “the worst privacy thing you can do ever”
Regulators will not arrive in May 2018 (or ever!) unless:
• You are a known target
• You have had a data breach
• You hit the headlines
• They receive complaints
Layers of Defense
1 – Not getting on the regulator's radar (see above!)
2 – Having good records of compliance activities when they do
3 – Having plans to improve and mature going forwards
4 – The regulator could be a “critical friend”
HEADLINE #4

“I Need to get …
Explicit consent,
A data protection officer,
Do data mapping,
Right to be forgotten,
etc., etc…”
Get Out of the Specifics, Into the Programme…
Strategic
• Set up a Continually Improving Privacy Programme
• Risk Based maturity model

Tactical
• Ensure each business process complies with privacy
principles
• Risk Based Prioritization
Review Each Element for Your Maturity (rate Desired and Current maturity for each topic)
Operating Model: Governance Model; Privacy Office Management; Privacy Office Planning; Privacy Risk Management
Policies and Procedures: Internal Privacy Policies; External Privacy Policies; Document Control
Security for Privacy: Information security; Breach management; Investigation/E-discovery
Third Party Management: Supplier Due Diligence; Contracts Clauses; Assurance and Audit
Stakeholder Management: Roles, Training and Competency; Awareness; Public Relations
Monitoring and Improvement: Privacy control Monitors; Security Control Monitors; Independent Assurance and Corrective Action
Review Each Element for Your Maturity (continued; rate Desired and Current maturity for each topic)
Information Management: Anonymization processes; Legal Basis/Purpose identification; Minimization processes; Validation and Accuracy; Notices and obtaining consent; Withdrawing consent; Children’s data; Classification processes; Retention processes; Disposal processes
Key Privacy Processes: Data Inventory and Mapping; PIA and PbD; Regulator Interactions; Regulator Filings and registrations; International Transfer mechanisms; Rights Management; Complaints Process; Subject access Requests; 3rd party disclosure requests; Rectification requests; Portability requests; Erasure Requests
Tactical – Business Processes vs Principles
Processes for Data Inventory, Risk management, Privacy Impact Assessment, Privacy by Design, and Rights will drive compliance.

Lifecycle stages (columns): Collection, Storage, Use, Disclosure, Transfer, Retention, Disposal
Principles mapped against them: Notices / Fair Processing; Legal Basis; Purpose(s); Data Subject Rights/Choices; Adequate, Relevant, Not Excessive; Accuracy; Adequacy Mechanism (for transfers); Retention / Necessity; Security; Accountability
Please Enjoy GDPR Responsibly
• Ralph T O’Brien
• FIP CIPP/E CIPM MBCS CiISMP
• Principal, REINBO Consulting
• Tel: +44 (0) 7920 107 959
[email protected]
Hazel Grant, Partner
Fieldfisher, London
GDPR – 5 Hot Questions
Hazel Grant, Partner
Fieldfisher, London
Q1: What’s the real date?
• May 25, 2018
• The transitional/implementation period is
now
• EU regulators expect to enforce starting
immediately after May 25
– Likely first actions against breaches?
Q2: What about Brexit?
• GDPR in full effect 10 months before Brexit
• UK Government has said it will “implement”
GDPR
• UK (and other Member States) will have local
laws to “fill in the gaps/top up” GDPR
– E.g., Data protection officer (DPO)
Q3: What’s the big deal?
• GDPR:
– puts all the “best practice” guidance into law
– means that vendors/service providers are now
directly liable under data protection law
– applies to businesses outside the EU, if they are
targeting or monitoring EU residents
Q4: What if I just ignore it?
• Possible fines of up to 4% global annual turnover
or 20million euro, whichever is the higher
• Possible claims from individuals affected
• Possible orders from data protection authorities
– E.g., to stop processing or stop international data
transfers
Q5: OK, so what do I do first?
• Know your data and data flows – carry out data
mapping
• Review your policies, consent wording and
contracts – they all need to be updated
• Document everything – you are now
“accountable” for data protection compliance, so
must prove your compliance
• Hazel Grant
• Partner, Fieldfisher, London
[email protected]
• +44 207 861 4217
• +44 777 572 8838
Ben Miller, Business Development
Konica Minolta
Konica Minolta | UK
Debunking the top 3 GDPR myths
GDPR – the whole story
GDPR does cover ‘data security’, but GDPR also requires:
• Data breach management and reporting
• Data destruction
• Data migration
• Explicit consent
• The right to be forgotten
• Processes and best practice
• Appointment of a Data Protection Officer
3 Myths about GDPR

1. GDPR is just about stopping data breaches

Single point solutions
GDPR is multi-faceted – no one piece of software will ensure compliance.

Achieving GDPR compliance can be complex:
• Identifying where PII data rests
• Securing existing content
• Access management around content
• Consent management and tracking
• Ongoing analysis of compliance
• A culture of good governance from the top down
3 Myths about GDPR

1. GDPR is just about stopping data breaches

2. GDPR compliance can be achieved with a single piece of software


There isn’t a finish line
GDPR compliance is not a project that has an end date

Even for those who are fully GDPR compliant in May 2018 the
journey is just beginning -

• Ongoing checks
• Continued evaluation
• Reporting and monitoring
3 Myths about GDPR
1. GDPR is just about stopping data breaches

2. GDPR compliance can be achieved with a single piece of software

3. GDPR is a project with an end date


But it needs to begin
Every business will adopt its own philosophy in achieving GDPR compliance:
• Take a consultative approach
• Identify the data you have
• Identify potential areas of non-compliance
• Prioritise those areas based on potential impact
Ben Miller
Konica Minolta
[email protected]
https://www.linkedin.com/in/ben-luke-miller
Bryant Bell, Product Marketing
Manager – Archiving & GDPR
OpenText
Privacy by Design & Default
The Case for a Central Information Repository
Agenda
• GDPR – The New Data Owner
• Personal Data – A Broader Perspective
• Privacy by Design & Default
• Compliance Option – Centralized Repository
New Data Owner
• The Digital Economy
– Data is a business asset
– Personal data is leveraged everywhere
• GDPR makes it clear that:
– Personal data is the property of the data subject
– The data subject has new rights of visibility, erasure
and portability
Personal Data & Content
People – Process – Technology
People: changing behaviors; consent; data lifecycle management
Process: means to address data inquiries
Technology: find GDPR data; classify; control; ensure compliance
EU Citizen’s Rights (data subject rights, which apply to anyone in the EU, not only citizens): access; portability; erasure (“Right to be Forgotten”)
Privacy by Design & Default
• Consolidated Repository – A Strategic Component
– Secure access and control
– Consistent retention and disposition
– Quickly respond to Data Subject’s requests
– Streamline Audit and reporting
– Future proof data
– Compliant data source for analytics
– Elimination of costly legacy systems
Act Now

• Don’t Delay
• Get Educated
• Seize the Opportunity
Bryant Bell
OpenText – Product Marketing
[email protected]
@bell2bry
https://www.linkedin.com/in/bryantbell/
More GDPR Info: http://www.opentext.com/what-we-
do/business-needs/information-governance/ensure-
compliance/gdpr-are-you-ready
Julian Cook, VP of UK Business
M-Files
A Process-Based Approach to GDPR
Lowering the Risk While Keeping it Simple

31% of organisations experienced data loss caused by staff negligence or bad practices (AIIM & M-Files, GDPR Readiness Research 2017)

This is a process problem, not a technology problem
Getting started: Is it difficult?
• Is GDPR compliance really that different?
– Apply lessons learned from other compliance projects

• Is it simply the breadth of the issue?


– Rank your risk exposure by business unit, system, vendor, etc.

• How to simplify?
– Reduce the scale of the problem; Prioritise and address incrementally
Is Excel the answer?
(Spreadsheet tabs: Systems, Data flows, Vendors, Risks, Training, DPIA, Audits & findings, Mitigation, Roles & resp., Subject requests, etc.)
• Unmanageable relationships and interdependencies
• Multiple versions of documents in different locations
• Information silos with no workflow or process automation
• Impossible to audit and prove – so what's the point?
Follow a simple, process-based approach
• Understand what you have and where it resides using
a personal data registry

• Link processes, documents, events, and activities to


the registry

• Define and communicate policies and procedures


through automated training

• Ensure all actions are recorded for audit and reporting


purposes
How can this approach benefit you?
• Starting with a Personal Data or Information Asset Registry
– Enables incremental roll-out of GDPR, based on vulnerability and risk

• Streamlining and automating GDPR related processes


– Minimizes staff time and effort on compliance
– Reduces risk of human error

• Built-in activity monitoring and recording


– Proves to auditors that you are following best practices
– Alerts you of potential GDPR non-compliance
Key takeaways
• A simple, process-based approach to information governance provides a
practical foundation for GDPR compliance

• No need to strive for perfect compliance right away. Focus on the


foundation and best practices first

• Building in auditability from the ground up dramatically reduces the risk of


GDPR non-compliance
Julian Cook
Vice President of UK Business, M-Files
[email protected]
Andrea Chiappe,
Director of Innovation & Strategy
Systemware
GDPR A FORCE
FOR
TRANSFORMATION
9.14.2017
Andrea Chiappe
Systemware, Inc.

MAY 25, 2018


@ChiappeAndrea | @systemware |[email protected]
REALITY CHECK: BUSINESS INFORMATION LANDSCAPES ARE COMPLEX AND MESSY
Over 400 IM systems globally: cloud systems, enterprise systems, core systems, and the attitude “if it ain’t broke don’t fix it…”.
• Encrypt data at rest
• Realize storage reduction of 90%
• Interrogate your information
• Do not disrupt end users and customers

Step back: which regulation requirements are the same or similar, and which are different? (e.g. gaming regulatory requirements, the Dodd–Frank Act)

MAP CONTROLS TO A REGULATION MATRIX
Preparing for GDPR (ICO.org.uk, the 12 steps to take now)
1. Awareness: You should make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact it is likely to have.
2. Information you hold: Document what personal data you hold, where it came from and who you share it with. You may need to organize an information audit.
3. Communicating privacy information: You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. Individuals’ rights: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject access requests (1 month): You should update your procedures and plan how you will handle requests within the new time scales and provide any additional information.
6. Lawful basis for processing personal data: You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
7. Consent: You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
8. Children: You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
9. Data breaches (72 hours): You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data Protection by Design and Data Protection Impact Assessments: You should familiarize yourself now with the guidance the ICO has produced on privacy impact assessments and work out how and when to implement them in your organization.
11. Data Protection Officers: You should designate a data protection officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements.
12. International: If your organization operates internationally, you should determine which data protection supervisory authority you come under.
Preparing for Compliance
The Individual’s Rights
• to be informed
• of access
• to rectification
• to erasure
• to restrict processing
• to data portability
• to object
• in relation to automated decision making and profiling
ASSESS PROCESSES AND SYSTEMS

@ChiappeAndrea | @systemware |[email protected]


USERS HAVE LEARNED TO BUILD
PROCESSES AROUND LIMITATIONS

OUR ULTIMATE
INTEGRATORS
Preparing for GDPR
Data Portability
DELIVER THE RIGHT INFO TO THE RIGHT PLACE

To Another
Organization’s
Systems

To Individuals

Preparing for GDPR: Metadata
Having the right metadata matters for new compliance regulations
Preparing for GDPR: Data Portability
Sub seconds
OPPORTUNITY

• DATA MINING DIRECTLY OFF OF DOCUMENTS/AUTOMATION/SCRIPTING


• AMPLIFY BUSINESS REPORTING AND ANALYTICS
• CUSTOMER SELF-SERVICE

• Connect Silos
– IDENTIFY THE GO FORWARD VS. LEGACY OR UNDERPERFORMING SYSTEMS

• Ranking Regulations
– DEFINE REGULATION AND COMPLIANCE MATRIX TO FEED RISK ASSESSMENTS

• User Processes
– INVOLVE CROSS FUNCTIONAL TEAMS LEGAL, BUSINESS, AND IT AS SOON AS POSSIBLE

• Beyond Porting
– TAKE ADVANTAGE OF THE CAPABILITIES GDPR GIVES YOUR BUSINESS
Andrea Chiappe
Director of Strategy & Innovation
Email: [email protected]
Twitter: @ChiappeAndrea

@systemware | [email protected] | 844-343-0200
Reynold Leming, Managing Director
Informu Solutions Ltd
Information Audit
What are we storing? How to Conduct an
Information Audit of Personal Data and
Content and Form an Action Plan
Lots of Personal Data!
What? Personal details, contact, profiling or ID; Genetic and Biometric; Criminal convictions, offences; Education & training; Employment details; Financial details; Health information; Images, voice recordings; IP address, Mobile Device ID
Who? Children; Complainants; Consumers; Contractors; Customers; Enquirers; Funders; Marketing Prospects; Staff; Suppliers; Visitors
Where? Document, messaging, AV, graphical, web, database content, across: Corporate Physical Filing; Offsite Archives; Corporate Digital Estate; Cloud; Personal and Mobile Devices; Suppliers, Partners, Outsourced Contracts
The Need for an Audit
• Ensures activities involving personal data are identified for embedding Data Protection by design and default into business processes and systems
• Ensures an organisation is accountable, transparent and can create the necessary records of processing activities for GDPR compliance
Questions and Answers
Data About Personal Data
Asset Data: Business Function & Activity; Asset Name; Description; Asset Owner; Asset Administrator; Format; Status; Utilisation; Data Repository; Data Repository Owner; Data Repository Location Country; Security Controls; Business Continuity Controls; Retention Rule; Long Term Storage Location; Disposal Method
Personal Data: Personal Data Category; Processing Reason; Processing Condition; Data Subject Type; Data Subject Location; Sensitive Personal Data?; Data Elements Collected; Last updated; Number of PI Records; Data Source; When is data obtained?; When is it updated?; Data Accessors; Means of Access; Data Elements Accessed; Purpose of Access
Sharing: Sharing Status; Shared With; Sharing Agreement; Purpose of Sharing; How Shared?; Data Elements Shared; Shared Processing Location; Processor Security Controls
What is an Information Asset?
The National Archives:
"Assessing every individual file, database entry or piece of information isn’t realistic. You need to
group your information into manageable portions"
"An information asset is a body of information, defined and managed as a single unit so it can be
understood, shared, protected and exploited effectively"

Paper – the file types maintained both onsite and at archive storage (for which there may be
many instances within a series) and important individual documents, such as unique certificates
/ consents.
Electronic Files – ranging from, for example, an important individual control spreadsheet, to a
whole collection of digital records sharing same profile and business purpose.
System Data – could be a whole database serving a single primary purpose or alternatively
distinct sub sets of data within a line of business application that delivers a range of functionality
(such as an ERP system).
The Audit Process
Suggested steps to conducting the audit:
1. Agree the questionnaire design, including the scope of controlled lists within drop-down selections.
2. Identify the participants (information asset owners / administrators).
3. Conduct a pilot audit, subsequently refining the questionnaire.
4. Conduct a series of business seminars to introduce and explain the audit.
5. Self-audit by teams, with advisory resource available to support upon request.
6. Re-visit teams after the initial audit, as required, to clarify their answers.
7. Analyse the findings to identify both opportunity and risk.
8. Interviews and observation are valuable if data mapping.
9. Use a file analysis tool if desired for a deeper-dive assessment of digital content.
10. Physical file / box inventory if required to catalogue legacy records.
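The questionnaire above produces rows of "data about personal data"; the value comes from checking those rows against the Regulation and ranking what to fix first, which is also Ralph O'Brien's "focus on high-risk processing areas first" point earlier in the deck. The following is an added example (not part of the presentation or any presenter's tooling) of a register checker in Python: each asset carries a subset of the fields from the "Data About Personal Data" slide, the checker flags accountability gaps (no Article 6 basis, special-category data without an Article 9 condition, no retention rule, sharing without an agreement, third-country transfer without a mechanism) and scores assets by sensitivity and volume. The sample register, the weightings and the adequacy list are constructed assumptions for illustration, not a complete legal reference.

```python
"""Information asset register checker (added example, not from the presentation).

Each Asset mirrors a subset of the 'Data About Personal Data' questionnaire
fields; findings() lists accountability gaps and risk_score() ranks assets
so high-risk processing is reviewed first. Lists and weights are
illustrative assumptions, not a complete legal reference.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Article 6(1) lawful bases for ordinary personal data.
LAWFUL_BASES = {"consent", "contract", "legal obligation", "vital interests",
                "public task", "legitimate interests"}
# Article 9(1) special categories: processing also needs an Article 9(2) condition.
SPECIAL_CATEGORIES = {"health", "genetic", "biometric", "racial or ethnic origin",
                      "political opinions", "religious beliefs",
                      "trade union membership", "sex life or sexual orientation"}
# Processing locations needing no extra transfer mechanism (illustrative subset, assumed).
NO_MECHANISM_NEEDED = {"EU", "EEA", "UK", "Switzerland", "Canada", "Japan"}


@dataclass
class Sharing:
    shared_with: str
    processing_location: str
    agreement_in_place: bool
    transfer_mechanism: Optional[str] = None  # e.g. "SCCs", "BCRs"


@dataclass
class Asset:
    name: str
    owner: str
    repository: str
    data_categories: List[str]
    data_subject_types: List[str]
    lawful_basis: str
    record_count: int
    retention_rule: Optional[str] = None
    special_category_condition: Optional[str] = None  # Article 9(2) ground
    encrypted_at_rest: bool = False
    sharing: List[Sharing] = field(default_factory=list)


def findings(asset: Asset) -> List[str]:
    """Accountability gaps for one register entry (empty list means no gap found)."""
    gaps = []
    if asset.lawful_basis not in LAWFUL_BASES:
        gaps.append("no valid Article 6 lawful basis recorded")
    special = [c for c in asset.data_categories if c in SPECIAL_CATEGORIES]
    if special and not asset.special_category_condition:
        gaps.append("special category data without an Article 9 condition: " + ", ".join(special))
    if not asset.retention_rule:
        gaps.append("no retention rule (storage limitation)")
    if "children" in asset.data_subject_types and asset.lawful_basis == "consent":
        gaps.append("consent relied on for children: age verification / parental consent needed")
    if not asset.encrypted_at_rest:
        gaps.append("not encrypted at rest")
    for s in asset.sharing:
        if not s.agreement_in_place:
            gaps.append(f"shared with {s.shared_with} without a processing agreement")
        if s.processing_location not in NO_MECHANISM_NEEDED and not s.transfer_mechanism:
            gaps.append(f"transfer to {s.processing_location} without a transfer mechanism")
    return gaps


def risk_score(asset: Asset) -> int:
    """Gap count weighted by sensitivity and volume (weights are an assumption)."""
    sensitivity = 2 if any(c in SPECIAL_CATEGORIES for c in asset.data_categories) else 1
    volume = 1 + (asset.record_count >= 10_000) + (asset.record_count >= 1_000_000)
    return len(findings(asset)) * sensitivity * volume


def prioritise(register: List[Asset]):
    """Highest-risk assets first, as (score, name, findings) tuples."""
    return sorted(((risk_score(a), a.name, findings(a)) for a in register), reverse=True)


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Asset("HR occupational health files", "HR Director", "SharePoint",
          ["contact", "health"], ["staff"], "legal obligation", 700,
          retention_rule="6 years after employment ends", encrypted_at_rest=True,
          sharing=[Sharing("Occupational health provider", "UK", True)]),
    Asset("Marketing prospect list", "Head of Marketing", "Salesforce",
          ["contact", "profiling"], ["marketing prospects"], "consent", 250_000,
          sharing=[Sharing("Email campaign vendor", "USA", False)]),
    Asset("Visitor sign-in book", "Facilities", "Paper",
          ["contact"], ["visitors"], "", 3_000),
]

if __name__ == "__main__":
    for score, name, gaps in prioritise(SAMPLE_REGISTER):
        print(f"{score:>3}  {name}")
        for g in gaps:
            print(f"      - {g}")
```

A real register would hold the full field set, and the privacy office would maintain the adequacy list and the weights; the point is that once the audit is a structured record rather than free text in a spreadsheet, prioritisation and the evidence of having "done your homework" fall out of it mechanically.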
The Outcome!
• Reynold Leming
• Informu Solutions Ltd
• +44 (0)7966 397417
[email protected]
Marc Stephenson, CTO
Metataxis
Get Doing Privacy Right now!
A case study in implementing GDPR for a global
services organisation

September 2017
The Organisation
● USA parent company, revenue $60 billion
● Recently acquired, UK-based, international, global services
● 700 employees
● No RM or IM; IT and IM tools patchy

• Security audit revealed a range of issues, including no GDPR programme
• Programme started to remediate and improve governance, incl. GDPR
Steps Taken
• Parent company already supported by global law firm for legal
GDPR issues
• Metataxis provided support on information management GDPR
issues
• Aim was to meet the needs and concerns of Legal, IT and IM teams
and translate them into operational, practical steps for GDPR
compliance
• Additional aim was to provide the basis for wider IM and
governance regime
• Needed extensive file analysis – significant volumes of unstructured
information, so used Active Navigation (leaders in the space)
• A GDPR capability architecture was developed to operationalize the
required steps, and identify the tools to achieve them
GDPR Capability Architecture (diagram; the circled numbers are expanded in the Diagram Key)
Information repositories:
• Structured information (1): Databases, ERP Systems, Cloud Services
• Unstructured information (1, 2): Content Management, Network Drives, Email, Paper
IT Team side: IT discovery and analysis tools (3) get data from the repositories and populate the IT Asset Register (ITAR) (4), which integrates with the Information Asset Register (IAR) (5).
IM Team side: information discovery and analysis tools (6, 7; Active Navigation) get data from the repositories and populate the IAR; they inform the Record of Processing (RoP) (8), the Controlled Vocabularies (9) and the Classification rules (13), which in turn inform each other.
Ongoing control: real-time IT auditing tools (10) and real-time information auditing tools (10) monitor the repositories and feed the Investigation Repository (11); Data Loss Prevention tools (DLP) (12) and Records Management (14) are part of the same rule-driven control, with the classification rules driving DLP, ongoing retention and search.
Initial discovery and ongoing monitoring can be difficult, but tools exist; automatic tools can only do so much, some manual input is needed.
Diagram Key
1. Could be unstructured or structured. Discovery and real-time auditing can be difficult, but tools exist.
2. And other physical media.
3. A number of tools are available.
4. Contains physical items but also software systems.
5. Post GDPR, will contain all assets.
6. Automatic tools can only do so much, some manual input is needed.
7. Active Navigation was essential.
8. RoP detail only needed for GDPR relevant assets.
9. Post GDPR, will contain all vocabularies, taxonomies and maybe ontologies.
10. Monitor relevant activity and may detect immediate issues.
11. Most likely a collection of documents or evidence grouped by incident.
12. Generate alerts on data breaches.
13. A common set of rules to classify GDPR information, manage ongoing retention, control DLP, augment search
etc. Active Navigation can define these rule sets and use them.
14. Could be an explicit system or a coordinated use of tools.
Status and Next Steps
Status
• Initial RoP complete – fields, taxonomies, some data
• Discovery phase complete – file analysis and structured analysis

Next Steps
• A solution architecture to be created – a project in itself
– Tools? Costs? Deployment? Integration? Configuration?
• Controlled vocabularies (taxonomies)
• Wider information architecture
• Information management policies and governance framework
• Retention and disposal schedules
– Includes defensible deletion by Active Navigation
• Change management and training initiatives
@Metataxis
Presenter, Metataxis: Marc Stephenson, CTO
[email protected]
www.metataxis.com
+44 (0)7870 345378

@ActiveNav
Active Navigation: Patrick Cardiello, Marketing Manager
[email protected]
www.activenavigation.com
1 (914) 262 6131
Robert Perry, VP, Product Management
ASG
The Four P’s of GDPR
Readiness
Robert Perry
Vice President, Product Management
ASG Technologies
Are You on the Path to GDPR Compliance?
• What personal data is stored and how are we using it?
• Do I need to update any contractual language?
• Can I quickly locate all private information and related data to support new requests?
• How is my organization affected by the GDPR?
• Are processes in place to deal with data subject requests for personal information?
• What is our lawful basis for collecting personal data?
• Have we reviewed consent processes for all of our business processes that handle personal information?
• Are we making enough progress towards compliance today?
• Do I need a Data Protection Officer for compliance?
GDPR Preparation is Underway but a Challenge
Requirement for DPO is being met
• 85% have appointed a Data Protection Officer (1)
Private data is difficult to identify and sustain
• 73%: nearly three quarters of respondents said private data is either very or somewhat difficult to identify or sustain (2)
Preparation is moving forward in many companies (2)
• 53%: a little more than half of respondents feel very or somewhat prepared for GDPR (2)
Few use a systematic, organized approach for Privacy Impact Assessments (1)
• 25% use an automated system (in-house or commercial)
• 36% have a procedure or framework to identify and classify risk to individuals
Sources:
1. Organisational Readiness for the European Union General Data Protection Regulation (GDPR), Center for Information Policy Leadership and Avepoint.
2. How to Tackle the Challenges of GDPR Readiness, The A-Team Group for Data Management Review. Commissioned by ASG Technologies
Four P’s of GDPR Compliance
Preparation: educate teams and create a baseline view of current data, business processes, and data flows that use personal data
Production: adapt practices for data collection, data processing, and application design within regulations
Performance: implement oversight and be prepared for supervisory audits and breach notification requirements
Persistence: use reporting to maintain compliance through monitoring and continued education, and prove knowledge of what data is processed and how
Preparing for GDPR Compliance
Action / Implementation
• Education / Internal training programs, certifications for staff handling personal data.
• Evaluate infrastructure / Assure data governance, content management and data management capabilities can support new requirements for archival, records, processes and data management.
• Identify personal data currently stored; how you got it; and business processes it touches / Inventory data and application estates to know where data is stored and what processes use it. Delete unused data where no lawful basis for use exists.
• Determine lawful basis for processing personal data / Review the ways to lawfully collect data, determine which is appropriate for the private data collected and document it for supervisory authorities if asked.
• Update processes for gaining consent / Assure all forms include language for consent when consent is the lawful basis. Determine how to capture and store consent.
• Appoint Data Protection Officer / Determine if needed and if so, hire. Establish roles throughout the organization.
• Prepare for data breaches / Organize a process for identifying breached data and all affected individuals.
• Build processes with privacy by design / Establish an approach to data collected, anonymize where possible, review processing and data transfers with the goal to minimize, and consider security of data.
Identifying Personal Data
“WHERE IS ALL PERSONAL DATA?”
[Diagram: data lineage example; field labels visible are INPUT: EMAIL, USER_ID, EMAIL_ID, ADDRESS_ID]
ASG Solutions for Compliance
• Zero-Gap Data Lineage: identify location of private data across the enterprise
• Transparent Data Flow Visualization: understand data source and destination and how processes manipulate it
• Policy-based data management: manage all content types with encryption, archiving, redaction and deletion
• Standards-based APIs: integrate with the extended compliance ecosystem
• Comprehensive Metadata and Content Repositories: maintains mapping of the data estate and manages content lifecycle in compliance with regulations
• Robust Data Governance: issue management, tracking and status dashboards for an audit-ready environment
Robert Perry
Vice President, Product Management
[email protected]
Paul Lanois, VP & Senior Legal Counsel
Credit Suisse
EU’s General Data Protection Regulation:
How will this impact how you manage
information in your organization?

Paul Lanois, LL.M.


Global Data Privacy and Technology Lawyer
Fellow of Information Privacy, CIPP US/C/E/A, CIPM, CIPT, PCIP
Vice President and Senior Legal Counsel, Credit Suisse
Paul Lanois, CIP, FIP, CIPP
Paul is a global privacy, data protection and information security law expert. He is Vice President and
Senior Legal Counsel working at a leading international bank (Credit Suisse) and is an attorney admitted
to the Bars of the District of Columbia (DC-USA), New York (NY-USA) and the Supreme Court of the
United States (SCOTUS). He has spoken at numerous conferences across Europe, the United States and
Asia.

He received the 2017 AIIM Leadership Social Buzz at the AIIM Conference 2017. He was also named a
"Cybersecurity & Data Privacy Trailblazer" by the National Law Journal and an "Innovative Corporate
Counsel" by Law 360. In addition, he was recognized as a leading lawyer in The Legal 500’s GC Powerlist
and was awarded the 2017 Advocacy Award from the Association of Corporate Counsel (ACC).

He has been recognized as a Fellow of Information Privacy (FIP) by the International Association of
Privacy Professionals (IAPP) and is a Certified Information Privacy Professional, with concentrations in
Asian law (CIPP/A), US law (CIPP/US), European law (CIPP/E) and Canadian law (CIPP/C). He is a Certified
Information Professional (CIP), a Certified Information Privacy Manager (CIPM) and a Certified
Information Privacy Technologist (CIPT). He also holds certifications in information security, including the
CCSK, PCIP, CISMP, SSCP and Security+.

[email protected]

Note: the views expressed are mine alone and do not necessarily reflect the views of my employer.
The GDPR
• The EU Commission presented its proposal in
January 2012 as a replacement of the Data
Protection Directive 95/46.
• After negotiating with the EU Council, the draft
GDPR was adopted by the European Parliament on
April 14th 2016 and published on May 4th 2016 in
the EU Official Journal.
• The GDPR entered into force 20 days after its
publication in the EU Official Journal.
• Its provisions will be directly applicable in all
Member States two years after this date.
Impacts of the GDPR
• Increased enforcement powers:
Previously, fines varied by Member State and were comparatively low (the ICO's
maximum fine is 500k GBP). The GDPR will significantly increase the
maximum fine to €20 million, or 4% of annual worldwide turnover,
whichever is greater. In addition, national data protection supervisory
authorities are expected to coordinate supervisory and enforcement
powers across the Member States, which is likely to lead to a more pronounced
enforcement impact and risk for businesses.
• Expanded territorial scope:
Non-EU businesses will be subject to the GDPR if they: (i) offer goods
or services to persons within the EU; or (ii) monitor the behavior of
persons within the EU.
Many non-EU businesses that were not clearly required to comply
with the Directive will be required to comply with the GDPR.
Personal Data
• ‘Personal Data’ means any information relating to
an identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who
can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.
• The GDPR applies to both automated personal data
and to manual filing systems where personal data is
accessible.
GDPR Action Plan
• Ensure the support from the board & business units
• Establish inventory of personal information held
• Privacy Notice & Information
• Individuals’ rights
• Data subjects’ access requests
• Data protection impact assessments (DPIA)
• Consent
• Children
• Personal data breaches
• Security of data processing & data protection by design
• Data protection governance
Stakeholder Support
• Decision makers and key people in your
organization must be aware of their
accountability and appreciate the impact
GDPR is likely to have so that they can
identify areas and processes that will need
to change.
• Implementation could require significant
resources, especially for larger and more
complex organizations.
Inventory of Personal Information
You should document:
• what personal data you hold
• where it came from, and
• who you share it with
Privacy Notice & Information
You must give notice that:
• provides details of the grounds that are used
to justify processing,
• highlights that consent may be withdrawn,
the existence of the data subject rights and
the right to lodge a complaint with the
Supervisory Authority, and
• is concise, transparent, intelligible and in an
easily accessible form using clear and plain
language.
Individuals’ Rights
The main rights for individuals under the GDPR will be:
• access to their personal data,
• to have inaccuracies corrected,
• to have information erased,
• to object to the processing of personal data for
direct marketing purposes,
• to prevent automated individual decision-making
and profiling, and
• data portability.
Data Subjects’ Access Requests
• Data subjects will have a right to request a copy of
their personal data undergoing processing. They
may also request:
the purpose of processing, the period of time for which
data will be stored, any recipients of the data, the logic
of automated decision-making, including profiling, and
the envisaged consequences of any such processing.
• The controller must take the appropriate action
“without undue delay” or at the latest within a
month of the request.
Privacy Impact Assessments
• The GDPR introduces Data Protection Impact
Assessments (DPIA) as a means to identify
and deal with high risks, notably to the
privacy rights of individuals when processing
their personal data.
• The DPIA requirement is linked to processing
“likely to result in a high risk for the rights and
freedoms of natural persons,” taking into
account “the nature, scope, context and
purposes of the processing.”
Consent
• Consent must be “freely given, specific, informed
and unambiguous.”
• Consent has to be specific to the processing
operations. The controller cannot request open-
ended or blanket consent to cover future
processing.
• GDPR requires the data subject to make a statement
or clear affirmative action removing the possibility
of “opt-out” consent or the interpretation of
silence, inactivity, and pre-ticked boxes as a means
of providing consent.
Children
• GDPR introduces specific protections for children
who are identified as “vulnerable individuals” and
deserving of “specific protection”. This applies to
children under the age of 16, unless a Member
State has made provision for a lower age limit
(lowest age limit is 13).
• Where online services are provided to a child and
consent is relied on as the basis for the lawful
processing of his or her data, consent must be given
or authorized by a person with parental
responsibility for the child.
Personal Data Breaches
• A “personal data breach” is “a breach of security leading
to the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data
transmitted, stored or otherwise processed.”
• In the event of a personal data breach, as a general rule,
data controllers must notify the supervisory authority.
• Notice must be provided “without undue delay and,
where feasible, not later than 72 hours after having
become aware of it.” If notification is not made within 72
hours, the controller must provide a “reasoned
justification” for the delay.
Security & Data Protection
• Controllers and processors are required to
“implement appropriate technical and
organizational measures” taking into
account “the state of the art and the costs
of implementation” and “the nature,
scope, context, and purposes of the
processing as well as the risk of varying
likelihood and severity for the rights and
freedoms of natural persons.”
Data Protection Governance
• GDPR requires all organizations to implement a wide
range of measures to reduce the risk of contravening
GDPR requirements and to prove that they take data
governance seriously.
• Accountability measures include: Data Protection Impact
Assessments, audits, policy reviews, keeping records of
processing activities and (potentially) appointing a Data
Protection Officer (DPO).
• For those organizations which have not already allocated
responsibility and budget for data protection compliance,
these requirements will impose a heavy burden.
Paul Lanois, Credit Suisse
Theresa Resek, CIP, Director
AIIM
What GDPR Means for
US Companies
Common Questions
Non-EU Businesses are Asking
How do I know if I need to worry
about GDPR compliance?
• The rules follow the data
• US companies that are not located in the EU
but do offer goods or services to EU citizens
must be in compliance with GDPR
• Employee data for employees in the EU
Are the fines the same for
US Companies?
• Yes – EU regulators can fine US companies for violating GDPR,
and they can do it with the help of US authorities
• Yes – this also applies to companies based in any other region
of the world
• Penalties/fines (calculated on the company’s global annual
turnover of the preceding financial year) of up to 4% for non-
compliance with the regulation
• Theresa Resek, CIP, AIIM
[email protected]
• https://www.linkedin.com/in/theresaresek
• @tmresek
• www.aiim.org/webinars
• www.aiim.org/podcast
Thank You To Our Sponsors
info.aiim.org/understanding-gdpr-readiness-in-2017
info.aiim.org/governance-and-compliance-in-2017-a-real-world-view