70% of employees have access to data they should not… and that’s going to be a problem when GDPR takes effect in May 2018.
A strong data governance program ensures that you have the policies, standards, and controls in place to protect data effectively and access it for decision making. Data governance may become one of the most important functions of your data integration architecture when it comes to data agility.
Watch this on-demand webinar describing practical steps to data governance:
- Map personal data elements to data fields across systems using metadata
- Create workflows for data stewardship and manage end user computing
- Establish a data lake with native data quality for consent processing
- Track and manage data with audit trails and data lineage
About us
Sunil Soares, Information Asset, @sunilsoares1
• Founder & Managing Partner
• Thought leader in the Data Governance industry
• Authored eight books on Data Management, Data Governance, and Data Sovereignty
• Information Asset is a boutique consulting firm focused on delivering Data Governance to diverse clients in multiple industries
Jean-Michel Franco, Talend, @jmichel_franco
• Sr Product Marketing Director, Data Governance
• 25 years of experience in Data Management and BI
• Authored 4 books, and regular publications and blogs on data governance
• Talend is a next-generation leader in cloud and big data integration software that helps companies make data a strategic asset.
About the EU General Data Protection Regulation
• The EU published the General Data Protection Regulation (GDPR) in May 2016
• After a two-year transition period, the GDPR will go into effect on May 25, 2018
• The GDPR applies to the processing of personal data of all data subjects, including customers, employees, and prospects
• Non-compliance with the GDPR may result in huge fines, which can be the higher of €20M or four percent of the organization’s worldwide revenues
Global Data Privacy is Multi-Dimensional
• Multiple subject areas: Customer, Employee, Citizen, Vendor…
• Emerging data types: Internet of Things, Biometrics…
• Multiple jurisdictions: EU, Canada, Australia, U.S.…
• Rapidly changing regulations: GDPR, CASL, HIPAA…
Poll #1: How Far Along Are You with GDPR?
• Not started: 48%
• Conducting risk assessment: 32%
• Doing data mappings: 18%
• Further along: 2%
A 16 Step Data Governance Plan for GDPR Compliance
1. Develop Policies, Standards & Controls
2. Create Data Taxonomy
3. Confirm Data Owners
4. Identify Critical Datasets & Critical Data Elements
5. Establish Data Collection Standards
6. Define Acceptable Use Standards
7. Establish Data Masking Standards
8. Conduct Data Protection Impact Assessments
9. Conduct Vendor Risk Assessments
10. Improve Data Quality
11. Stitch Data Lineage
12. Govern Analytical Models
13. Manage End User Computing
14. Govern the Lifecycle of Information
15. Set up Data Sharing Agreements
16. Enforce Compliance with Controls
Operationalizing the 16 step plan with Talend (goal: Talend solution(s))
• Map the critical data elements across your datasets: Metadata Manager
• Track and trace data with audit trails and data lineage: Metadata Manager; Master Data Management
• Anonymize data for controlled privacy protection: Data Quality (incl. data masking and shuffling)
• Establish a data lake for trusted data & consent management: Big Data; Master Data Management
• Foster accountability for governance and stewardship: Data Preparation; Data Stewardship
• Share data with your data subjects: Data Integration; Data Services
Step 2: Create Data Taxonomy
• Collaborate with data architecture to classify data into categories and sub-categories
• Customer, employee, prospect, vendor, franchisee
• Example for employees. Employee: Salary & Benefits; Identity; Contacts; Health information; Social media; Employee Performance
Poll #2: Have you agreed on a consistent definition of 'personal data' for GDPR purposes?
• No: 53%
• Yes: 47%
Step 4: Identify Critical Datasets & Critical Data Elements
• GDPR Article 4 defines ‘personal data’ as any information relating to an identified or identifiable natural person… by reference to an identifier such as name, identification number, location data, an online identifier…
• GDPR Article 9 restricts the processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership…
• Data Governance must work with Legal and Privacy to define ‘personal data’ for the GDPR
• Example: an item code ‘Halal’ may be covered by Article 9 because it may point to a data subject’s religion
Steps 5 & 6: Data Collection & Acceptable Use Standards
• GDPR Article 6 – Lawfulness of Processing
• GDPR Article 7 – Conditions for Consent
• Data Governance must establish controls so that Legal and Privacy sign off on data collection for any new project during the design phase
• Example: creating an Enterprise Consent Repository with MDM
Step 7: Establish Data Masking Standards
• GDPR Recital 26 & Article 11 state that the principles of data protection should not apply to anonymous information
• GDPR Article 32 deals with the security of personal data
• Example: anonymizing salary and benefits data for data science and analytics
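The masking example above, worked through in code as an added illustration (this is not Talend's tooling or the webinar's own material): a constructed HR extract has its direct identifiers removed, the employee id replaced by a keyed-hash pseudonym, and age and salary generalised into bands, after which a k-anonymity check on the remaining quasi-identifiers decides whether the extract is safe to release to analytics. The sample rows, the key, the band widths and the chosen quasi-identifier columns are all assumptions for the demonstration.

```python
import hashlib
import hmac
from collections import Counter

COLS = ("emp_id", "name", "email", "dept", "age", "salary")
# Constructed HR extract for illustration; not real employee data.
EMPLOYEES = [dict(zip(COLS, row)) for row in [
    ("E1001", "A. Example", "a@example.org", "Finance", 34, 61000),
    ("E1002", "B. Example", "b@example.org", "Finance", 37, 58000),
    ("E1003", "C. Example", "c@example.org", "Engineering", 29, 72000),
    ("E1004", "D. Example", "d@example.org", "Engineering", 25, 69000),
    ("E1005", "E. Example", "e@example.org", "Engineering", 41, 95000),
    ("E1006", "F. Example", "f@example.org", "Engineering", 45, 88000),
]]
DIRECT_IDENTIFIERS = {"emp_id", "name", "email"}   # removed outright
QUASI_IDENTIFIERS = ("dept", "age_band")           # generalised, then checked

def pseudonymize(emp_id: str, key: bytes) -> str:
    # Keyed hash: a stable token for joins, but the key holder can re-link it,
    # so per Recital 26 this is pseudonymised (still personal) data, not anonymous.
    return hmac.new(key, emp_id.encode(), hashlib.sha256).hexdigest()[:16]

def band(value: int, width: int) -> str:
    # Generalise a number into a fixed-width range, e.g. 61000 -> "60000-79999".
    lo = (value // width) * width
    return f"{lo}-{lo + width - 1}"

def anonymize(rows, key: bytes):
    # Drop direct identifiers, keep a pseudonym, and generalise the quasi-identifiers
    # and the salary itself so no individual is singled out by exact values.
    return [{"token": pseudonymize(r["emp_id"], key),
             "dept": r["dept"],
             "age_band": band(r["age"], 10),
             "salary_band": band(r["salary"], 20000)} for r in rows]

def k_anonymity(rows, quasi=QUASI_IDENTIFIERS) -> int:
    # Smallest group sharing the same quasi-identifier values; k == 1 means
    # some row is unique on those columns and can be re-identified.
    groups = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(groups.values())

def leaks_direct_identifiers(rows) -> bool:
    # Release gate: the masked extract must carry none of the direct identifiers.
    return any(col in DIRECT_IDENTIFIERS for r in rows for col in r)
```

A masking standard would set the minimum k and the band widths per data category (salary and benefits here) and keep the pseudonymisation key with the data owner, outside the analytics environment.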
Step 11: Stitch Data Lineage
• GDPR Article 30 requires organizations to maintain a record of processing activities
• This record must include
• a description of the categories and the categories of recipients of personal data, including those in third countries or international organizations;
• transfers of personal data to a third country or an international organization
• The recordkeeping requirements also extend to so-called processors who process data on behalf of an organization
• Critical step: mapping of personal data elements to applications
Step 12: Govern Analytical Models
• GDPR Article 22 deals with automated individual decision-making
• Under many privacy laws, automated processing is required to be disclosed and results are subject to data subject access
• “Disparate Treatment” versus “Disparate Impact”
• Example: predictive models may highlight that employees who live closer to work may stay longer in their jobs, but the models may discriminate against minority candidates in certain zip codes
Step 13: Manage End User Computing
• End User Computing (EUC) applications are outside the control of the IT department
• EUCs include Microsoft Excel spreadsheets, Microsoft Access databases and SharePoint repositories
• EUCs may contain personal data that is still subject to GDPR compliance, including data masking requirements
• Example: reclaiming control over user-managed personal data with self-service tools
Step 14: Govern the Lifecycle of Information
• GDPR Article 17 deals with the Right to Erasure or the ‘Right to be Forgotten’
• Manage information throughout its lifecycle (ILM), from creation through disposal, including compliance with legal, regulatory, and privacy requirements
• Manage retention schedules
• Example: How do you forget a data subject if you do not know where their information resides in the first place?
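An added example, not from the webinar or Talend, that ties Step 11, Step 13 and Step 14 together: a constructed map of which system holds each personal data element from the employee taxonomy, plus constructed lineage edges showing where copies flow, is used to answer the question above, fanning an Article 17 erasure request out to every copy and flagging the processor and third-country recipients that Article 30 asks you to record. Every system name, element and edge is invented for the demonstration.

```python
from collections import deque

# Constructed data map (Step 11 / Article 30): which system holds each personal
# data element; the element names follow the employee taxonomy from Step 2.
STORES = [
    ("employee.identity.email", "HRIS"),
    ("employee.identity.email", "CRM"),
    ("employee.salary.base_pay", "Payroll"),
    ("employee.health.leave_reason", "HRIS"),
]
# Constructed lineage edges: data is copied from the left system to the right one.
LINEAGE = [
    ("HRIS", "Payroll"),
    ("HRIS", "DataLake"),
    ("DataLake", "HR_Analytics.xlsx"),   # an end-user-computing copy (Step 13)
    ("CRM", "MailVendor"),
]
PROCESSORS = {"Payroll": "PayrollCo (EU)", "MailVendor": "MailCo (US)"}
THIRD_COUNTRY = {"MailVendor"}   # recipients outside the EU (Article 30 transfers)

def downstream(system: str) -> set:
    # Every system that receives a copy, directly or transitively (BFS over lineage).
    seen, queue = set(), deque([system])
    while queue:
        cur = queue.popleft()
        for src, dst in LINEAGE:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def locate(element: str) -> set:
    # Where an element resides: its systems of record plus everything downstream.
    roots = {sys for el, sys in STORES if el == element}
    return roots.union(*(downstream(r) for r in roots))

def erasure_plan(elements) -> dict:
    # Article 17: list every copy to erase, with processor and transfer flags, so the
    # request is fanned out to all holders rather than answered from one system.
    plan = {}
    for el in elements:
        plan[el] = sorted(
            (sys, PROCESSORS.get(sys), sys in THIRD_COUNTRY) for sys in locate(el))
    return plan

def unmapped(known_systems) -> set:
    # Systems in the application inventory that appear nowhere in the map:
    # exactly the "do not know where it resides" failure the slide describes.
    mapped = {s for _, s in STORES} | {s for edge in LINEAGE for s in edge}
    return set(known_systems) - mapped
```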
Step 16: Enforce Compliance with GDPR Controls
Columns: GDPR Article (sample); GDPR Description; GDPR Controls; Talend Tooling
• Article 6: Lawfulness of processing
  Controls: Sign-offs by legal and compliance during the design phase of any new project that requires the processing of personal data
  Talend tooling: Talend Metadata Manager; Talend MDM
• Article 7: Conditions for consent
  Controls: Obtain informed consent of data subjects
  Talend tooling: Talend MDM; Talend Big Data; Talend Data Quality
• Article 9: Processing of special categories of personal data, such as race and ethnic origin
  Controls: Identification of special data categories as CDEs; sign-off by legal and compliance on usage of special categories of data during the design phase of a project
  Talend tooling: Talend Metadata Manager; Talend MDM
• Article 11: Processing which does not require identification
  Controls: Data masking
  Talend tooling: Talend Data Quality; Talend Data Preparation
• Article 30: Records of processing activities
  Controls: Data lineage for sensitive data within the enterprise and extending to processors and sub-processors
  Talend tooling: Talend Metadata Manager
Poll #3: Considering Tools for GDPR Compliance?
(Bar chart with a 0% to 30% axis; the per-option percentages are not recoverable from the transcript.) Options: Data Governance; Data Masking; Data Quality & integration; Data Stewardship; Metadata Management
Suggested next steps towards GDPR Compliance
• Read our White paper: 16 Practical Steps towards GDPR Compliance
• Evaluate Talend tools at www.talend.com
• Define ‘personal data’ for GDPR with respect to your organization
• Map personal data elements to applications
• Above all, drive alignment between Legal, Compliance, Privacy and Enterprise Data Management to re-use the existing data governance program to support GDPR compliance