
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data Management - The Implications Of The EU Global Data Protection Regulation On Every Business And Their Digital Service Providers


Learn what the EU General Data Protection Regulation (GDPR) means for your business. Carrot or stick, it's your choice, but with regulators able to impose fines of up to €20m or 4% of global annual turnover (whichever is higher) for infringements after 25 May 2018, the carrot is the better option.

Are you aware? Are you prepared? Do you comply?

To book a free, non-sales consultation about GDPR with Ian West, contact enquiry@digitalenterprisefest.com


  1. The Big Scary Thing! How the EU General Data Protection Regulation (GDPR) will affect your business. Ian West, Head of Digital Information Innovation, Cognizant. (© 2017 Cognizant, Confidential)
  2. A few teaser questions to ease you in:
     • Do you remember the Millennium Bug?
     • Have you already heard about GDPR?
     • What is the significance of 25th May 2018?
     • Would fines of €20m, or 4% of your global revenue, whichever is the higher, damage your company?
     • Does your business have customers?
     • Does your company buy things from suppliers?
     • Does your organisation employ people?
     • Is Data Privacy designed in at source into everything you do?
     • Have you heard about BREXIT?
  3. GDPR | Overview: why should you listen. "If you have European residents as contacts, customers, partners, suppliers or employees, you are affected." (Diagram on the slide: Scope, GDPR Obligations, Individual Rights, Enforcement, Other Factors.)
  4. (Image only; no text on the slide.)
  5. GDPR Introduction (section divider)
  6. GDPR impacts the collection and use of Personal Data. Are you aware of the type of personal data you are holding?
  7. What's driving GDPR? Four shifts: technology shift, customer shift, competitor shift, workforce shift. Figures cited on the slide:
     • 28 billion connected devices by 2020 (IDC)
     • Manufacturing stands top, followed by healthcare and public services (Gartner)
     • IoT to add 10-15 trillion to global GDP (GE)
     • By 2025, the global GDP impact of IoT will be 11 trillion (McKinsey)
     • Google acquired Nest Labs, a smart thermostat maker, for $3.2 billion
     • Samsung took over SmartThings, a connected home expert, for $200 million
  8. Threat or Opportunity?
     Benefits: automated processing / re-engineering; customer on-boarding; IT and/or back office rationalisation; new business lines / models; single customer view / next best action; connected devices / Internet of Things; customer loyalty; customer experience; customer centricity; cost reduction; digital transformation; client centricity.
     Risks: future cost of compliance; complex, costly remediation activities; how secure does it have to be?
     Sanctions: fines of up to 4% of revenue; cessation of data flows; loss of licence to conduct business; reputational damage; loss of customer confidence; loss of market share to competition; drop in share price.
  9. Barriers to consumer confidence (image: https://tbgsecurity.com/wordpress/wpcontent/uploads/2016/01/World-biggest-data-breaches-2015.png). Two ICO enforcement examples shown:
     • Disclosure in error, 700 data subjects: fined £180,000 by the ICO
     • Cyber breach, 157,000 customers: fined £400,000 by the ICO
  10. A simple example of how easily a breach can happen: Lord (Baron) John Prescott, Deputy Prime Minister from 1997 to 2007, Right Honourable Labour MP for Hull East. (Image on the slide.)
  11. GDPR - Legislation (section divider)
  12. The Legislation
     More explicit rights for data subjects:
     • Personal & sensitive data: to be told what data you have about them; to request a copy, or for it to be deleted; to demand that it be corrected
     • Processing: to know how you are processing their data and under what consent
     • Security: from unauthorised or unlawful processing; from accidental loss, destruction or damage
     Transparent demonstration of fulfilment of accountabilities:
     • Transparently demonstrate that personal data is captured and managed in a controlled, lawful and fair manner
     • Respond to data subject rights requests without undue delay and at the latest within one month (GDPR Art. 12(3)); the 72-hour deadline applies to notifying the supervisory authority of a personal data breach (Art. 33), not to rights requests
     • Ensure personal and sensitive data is secure
     • Ensure appropriate agreements are in place for transfers to third countries or international organisations
     • Demonstrate active senior involvement and that appropriate governance mechanisms are in place
     • React quickly and effectively in the event of data breaches or failure to execute data subject rights
     Companies need to know where personal data is, why they have it, how they're using it, who is accessing it, how they're protecting it, AND be able to demonstrate it to an external regulator.
  13. GDPR – The Legislation | Territorial variances
     • GDPR is an overarching regulation for organisations inside and/or outside the EU that process the personal data of individuals in the EU (residents and visitors, not only EU citizens: Art. 3)
     • As a Regulation it applies directly in every Member State, but it leaves room for national laws to add conditions in areas such as employment data (Art. 88), so national law still has to be checked alongside it
     • Sector-specific regulations also need to be considered
     • The heat map on the slide (not reproduced here) gives an overview of national data protection laws globally (Forrester; source: US Department of Commerce and country-specific legislation)
  14. Typical client responses, from lowest to highest maturity:
     • Ignore, and increase the risk of considerable fines and loss of customer confidence
     • Project mode embarked upon to appease the immediate buzz around the panic
     • Adopt good practice and embed sustainable, robust processes for ongoing compliance
     • Embrace the intention of consumer confidence to support the brand and build online / digital presence
     • Leverage the opportunity by adopting best practice to move along the digital journey: single view of the customer, market segmentation, differentiated services
  15. A typical timeline: "GDPR is a journey that doesn't stop in May 2018". Based on the ICO recommended timeline; your journey will be different, but we believe there is still sufficient time to establish a defensible position.
     • Prepare (Oct to Dec 2016): GDPR readiness assessment; allocate DPO responsibility; gap assessment; prioritise and plan; ensure budget / sponsorship; information inventory
     • Implement (Jan to Dec 2017): detailed planning, then design, build, test and accept across the workstreams of data governance, subject rights processes, data protection, protect workflows, preserve workflows, containment & recovery, and breach reporting
     • Train / Maintain (into 2018): mobilisation & enablement; training & awareness; continuous improvement
     • May 2018: GDPR enforcement date
  16. Cognizant's Approach (section divider)
  17. GDPR compliance requires a 360° perspective
     GDPR impacts the enterprise:
     • GDPR is an enterprise-wide business problem and it requires enterprise solutions
     • Approached in the right way, GDPR will allow organisations to build trust with their customers / stakeholders and positively differentiate in the digital age
     Fragmented approach:
     • GDPR requires a 360-degree perspective, and organisations that approach GDPR from a single viewpoint are liable to increased risk exposure
     • There are over 20 defined areas to the GDPR, all of which require a distinct solution
     • Cognizant has a comprehensive framework that covers all the required GDPR areas and which can be traced back to each individual component of the legislation
     There is no silver bullet to GDPR:
     • GDPR is the most complex piece of regulation in recent times and impacts everybody
     • The depth and breadth of activity required to demonstrate and maintain compliance is significant
     • There is no single solution to GDPR
     GDPR aims to protect the personal data of EU residents, not just secure it. There is no single solution for GDPR due to its complex remit and enterprise-wide impact.
  18. GDPR | There is no silver bullet. Four dimensions:
     • People (cultural shift to data protection by everybody, with defined rules and responsibilities): governance; policy; audit; education and awareness
     • Process (improved processes to respond to data subject rights and manage data processing): business process change; change management; etc.
     • Technology (technology to monitor activities and deliver forensic detection): data security; data protection; data loss prevention; categorisation; retention / archiving; sensitivity classification; digital rights management
     • Information (information governance, data ownership and quality management): data quality; data governance; master data management; metadata management
     Hitting these four dimensions enhances consumer confidence.
  19. Cognizant's Approach
     Prepare:
     • Internal engagement: identify key sponsorship and internal stakeholders; engage with 3rd parties; appoint a DPO where required
     • Assessment: initial risk assessment of exposure; detailed analysis across people, processes, data and technology against good practice
     • Planning: prioritisation; road mapping
     Protect (implement):
     • Execution of process changes: data subject requests; consent
     • Good data governance: data architecture; data quality; data transparency
     • Protection: privacy by design; security
     • Demonstrating accountability: governance; management; audit
     Preserve (intervene and improve):
     • Containment and recovery: immediate response to suspected non-compliance issues
     • Assessment of impact and risk: penalties and reputation
     • Breach reporting: fulfilling regulatory obligations
     • Evaluation and response: root cause analysis
     • Continuous improvement: periodic reviews; new developments
  20. Cognizant's Four Dimensional GDPR Framework
     GDPR Readiness Framework: People: governance and oversight; Process: consent and rights; Data: data management and security; Technology: data architecture.
     GDPR Assistance Services: assessments / deep dives; journey mapping and data analysis; delivery mobilisation, execution and oversight; organisational design covering people and processes; technology enablement; tools and accelerators.
     We are currently working with clients across various stages of GDPR implementation. We are on our own compliance journey, applying the changes required for GDPR through a digital lens.
  21. Cognizant's GDPR Compliance Solutions Suite (consulting and implementation programme)
     • Privacy Impact Assessment: assessments to demonstrate "Privacy by Design" across geographies using assisted automation
     • Readiness Assessment: current scenario assessment, compliance gap analysis & roadmap
     • Data Governance Advisory: data governance best practices, policies, data stewardship, change management and communication
     • Personal Data Maps: data discovery, accuracy, classification & lineage identification
     • 360° Secured Data: data security solution deployment across data at rest and in motion
     • Breach Assist: automated monitoring and notification system for security breaches
     • Rights & Consent Manager: technology implementation to manage data subject consent, subject access and rights
     • Legal Warehouse: policy and contract repository for maintaining audit trails of personal data usage
  22. The 5 golden keys
     1. Know where your personal information is located, who is using it, for what purpose and how it is being protected
     2. Modify your processes (consent, subject access requests)
     3. Review and manage your security and privacy policies, and review all relevant 3rd party contracts
     4. Educate your personnel
     5. Formulate a defensible position
  23. Are you ready for action? Understand your exposure and opportunity; pick the right partners and build a plan; create a defensible position.
  24. Summary
     • 25th May 2018 is 56 weeks away
     • GDPR is coming whether you like it or not, so start getting ready now!
     • Unlike Year 2000, GDPR is not a one-off IT problem; it's a business issue and it's for life, just like a puppy, and it will **** on your carpet unless you take the necessary precautions
     • GDPR is not just for big companies, because big companies will not use the services of small companies unless they can prove they are taking data privacy seriously
     • The fines for getting GDPR wrong are very large: up to €20m or 4% of your global revenue, whichever is the higher!
     • It doesn't matter that you are a subcontractor to a client organisation. You may come into contact with the personal data they control, and that makes you a Processor with direct obligations of your own under GDPR (Art. 28), exposed to the same enforcement and liability regime (Art. 82 and 83)
     • GDPR requires data privacy to be designed in at source
  25. It's a matter of perception and delivery.
  26. Ian West, Ian.West@cognizant.com, uk.linkedin.com/in/ianwest1, twitter.com/IanWest12
  27. Appendix
  28. GDPR - The Legislation | How will it affect you?
     Consider your information chains / flows:
     • Understand who is the Controller, or whether there is a joint Controller set-up
     • Understand who your Processors are, and whether any Sub-Processors are involved
     Ask yourself the following:
     1. Do you know where personal and sensitive data is stored and who has access to it?
     2. Do you perform any profiling, or automated decision making, about individuals?
     3. Have you the right to hold and process an individual's data, and can you prove that?
     4. Is any of your data shared outside of the EU?
     5. Can you provide auditable evidence of usage and processing?
  29. GDPR – Cognizant's View | Controller / Processor scenarios
     Controller (accountable)
     • Responsibilities: full responsibility; data protection by design and by default; codes of conduct; data protection impact assessment; EU representation; Data Protection Officer (DPO); cooperation; record processing; security; notify
     • Internally hosted (e.g. internal HR systems, shared service platforms, CRM data on individual laptops): identify data sources; review GDPR readiness (data, process, security); set up new data subject rights processes; implement new governance / management / CoC / technology
     • Externally hosted (e.g. HR / payroll cloud services, Salesforce.com): identify data sources; review services / contracts to ensure the 3rd party is able to comply; set up 3rd party audit verification
     Processor (obligated)
     • Responsibilities: guarantees and safeguards; cooperation; record processing; security; notify
     • Internally hosted (e.g. credit data (Experian / Equifax), debt history, etc.): identify key client data services; review services / contracts to understand exposure; review GDPR readiness (data, process, security); implement new ways of working (data, process, technology); communications plan to existing data service clients; renegotiation / reassurance of existing services; internal awareness for communications to clients
     • Externally hosted (e.g. client services you are processing held on AWS): identify key client data services subcontracted out; review services / contracts to ensure the 3rd party is able to comply; set up 3rd party audit verification; communications plan to existing data service clients; renegotiation / reassurance of existing services; internal awareness for communications to clients
  30. The next steps: comprehensive coverage; confidence through traceability; underpinned by solutions.

Editor's notes

  • http://www.davidfroud.com/category/regulatory-compliance/gdpr/
