Learn what the EU Global Data Protection Regulation means for your business – Carrot or Stick its your choice but with fines of €20m or up to 4% of Global Revenue (whichever is the larger) being applied for every data breach and every data mis-use after May 2018 the carrot is the better option. Are you aware? Are you prepared? Do you comply? To book a free non sales consultation about GDPR with Ian West contact us enquiry@digitalenterprisefest.com

1. © 2016 Cognizant
© 2017 Cognizant
Confidential
The Big Scary Thing! - How the EU General Data
Protection Regulation (GDPR) will affect your
business!
Ian West – Head of Digital Information Innovation

2. © 2016 Cognizant
Confidential
2
A few teaser questions to ease you in:
• Do you remember the Millennium Bug?
• Have you already heard about GDPR?
• What is the significance of 25th May 2018?
• Would fines of €20m, or 4% of your global revenue, whichever
is the higher damage your company?
• Does your business have customers?
• Does your company buy things from suppliers?
• Does your organisation employ people?
• Is Data Privacy designed in at source into everything you do?
• Have you heard about BREXIT?

3. © 2016 Cognizant3
“If you have European
residents as contacts,
customers, partners,
suppliers or employees,
you are affected”
INDIVIDUAL
RIGHTSGDPR
OBLIGATIONS ENFORCEMENT
OTHERS
FACTORS
SCOPE
GDPR | Overview – why should you listen

4. © 2016 Cognizant
Client Confidential

5. © 2016 Cognizant
Confidential
3
GDPR Introduction
3

6. © 2016 Cognizant6
Are you aware of the type of personal data you are holding?
GDPR
impacts
the
collection
and use of
Personal
Data

7. © 2016 Cognizant
Confidential
What's driving GDPR?
TECHNOLOGY SHIFT
CUSTOMER SHIFT COMPETITOR SHIFT
WORKFORCE SHIFT
28 Billion
connected
devices by
2020
:IDC
Manufacturing
stands top followed
by Healthcare and
public services
:Gartner
IoT to add 10-
15 Trillion to
Global GDP
:GE
By 2025, global
GDP Impact of
IoT will be 11
Trillion
:McKinsey
Google acquired Nest Labs, a smart thermostat maker for $3.2 billion
Samsung took over SmartThings, a connected home expert for $200 million

8. © 2016 Cognizant
Confidential
Threat or Opportunity?
Benefits
Automated processing / re-engineering
Customer on-boarding
IT and/or Back office rationalisation
New business lines / models
Single customer view / Next Best Action
Connected devices / Internet of Things
Customer loyalty
Customer experience
Customer centricity
Cost Reduction
Digital Transformation
Client Centricity
Risks
Future cost of compliance
Complex, costly remediation activities
How secure does it have to be?
Sanctions
4444
Up to 4% of revenue fines
Cessation of data flows
Loss of licence to conduct business
Reputational damage
Loss of customer confidence
Loss of market share to competition
Drop in share price

9. © 2016 Cognizant
Confidential
Barriers to consumer confidence
https://tbgsecurity.com/wordpress/wpcontent/uploads/2016/01/World-biggest-data-breaches-2015.png
Disclosure in error - 700 data subjects
Fined £180,000 by the ICOCyber breach - 157,000 customers - Fined £400,000 by the ICO

10. © 2016 Cognizant
Confidential
10
A simple example of how easily a breach can happen
The Lord - Baron John Prescott
Deputy Prime Minister from 1997 to 2007
Right Honourable Labour MP for Hull East

11. © 2016 Cognizant
Confidential
11
GDPR - Legislation
7

12. © 2016 Cognizant
Confidential
More explicit rights for data subjects Transparent demonstration of
fulfilment of accountabilities
The Legislation
• Personal & Sensitive Data
• to be told what data you have about them
• to request a copy, or for it to be deleted
• to demand to be corrected
• Processing
• to know how you are processing their data and
under what consent
• Security
• from unauthorised or unlawful processing
• from accidental loss, destruction or damage
• Transparently demonstrate personal data is captured
and managed in a controlled, lawful and fair manner
• Respond quickly to data subject rights requests
(within 72 hours)
• Ensure personal and sensitive data is secure
• Ensure appropriate agreements in place for transfer
to 3rd countries or international organisation
• Demonstrate active senior involvement and
appropriate governance mechanisms are in place
• React quickly and effectively in the event of data
breaches or failure to execute data subjects rights
Companies need to know where PII data is, why they have it, how they’re using it, who is accessing it, how they’re protecting
it … AND be able to demonstrate it to an external Regulator…

13. © 2016 Cognizant
Confidential
13
GDPR – The Legislation |Territorial Variances
Forrester, Source: US Department of Commerce and country specific legislation
• GDPR is an overarching regulation for organisations inside and/or outside of the EU that process EU citizen data
• it does not supersede national laws, it adds to them
• sector specific regulations also need to be considered
• the heat map below provides an overview of national laws, globally

14. © 2016 Cognizant
Confidential
Typical Client responses
Ignore
and increase risk of
considerable fines; loss
of customer confidence…
Project
mode
embarked upon to
appease immediate
buzz around the
panic
Adopt good
practice
and embed
sustainable, robust
processes for ongoing
compliance
Embrace
the intention of
consumer
confidence to
support brand and
build on-line/ digital
presence
Leverage
the opportunity by
adopting best
practice to move
along the digital
journey: single view
of the customer;
market
segmentation;
differentiate
services …
Maturity

15. © 2016 Cognizant
Confidential
A Typical Timeline - “GDPR is a journey that doesn’t stop in May 2018”
15
 Allocate DPO
responsibility
 Gap
Assessment
 Prioritise
and Plan
 Ensure budget
/ Sponsorship
 Information
Inventory
Oct Nov Dec
 GDPR
Readiness
Assessment
2016
Data Governance
Subject Right Processes
Data Protection
Jan Mar
Protect Workflows
2017
Preserve Workflows
Containment & Recovery
Breach Reporting
Continuous Improvement
Mobilisation&
Enablement
Dec
Detailed
Planning
Design -----------Build --------------Test --------- Accept
2018
Training&Awareness
May
GDPR
enforcement date
Prepare Implement Train/ Maintain
Based on the ICO recommended timeline.
Your journey will be different, but we believe there is
still sufficient time to establish a defensible position…

16. © 2016 Cognizant
Confidential
16
Cognizant’s Approach
14

17. ‹#› © 2016 Cognizant17
GDPR
GDPR Compliance Requires a 360° Perspective
GDPR impacts the enterprise
 GDPR is an enterprise wide business problem and it requires enterprise solutions
 Approached in the right way, GDPR will allow organisations to build trust with its customers/ stakeholders and
positively differentiate within the digital age
Fragmented Approach
 GDPR requires a 360 degree perspective and organisations that approach GDPR from a single view point are liable
to an increased risk exposure
 There are over 20 defined areas to the GDPR, all of which require a distinct solution
 Cognizant has a comprehensive framework that covers all the required GDPR areas and which can be traced back
to each individual component of the legislation
There is no silver bullet to GDPR
 GDPR is the most complex piece of regulation in recent times and impacts everybody
 The depth and breadth of activity required to demonstrate and maintain compliance is significant
 There is no single solution to GDPR
GDPR aims to protect the personal data of EU residents and not just secure it.
There is no single solution for GDPR due to its complex remit and enterprise-wide impact.

18. © 2016 Cognizant18
GDPR | There is no silver bullet
• Data Quality
• Data Governance
• Master Data
Management
• Metadata Management
PEOPLE
PROCESS
TECHNOLOGY
INFORMATION
• Data Security
• Data Protection
• Data Loss Prevention
• Categorization
• Retention / Archiving
• Sensitivity Classification
• Digital Rights Management
• Business Process Change
• Change Management
• Etc…
• Governance
• Policy
• Audit
• Education and Awareness Information governance, data
ownership and quality
management
Cultural shift to data protection by
everybody - with defined rules and
responsibilities
Improved processes to respond to
data subject rights and manage
data processing
Technology to monitor activities
and deliver forensic detection
Hitting these 4 dimensions
enhances consumer confidence…

19. © 2016 Cognizant19
Cognizant’s Approach
Internal engagement
• Identify key sponsorship and internal
stakeholders
• Engage with 3rd parties
• Appoint DPO where required
Assessment
• Initial risk assessment of exposure
• Detailed analysis across People,
Processes, Data and Technology
against good practice.
Planning
• Prioritisation
• Road mapping
Execution of process changes
• Data subject requests
• Consent
Good Data Governance
• Data architecture
• Data quality
• Data transparency
Protection
• Privacy by design
• Security
Demonstrating accountability
• Governance
• Management
• Audit
Containment and recovery
• Immediate response to suspected
non-compliance issues
Assessment of impact and risk
• Penalties and reputation
Breach Reporting
• Fulfilling regulatory obligations
Evaluation and Response
• Root Cause Analysis
Continuous Improvement
• Periodic reviews
• New developments
PRESERVEPREPARE
Implement Intervene
Improve
PROTECT

20. ‹#› © 2016 Cognizant20
Cognizant’s Four Dimensional GDPR Framework
People:
Governance
and Oversight
Process:
Consent and
Rights
Data:
Data
Management
and Security
Technology:
Data
Architecture
Assessments/
Deep Dives
Journey
mapping and
data analysis
Delivery
mobilization,
execution and
oversight
Organizational
design covering
people and
processes
Technology
enablement
Tools and
Accelerators
We are currently working with clients across
various stages of GDPR implementation
We are on our own compliance journey,
applying the changes required for GDPR
through a digital lens
GDPR Assistance Services
GDPR
Readiness
Framework

21. ‹#› © 2016 Cognizant21
Cognizant’s GDPR Compliance Solutions Suite
Assessments to demonstrate “Privacy by Design” across geographies using assisted automation
Current scenario assessment,
compliance gap analysis &
roadmap
Readiness Assessment
Data governance best
practices, policies, data
stewardship, change
management and
communication
Data Governance Advisory
Data discovery, accuracy,
classification & lineage
identification
Personal Data Maps
Data security solution
deployment across data at
rest and in motion
360° Secured Data
Automated monitoring and
notification system for security
breaches
Breach Assist
Technology implementation
to manage data subject
consent, subject access and
rights
Rights & Consent Manager
Policy and contract
repository for maintaining
audit trails of personal data
usage
Legal Warehouse
Consulting and Implementation Program
PRIVACY IMPACT ASSESSMENT

22. © 2016 Cognizant
The 5 golden keys
22
1 – Know where your
personal information
is located, who is
using it, for what
purpose and how it is
being protected
4 - Educate
your personnel
3 – Review and
manage your
Security and
Privacy Policies
and review all
relevant 3rd party
contracts
5 - Formulate
a defensible
position
2 - Modify your processes
Consent, subject access
requests

23. © 2016 Cognizant
Confidential
Are you ready for Action?
Understand your exposure and opportunity
Pick the right partners and build a plan
Create a defensible position




24. © 2016 Cognizant
Confidential
24
Summary
• 25th May 2018 is 56 weeks away
• GDPR is coming whether you like it or not – so start getting ready
now!
• Unlike Year 2000, GDPR is not a one off IT problem, it’s a Business
Issue and its for life – just like a Puppy and it will **** on your carpet
unless you take the necessary precautions
• GDPR is not just for Big Companies because Big Companies will not
use the services of Small Companies unless they can prove they are
taking Data Privacy seriously
• The fines for getting GDPR wrong are very large - €20m or 4% of
your global revenue, whichever is the higher!
• It doesn’t matter that you are a sub contractor to a client organisation.
You may come into contact with the personal data they control and
that makes you a Processor and equally culpable.
• GDPR requires Data Privacy to be designed in at source.

25. © 2016 Cognizant
Client Confidential
……… It’s a matter of perception and delivery

26. © 2016 Cognizant
Confidential
26
Ian West
Ian.West@cognizant.com
uk.linkedin.com/in/ianwest1
twitter.com/IanWest12

27. © 2016 Cognizant
Confidential
27
Appendix
14

28. © 2016 Cognizant
Confidential
28
GDPR - The Legislation | How will it affect you?
Consider your information chains/flows:
• understand who is the Controller - or if there is a joint Controller setup
• understand who your Processors are - and whether any Sub-Processors are involved
Ask yourself the following:
1. Do you know where personal and sensitive data is stored and who has access to it?
2. Do you perform any profiling, or automated decision making, about individuals?
3. Have you the right to hold and process an individual’s data and can you prove that?
4. Is any of your data shared outside of the EU?
5. Can you provide auditable evidence of usage and processing?

29. © 2016 Cognizant
Confidential
29
GDPR – Cognizant’s View | Controller/Processor scenarios
Responsibilities Internally hosted Externally hosted
Controller
(Accountable)
• Full responsibility
• Data protection by design
…and by default
• Codes of Conduct
• Data Protection Impact
Assessment
• EU Representation
• Data Protection Officer (DPO)
• Cooperation
• Record Processing
• Security
• Notify
e.g. internal HR systems, shared service platforms,
CRM data on individual laptops
• identify data sources
• review GDPR readiness (data, process, security)
• set-up new data subject rights processes
• implement new governance/management / CoC /
technology
e.g. HR/Payroll cloud services, Salesforce.com
• identify data sources
• review service/contracts to ensure ability of 3rd
party to comply.
• set up 3rd party auditing verification
Processor
(Obligated)
• Guarantees and safeguards
• Cooperation
• Record Processing
• Security
• Notify
e.g. credit data (Experian / Equifax), debt history, etc.
• identify key client data services
• review service/contracts to understand exposure
• review GDPR readiness (data, process, security)
• Implement new ways of working (data, process,
technology)
• communications plan to existing data service
clients
• renegotiation/reassurance of existing service
• internal awareness for communications to clients
e.g. client services you’re processing held on AWS
• identify key client data services subcontracted out
• review service/contracts to ensure ability of 3rd
party to comply.
• set up 3rd party auditing verification
• communications plan to existing data service
clients
• renegotiation/reassurance of existing service
• internal awareness for communications to clients

30. © 2016 Cognizant30
The next steps
Comprehensive Coverage Confidence through traceability Underpinned by Solutions