The General Data Protection Regulation and the DAMA DMBOK – Tools you can use for Compliance
Abstract: The General Data Protection Regulation will be the law governing data privacy in Europe from 2018. Surveys show that less than 50% of organisations are aware of the changes within the legislation, and even fewer have any plan for achieving compliance. In this session, Daragh O Brien gives a high-level overview of the GDPR and of how the disciplines of the DMBOK can help with compliance.
Notes: DMBOK is an abbreviation for the "Data Management Body of Knowledge", which is published by DAMA International (the Data Management Association).
3. One ring to rule them all*…
*With up to 50 areas of local variation in 28 Member States
4. Penalties
Administration & Governance Offences: up to 2% of global annual turnover or €10,000,000, whichever is greater
• Failure to implement appropriate security measures
• Failure to implement Data Protection by Design/by Default
• Failure to ensure governance of data processors
• Failure to conduct a PIA where required
• Failure to maintain records of processing activities
• Failure to have processes to support Data Subject rights
Fundamental Rights & Duties Offences: up to 4% of global annual turnover or €20,000,000, whichever is greater
• Breach of core Data Protection principles
• Failure to ensure lawful basis for processing
• Failure to meet conditions for consent
• Failure to respect/comply with rights of data subject
• Failure to ensure data transfers on valid basis
• Failure to comply with order of the DPC
5. Liability
Civil liability for both material damage and immaterial
damage
Data Protection breaches can get you sued!
An evolution of existing rights
6. The Problem with how most organisations do Data Privacy
7. The Need for Holistic Thinking
Need to consider the entire environment (Information Environment, Ethical Environment)
Legal can't fix broken process designs
[Slide image: the "tyre swing" cartoon of bad design]
8. The Global Legislative Trend
Total global data privacy laws, by period (as charted on the slide):
1970s: 7
1980s: 17
1990s: 36
2000s: 68
2010-2016: 110
Within this, there is also continued evolution of existing Data Privacy laws (e.g. EU Data Protection Regulation)
10. GDPR Summarised
• Regulatory "One Stop Shop"
• Core Principles (principles driven):
  1. Lawfulness, fairness, transparency
  2. Purpose Limitation
  3. Data Minimisation
  4. Accuracy
  5. Storage Limitation
  6. Integrity & Confidentiality
  7. Accountability
  + Article 1, 7, and 8 ECHR
• Increased Penalties: fines as % of global turnover; mitigating factors
• Risk based approach to Data Protection: Privacy by Design/Default
• Explicit focus on Governance: documentation; Data Protection Officer; evidence of effectiveness (risk & penalty mitigation)
• Stricter Consent (where consent is the only basis)
• Enhanced Rights: Data Portability; RTBF (Right to be Forgotten)
• Enforcement against Data Processors
• Extra-territoriality
11. The GDPR Principles – An evolution…
Current principles:
• Fair Obtaining
• Purpose Specification
• Purpose Limitation
• Security
• Accuracy
• Adequate / Relevant
• Retention
• Data Subject Rights
GDPR principles:
• Lawfulness, fairness, transparency
• Purpose Limitation
• Data Minimisation
• Accuracy
• Storage Limitation
• Integrity & Confidentiality
• Accountability
12. The Accountability Principle
"The Controller shall be responsible for, and be able to demonstrate compliance with…"
Article 5(2) General Data Protection Regulation
Creates a positive duty to actively monitor and govern the management of personal data
“Shelf-ware” policies and reactive responses to issues do not demonstrate compliance
13. One key change: Some new definitions
Personal Data: any information relating to an identified or identifiable natural person who can be
identified either directly or indirectly, in particular by reference to an identifier such as a name,
identification number, location data, online identifier, or one or more factors specific to physical,
physiological, genetic, mental, economic, cultural, or social identity of that person
Processing: any operation or set of operations which is performed upon personal data or sets of
personal data, whether or not by automated means, such as collection, recording, organising,
structuring, use, disclosure, transmission, dissemination or otherwise making available, alignment
or combination, restriction, erasure or destruction;
The definition of personal data is slightly broader in terms of the things that might identify a person: location data, online identifiers and genetic factors are now listed explicitly…
HOARDS still valid as a way of remembering what Processing is…
14. One key change: Some new definitions
Profiling: any form of automated processing consisting of using data to evaluate certain personal
aspects relating to a natural person, in particular to analyse or predict aspects concerning that
natural person’s performance at work, economic situation, health, personal preferences,
interests, reliability, behaviour, location or movements
Personal data breach: a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or
otherwise processed
A broad category of activity – “automated processing” now clearly defined
Current Irish DPC Code of Practice includes “risk of breach”
15. A clearly defined test for "Compatible Purpose"
Is there a link between the purposes?
What was the context of collection, in particular
relationship between Controller & Data Subjects
What is the data?
What are the risks/possible consequences to the
data subject?
What safeguards are being put in place to protect
fundamental rights?
16. New Duties: Privacy By Design/Default
Privacy is the default setting for processes.
Must ensure appropriate controls are in place in design and development
Must ensure appropriate technical and organisational measures are in place to minimise access to data for particular purposes
17. New(ish) Duty: Data Security Breach
Largely as per current DPC Code of Practice
Must notify DPC "without undue delay" and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals' rights and freedoms
Any notification later than 72 hours must be accompanied by a reasoned justification for the delay
Communication to Data Subjects required if there is a high risk to rights and freedoms.
Not required if the data is unintelligible to unauthorised persons (e.g. encrypted, provided the key was not also compromised)
Not required if the controller has taken steps to eliminate the risk of impact to rights/freedoms
Not required if it would involve a disproportionate effort (a public communication may be required instead)
DPC has the final say.
18. New Role: The Data Protection Officer
Not mandatory in all cases, but recommended
Will be mandatory for public authorities, and for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of sensitive (special category) personal data
Member States may set their own rules locally
DPO must have "expert knowledge of data protection law and practices and an ability to fulfil tasks" of the DPO.
May be a member of staff or may be a contractor
Contact details should be published and communicated to the DPC.
19. New Role: The Data Protection Officer
A public facing role (can be contacted by Data Subjects)
Must be involved in a "timely manner" in all issues relating to processing of personal data
E.g. system design and specification
Must be supported by the Data Controller in executing tasks and maintaining knowledge.
Must be able to act independently in relation to Data Protection tasks
Should report to the most senior executive level
Role is to:
Inform and advise
Monitor compliance with external legislation and internal policies and procedures, including training
Support Privacy Impact Assessments
Act as contact point for the DPC
Cannot be dismissed or penalised for performing Data Protection tasks
20. A Focus on Governance & Controls
• Article 23: Privacy by Design & Default
• Article 28: Documentation
• Article 33: Data Protection Impact Assessment
• Article 33(8): Data Protection Compliance Review
• Article 35: Data Protection Officer
• Article 37: Tasks of DPO
(Article numbers follow the 2012 Commission draft used when the deck was written; in the final Regulation (EU) 2016/679 these are Articles 25, 30, 35, 37 and 39 respectively, and the review of processing against the DPIA sits in Article 35(11).)
23. Data Privacy: Principles
GDPR Data Governance Data Quality
Lawfulness, fairness, and transparency
Purpose Limitation
Data Minimisation
Accuracy
Storage Limitation
Integrity and Confidentiality
Accountability
Data Subject Rights
24. Relevant Dimensions of Information Quality
Information Quality Dimension | 95/46/EC | ePrivacy Regs | EUDATAP (X = dimension relevant under that instrument)
Accuracy X X X
Completeness X X X
Timeliness X X X
Consistency X X
Conformity X X
Relevance/Not Excessive X X
Adequacy (for purpose) X X
Duplication X X
Quality of Data Definition (business & tech) X X
Information Product Specification X X X
25. Defining Information Quality & Information Quality Management
29. What is Data Governance in DMBOK?
Definition:
The exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets.
Goals:
• To define, approve, and communicate data strategies, policies, standards, architecture, procedures, and metrics.
• To track and enforce regulatory compliance and conformance to data policies, standards, architecture, and
procedures.
• To sponsor, track, and oversee the delivery of data management projects and services.
• To manage and resolve data related issues.
• To understand and promote the value of data assets.
Activities:
1. Data Management Planning
• Understand Strategic Enterprise Data Needs
• Develop and Maintain the Data Strategy
• Establish Data Professional Roles and Organizations
• Identify and Appoint Data Stewards
• Establish Data Governance and Stewardship Organizations
• Develop and Approve Data Policies, Standards, and Procedures
• Review and Approve Data Architecture
• Plan and Sponsor Data Management Projects and Services
• Estimate Data Asset Value and Associated Costs
2. Data Management Control
• Supervise Data Professional Organizations and Staff
• Coordinate Data Governance Activities
• Manage and Resolve Data Related Issues
• Monitor and Ensure Regulatory Compliance
• Monitor and Enforce Conformance With Data Policies, Standards, and Architecture
• Oversee Data Management Projects and Services
• Communicate and Promote the Value of Data Assets
Inputs:
• Business Goals
• Business Strategies
• IT Objectives
• IT Strategies
• Data Needs
• Data Issues
• Regulatory Requirements
Primary Deliverables:
• Data Policies
• Data Standards
• Resolved Issues
• Data Management Projects
and Services
• Quality Data and
Information
• Recognized Data Value
30. Data Privacy: Data Governance
Principle (X marks the DMBOK function the slide maps it to: Governance, Quality)
• Personal data which is being processed must be fairly obtained and processed: X
• Personal Data shall be obtained for a Specified and Lawful Purpose: X
• Personal Data shall not be processed in a manner incompatible with the specified purpose: X
• Personal Data shall be kept accurate and complete and, where necessary, kept up to date: X
• Personal Data should be kept Safe & Secure: X
• Data processed must be adequate, relevant and not excessive: X X (both)
• Personal data should not be kept for longer than necessary for the specified purpose or purposes: X X (both)
• Data Subjects have a right of Access: X
31. Understanding Information/Data Stewardship
Information Stewardship is:
An ethic that embodies responsible planning and
management of Information Resources through…
The acceptance or assignment of responsibility to
shepherd and safeguard the Information Assets of
others, both inside the organisation and beyond
32. A Holistic Framework?
Based on the 9-box model developed by Abcouwer, A.W., Maes, R. and Truijens, J., University of Amsterdam (1997-2003)
Data Protection Officer
Documentation & Controls
Evidence of Effective Operation
Privacy Expectation met or exceeded!
34. The Data Protection/Privacy Officer Role
• Reporting to Executive Board
• Must be Independent
• Technical and Business skills
• Accountable for the System of Governance
• "Statutory Tenure"
• Relationship to CDO, CPO, CIO etc.
35. A Data Stewardship Mind Map – Standards?
Governance & Stewardship
• Data Use Steward (Doer/Definer): UX Requirements; Privacy Reporting; Screens & Reports Quality; Screen & Reports Content; Design & Aesthetics
• Data Governance Reqts (Co-ordinator): Data Standards Compliance; Use of Metadata Documentation; Metric Driven Quality Assurance; Data Management Structure
• Data Collection Steward (Doer/Definer): Data Classification (PII, Sensitive); Encryption; Business Content Rules; Privacy Rules
• Privacy Reqts Steward (Decider/Definer): Purpose; Notice; Consent; Transfer (3rd Party); Access/Correction/Deletion; Proportionality; Retention; Responsible Action
Based on M. Dennedy & Tom Finneran
38. What is Data Quality in DMBOK?
Definition:
Planning, implementation, and control activities that apply quality management techniques to measure, assess, improve, and ensure the fitness of data for use.
Goals:
• To measurably improve the quality of data in relation to defined business expectations.
• To define requirements and specifications for integrating data quality control into the
system development lifecycle.
• To provide defined processes for measuring, monitoring, and reporting conformance to
acceptable levels of data quality.
Activities:
1. Develop and Promote Data Quality Awareness
2. Define Data Quality Requirements
3. Profile, Analyze, and Assess Data Quality
4. Define Data Quality Metrics
5. Define Data Quality Business Rules
6. Test and Validate Data Quality Requirements
7. Set and Evaluate Data Quality Service Levels
8. Continuously Measure and Monitor Data Quality
9. Manage Data Quality Issues
10. Clean and Correct Data Quality Defects
11. Design and Implement Operational DQM Procedures
12. Monitor Operational DQM Procedures and Performance
Inputs:
• Business Requirements
• Data Requirements
• Data Quality Expectations
• Data Policies and Standards
• Business Metadata
• Technical Metadata
• Data Sources and Data Stores
Primary Deliverables:
• Improved Quality Data
• Data Management Operational Analysis
• Data Profiles
• Data Quality Certification Reports
• Data Quality Service Level Agreements
Metrics:
• Data Value Statistics
• Errors / Requirement Violations
• Conformance to Expectations
• Conformance to Service Levels
Tools:
• Data Profiling Tools
• Statistical Analysis Tools
• Data Cleansing Tools
• Data Integration Tools
• Issue and Event Management Tools
39. Data Protection: Quality Principles
Principle (X marks the DMBOK function the slide maps it to: Governance, Quality)
• Personal data which is being processed must be fairly obtained and processed: X
• Personal Data shall be obtained for a Specified and Lawful Purpose: X
• Personal Data shall not be processed in a manner incompatible with the specified purpose: X
• Personal Data shall be kept accurate and complete and, where necessary, kept up to date: X
• Personal Data should be kept Safe & Secure: X
• Data processed must be adequate, relevant and not excessive: X X (both)
• Personal data should not be kept for longer than necessary for the specified purpose or purposes: X X (both)
• Data Subjects have a right of Access: X
41. Case Study: Online customer registration process, UK bank
Process flow shown on the slide:
Register for SMS alert → Display proposed number (***9901; no option for a 2nd number) → Update Contact Details / Select Preferred Contact Number → Send SMS Updates → Message
42. Case Study
Issues:
*****9901 was a number that had not been used for more than 5 years by that account holder.
Mobile phone numbers are recycled, usually 12-18 months after termination of the contract.
An SMS containing this customer's bank details was therefore potentially being sent to a 3rd party.
The customer complained to the UK Data Privacy Regulator.
The customer knows a bit about data modelling.
Legal requirements
Ethical Requirements
“The Creepy Line”
44. A Data Privacy KPI?
EU e-marketing rules require contact data to be used within 12 months of consent having been obtained, or the consent is nullified.
The client organisation had no assessment of how much trust it could place in its marketing data, and was facing prosecutions for breaches of the rules.
Developed a dashboard and associated a financial "Business Impact" KPI with it.
Senior executives were shocked at the impact of not managing their customer data…
[Chart: "ePrivacy Directive Consent Tracker"; x-axis: months since last marketing contact (0-3 months, 3-6 months, 6-9 months, 10-12 months, 12 months or over); y-axis: share of customers, 0% to 45%]
Average revenue uplift of €10/ Month per campaign, 10% success rate, 1.2 million customers
Opportunity Lost: €1,440,000 Value at Risk: €4,320,000
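The bank case study (an SMS sent to a mobile number the customer had not used for over five years) and this consent tracker are the same kind of check: the age of a stored attribute measured against a window. The Python below is an added example, not code from the deck or from Castlebridge, and implements both rules over constructed customer records: a gate that refuses to send account details to a number not confirmed inside the recycling window, and the consent-age buckets with a money KPI attached. The 12-month recycling threshold, the bucket boundaries (the slide's labels leave a 9-10 month gap, closed here), the Customer fields, the sample records and the annualised KPI formula are all this example's own assumptions; the deck supplies the €10/month uplift, the 10% success rate and the 1.2 million customers but not its formula. With a 10% lapsed share and a 30% at-risk share the assumed formula reproduces the slide's €1,440,000 and €4,320,000, which is a consistency check, not confirmation of the deck's method.

```python
"""Added example (not from the deck): two data-quality rules over constructed
customer records.

Rule 1 (case study): a mobile number is stale if the customer has not used or
confirmed it within the recycling window, so an SMS carrying account details
must not go to it. The deck gives a 12-18 month recycling window; the 12-month
threshold is this example's assumption.

Rule 2 (consent tracker): bucket customers by months since last marketing
contact, treat 12 months or over as lapsed consent (as the deck states) and
attach a money KPI. The annualised formula is this example's assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Customer:
    customer_id: str
    mobile: str
    mobile_last_confirmed: date   # last time the customer used/confirmed the number
    last_marketing_contact: date  # last contact under the current consent


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`, floored at zero."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return max(months, 0)


# ---- Rule 1: stale-number gate ---------------------------------------------
RECYCLE_WINDOW_MONTHS = 12  # assumption: lower bound of the 12-18 month window


def sms_allowed(c: Customer, today: date, window: int = RECYCLE_WINDOW_MONTHS) -> bool:
    """Only a number confirmed inside the recycling window may receive account SMS."""
    return months_between(c.mobile_last_confirmed, today) < window


def stale_numbers(customers: list[Customer], today: date) -> list[str]:
    """IDs whose stored mobile the gate would block."""
    return [c.customer_id for c in customers if not sms_allowed(c, today)]


# ---- Rule 2: consent tracker and KPI ---------------------------------------
BUCKETS = ("0-3 months", "3-6 months", "6-9 months", "10-12 months", "12 months or over")


def consent_bucket(months: int) -> str:
    """Deck bucket labels; months >= 12 means the consent has lapsed."""
    for limit, label in ((3, BUCKETS[0]), (6, BUCKETS[1]), (9, BUCKETS[2]), (12, BUCKETS[3])):
        if months < limit:
            return label
    return BUCKETS[4]


def consent_tracker(customers: list[Customer], today: date) -> dict[str, float]:
    """Share of the customer base in each bucket (the dashboard on the slide)."""
    counts = dict.fromkeys(BUCKETS, 0)
    for c in customers:
        counts[consent_bucket(months_between(c.last_marketing_contact, today))] += 1
    return {b: n / len(customers) for b, n in counts.items()}


UPLIFT_PER_MONTH_EUR = 10.0  # from the deck
SUCCESS_RATE = 0.10          # from the deck
CAMPAIGN_MONTHS = 12         # assumption: impact annualised over 12 campaign months


def kpi_from_shares(base: int, lapsed_share: float, at_risk_share: float) -> dict[str, float]:
    """Assumed formula: annualised uplift foregone on customers whose consent has
    lapsed (Opportunity Lost) and on those in the 6-12 month band (Value at Risk)."""
    def annual_uplift(n: int) -> float:
        return round(n * SUCCESS_RATE * UPLIFT_PER_MONTH_EUR * CAMPAIGN_MONTHS, 2)
    return {
        "opportunity_lost_eur": annual_uplift(round(base * lapsed_share)),
        "value_at_risk_eur": annual_uplift(round(base * at_risk_share)),
    }


def consent_kpi(customers: list[Customer], today: date) -> dict[str, float]:
    shares = consent_tracker(customers, today)
    return kpi_from_shares(len(customers), shares[BUCKETS[4]], shares[BUCKETS[2]] + shares[BUCKETS[3]])


# Constructed sample data (not real customers); TODAY fixes the clock for repeatability.
TODAY = date(2016, 6, 1)
SAMPLE = [
    Customer("c1", "***4410", date(2016, 4, 15), date(2016, 5, 20)),
    Customer("c2", "***9901", date(2011, 3, 1), date(2016, 1, 10)),  # the case study's >5-year-old number
    Customer("c3", "***2207", date(2015, 9, 1), date(2015, 7, 20)),
    Customer("c4", "***0183", date(2014, 1, 1), date(2014, 12, 1)),
    Customer("c5", "***5566", date(2016, 5, 30), date(2015, 11, 5)),
]

if __name__ == "__main__":
    print("blocked numbers:", stale_numbers(SAMPLE, TODAY))
    print("consent tracker:", consent_tracker(SAMPLE, TODAY))
    print("deck-scale KPI:", kpi_from_shares(1_200_000, 0.10, 0.30))
```

The gate is deliberately a pre-send control rather than a report: the case study's failure was that a correct-looking number reached the SMS step unchallenged, so the check belongs in the path that sends, and the tracker turns the same staleness measure into the figure executives reacted to.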