PRACTICAL STEPS FOR DATA PRIVACY COMPLIANCE
MARCH, 14TH
WELCOME
A few logistical points.
• All participants are muted
• You may ask questions using the Q&A panel located at the bottom of the GoToWebinar applet
• Answers will be provided after the presentation
• If time is too short to address all questions, answers will be provided via email
• To receive a replay of our webinar today, please send us an email to [email protected]
• If you are experiencing connection problems, please use the Q&A panel to communicate
ABOUT US
Sunil Soares, Information Asset, @sunilsoares1
• Founder & Managing Partner
• Thought leader in the Data Governance industry
• 8 books on Data Mgmt., Data Governance and Data Sovereignty
• Information Asset is a boutique consulting firm focused on delivering Data Governance to diverse clients in multiple industries
Jean‐Michel Franco, Talend, @jmichel_franco
• Sr Product Marketing Director, Data Governance
• 25 years of experience in Data Management and BI
• Authored 4 books, and regular publications
• Talend is a next‐generation leader in cloud and big data integration software that helps companies make data a strategic asset.
Executive summary: White Paper: https://info.talend.com/dataprivacycompliance.html
GLOBAL DATA PRIVACY: THE STAKES ARE HIGH
• Jurisdictions everywhere
• Rapidly changing regulations
• Multiple subject areas
• Data Privacy meets Big Data
NORAM: CASL (Canada), HIPAA, GLBA (USA)…
EMEA: GDPR (EU), PoPI (South Africa)…
APAC: APP (Australia), NZ‐IPP (New Zealand), PDPA (Singapore), PIPA (South Korea)…
POLL #1: WHAT’S YOUR SCOPE FOR DATA PRIVACY?
1. No Data Privacy initiative in place
2. Initiative is up and running for NORAM
3. Initiative is being extended for GDPR compliance
4. Initiative is already GDPR compliant
5. Initiative has a global reach across NORAM, EMEA and APAC
OPERATIONALIZING DATA PRIVACY COMPLIANCE
A 16 Step Data Governance Plan
1. Develop Policies, Standards & Controls
2. Create Data Taxonomy
3. Confirm Data Owners
4. Identify Critical Datasets & Critical Data Elements
5. Establish Data Collection Standards
6. Define Acceptable Use Standards
7. Establish Data Masking Standards
8. Conduct Data Protection Impact Assessments
9. Conduct Vendor Risk Assessments
10. Improve Data Quality
11. Stitch Data Lineage
12. Govern Analytical Models
13. Manage End User Computing
14. Govern the Lifecycle of Information
15. Set up Data Sharing Agreements
16. Enforce Compliance with Controls
STEP 4: IDENTIFY CRITICAL DATASETS & DATA ELEMENTS
• GDPR Article 4 defines ‘personal data’ as any information relating to an identified or identifiable natural person… by reference to an identifier such as name, identification number, location data, an online identifier…
• GDPR Article 9 restricts the processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership…
• Data Governance must work with Legal and Privacy to define ‘personal data’ for the GDPR
• Example: an item code ‘Halal’ may be covered by Article 9 because it may point to a data subject’s religion
Example for GDPR
STEP 5 & 6: DATA COLLECTION & ACCEPTABLE USE STANDARDS
• Most privacy regulations address Data Protection by Design and by default
  • GDPR, Article 25
  • Australian Privacy Act, Principle 3
  • Singapore Personal Data Protection Act, Section 24
  • South Korean Personal Information Protection Act, Article 24
• Data Governance must establish controls so that Legal and Privacy sign off on data collection for any new project during the design phase
Example: creating an Enterprise Consent Repository with Talend MDM
STEP 7: ESTABLISH DATA MASKING STANDARDS
• Canada’s PIPEDA 4.7, Principle 7 states that personal information shall be protected by appropriate security safeguards
• GDPR Recital 26 & Article 11 state that the principles of data protection should not apply to anonymous information
• GDPR Article 32 deals with the security of personal data
• Example: anonymizing salary benefits data for data science and analytics
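The salary benefits example above, worked through as added illustration code (not code from the webinar or from Talend): the masking standard drops direct identifiers, replaces the employee ID with a keyed pseudonym so analysts keep a consistent join key, generalizes salary and age into bands, and suppresses benefit codes that Legal/Privacy have flagged as pointing to an Article 9 special category (the same "Halal" concern raised in Step 4). The employee rows, the key, and the flagged codes are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: one row per employee as it sits in the HR system.
HR_ROWS = [
    {"employee_id": "E1001", "name": "Alice Martin", "email": "alice@example.com",
     "birth_year": 1984, "postcode": "75008", "salary": 61200, "benefit_code": "MEAL-HALAL"},
    {"employee_id": "E1002", "name": "Bob Ng", "email": "bob@example.com",
     "birth_year": 1991, "postcode": "75011", "salary": 48750, "benefit_code": "MEAL-STD"},
]

# Assumptions for the example: a placeholder masking key that lives outside the analytics
# zone, and hypothetical benefit codes flagged by Legal/Privacy as revealing religion.
PSEUDONYM_KEY = b"placeholder-key-kept-out-of-the-analytics-zone"
DIRECT_IDENTIFIERS = ("employee_id", "name", "email")
SPECIAL_CATEGORY_CODES = {"MEAL-HALAL", "MEAL-KOSHER"}


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    # HMAC rather than a plain hash: without the key, a known employee ID cannot be
    # hashed and matched against the analytics copy.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def salary_band(salary: int, width: int = 10000) -> str:
    low = (salary // width) * width
    return f"{low}-{low + width - 1}"


def age_band(birth_year: int, reference_year: int, width: int = 10) -> str:
    low = ((reference_year - birth_year) // width) * width
    return f"{low}-{low + width - 1}"


def mask_row(row: dict, reference_year: int = 2018) -> dict:
    # Only the masked fields are emitted; every name in DIRECT_IDENTIFIERS is left behind.
    code = row["benefit_code"]
    return {
        "pseudo_id": pseudonym(row["employee_id"]),
        "age_band": age_band(row["birth_year"], reference_year),
        "postcode_area": row["postcode"][:2],          # keep the area, drop the street-level part
        "salary_band": salary_band(row["salary"]),
        "benefit_code": "SUPPRESSED" if code in SPECIAL_CATEGORY_CODES else code,
    }


def mask_dataset(rows, reference_year: int = 2018):
    return [mask_row(r, reference_year) for r in rows]
```

Because the pseudonym can be reversed by whoever holds the key, the output is pseudonymized rather than anonymous in the Recital 26 sense and remains personal data under the GDPR; the key therefore belongs under the same controls as the source system.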
STEP 11: STITCH DATA LINEAGE
• GDPR Article 30 requires organizations to maintain a record of processing activities
• This record must include:
  • a description of the categories of data subjects and of the categories of personal data, and the categories of recipients of personal data, including those in third countries or international organizations;
  • transfers of personal data to a third country or an international organization
• The recordkeeping requirements also extend to so‐called processors who process data on behalf of an organization
• Critical step: mapping of personal data elements to applications
STEP 12: GOVERN ANALYTICAL MODELS
• GDPR Article 22, French Data Protection Act Article 10, and the Philippines’ NPC Circular 17‐01 under the Data Privacy Act all deal with automated individual decision‐making
• Under many privacy laws, Automated Processing is required to be disclosed and results are subject to data subject access
• “Disparate Treatment” versus “Disparate Impact”
• Example: predictive models may highlight that employees who live closer to work may stay longer in their jobs, but the models may discriminate against minority candidates in certain zip codes
STEP 13: MANAGE END‐USER COMPUTING
• End‐User Computing (EUC) applications are outside the control of the IT department
• EUCs include Microsoft Excel spreadsheets, Microsoft Access databases and SharePoint repositories
• EUCs may contain personal data that is still subject to Data Privacy compliance including data masking requirements
• Example: reclaiming control over user‐managed personal data with self‐service tools
STEP 14: GOVERN THE LIFECYCLE OF INFORMATION
• GDPR Article 17 deals with Right to Erasure or the ‘Right to be Forgotten’
• Manage information throughout its lifecycle (ILM), from creation through disposal, including compliance with legal, regulatory, and privacy requirements
• Manage retention schedules
• Example: How do you forget a data subject if you do not know where their information resides in the first place?
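The two slides above (Step 11, mapping personal data elements to applications and on to processors, and Step 14, forgetting a data subject whose data location is unknown) share one worked illustration, added here and not code from the webinar or from Talend. It assumes a constructed inventory in which each application records the personal data elements it declares, who operates it, and which systems it feeds; from that it produces the Article 30 view for an element and an Article 17 erasure plan that also flags downstream systems receiving a flow without declaring the element, which is exactly the "where does it reside" gap the slide asks about.

```python
# Constructed inventory: application -> declared elements, operator, and outbound data flows.
INVENTORY = {
    "crm":            {"elements": {"name", "email", "postcode"},      "operator": "in-house",               "feeds": ["marketing_saas", "dwh"]},
    "hr":             {"elements": {"name", "salary", "birth_year"},   "operator": "in-house",               "feeds": ["payroll_vendor"]},
    "dwh":            {"elements": {"email", "postcode", "salary"},    "operator": "in-house",               "feeds": ["bi_sandbox"]},
    "marketing_saas": {"elements": {"email"},                          "operator": "processor:MailCo",       "feeds": ["email_relay"]},
    "email_relay":    {"elements": {"email"},                          "operator": "sub-processor:RelayCo",  "feeds": []},
    "payroll_vendor": {"elements": {"name", "salary"},                 "operator": "processor:PayCo",        "feeds": []},
    "bi_sandbox":     {"elements": set(),                              "operator": "in-house",               "feeds": []},  # EUC-style copy with no declared elements
}


def downstream(app, inventory=INVENTORY):
    """Every system reachable from `app` through recorded flows (cycle-safe walk)."""
    seen, stack = [], list(inventory[app]["feeds"])
    while stack:
        nxt = stack.pop()
        if nxt not in seen:
            seen.append(nxt)
            stack.extend(inventory[nxt]["feeds"])
    return seen


def processing_record(element, inventory=INVENTORY):
    """Article 30 view: systems holding the element and the external recipients among them."""
    systems = sorted(a for a, meta in inventory.items() if element in meta["elements"])
    recipients = sorted({inventory[a]["operator"] for a in systems if inventory[a]["operator"] != "in-house"})
    return {"element": element, "systems": systems, "external_recipients": recipients}


def erasure_plan(subject_elements, inventory=INVENTORY):
    """Article 17 view: systems that must erase, plus downstream systems that receive a
    flow from a holder yet do not declare the element (a lineage gap to verify by hand)."""
    erase, verify = {}, set()
    for element in subject_elements:
        for app in processing_record(element, inventory)["systems"]:
            erase.setdefault(app, set()).add(element)
            for target in downstream(app, inventory):
                if element not in inventory[target]["elements"]:
                    verify.add(target)
    return {"erase": erase, "verify": sorted(verify)}
```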
STEP 16: ENFORCE COMPLIANCE
Automate controls with a unified data platform

| Regulation example | Description | Controls | Talend tooling |
|---|---|---|---|
| Australia Privacy Act, Principle 8 | Cross‐border disclosure of personal information | Sign‐offs by legal and compliance during the design phase of any new project that requires the processing of personal data | Talend Metadata Manager; Talend MDM |
| Singapore PDPA, Second Schedule | Conditions for consent: collection, processing, keeping, use, and disclosure of personal data | Obtain informed consent of data subjects | Talend MDM; Talend Big Data; Talend Data Quality |
| GDPR, Article 9 | Processing of special categories of personal data, such as race and ethnic origin | Identification of special data categories as CDEs; sign‐off by legal and compliance on usage of special categories of data during the design phase of a project | Talend Metadata Manager; Talend MDM |
| HIPAA Privacy Rule’s de‐identification standard | Processing which does not require identification | Data masking | Talend Data Quality; Talend Data Preparation |
| GDPR, Article 30 | Records of processing activities | Data lineage for sensitive data within the enterprise and extending to processors and sub‐processors | Talend Metadata Manager |
POLL #2: CONSIDERING TOOLS FOR DATA PRIVACY COMPLIANCE?
1. Metadata Management
2. Data Stewardship
3. Data Quality & Integration
4. Data Masking
5. Data Governance
Multiple responses are possible
THE 5 PILLARS FOR DATA PRIVACY COMPLIANCE WITH TALEND
• Map your Personal Data
• Build your Data Subject 360°
• Protect your most Sensitive Data
• Delegate Accountabilities
• Manage Data Location, Movement & Portability
YOUR NEXT STEPS FOR COMPLIANCE
• Read our White paper
• Join our Part 2 webinar on March, 27th
• Define ‘personal data’ with respect to your organization
• Map personal data elements to applications
• Above all, drive alignment between Legal, Compliance, Privacy and Enterprise Data Management so that the existing data governance program is re‐used to support GDPR compliance
QUESTIONS?