GDPR 25 MAY 2018
THE FIRST THREE STEPS TO GETTING GDPR READY
Agile Solutions is a specialist Information Management and Data Analytics consultancy. We provide applications, technology and support services across the UK, with offices in Glasgow, Manchester and Milton Keynes. As an independent UK company, we are passionate about using agile methods and automation to help clients manage, comply, safeguard and derive value from their data.
CONTENTS
4 Can GDPR be pain free?
6 How to approach GDPR readiness
8 What we offer
10 Preparing for success
11 Delivering success
13 Step 1: Raise GDPR awareness and assess impact on business areas
16 Step 2: Create a program roadmap
17 Step 3: Address technology architecture
18 IBM Solutions Architecture
19 IBM Product Solutions that can help and support a GDPR Program: Data Governance; Data Mapping
20 Data profiling and quality; Data integration
21 Archiving; Data management and lineage; Data analytics
22 Data security; Systems security
23 Useful links and contact
CAN GDPR BE PAIN FREE?
Agile Solutions 4
GETTING READY FOR GDPR CAN FEEL OVERWHELMING. THE TEMPTATION TO BURY ONE’S HEAD IN THE SAND PROBABLY NEVER HAD SUCH APPEAL.
However, GDPR can be part of a strategy to become more data-driven, as it requires data governance across all areas: both business-led and IT-led.
This makes agile methodologies ideally suited to tackling GDPR. An agile approach identifies where you are now and where you need to be on 25 May 2018, then breaks the gap into manageable steps.
The advantages are:
• Even if you are already on your GDPR journey, you can apply agile methodologies to take stock and ensure you are on track to meet compliance.
• Agile methodologies allow you to change, adapt and evolve your data management practices to meet your organisational needs.
• You can combine agile methodologies with other methods. If you use agile at the outset, you create a data governance framework and roadmap to follow; to deliver, you can switch to waterfall or a hybrid approach.
• Agile is results-driven. By working in sprints, you see results fast. This helps ensure you get the full support of key stakeholders in your organisation and that your results meet best practice.
• You can scale an agile approach to focus on:
  - a particular data governance issue (such as data quality)
  - an entire organisation, to develop an Enterprise approach, or
  - a specific business, department or region
The key to success with any approach is engaging the key people.
A comprehensive Data Governance Framework encompasses all the following data governance domains (as identified by DAMA, the Data Management Association International). We use the DAMA Governance model and the Gartner Maturity Model to analyse your data governance and data maturity. The principles of DAMA DMBOK provide a data quality assessment framework to use as a starting point to understand where you are on your data governance journey.
5 The first three steps to getting GDPR ready
Figure 1: Data Governance Domains (DAMA): Data Governance Strategy; Data Security Management; Metadata Management; Data Development; Data Quality Management; Data Architecture Management; Data Warehousing and Business Intelligence; Document and Content Management; Data Operations Management; Reference and Master Data Management.
HOW TO APPROACH GDPR READINESS
We show you how to address GDPR compliance within existing or planned business and IT projects, as well as embedding it into new projects.
Compliance with GDPR has to be a cross-functional initiative. It involves input from all parts of the organisation and requires investment in people, data and technology. There is no one widget or commercial-off-the-shelf (COTS) application you can purchase to become compliant, and if you were to request funding outside of business-as-usual (BAU) activities for a standalone GDPR program, the investment involved could be eye-watering.
Your data governance framework has to have the ability to evolve and respond to changes in your organisation (specifically movement of key stakeholders and sponsors), developments in technology (big data, cloud, IoT) and changes in your business model (e.g. new strategic initiatives, acquisitions, divestitures). Our pragmatic approach when developing a data management strategy focuses on the short- to medium-term priorities and plans accordingly.
We recommend a phased approach to implementation. This involves prioritising domains, process and technology to operationalise the data stewardship model. This needs to be accompanied by a strong change management plan to sustain your GDPR compliance program.
FUNDAMENTALLY, GDPR SIMPLY SEEKS TO ENFORCE RESPONSIBLE DATA MANAGEMENT PRACTICES.
An example of this approach is shown below:
Figure 2: Example of Change Management Plan (Information Management Maturity and GDPR). Rows (areas): Personal Data, Consent, Privacy Model, Privacy Officers, Data Access, Data Breaches, Suppression, Data Profiling, Data Portability, People, Data Design, Technology. Columns (maturity levels): Level 1 Informal Process; Level 2 Emerging Process; Level 3 Engineered Process; Level 4 Controlled Process; Level 5 Optimised Process.
100%: GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens.
WHAT WE OFFER
To support you in your GDPR journey, we can hit the ground running by providing you with our proven templates and GDPR-enhanced Agile toolkit. These assets have been produced by our team and have helped many Tier 1 organisations implement robust and scalable data management practices over the last 16 years.
SYSTEMS
• We assess the systems landscape and document system owners
• We identify any significant IT projects that a data governance program could leverage
• We look at the escalation structure for systems-related issues
• Where required for understanding, we deep dive into the current systems associated with data management
DATA
• We identify the data to be governed
• We document the ownership for each data set
• We document the administrators, stewards and end users of the data
• We seek to understand the nature and utility of data (frequency of data transfer, rate of change, number of downstream consumers, etc.)
PEOPLE
• We identify key stakeholders
• We document the various roles in GDPR (data controller, data processor, data steward, etc.) and identify who currently occupies these roles
• We analyse whether the systems and processes in place ensure people are carrying out their roles without unknowingly contravening GDPR
• We assess current and future training requirements
PROCESSES
• We examine existing standard operating procedures (to determine to what extent documentation related to business rules and data management rules exists)
• We seek to understand how business rules are formalised
• We document any best practice as a template for consolidation of business rules
• We seek to understand the business processes driving data management
• For key data processes, we walk through the Create, Read, Update, De-activate/Delete (CRUD) cycle
PREPARING FOR SUCCESS
THE AGILE INFORMATION MANAGEMENT (AIM) FRAMEWORK HAS BEEN DEVELOPED BY AGILE SOLUTIONS.
AIM is an innovative, structured method for achieving the goals of business agility by applying a strategic approach to the delivery of data management solutions and services.
The framework selectively overlays a number of proven management methods, system design techniques and technology types on a data-centric architecture, design and delivery capability, allowing companies to evolve, capture opportunities and react to market threats quickly.
For further information, please download our AIM ebook.
44%: incorrectly believe GDPR will not apply to UK business after Brexit.
DELIVERING SUCCESS
WE USE AGILE METHODOLOGIES.
This means the data governance roadmap and strategy can be scaled in a number of ways:
• focused to address a particular data governance issue (such as data quality)
• employed across an entire organisation to develop an Enterprise approach
• applied within a line of business, department or region
Multiple business and functional areas will be impacted by GDPR, and early engagement with key stakeholders to solicit their input is vital.
Our initial exercise (in the form of workshops) with the program sponsors focuses on the following objectives:
1. Prioritise data governance domains
2. Prioritise business areas
3. Prioritise data management processes
4. Prioritise the systems landscape
Fundamental to this is agreeing with our clients a backlog that forms a program of work which we can organise into sprint cycles.
Whether true agile, a hybrid or a waterfall approach is used for the delivery of the program of work, agreeing priorities up front and setting limits on scope to avoid creep in delivery is key to success.
24%: of UK companies are, incorrectly, no longer preparing for GDPR post Brexit.
We carry out a pre-workshop (electronic) survey of stakeholders in order to:
• Get people engaged with a GDPR and Data Governance roadmap in advance of the overview session
• Gain insight into the understanding of GDPR and current compliance / known risks per business domain, to tailor the contextual workshop content
• Collect quantitative data on the current level of understanding and possible risks
STEP 1: RAISE GDPR AWARENESS AND ASSESS IMPACT ON BUSINESS AREAS
An electronic survey is conducted a week in advance of the workshops to assess GDPR knowledge.
In step 1, we run two workshops to:
• Identify and engage key stakeholders
• Evaluate and establish awareness
• Assess GDPR readiness by undertaking a gap analysis of risk and current capability across people, process and technologies
Using the DAMA Data Governance Framework and Gartner maturity models linked to our own AIM methods, we run exercises that allow us to examine your data governance and check data quality. This provides an objective assessment of your data maturity.
Recommended reading prior to workshops: 12 Essential Steps to Help You Prepare for GDPR
Figure 3: Business areas impacted by GDPR: Sales, Legal, Compliance, Operations, IT, HR, Finance, Supply Chain, Marketing.
WORKSHOP 1: OVERVIEW PRESENTATION
Agile Solutions provides an overview of GDPR.
Workshop 1: designed for C-level
Location: onsite. Duration: 1 hour
Audience
• Chief Data Officer (CDO), related DQ/DM functions and other data consumers
• Ops and technology services management
• Legal counsel, risk and compliance management
• Supply chain/vendor management
Agenda
• Key elements of GDPR
• Overview of 12 steps to prepare for GDPR
WORKSHOP 2: ASSESS GDPR IMPACT ON BUSINESS AREAS
Workshop 2 examines the impact GDPR has on business areas.
Workshop 2: business area level
Location: onsite. Duration: 2 hours
Audience
• CDO, related DQ/DM functions
• Business function management
• Ops and technology services management
• Legal counsel, risk and compliance management
• Supply chain/vendor management
Agenda
• Outline activities relevant for each business area
• Map personal data within each business area
• Identify current high, medium and low risk data management practices
Outcomes
• Each business area creates an overarching plan and identifies the key people to implement it.
40%: admit to being less than fully prepared to comply with GDPR requirements.
STEP 2: CREATE A PROGRAM ROADMAP
WORKSHOP 3
Each individual business function area requires a minimum one-day program backlog refinement workshop.
We demonstrate what good governance looks like in this area. This enables participants to identify all the things they want to achieve (defined in Scaled Agile terminology as Themes, Epics, Capabilities and Features). These are categorised in order of priority and as short-term, medium-term and long-term projects.
Workshop 3: business function level
Location: onsite
Duration: one-day workshop, followed by a follow-up session to be arranged
Audience
• Business function management
• Data stewards within each business function
• Enterprise architect
Agenda
• Create a list of Themes, Epics, Capabilities, Features and Enablers (the program backlog)
• Create a roadmap to undertake the program backlog development
• Identify data and data flow prioritisation
• Identify existing and planned technology stack and its function
FOLLOW-UP SESSION – PRESENTATION OF PROGRAM ROADMAP
• A program roadmap across all functions with the capabilities or features that require addressing. This identifies any duplication that could be addressed simultaneously.
• A clear view of who needs to help achieve each milestone on the roadmap
STEP 3: ADDRESS TECHNOLOGY ARCHITECTURE
Having identified any issues regarding the technology architecture currently in use, or which you plan to adopt, we carry out an assessment.
Agile Solutions has an ‘agnostic’ approach to technology. In other words, we are completely neutral as regards technology, and only give advice based on what we believe works best for your business requirements and budget. As we are partnered with a number of leading technology vendors (including Informatica, IBM, SAS and Experian), we are able to provide robust, scalable and future-proofed architectures. In this paper we showcase IBM’s GDPR solutions.
Tasks
• Assess existing and planned technology stack
• Run our fit-for-purpose tool to recommend any changes or improvements
• Offer strategic advice on which technologies could fulfil current and future needs
Outcomes
• We provide a report on the current state of your technology and advise on what we believe to be the best technology selection, as appropriate
• Create a technology adoption plan
• Create a training plan
• Prepare a budget plan and business case for approval
Penalties of up to €20m or 4% of global turnover for failure to comply with GDPR requirements.
IBM SOLUTION ARCHITECTURE
TO HELP PREPARE FOR THE CHANGES THAT MAY 2018 IS BRINGING, IBM HAS DEVELOPED AN ENTERPRISE-WIDE SOLUTION ARCHITECTURE.
It includes a methodology that can scale both for GDPR and for clients’ own specific regulatory demands.
IBM’s portfolio of technology addresses data management, data governance, analytics and security, as well as bespoke research assets. IBM’s GDPR solution framework (Figure 4) is a reference point for the technical capabilities required for aspects of GDPR.
Clients often use a combination of products for structured and unstructured data, all with business mapping capability.
Key areas IBM products can help with are:
• Discovering and documenting what personal data is held, where it came from and with whom it is shared.
• Supporting requests from data subjects, such as the right of access and the right to be forgotten, within the new GDPR timeframes.
• Documenting the legal basis for each type of data processing activity.
• Applying techniques such as anonymisation and pseudonymisation to personal data.
• Handling and governing personal data more efficiently and safely.
Figure 4: IBM’s GDPR Solution Framework. Pillars: Rights of EU Data Subjects; Security of Personal Data; Lawfulness and Consent; Accountability of Compliance; Design and Default. Governance layer: Policies, Rules, Audit Processes, Analyses. Data Management layer: Dynamic Policy Management (define what, why, how long); Implementation Services (distribute policies to data sources); Data Infrastructure (control use, align cost to value); Compliance monitoring. Data sources: Databases and Data Warehouse; ECM and Collaboration; Archive Platform; Hadoop Platform; Master Data; Email Servers; User Devices and File Shares; Cloud and Social.
IBM PRODUCT SOLUTIONS THAT CAN HELP AND SUPPORT A GDPR PROGRAM
DATA GOVERNANCE
InfoSphere Information Governance Catalog
• Policy and metadata management
• Business and technical glossary
• Searchable catalog of information assets
• Point of access and control for data stewardship tasks
Encourages a standardised approach to discovering IT assets and defining a common business language.
DATA MAPPING
Atlas (Data Mapping)
• Management of retention and disposition policies and rules
• Point of access for legal and records management personnel
Helps improve information economics and reduce risk by defensibly disposing of data debris.
DATA INTEGRATION
InfoSphere Optim Suite
a) InfoSphere Optim Archive
• Archives / disposes of personal data in accordance with retention / disposition policies defined in GDPR solution policy management layer
Manages the volume, speed and complexity of data growth for reduced storage costs and improved performance.
b) InfoSphere Optim Data Privacy
• Obfuscates / redacts personal data in accordance with policies defined in GDPR solution policy management layer
De-identifies confidential data on demand throughout the enterprise, including big data platforms. It masks data statically or dynamically in applications, databases and reports across production and non-production environments.
c) InfoSphere Optim Test Data Management
• Applies subsetting, anonymisation and pseudonymisation to production data to create realistic test data sets while minimising risks associated with any breach of test environments
Optimises and automates the test data management process.
DATA PROFILING AND QUALITY
InfoSphere Information Analyser (structured data)
• Discovers structured data sources, to reverse engineer the data model and feed into catalog
• Locates personal data within the information landscape
Provides data quality assessment, data quality monitoring and data rule design and analysis capabilities.
StoredIQ (unstructured data): Policy and Legal
• Automates discovery and classification of unstructured content within the information landscape
• Identifies personal information subject to GDPR controls
Identifies, classifies and manages enterprise information according to business value in order to reduce risk and cost.
IBM StoredIQ for Legal
• Manages data discovery and collection for legal processes
Streamlines the eDiscovery process for legal stakeholders to gain efficiency and transparency in custodian identification, legal hold notification, and eDiscovery collection and preservation.
DATA ANALYTICS
Watson Explorer
• Able to search for personal data across the data landscape and combine results in a single portal tailored to the user’s needs
• Uses natural language processing, content analytics and cognitive techniques to present a single view
Accesses and analyses structured and unstructured content and presents data, analytics and cognitive insights.
ARCHIVING
Enterprise Records
• Archives / disposes of unstructured information as per retention / disposition policies defined in GDPR solution policy management layer
Addresses, maintains and provides a record of compliance for electronic and physical records.
DATA MANAGEMENT AND LINEAGE
InfoSphere MDM
• Provides a single source of truth for citizen data and linkage to operational systems
• Point of access and control for stewardship
Manages master data for single or multiple domains – customers, patients, citizens, suppliers, locations, products, services offerings, accounts, etc.
90%: believe GDPR will impact the way they collect, use and process personal data.
SYSTEMS SECURITY
Security QRadar Security Information and Event Management (SIEM)
• Monitors systems involved in the processing of personal data, to provide early identification of attacks and potential data breaches.
Consolidates log source event data from thousands of devices, endpoints and applications distributed throughout a network.
DATA SECURITY
Security Guardium Data Activity Monitor
• Monitors and audits access to personal data, with detection of and alerting on non-compliant access.
Prevents unauthorised data access, alerts on changes or leaks to help ensure data integrity, automates compliance controls and protects against internal and external threats.
Security Guardium Data Encryption
• Provides encryption capabilities to safeguard on-premises structured and unstructured data to comply with industry and regulatory requirements.
This software performs encryption and decryption operations with minimal performance impact and requires no changes to databases, applications or networks.
Security Guardium File Activity Monitoring
• Continuously monitors files, detecting and blocking suspicious activity.
Monitors unstructured data such as documents, spreadsheets, web pages, presentations, chat logs and multimedia, ensuring sensitive data is secure.
46%: are highly confident that they’ll be ready by May 2018, and 88% report technological challenges.
USEFUL LINKS AND CONTACTS
THE INFORMATION COMMISSIONER’S OFFICE IS THE UK’S INDEPENDENT AUTHORITY SET UP TO UPHOLD INFORMATION RIGHTS IN THE PUBLIC INTEREST, PROMOTING OPENNESS BY PUBLIC BODIES AND DATA PRIVACY FOR INDIVIDUALS.
ICO: Information Commissioner’s Office
To find out more about Agile Solutions and our approach to making GDPR a positive experience, get in touch.
Agile Solutions GB Ltd, Ocean Chambers, 190 West George Street, Glasgow G2 2NR
0203 587 7831