Data Privacy - Learn What It Takes to Protect Your Information

Underwritten by: Presented by:
#AIIMInformationIs Your MostImportant Asset.
Learn the Skills to Manage It.
Data Privacy:
Learn What It Takes to
Protect Your Information
Presented July 26, 2017
Data Privacy – Learn What It Takes
to Protect Your Information
An AIIM Webinarpresented
July 26, 2017

Greg Reid
CEO
InFuture LLC
Rich Lauwers
InfoGovSME
HewlettPackard
Enterprise
Host: Theresa Resek, CIP
Director
AIIM
Today’s Speakers

Data Privacy = InfoSec + InfoGov + ‘The Law’
Access &understand Leverage &take action
Unstructured enterprise
datarepositories
Structured enterprise
datarepositories
Cloud-based
repositories
Otherkeyrepositories
Offsiteorremovable
datarepositories
Addressbusiness&
operational objectives
Cross-silo analytics
Enterprise search
Content management
Legal holdsRegulatory compliance
Records managementeDiscovery
Addresslegal&
compliance objectives
Server data protection
Endpoint information management
Addressdataprotection
objectives
Commonpolicies
Organize &control
Virtual machine backup
Long-term retention
Employee productivity
ManageRiskDeriveValue
Serve the organization'scompleteinformation management & governance needs
Informationinsights

Policy-Based Privacy Framework
5
Statutes
Regulations
Application Level
Operations Level
Enterprise Policy Engine
Security and
Control
Retention Disposition
Classification&
Management
Policies
Hold and
Discovery
Identification &
Analysis
Monitoring
and
Reporting
Records
Policy
Business
Policy
IT
Policy

Privacy Makes Information Governance a
Regulatory Issue
Federal Trade Commission
 The FTC has made “reasonable datasecurity and informationgovernance” a
legal requirement. The FTC’sdocumented obligationsfor companies include:
1. Take Stock (Inventory your PI and know where it is located)
2. Scale Down (Minimize the data that you store to is business purpose)
3. Lock It (Self-explanatory: Physical, Electronic, Processes, Administrative,
Education)
4. Pitch It (A good case for a solid Electronic Records Management implementation)
5. Plan Ahead (for the eventual data breach in the organization)
 The FTC does “bite hard”: Unfair or deceptive trade practices related to data
security

GDPR Enacted to Help Protect EU Citizen Data from Risk

Regulatory Issue
European Union
 The General Data ProtectionRegulation (GDPR) specifically
outlines data security and Info Gov. obligations within its legal framework:
1. Data protections must be built into the system
“By Design and by Default.” (Recital 78 and Article 25)
2. Data must be secured using technical means
(Recital 49 and Articles 5-1(f), 32-1(b-d))
3. A determination must be made almost immediately as to whether a data breach is likely
to have a “high risk to the rights and freedoms of the natural person,” as such a
technical environment must be in place to identify, track and assess such breaches.
(Recitals 85, 87 and numerous GDPR Articles).You have 72 hours to alert data subjects.
4. Numerous other Recitals and Articles have Info Gov. expectations and demands
 Infringement fines can range up to €20,000,000 or 4% of the global revenue of the
organization,whichever is higher, PER breach incident or data processing mistake.

Regulatory Issue
 One of the greatest challenges in Privacy to legallysupport are the greatly
divergent laws, regulations, and expectations:
 Industries: e.g., Healthcare(HIPAA /HITECH), Financial(Gramm-Leach-Bliley Act)
 US States: e.g., Massachusetts (201 CMR17.00), California (numerous…)
 US Regulatory Bodies: e.g., FederalTradeCommission, FederalCommunications Commission,
DHHS Officeof Civil Rights, etc.
 Other Countries andRegions: e.g., EUDirectiveand GDPR, Canadian PIPEDA, China’s CPL
Each statute andregulationcanindividually impact:
 The definition of “personaldata.” And there can be morethan one type of personaldata...
 How personaldata (of various types…) mustbe secured, stored, located, managed, accessed,
controlled, and processed physically and electronically.
 And…the legally required breach preparations, breach responsesand timings.
 The key is understandingwhat laws the companyis accountable to follow.

Regulatory Issue
However, there are key security and technical commonalities across many of the
privacy laws and regulations that can be leveraged and reused:
 Most privacy laws demand administrativePIdata controls (e.g., polices,procedures,notices)
 System designs and builds that integrate privacyand info gov as an early part of the SDLC
 AnonymizingorPseudonymizingdata structures/columns
 Data minimization/retentionpolicies and automated data deletion/disposal(ERM)
processes.Again,back to informationgovernance…
 Accurate inventories ofpersonal datatypes,theirlocations/technologies,and their owners
 Technical environmentssecured using“reasonable,”“practicable,”“industry-standard,”
“state-of-the-art,”“readilyavailable”technologies and procedures(e.g., two-factor
authentication foradministrators)
 Breach prevention,preparation,notification,and response technologies and processes
implemented
 Data access minimizationand limitations,segmentingserverenvironments,etc.

How Do We Better ConnectLegal Regulationsand
Operational Requirementsto Our Content?
The first and last mile of retention
The First Mile:
Retention Considerations
The Last Mile:
Policy Execution
Government regulations
Industry specific
regulations
IT Operations
Business Needs
Email
Cloud
Desktop
Physical
Content
SAP
Structured
Repositories
Unstructured
repositories
File Shares
Auto collection
of laws
Translate to
retention rules
Centralized
policy
Apply at scale
Audit logs
Connect

Personal Data is Insidious!
(Definition: Gradual, Subtle, Treacherous…)
 PI and Sensitive PI seems to exist just about everywhere… It creeps:
1. Typical RDBMS transactionalenvironments (ERP, HR, G/L, etc.)
2. User Laptops (in all types of locations such as email clients, HD folders, Evernote, screenshots, etc.)
3. User Mobile Devices (BYOD and company provided)
4. Shared Drive/Folder Servers
5. External Shared Drives (Box, Dropbox, Box, Egnyte, Googledocs, etc.)
6. Email Systems (InternalExchange, Gmail, Yahoo)
7. Content and “Sharing” services (SharePoint, Office365, Livelink, Documentum, Skype, Jive, Slack)
8. Paper notebooks
9. PLUS all of your third-party information partners and outsourcers
(e.g., HIPAA “business associates” and GDPR “data processors”)
 Privacy laws still cover all these physical and electronic locations, with very few exceptions
 These locations need to be technically, procedurally, and administratively secured

Be Mindful of What You Collect, Store, and Process
 Data minimiz(s)ation
 You can’t lose or have stolen what doesn’t exist
 Multiplejurisdictions– U.S., EU, and more – emphasize this point
 AIIM’s materialson Records and Information Managementare a great place
to help jumpstart your data minimisationand datainventoryefforts
 Watch your vendors, too
 If you’re sharing data,you’re can be responsible if they lose it or misuse it
 Are you auditingthem on a regular basis?
 How are those agreements…?

Watch What You Collect
 Log files and authentication
 When you create an account, you create PII
 Dataretention: How long do you need to keep that log file?
 Physical security issues
 Single credentials and
employee monitoring
 Theft prevention and customer monitoring

System Privacy by Design, Privacy by Default
The Discussion of Privacy’s
and Info Gov’s Impact on
Development Begins Here
Source: Wikipedia
Not Here…!

The Intersectionof the SDLC,Information
Governance,and Privacy
 You design for security and governance; take one step further for privacy
by working with the Developers on their efforts:
 Impacting the Software Development Lifecycle (SDLC) early directly supports your
ability to make your technical environment secure and privacy compliant.
 Your developers’ data architecture designs and data transport layer designs may
directly impact your ability to secure them. Examples: Table layouts and designs vis-à-
vis encryption capabilities for PI-containing columns within the RDBMS.
 Irrespective of the SDLC that your company uses (e.g., Agile©), privacy is a key part of
the upfront planning and design phases as much as security and usability.

HPE Policy Based Secure ContentManagement
offering
Policy Based Secure Content Management
File &contentanalysis
ID
sensitive
data
PII, PCI,
PHI
ROT
Analysis
Enterprise
policy
application
Manage-
in-place
Classification
Security&
access
Redaction Retention Disposition
Data extraction& applicationretirement
Access Reporting
ID
sensitive
data PII,
PCI, PHI
Redaction
Data
masking
Encryption
Decryption

Complete Content Platform “Privacy by Design”
Analyse
Record
Repository
Classify
Data Repositories
Messaging
EmailFiles Read
SharePoint
Action
Applications
Data
Warehouses
Document
Management
Data ArchiveSocial
Media
Web
Content
Apply
Store
Eligible Records
Declare
Data
Encryption
Find Govern
Apply Retention
Rules
Compliance, Legal
Hold & Audit

Summary Points
 The Info Governancecapability is critical to privacy efforts. Withoutit, privacy operations would be
impossibleto conduct.
 Coordination and clarity between the CIO, theGC, Privacy, and the Info Gov. groups arerequired to meet
privacy obligations. No Person is an island where privacy isconcerned.
 Nolaws or regulations require“Superhuman” or “Extraordinary” information governanceor security
efforts. Thewords “Practical,” ”Reasonable,” “Industry-standard” arecommonly used. “Proactive” and “By
Design” are common themes, however.
 Many of the laws and regulations have similar, if not the same, technical, proceduraland administrative
security requirements. Leverage them.
 There are significantidiosyncrasies, even between U.S. States let alone across countries and industries.
Know what is applicable toyour organization. Ask your GeneralCounsel!(and they may not know…).
 PI can be in any number of differentrepositories. You’reresponsiblefor securing all of them according to
regulatory and legal jurisdictions; not justthe obvious data elements inside of the RDBMS.
 If there is incremental $ to spend on privacy and security, you may consider spending it on training and
communications for the employees.

Greg Reid, CEO
CIP, CIPP/US,CIPP/EU, CIPM,ACEDS/eDiscovery
Master of Jurisprudence: Information Security and Privacy
InFutureLLC
Gregory.Reid@InFutureLLC.com
https://www.linkedin.com/in/gregoryreid/
Rich Lauwers, Information Governance SME
Hewlett Packard Enterprise
Rich.Lauwers@hpe.com
+1 847.232.3566CST, Chicago
Thank You!

Take a look at what HPE has to offer www.hpe.com/software/scm
HPE GDPR Solutions https://www.hpe.com/us/en/campaigns/gdpr-compliance.html

#AIIMInformationIs Your MostImportant Asset.
Learn the Skills to Manage It.Information is your most important asset.
Learn the skills to manage it.

Data Privacy - Learn What It Takes to Protect Your Information

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Data Privacy - Learn What It Takes to Protect Your Information

Semelhante a Data Privacy - Learn What It Takes to Protect Your Information (20)

Mais de AIIM International

Mais de AIIM International (20)

Último

Último (20)

Data Privacy - Learn What It Takes to Protect Your Information