Follow along with these webinar slides as we take a close look at what it takes to prepare for all kinds of data privacy regulations – learn how to protect your data in order to be compliant with regulators or for healthy business practices in general.
Want to follow along with the webinar replay? Download it here for free: http://info.aiim.org/protect-your-information
Data Privacy - Learn What It Takes to Protect Your Information
1. Underwritten by: Presented by:
#AIIM Information Is Your Most Important Asset. Learn the Skills to Manage It.
Data Privacy: Learn What It Takes to Protect Your Information
An AIIM Webinar presented July 26, 2017
5. Policy-Based Privacy Framework
(Diagram labels: Statutes; Regulations; Application Level; Operations Level; Enterprise Policy Engine; Security and Control; Retention; Disposition; Classification & Management Policies; Hold and Discovery; Identification & Analysis; Monitoring and Reporting; Records Policy; Business Policy; IT Policy.)
6. Privacy Makes Information Governance a Regulatory Issue
Federal Trade Commission
The FTC has made “reasonable data security and information governance” a legal requirement. The FTC’s documented obligations for companies include:
1. Take Stock (Inventory your PI and know where it is located)
2. Scale Down (Minimize the data that you store to its business purpose)
3. Lock It (Self-explanatory: Physical, Electronic, Processes, Administrative, Education)
4. Pitch It (A good case for a solid Electronic Records Management implementation)
5. Plan Ahead (for the eventual data breach in the organization)
The FTC does “bite hard”: Unfair or deceptive trade practices related to data security
8. Privacy Makes Information Governance a Regulatory Issue
European Union
The General Data Protection Regulation (GDPR) specifically outlines data security and Info Gov. obligations within its legal framework:
1. Data protections must be built into the system “By Design and by Default.” (Recital 78 and Article 25)
2. Data must be secured using technical means (Recital 49 and Articles 5-1(f), 32-1(b-d))
3. A determination must be made almost immediately as to whether a data breach is likely to have a “high risk to the rights and freedoms of the natural person”; as such, a technical environment must be in place to identify, track and assess such breaches. (Recitals 85, 87 and numerous GDPR Articles). You have 72 hours to alert data subjects.
4. Numerous other Recitals and Articles have Info Gov. expectations and demands
Infringement fines can range up to €20,000,000 or 4% of the global revenue of the organization, whichever is higher, PER breach incident or data processing mistake.
9. Privacy Makes Information Governance a Regulatory Issue
One of the greatest challenges in Privacy to legally support is the greatly divergent laws, regulations, and expectations:
Industries: e.g., Healthcare (HIPAA / HITECH), Financial (Gramm-Leach-Bliley Act)
US States: e.g., Massachusetts (201 CMR 17.00), California (numerous…)
US Regulatory Bodies: e.g., Federal Trade Commission, Federal Communications Commission, DHHS Office of Civil Rights, etc.
Other Countries and Regions: e.g., EU Directive and GDPR, Canadian PIPEDA, China’s CPL
Each statute and regulation can individually impact:
The definition of “personal data.” And there can be more than one type of personal data...
How personal data (of various types…) must be secured, stored, located, managed, accessed, controlled, and processed physically and electronically.
And… the legally required breach preparations, breach responses and timings.
The key is understanding what laws the company is accountable to follow.
10. Privacy Makes Information Governance a Regulatory Issue
However, there are key security and technical commonalities across many of the privacy laws and regulations that can be leveraged and reused:
Most privacy laws demand administrative PI data controls (e.g., policies, procedures, notices)
System designs and builds that integrate privacy and info gov as an early part of the SDLC
Anonymizing or Pseudonymizing data structures/columns
Data minimization/retention policies and automated data deletion/disposal (ERM) processes. Again, back to information governance…
Accurate inventories of personal data types, their locations/technologies, and their owners
Technical environments secured using “reasonable,” “practicable,” “industry-standard,” “state-of-the-art,” “readily available” technologies and procedures (e.g., two-factor authentication for administrators)
Breach prevention, preparation, notification, and response technologies and processes implemented
Data access minimization and limitations, segmenting server environments, etc.
11. How Do We Better Connect Legal Regulations and Operational Requirements to Our Content?
The first and last mile of retention
(Diagram. The First Mile: Retention Considerations (Government regulations, Industry specific regulations, IT Operations, Business Needs). The Last Mile: Policy Execution. Content sources: Email, Cloud, Desktop, Physical Content, SAP, Structured Repositories, Unstructured repositories, File Shares. Steps: Auto collection of laws, Translate to retention rules, Centralized policy, Apply at scale, Audit logs, Connect.)
12. Personal Data is Insidious!
(Definition: Gradual, Subtle, Treacherous…)
PI and Sensitive PI seem to exist just about everywhere… It creeps:
1. Typical RDBMS transactional environments (ERP, HR, G/L, etc.)
2. User Laptops (in all types of locations such as email clients, HD folders, Evernote, screenshots, etc.)
3. User Mobile Devices (BYOD and company provided)
4. Shared Drive/Folder Servers
5. External Shared Drives (Box, Dropbox, Egnyte, Google Docs, etc.)
6. Email Systems (Internal Exchange, Gmail, Yahoo)
7. Content and “Sharing” services (SharePoint, Office 365, Livelink, Documentum, Skype, Jive, Slack)
8. Paper notebooks
9. PLUS all of your third-party information partners and outsourcers (e.g., HIPAA “business associates” and GDPR “data processors”)
Privacy laws still cover all these physical and electronic locations, with very few exceptions
These locations need to be technically, procedurally, and administratively secured
13. Be Mindful of What You Collect, Store, and Process
Data minimiz(s)ation
You can’t lose or have stolen what doesn’t exist
Multiple jurisdictions – U.S., EU, and more – emphasize this point
AIIM’s materials on Records and Information Management are a great place to help jumpstart your data minimisation and data inventory efforts
Watch your vendors, too
If you’re sharing data, you can be responsible if they lose it or misuse it
Are you auditing them on a regular basis?
How are those agreements…?
14. Watch What You Collect
Log files and authentication
When you create an account, you create PII
Data retention: How long do you need to keep that log file?
Physical security issues
Single credentials and employee monitoring
Theft prevention and customer monitoring
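An added illustration, not from the webinar, of two of the commonalities listed on slide 10 (pseudonymizing PII columns, and retention policies with automated deletion) applied to the kind of account/authentication log slide 14 warns about. The log lines, field names, retention window and key are all constructed for this example.

```python
import hmac
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample: an account-creation / authentication log, one JSON record per line.
SAMPLE_LOG = """\
{"ts": "2017-06-01T09:00:00Z", "event": "account_created", "email": "ann@example.com", "ip": "203.0.113.7"}
{"ts": "2017-07-20T11:30:00Z", "event": "login", "email": "ann@example.com", "ip": "203.0.113.7"}
{"ts": "2017-07-25T08:15:00Z", "event": "login", "email": "bob@example.com", "ip": "198.51.100.2"}
"""

# The columns the data inventory has flagged as personal data (assumed for the example).
PII_FIELDS = ("email", "ip")


def _parse_ts(iso: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2017-07-26T00:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. The same input always yields the same token, so the
    log stays joinable for an investigation, but the token cannot be reversed without the
    key. Keep the key outside the log store: this is pseudonymization, not anonymization."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def apply_retention(lines, now: datetime, keep_days: int) -> list:
    """Automated disposal: keep only records inside the retention window."""
    cutoff = now - timedelta(days=keep_days)
    return [rec for rec in (json.loads(l) for l in lines if l.strip())
            if _parse_ts(rec["ts"]) >= cutoff]


def minimize_log(raw: str, key: bytes, now_iso: str, keep_days: int = 30) -> list:
    """Enforce the retention window, then replace every PII field in what remains
    with its pseudonym. Returns the minimized records as dicts."""
    kept = apply_retention(raw.splitlines(), _parse_ts(now_iso), keep_days)
    for rec in kept:
        for field in PII_FIELDS:
            if field in rec:
                rec[field] = pseudonymize(rec[field], key)
    return kept


if __name__ == "__main__":
    for rec in minimize_log(SAMPLE_LOG, b"example-key", "2017-07-26T00:00:00Z"):
        print(json.dumps(rec))
```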
15. System Privacy by Design, Privacy by Default
(Diagram, source: Wikipedia. Annotations: “The Discussion of Privacy’s and Info Gov’s Impact on Development Begins Here” and “Not Here…!”)
17. HPE Policy Based Secure Content Management offering
(Diagram: Policy Based Secure Content Management. Labels: File & content analysis; ID sensitive data (PII, PCI, PHI); ROT Analysis; Enterprise policy application; Manage-in-place; Classification; Security & access; Redaction; Retention; Disposition; Data extraction & application retirement; Access Reporting; Data masking; Encryption; Decryption.)
18. Complete Content Platform “Privacy by Design”
(Diagram labels. Data Repositories: Messaging, Email, Files, SharePoint, Applications, Data Warehouses, Document Management, Data Archive, Social Media, Web Content. Actions: Read, Analyse, Classify, Action, Apply, Store, Find, Govern, Declare Eligible Records, Data Encryption, Apply Retention Rules, Compliance, Legal Hold & Audit. Record Repository.)
19. Summary Points
The Info Governance capability is critical to privacy efforts. Without it, privacy operations would be impossible to conduct.
Coordination and clarity between the CIO, the GC, Privacy, and the Info Gov. groups are required to meet privacy obligations. No Person is an island where privacy is concerned.
No laws or regulations require “Superhuman” or “Extraordinary” information governance or security efforts. The words “Practical,” “Reasonable,” “Industry-standard” are commonly used. “Proactive” and “By Design” are common themes, however.
Many of the laws and regulations have similar, if not the same, technical, procedural and administrative security requirements. Leverage them.
There are significant idiosyncrasies, even between U.S. States, let alone across countries and industries. Know what is applicable to your organization. Ask your General Counsel! (and they may not know…).
PI can be in any number of different repositories. You’re responsible for securing all of them according to regulatory and legal jurisdictions; not just the obvious data elements inside of the RDBMS.
If there is incremental $ to spend on privacy and security, you may consider spending it on training and communications for the employees.
20. Greg Reid, CEO
CIP, CIPP/US, CIPP/EU, CIPM, ACEDS/eDiscovery
Master of Jurisprudence: Information Security and Privacy
InFutureLLC
Gregory.Reid@InFutureLLC.com
https://www.linkedin.com/in/gregoryreid/
Rich Lauwers, Information Governance SME
Hewlett Packard Enterprise
Rich.Lauwers@hpe.com
+1 847.232.3566 (CST, Chicago)
Thank You!
21. Take a look at what HPE has to offer: www.hpe.com/software/scm
HPE GDPR Solutions: https://www.hpe.com/us/en/campaigns/gdpr-compliance.html