SlideShare une entreprise Scribd logo

Build Trust Into Data & Tech Stacks With Privacy Compliance

Cillian Kieran
Cillian Kieran

A presentation at FirstMark's CodeDriven event in AWS Loft in New York on how to think about Data Privacy Compliance if you work in engineering, data or product teams.

Technologie
1  sur  28
Télécharger pour lire hors ligne
How To Build Trust Into Data & Tech Stacks or, Data Privacy for Eng. & Data Folks
Ethyca
E T H I C S D A T A Ethyca A Technology Platform Built To Make It Easy for Engineers, Product and Data Teams To Do the 'Right Thing’ With Data Without Adding Friction To CI/CD.
Overview 1. Data Privacy & Compliance 2. Abstract Compliance Model 3. Data Mapping & Inventory 4. Data Subject Requests 7. Consent & Objection 8. Data Minimization 9. Data Protection Impact Assessments 10.Summary
Data Privacy & Compliance
Data Privacy Putting in place appropriate technical and organizational measures or ‘baking in’ data protection to your processing and business practices, from the design stage throughout the product lifecycle. The Determination of What Data in a System May Be Shared With Third Parties. Data Privacy Compliance »
Active & Pending Privacy Regulations in Nearly all Major Markets Majority of Large Tech Markets Will Be Regulated Within 3 Years CCPA PIPEDA FED GDPR APPI PPB LGPD POPI APP
Data Privacy Compliance Principles 1. Lawfulness, fairness and transparency - Process personal data lawfully, fairly and in a transparent manner in relation to the data subject. 2. Purpose limitation - Only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what this purpose is, and only collect data for as long as necessary to complete that purpose. 3. Data minimization - you must ensure that personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose. 4. Accuracy - you must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you must do so within a month. 5. Storage limitation - You must delete personal data when you no longer need it. The timescales in most cases aren't set. They will depend on your business’ circumstances and the reasons why you collect this data. 6. Integrity and confidentiality - You must keep personal data safe and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Data Privacy Compliance Abstraction
Simple Privacy Compliance Model Abstraction of Global Regulations for Data Privacy Compliance * * Note: There are substantive differences between definitions and obligations for Data Privacy but in seeking a blueprint for strong data privacy we believe these can be applied across markets. Inventory of personal information processed, including activities, access and storage. Ability to execute Data Subject Requests, incl. access, rectify, erase and portability. Strong and clear consent for every processing activity conducted with a users personal data. Minimize access to data based on approved activities to reduce data exposure and risks. Continuous evaluation of product for impact to your users in relation to data use/processing. Inventory & Mapping DSR Consent & Objection Data Minimization DPIA
Data Inventory & Flow Mapping
Data Inventory & Flow Mapping A continuously updated inventory of personal information held based on: • Categories of personal information • Categories of subjects for whom data is held • Who has access (users/systems) • Related business activities • Basis for processing • Duration data is held (ttl)
Data Inventory & Flow Mapping Manual Mapping Data Discovery Active Data Lineage » Aggregate schema, audit unstructured stores, document processes and map data rights for all personal information. Establish cadence for regular review. Automate with data discovery tools to identify personal information and generate 'map' of areas of risk. Ensure manual review as automation is imperfect. Connect rights management, transaction analysis and system metadata to generate map of personal information. Significant infrastructure & ops refactoring to achieve. » 1 2 3
Data Subject Requests (DSR)
Data Subject Requests (DSR) Your systems should have the ability to: • Access: retrieve, categorize and provide to requesting user all of their data. • Rectify: edit an attribute of personal information that may be deemed incorrect. • Delete: delete an attribute of personal information. • Erase: completely erase a users personal information. • Portability: retrieve, categorize and provide users data in interoperable format.
Scripts & Runbook Write scripts for data retrieval against identity for each data store and prepare runbook of steps to execute regularly. Not scalable, prone to error and not readily audit-able. » 1 2 Data Subject Requests (DSR) Build SR Service Build service for data retrieval based on provided identity types and expose across application layer for subject requests. Significant cycles to design, implement & maintain.
Consent & Objection Management
Consent & Objection Management You must provide the ability for your user to: • opt-in: opt-in with clear understanding of what you're doing with their data. • opt-out: modify consents for each activity you undertake with their data. • object: object to having their data processed in any way. • manage data sales: opt out of having their data sold to third parties. • Ensure users are notified of changes to data processes so they can manage their consent. • Ensure that a users change to consent flows through all your business processes.
Manual Management Consent Manager Map Consent & Rights » Capture consent upfront and manually map flags across 3rd party systems with data residency for given identities. Difficult to maintain parity across systems. Implement (buy or build) consent manager to unify consent across data processing systems. Best solution for 3rd party systems, less suitable for owned infrastructure. Treat rights management, processing activities and consent as graph of relationships for data privacy compliance. Significant infrastructure & ops refactoring to achieve. » 1 2 3 Consent & Objection Management
Data Minimization
Data Minimization Employ strong data rights management by: • encryption of all data in flight and at rest. • ensure access to data is only provided for a given business activity. • limit access to data for the duration of a given business activity. • comprehensively log data access across business users and systems.
Fine Grained RBAC Map Consent & Rights Institute fine grained access control based on specific business activities which reflect permitted data processing activities. Easiest to initiate, labor intensive to enforce at scale. Map activities, consent and rights together to manage data access controls for systems and users across organization. Significant infrastructure & ops refactoring to achieve. » 1 2 Data Minimization
Data Protection Impact Assessments (DPIA)
Data Protection Impact Assessments (DPIA) Conduct impact assessments as part of product design and development: • Assess risk threshold of intended data process to your users. • Reduce unnecessary risk wherever possible when identified. • Provide clear documentation of ongoing assessment for any product or service development process.
Data Protection Impact Assessments (DPIA) Workflow for DPIA: • Create template assessment form for product, eng. and data teams. • Privacy specialist to review impact of product or services data activities. • Low impact features can proceed. • High impact/risk proposals should be de-risked where possible and that process of remediation documented. • No new product/service or process should proceed without a DPIA
Summary
Simple Privacy Compliance Model Abstraction of Global Regulations for Data Privacy Compliance * Inventory & Mapping DSR Consent & Objection Data Minimization DPIA Ensure your team and stack have implemented a scalable solution for each.
Thank You @cillian Cillian Kieran CEO

Recommandé

Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykEryk Budi Pratama
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykEryk Budi Pratama
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceAdrian Dumitrescu
 
Data protection services lifecycle approach to critical information protection
Data protection services lifecycle approach to critical information protectionData protection services lifecycle approach to critical information protection
Data protection services lifecycle approach to critical information protectionAujas Networks Pvt. Ltd.
 
Database auditing essentials
Database auditing essentialsDatabase auditing essentials
Database auditing essentialsCraig Mullins
 
IT6701-Information Management Unit 5
IT6701-Information Management Unit 5IT6701-Information Management Unit 5
IT6701-Information Management Unit 5SIMONTHOMAS S
 
Cybersecurity 101 - Auditing Cyber Security
Cybersecurity 101 - Auditing Cyber SecurityCybersecurity 101 - Auditing Cyber Security
Cybersecurity 101 - Auditing Cyber SecurityEryk Budi Pratama
 
Data Governance Overview - Doreen Christian
Data Governance Overview - Doreen ChristianData Governance Overview - Doreen Christian
Data Governance Overview - Doreen ChristianDoreen Christian
 

Recommandé

Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykEryk Budi Pratama
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykEryk Budi Pratama
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceAdrian Dumitrescu
 
Data protection services lifecycle approach to critical information protection
Data protection services lifecycle approach to critical information protectionData protection services lifecycle approach to critical information protection
Data protection services lifecycle approach to critical information protectionAujas Networks Pvt. Ltd.
 
Database auditing essentials
Database auditing essentialsDatabase auditing essentials
Database auditing essentialsCraig Mullins
 
IT6701-Information Management Unit 5
IT6701-Information Management Unit 5IT6701-Information Management Unit 5
IT6701-Information Management Unit 5SIMONTHOMAS S
 
Cybersecurity 101 - Auditing Cyber Security
Cybersecurity 101 - Auditing Cyber SecurityCybersecurity 101 - Auditing Cyber Security
Cybersecurity 101 - Auditing Cyber SecurityEryk Budi Pratama
 
Data Governance Overview - Doreen Christian
Data Governance Overview - Doreen ChristianData Governance Overview - Doreen Christian
Data Governance Overview - Doreen ChristianDoreen Christian
 
Data Sheet - Manage unstructured data growth with Symantec Data Insight
Data Sheet - Manage unstructured data growth with Symantec Data InsightData Sheet - Manage unstructured data growth with Symantec Data Insight
Data Sheet - Manage unstructured data growth with Symantec Data InsightSymantec
 
Post-Mainframe Managed Services
Post-Mainframe Managed ServicesPost-Mainframe Managed Services
Post-Mainframe Managed ServicesModern Systems
 
Data Classification Presentation
Data Classification PresentationData Classification Presentation
Data Classification PresentationDerroylo
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiEryk Budi Pratama
 
Big Data Expo 2015 - Trillium software Big Data and the Data Quality
Big Data Expo 2015 - Trillium software Big Data and the Data QualityBig Data Expo 2015 - Trillium software Big Data and the Data Quality
Big Data Expo 2015 - Trillium software Big Data and the Data QualityBigDataExpo
 
Data security and privacy
Data security and privacyData security and privacy
Data security and privacyrajab ssemwogerere
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Eryk Budi Pratama
 
The Merger is Happening, Now What Do We Do?
The Merger is Happening, Now What Do We Do?The Merger is Happening, Now What Do We Do?
The Merger is Happening, Now What Do We Do?DATUM LLC
 
Case Study For Data Governance Portal
Case Study For Data Governance PortalCase Study For Data Governance Portal
Case Study For Data Governance PortalMike Taylor
 
Health Decisions Webinar: January 2013 data warehouses
Health Decisions Webinar: January 2013 data warehousesHealth Decisions Webinar: January 2013 data warehouses
Health Decisions Webinar: January 2013 data warehousesSi Nahra
 
Cross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataCross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataUlf Mattsson
 
18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure IslandsSecure Islands - Data Security Policy
 
Cloud Compliance Auditing - Closer 2011
Cloud Compliance Auditing - Closer 2011Cloud Compliance Auditing - Closer 2011
Cloud Compliance Auditing - Closer 2011Jonathan Sinclair
 
Data classification-policy
Data classification-policyData classification-policy
Data classification-policyCoi Xay
 
Five Elements of Effective Data Access Governance
Five Elements of Effective Data Access Governance Five Elements of Effective Data Access Governance
Five Elements of Effective Data Access Governance Privacera
 
Data Protection Officer Dashboard | GDPR
Data Protection Officer Dashboard | GDPRData Protection Officer Dashboard | GDPR
Data Protection Officer Dashboard | GDPRCorporater
 
Customer Spotlight: Deploying a Data Protection Program in less than 120 Days
Customer Spotlight: Deploying a Data Protection Program in less than 120 DaysCustomer Spotlight: Deploying a Data Protection Program in less than 120 Days
Customer Spotlight: Deploying a Data Protection Program in less than 120 DaysDigital Guardian
 
Symantec Data Insight
Symantec Data InsightSymantec Data Insight
Symantec Data InsightSymantec
 
Unit 5 v2
Unit 5 v2Unit 5 v2
Unit 5 v2ShubhraGoyal4
 
Big Data Security Analytics (BDSA) with Randy Franklin
Big Data Security Analytics (BDSA) with Randy FranklinBig Data Security Analytics (BDSA) with Randy Franklin
Big Data Security Analytics (BDSA) with Randy FranklinSridhar Karnam
 
#DEVWEEK2020 Data Privacy in the Tech Stack & CI/CD Process
#DEVWEEK2020 Data Privacy in the Tech Stack & CI/CD Process#DEVWEEK2020 Data Privacy in the Tech Stack & CI/CD Process
#DEVWEEK2020 Data Privacy in the Tech Stack & CI/CD ProcessCillian Kieran
 
GDPR Noncompliance: Avoid the Risk with Data Virtualization
GDPR Noncompliance: Avoid the Risk with Data VirtualizationGDPR Noncompliance: Avoid the Risk with Data Virtualization
GDPR Noncompliance: Avoid the Risk with Data VirtualizationDenodo
 

Contenu connexe

Tendances

Data Sheet - Manage unstructured data growth with Symantec Data Insight
Data Sheet - Manage unstructured data growth with Symantec Data InsightData Sheet - Manage unstructured data growth with Symantec Data Insight
Data Sheet - Manage unstructured data growth with Symantec Data InsightSymantec
 
Post-Mainframe Managed Services
Post-Mainframe Managed ServicesPost-Mainframe Managed Services
Post-Mainframe Managed ServicesModern Systems
 
Data Classification Presentation
Data Classification PresentationData Classification Presentation
Data Classification PresentationDerroylo
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiEryk Budi Pratama
 
Big Data Expo 2015 - Trillium software Big Data and the Data Quality
Big Data Expo 2015 - Trillium software Big Data and the Data QualityBig Data Expo 2015 - Trillium software Big Data and the Data Quality
Big Data Expo 2015 - Trillium software Big Data and the Data QualityBigDataExpo
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Eryk Budi Pratama
 
The Merger is Happening, Now What Do We Do?
The Merger is Happening, Now What Do We Do?The Merger is Happening, Now What Do We Do?
The Merger is Happening, Now What Do We Do?DATUM LLC
 
Case Study For Data Governance Portal
Case Study For Data Governance PortalCase Study For Data Governance Portal
Case Study For Data Governance PortalMike Taylor
 
Health Decisions Webinar: January 2013 data warehouses
Health Decisions Webinar: January 2013 data warehousesHealth Decisions Webinar: January 2013 data warehouses
Health Decisions Webinar: January 2013 data warehousesSi Nahra
 
Cross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataCross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataUlf Mattsson
 
Cloud Compliance Auditing - Closer 2011
Cloud Compliance Auditing - Closer 2011Cloud Compliance Auditing - Closer 2011
Cloud Compliance Auditing - Closer 2011Jonathan Sinclair
 
Data classification-policy
Data classification-policyData classification-policy
Data classification-policyCoi Xay
 
Five Elements of Effective Data Access Governance
Five Elements of Effective Data Access Governance Five Elements of Effective Data Access Governance
Five Elements of Effective Data Access Governance Privacera
 
Data Protection Officer Dashboard | GDPR
Data Protection Officer Dashboard | GDPRData Protection Officer Dashboard | GDPR
Data Protection Officer Dashboard | GDPRCorporater
 
Customer Spotlight: Deploying a Data Protection Program in less than 120 Days
Customer Spotlight: Deploying a Data Protection Program in less than 120 DaysCustomer Spotlight: Deploying a Data Protection Program in less than 120 Days
Customer Spotlight: Deploying a Data Protection Program in less than 120 DaysDigital Guardian
 
Symantec Data Insight
Symantec Data InsightSymantec Data Insight
Symantec Data InsightSymantec
 
Big Data Security Analytics (BDSA) with Randy Franklin
Big Data Security Analytics (BDSA) with Randy FranklinBig Data Security Analytics (BDSA) with Randy Franklin
Big Data Security Analytics (BDSA) with Randy FranklinSridhar Karnam
 

Tendances (20)

Data Sheet - Manage unstructured data growth with Symantec Data Insight
Data Sheet - Manage unstructured data growth with Symantec Data InsightData Sheet - Manage unstructured data growth with Symantec Data Insight
Data Sheet - Manage unstructured data growth with Symantec Data Insight
 
Post-Mainframe Managed Services
Post-Mainframe Managed ServicesPost-Mainframe Managed Services
Post-Mainframe Managed Services
 
Data Classification Presentation
Data Classification PresentationData Classification Presentation
Data Classification Presentation
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data Pribadi
 
Big Data Expo 2015 - Trillium software Big Data and the Data Quality
Big Data Expo 2015 - Trillium software Big Data and the Data QualityBig Data Expo 2015 - Trillium software Big Data and the Data Quality
Big Data Expo 2015 - Trillium software Big Data and the Data Quality
 
Data security and privacy
Data security and privacyData security and privacy
Data security and privacy
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
 
The Merger is Happening, Now What Do We Do?
The Merger is Happening, Now What Do We Do?The Merger is Happening, Now What Do We Do?
The Merger is Happening, Now What Do We Do?
 
Case Study For Data Governance Portal
Case Study For Data Governance PortalCase Study For Data Governance Portal
Case Study For Data Governance Portal
 
Health Decisions Webinar: January 2013 data warehouses
Health Decisions Webinar: January 2013 data warehousesHealth Decisions Webinar: January 2013 data warehouses
Health Decisions Webinar: January 2013 data warehouses
 
Cross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataCross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive data
 
18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands
 
Cloud Compliance Auditing - Closer 2011
Cloud Compliance Auditing - Closer 2011Cloud Compliance Auditing - Closer 2011
Cloud Compliance Auditing - Closer 2011
 
Data classification-policy
Data classification-policyData classification-policy
Data classification-policy
 
Five Elements of Effective Data Access Governance
Five Elements of Effective Data Access Governance Five Elements of Effective Data Access Governance
Five Elements of Effective Data Access Governance
 
Data Protection Officer Dashboard | GDPR
Data Protection Officer Dashboard | GDPRData Protection Officer Dashboard | GDPR
Data Protection Officer Dashboard | GDPR
 
Customer Spotlight: Deploying a Data Protection Program in less than 120 Days
Customer Spotlight: Deploying a Data Protection Program in less than 120 DaysCustomer Spotlight: Deploying a Data Protection Program in less than 120 Days
Customer Spotlight: Deploying a Data Protection Program in less than 120 Days
 
Symantec Data Insight
Symantec Data InsightSymantec Data Insight
Symantec Data Insight
 
Unit 5 v2
Unit 5 v2Unit 5 v2
Unit 5 v2
 
Big Data Security Analytics (BDSA) with Randy Franklin
Big Data Security Analytics (BDSA) with Randy FranklinBig Data Security Analytics (BDSA) with Randy Franklin
Big Data Security Analytics (BDSA) with Randy Franklin
 

Similaire à Build Trust Into Data & Tech Stacks With Privacy Compliance

#DEVWEEK2020 Data Privacy in the Tech Stack & CI/CD Process
#DEVWEEK2020 Data Privacy in the Tech Stack & CI/CD Process#DEVWEEK2020 Data Privacy in the Tech Stack & CI/CD Process
#DEVWEEK2020 Data Privacy in the Tech Stack & CI/CD ProcessCillian Kieran
 
GDPR Noncompliance: Avoid the Risk with Data Virtualization
GDPR Noncompliance: Avoid the Risk with Data VirtualizationGDPR Noncompliance: Avoid the Risk with Data Virtualization
GDPR Noncompliance: Avoid the Risk with Data VirtualizationDenodo
 
Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...Sebastien Deleersnyder
 
Michael Josephs
Michael JosephsMichael Josephs
Michael JosephsdaveGBE
 
What is Big Data - Edvicon
What is Big Data - EdviconWhat is Big Data - Edvicon
What is Big Data - Edviconedviconin
 
Estuate EDM Checklist
Estuate EDM ChecklistEstuate EDM Checklist
Estuate EDM ChecklistEstuate, Inc.
 
Intro to big data and applications -day 3
Intro to big data and applications -day 3Intro to big data and applications -day 3
Intro to big data and applications -day 3Parviz Vakili
 
Qlik wp 2021_q3_data_governance_in_the_modern_data_analytics_pipeline
Qlik wp 2021_q3_data_governance_in_the_modern_data_analytics_pipelineQlik wp 2021_q3_data_governance_in_the_modern_data_analytics_pipeline
Qlik wp 2021_q3_data_governance_in_the_modern_data_analytics_pipelineSrikanth Sharma Boddupalli
 
The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help Niklas Hjorthen
 
GDPR Compliance Made Easy with Data Virtualization
GDPR Compliance Made Easy with Data VirtualizationGDPR Compliance Made Easy with Data Virtualization
GDPR Compliance Made Easy with Data VirtualizationDenodo
 
Microsoft Cloud GDPR Compliance Options (SUGUK)
Microsoft Cloud GDPR Compliance Options (SUGUK)Microsoft Cloud GDPR Compliance Options (SUGUK)
Microsoft Cloud GDPR Compliance Options (SUGUK)Andy Talbot
 
A Logical Architecture is Always a Flexible Architecture (ASEAN)
A Logical Architecture is Always a Flexible Architecture (ASEAN)A Logical Architecture is Always a Flexible Architecture (ASEAN)
A Logical Architecture is Always a Flexible Architecture (ASEAN)Denodo
 
Transforming GE Healthcare with Data Platform Strategy
Transforming GE Healthcare with Data Platform StrategyTransforming GE Healthcare with Data Platform Strategy
Transforming GE Healthcare with Data Platform StrategyDatabricks
 
Big data – A Review
Big data – A ReviewBig data – A Review
Big data – A ReviewIRJET Journal
 
Sensitel infrastructure optimization services
Sensitel infrastructure optimization servicesSensitel infrastructure optimization services
Sensitel infrastructure optimization servicesmsikka
 
KASHTECH AND DENODO: ROI and Economic Value of Data Virtualization
KASHTECH AND DENODO: ROI and Economic Value of Data VirtualizationKASHTECH AND DENODO: ROI and Economic Value of Data Virtualization
KASHTECH AND DENODO: ROI and Economic Value of Data VirtualizationDenodo
 
Breakdown of Microsoft Purview Solutions
Breakdown of Microsoft Purview SolutionsBreakdown of Microsoft Purview Solutions
Breakdown of Microsoft Purview SolutionsDrew Madelung
 
Big Data LDN 2017: Data Governance Reimagined
Big Data LDN 2017: Data Governance ReimaginedBig Data LDN 2017: Data Governance Reimagined
Big Data LDN 2017: Data Governance ReimaginedMatt Stubbs
 

Similaire à Build Trust Into Data & Tech Stacks With Privacy Compliance (20)

#DEVWEEK2020 Data Privacy in the Tech Stack & CI/CD Process
#DEVWEEK2020 Data Privacy in the Tech Stack & CI/CD Process#DEVWEEK2020 Data Privacy in the Tech Stack & CI/CD Process
#DEVWEEK2020 Data Privacy in the Tech Stack & CI/CD Process
 
GDPR Noncompliance: Avoid the Risk with Data Virtualization
GDPR Noncompliance: Avoid the Risk with Data VirtualizationGDPR Noncompliance: Avoid the Risk with Data Virtualization
GDPR Noncompliance: Avoid the Risk with Data Virtualization
 
Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...
 
Michael Josephs
Michael JosephsMichael Josephs
Michael Josephs
 
What is Big Data - Edvicon
What is Big Data - EdviconWhat is Big Data - Edvicon
What is Big Data - Edvicon
 
Estuate EDM Checklist
Estuate EDM ChecklistEstuate EDM Checklist
Estuate EDM Checklist
 
Sgcp14dunlea
Sgcp14dunleaSgcp14dunlea
Sgcp14dunlea
 
Intro to big data and applications -day 3
Intro to big data and applications -day 3Intro to big data and applications -day 3
Intro to big data and applications -day 3
 
Qlik wp 2021_q3_data_governance_in_the_modern_data_analytics_pipeline
Qlik wp 2021_q3_data_governance_in_the_modern_data_analytics_pipelineQlik wp 2021_q3_data_governance_in_the_modern_data_analytics_pipeline
Qlik wp 2021_q3_data_governance_in_the_modern_data_analytics_pipeline
 
The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help
 
GDPR Compliance Made Easy with Data Virtualization
GDPR Compliance Made Easy with Data VirtualizationGDPR Compliance Made Easy with Data Virtualization
GDPR Compliance Made Easy with Data Virtualization
 
Microsoft Cloud GDPR Compliance Options (SUGUK)
Microsoft Cloud GDPR Compliance Options (SUGUK)Microsoft Cloud GDPR Compliance Options (SUGUK)
Microsoft Cloud GDPR Compliance Options (SUGUK)
 
A Logical Architecture is Always a Flexible Architecture (ASEAN)
A Logical Architecture is Always a Flexible Architecture (ASEAN)A Logical Architecture is Always a Flexible Architecture (ASEAN)
A Logical Architecture is Always a Flexible Architecture (ASEAN)
 
Transforming GE Healthcare with Data Platform Strategy
Transforming GE Healthcare with Data Platform StrategyTransforming GE Healthcare with Data Platform Strategy
Transforming GE Healthcare with Data Platform Strategy
 
Big data – A Review
Big data – A ReviewBig data – A Review
Big data – A Review
 
Sensitel infrastructure optimization services
Sensitel infrastructure optimization servicesSensitel infrastructure optimization services
Sensitel infrastructure optimization services
 
KASHTECH AND DENODO: ROI and Economic Value of Data Virtualization
KASHTECH AND DENODO: ROI and Economic Value of Data VirtualizationKASHTECH AND DENODO: ROI and Economic Value of Data Virtualization
KASHTECH AND DENODO: ROI and Economic Value of Data Virtualization
 
Breakdown of Microsoft Purview Solutions
Breakdown of Microsoft Purview SolutionsBreakdown of Microsoft Purview Solutions
Breakdown of Microsoft Purview Solutions
 
NZS-4555 - IT Analytics Keynote - IT Analytics for the Enterprise
NZS-4555 - IT Analytics Keynote - IT Analytics for the EnterpriseNZS-4555 - IT Analytics Keynote - IT Analytics for the Enterprise
NZS-4555 - IT Analytics Keynote - IT Analytics for the Enterprise
 
Big Data LDN 2017: Data Governance Reimagined
Big Data LDN 2017: Data Governance ReimaginedBig Data LDN 2017: Data Governance Reimagined
Big Data LDN 2017: Data Governance Reimagined
 

Dernier

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 

Dernier (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 

Build Trust Into Data & Tech Stacks With Privacy Compliance

  • 1. How To Build Trust Into Data & Tech Stacks or, Data Privacy for Eng. & Data Folks
  • 3. E T H I C S D A T A Ethyca A Technology Platform Built To Make It Easy for Engineers, Product and Data Teams To Do the 'Right Thing’ With Data Without Adding Friction To CI/CD.
  • 4. Overview 1. Data Privacy & Compliance 2. Abstract Compliance Model 3. Data Mapping & Inventory 4. Data Subject Requests 7. Consent & Objection 8. Data Minimization 9. Data Protection Impact Assessments 10.Summary
  • 5. Data Privacy & Compliance
  • 6. Data Privacy Putting in place appropriate technical and organizational measures or ‘baking in’ data protection to your processing and business practices, from the design stage throughout the product lifecycle. The Determination of What Data in a System May Be Shared With Third Parties. Data Privacy Compliance »
  • 7. Active & Pending Privacy Regulations in Nearly all Major Markets Majority of Large Tech Markets Will Be Regulated Within 3 Years CCPA PIPEDA FED GDPR APPI PPB LGPD POPI APP
  • 8. Data Privacy Compliance Principles 1. Lawfulness, fairness and transparency - Process personal data lawfully, fairly and in a transparent manner in relation to the data subject. 2. Purpose limitation - Only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what this purpose is, and only collect data for as long as necessary to complete that purpose. 3. Data minimization - you must ensure that personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose. 4. Accuracy - you must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you must do so within a month. 5. Storage limitation - You must delete personal data when you no longer need it. The timescales in most cases aren't set. They will depend on your business’ circumstances and the reasons why you collect this data. 6. Integrity and confidentiality - You must keep personal data safe and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
  • 10. Simple Privacy Compliance Model Abstraction of Global Regulations for Data Privacy Compliance * * Note: There are substantive differences between definitions and obligations for Data Privacy but in seeking a blueprint for strong data privacy we believe these can be applied across markets. Inventory of personal information processed, including activities, access and storage. Ability to execute Data Subject Requests, incl. access, rectify, erase and portability. Strong and clear consent for every processing activity conducted with a users personal data. Minimize access to data based on approved activities to reduce data exposure and risks. Continuous evaluation of product for impact to your users in relation to data use/processing. Inventory & Mapping DSR Consent & Objection Data Minimization DPIA
  • 11. Data Inventory & Flow Mapping
  • 12. Data Inventory & Flow Mapping A continuously updated inventory of personal information held based on: • Categories of personal information • Categories of subjects for whom data is held • Who has access (users/systems) • Related business activities • Basis for processing • Duration data is held (ttl)
  • 13. Data Inventory & Flow Mapping Manual Mapping Data Discovery Active Data Lineage » Aggregate schema, audit unstructured stores, document processes and map data rights for all personal information. Establish cadence for regular review. Automate with data discovery tools to identify personal information and generate 'map' of areas of risk. Ensure manual review as automation is imperfect. Connect rights management, transaction analysis and system metadata to generate map of personal information. Significant infrastructure & ops refactoring to achieve. » 1 2 3
  • 15. Data Subject Requests (DSR) Your systems should have the ability to: • Access: retrieve, categorize and provide to requesting user all of their data. • Rectify: edit an attribute of personal information that may be deemed incorrect. • Delete: delete an attribute of personal information. • Erase: completely erase a users personal information. • Portability: retrieve, categorize and provide users data in interoperable format.
  • 16. Scripts & Runbook Write scripts for data retrieval against identity for each data store and prepare runbook of steps to execute regularly. Not scalable, prone to error and not readily audit-able. » 1 2 Data Subject Requests (DSR) Build SR Service Build service for data retrieval based on provided identity types and expose across application layer for subject requests. Significant cycles to design, implement & maintain.
  • 17. Consent & Objection Management
  • 18. Consent & Objection Management You must provide the ability for your user to: • opt-in: opt-in with clear understanding of what you're doing with their data. • opt-out: modify consents for each activity you undertake with their data. • object: object to having their data processed in any way. • manage data sales: opt out of having their data sold to third parties. • Ensure users are notified of changes to data processes so they can manage their consent. • Ensure that a users change to consent flows through all your business processes.
  • 19. Manual Management Consent Manager Map Consent & Rights » Capture consent upfront and manually map flags across 3rd party systems with data residency for given identities. Difficult to maintain parity across systems. Implement (buy or build) consent manager to unify consent across data processing systems. Best solution for 3rd party systems, less suitable for owned infrastructure. Treat rights management, processing activities and consent as graph of relationships for data privacy compliance. Significant infrastructure & ops refactoring to achieve. » 1 2 3 Consent & Objection Management
  • 21. Data Minimization Employ strong data rights management by: • encryption of all data in flight and at rest. • ensure access to data is only provided for a given business activity. • limit access to data for the duration of a given business activity. • comprehensively log data access across business users and systems.
  • 22. Fine Grained RBAC Map Consent & Rights Institute fine grained access control based on specific business activities which reflect permitted data processing activities. Easiest to initiate, labor intensive to enforce at scale. Map activities, consent and rights together to manage data access controls for systems and users across organization. Significant infrastructure & ops refactoring to achieve. » 1 2 Data Minimization
  • 23. Data Protection Impact Assessments (DPIA)
  • 24. Data Protection Impact Assessments (DPIA) Conduct impact assessments as part of product design and development: • Assess risk threshold of intended data process to your users. • Reduce unnecessary risk wherever possible when identified. • Provide clear documentation of ongoing assessment for any product or service development process.
  • 25. Data Protection Impact Assessments (DPIA) Workflow for DPIA: • Create template assessment form for product, eng. and data teams. • Privacy specialist to review impact of product or services data activities. • Low impact features can proceed. • High impact/risk proposals should be de-risked where possible and that process of remediation documented. • No new product/service or process should proceed without a DPIA
  • 27. Simple Privacy Compliance Model Abstraction of Global Regulations for Data Privacy Compliance * Inventory & Mapping DSR Consent & Objection Data Minimization DPIA Ensure your team and stack have implemented a scalable solution for each.