1. Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
The EU General Data Protection Regulation
and how Oracle can help
Niklas Hjorthen
CX Sales Executive
2. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle. Not
all technologies identified are available for all cloud services.
Disclaimer
The information in this document may not be construed or used as legal advice about the
content, interpretation or application of any law, regulation or regulatory guideline.
Customers and prospective customers must seek their own legal counsel to understand
the applicability of any law or regulation on their processing of personal data, including
through the use of any vendor’s products or services.
3. What does GDPR stand for?
General Data Protection Regulation
When will it be enforced?
May 25th, 2018
*Approved in April 2016
4. What is the aim of the GDPR?
1. Harmonize Data Privacy Laws across Europe
2. Protect and Empower all EU Citizens' Data Privacy
3. Reshape the Way Organizations Across the Region Approach Data Privacy
5. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
• Granting Data Subject Data Security • Granting Data Subject Rights
11/21/2017 Confidential – Oracle Highly Restricted 5
What is the GDPR all about?
Right to be Informed
1 2Right of Access
3Right to Rectification
4Right to Erasure
5Right to Restrict
Processing
6Right to Data
Portability
7Right to Object
8Right in Relation to
Automated Decision
Making and Profiling
Protect the Data
1 2Access Control
3Monitor, Block and
Audit
4Secure
Configurations
6. What if an Organization is not aligned with GDPR?
Under GDPR, organizations (both processors and controllers!) in breach of GDPR can be fined up to:
• 4% of annual global turnover
• €20 Million
(whichever is greater)
This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
7. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
• GDPR compliance requires a set of
coordinated actions by different
departments in every company.
• Requires the following coverage:
– Organization
– Legal and Contracts
– Information Technology
• Good technology can help to
achieve compliance
• Oracle provides technology that
– Defines sensitive data, discovers and tracks it
across its lifecycle, identifies risk situations
– Minimises data, eliminates redundancy and
duplication, improves data quality
– Masters and governs sensitive data, consents
and rules across all of the entrprise systems
– Implements business rules based checks
around sensitive data usage and enforces them
in all enterprise processes
– Improves confidentiality, security, integrity and
availability
– Mitigates security incidents
• Oracle can help put technology in
the right context
GDPR & Oracle technology
Confidential Oracle - i-Faber - Please DO NOT share outside of Oracle or i-Faber
8. A path towards GDPR – technology domains
Several Oracle products or security cloud services can help to achieve compliance to GDPR. We can help to:
1. Discover sensitive data with data governance solutions
2. Enforce data, software, identity security and policies
3. Govern sensitive data & enrich application functions with policy checks to guarantee rights of data subjects
4. Support a foundation that includes good IT practices, and high availability and resilience
Diagram: four quadrants (Discovery; Enforcement; Foundation; Governance & Enrichment) mapped to technology domains: Data Governance, Security, System, Storage, Policy Automation, MDM, Data Management, Manageability, Data Integration, Analytics
9. A path towards GDPR – tasks and activities
Diagram quadrants: Discovery; Enforcement; Foundation; Governance & Enrichment
• MAINTAIN (CREATE) A RECORD OF PROCESSING (A.30)
• DOCUMENT AND KEEP TRACK (A.24)
• DISCOVER SENSITIVE DATA; CREATE SYSTEMS AND SOFTWARE INVENTORY; APPLICATION AND DATA SCOPE IS AVAILABLE AND INCREMENTALLY DEFINED
• INTRODUCE SENSITIVE DATA GOVERNANCE, GDPR POLICIES ENFORCEMENT AND EVALUATE REQUIRED APPLICATION MODIFICATIONS (A.5-34)
• ENFORCE GOOD IT AND GOOD SECURITY ACROSS THE STACK (A.32, A.25)
• ADAPT INCIDENT RESPONSE PROCESS (A.33; A.34) AND COMPANY RISK PRACTICES INCLUDING DPIA (A.35)
• IMPLEMENT APPROPRIATE SECURITY MEASURES (A.32, A.25): ACCESS CONTROL; PROTECT THE DATA; MONITOR, BLOCK AND AUDIT; SECURE CONFIGURATION
• PERSONAL DATA INTEGRATION & ORCHESTRATION; PERSONAL DATA QUALITY GOVERNANCE; PERSONAL DATA SUBJECT CENTRAL MASTER (INCLUDING CONSENTS); DATA SUBJECT CONSENTS AND RIGHTS ENFORCEMENT - ENTERPRISEWISE
Notes:
Create a centralized record of processing, including all Systems, Software and Processes Inventory, plus additional info coming from security assessment. Data Glossary and Data Lineage can be incrementally updated with delta information. Metadata and Data Discovery are completely automatable.
10. A path towards GDPR – tasks and activities
Notes:
• Modernize identity management to guarantee authentication and authorization both for business users and IT personnel.
• Protect the data wherever it is (encryption, A.32) and avoid using real data where not necessary (A.5 and W.26).
• Collect, secure and analyze audit logs and implement boundary defenses.
• Secure configurations, remediate vulnerabilities, and control production baselines.
11. Oracle Security Solutions That Can Help Address GDPR
Oracle Product | Security Measure | Cloud | Short Description
Advanced Security | Protect the data | | Encrypt Oracle Databases transparently and redact sensitive application data.
Key Vault | Protect the data | | Securely manage encryption key lifecycle as well as passwords, certificates and more.
Data Masking and Subsetting | Protect the data | | Anonymize production data for testing and development environments.
Database Vault | Access controls | | Control privileged user access using least privilege and separation of duties enforcement.
Identity Cloud Service | Access controls | X | Manage identities from the cloud for hybrid access, authorization, authentication, provisioning, and SSO.
Identity Governance | Access controls | | Manage the identity lifecycle: user administration, privileged account management, and identity intelligence.
Access Management | Access controls | | IT asset protection and identity federation for multiple scenarios.
Directory Services | Access controls | | Manage large, fast read-write user directories.
Label Security | Access controls | | Allow individual data records to be labeled with metadata that describes the characteristics of the data, and then enforce access to those records based on the metadata.
Audit Vault and Database Firewall | Monitor, Block and Audit | | Centralized auditing, monitoring, reporting and alerting on anomalous database activity.
Security Monitoring and Analytics Cloud Service | Monitor, Block and Audit | X | Monitor security incidents across heterogeneous and hybrid cloud environments.
CASB Cloud Service | Monitor, Block and Audit | X | Discover unsanctioned cloud services and implement consistent security policies across sanctioned SaaS, PaaS, and IaaS environments.
Configuration and Compliance Cloud Service | Secure compliance | X | Implement and maintain continuous configuration and compliance for IT assets.
Enterprise Manager: Configuration Mgmt | Secure compliance | | Check that IT assets are properly installed and securely configured.
12. A path towards GDPR – tasks and activities
Notes:
• Batch/real-time integration with adapters to databases, applications and protocols. Complete business process automation across systems.
• Personal data profiling, continuous data auditing with contextual issue remediation, restructuring, repurposing, enrichment, and lineage. Data quality dashboards and case management to involve business users.
• Central Personal Data Master, including record cross-references, profile history, detailed consents and data subject request tracking.
• Natural-language-based rule checks vs. regulations and data subject consents and rights.
13. Oracle Core Solution Foundation for GDPR
• Data Integration & Orchestration: Integration Adapters, Data Mapping, Data Transformation, Data Movement
• Metadata & Data Discovery: Data Lineage, Data Dictionary, Metadata Management, Impact Analysis, Semantic Usage Analysis
• Policy Automation: Business Rules Modeling, Business Rules Execution (Business Users and Applications), Business Rules Monitoring and Impact Analysis
• Data Quality Governance: Data Profiling, Data Discovery, Data Assessment, Data Enrichment, Data Remediation, Data Standardization, Data Quality Case Management, Data Quality Dashboards
• Personal Data Master: Master Data Model & Extensibility, Data Consolidation, Data Validation, Data De-duplication, Data Enrichment, Data Sharing
Connected applications (shown on both sides of the diagram): Marketing, Sales, Service, Financials, HCM, E-Commerce, Supply Chain Mgmt
14. A path towards GDPR – parallelizable tasks
... You can start security projects as you go
• MAINTAIN (CREATE) A RECORD OF PROCESSING (A.30)
• DISCOVER SENSITIVE DATA; CREATE SYSTEMS AND SOFTWARE INVENTORY; APPLICATION AND DATA SCOPE IS AVAILABLE AND INCREMENTALLY DEFINED
• IMPLEMENT APPROPRIATE SECURITY MEASURES (A.32, A.25)
While you increment the scope...
• IMPLEMENT GOVERNANCE AND ENRICHMENT (A.5-A.34)
15. Establishing Oracle Core Foundation for GDPR (1)
• Principles relating to processing of personal data (A.5)
  – Specific, explicit, legitimate Purpose
  – Data minimisation vs. Purposes
  – Data Accuracy & Freshness
• Lawfulness of processing (A.6)
• Conditions for consent (A.7)
STEP 0 - Data Discovery & Quality Assessment
Diagram: Oracle CDM with Oracle EMM + EDQ – Discover, Identify, Profile & Catalogue; Verify, Remediate & Enrich; Standardize & Repurpose; Map & Load
• Personal Master Definition
16. Establishing Oracle Core Foundation for GDPR (2)
• Right to be informed (A.12)
• Right of access by the data subject (A.15)
• Right to rectification (A.16)
• Right to data portability (A.20)
STEP 1 - Data Consolidation
Diagram: Oracle CDM (Consolidation MDM Style) with Oracle EMM + EDQ and Oracle Data Integration
• Access to Profile
• Rectification of Profile
• Consents & Retention Management
• Requests (erasure, restriction, portability)
• Master Data Subject Profile
• Profile History
• Consents (with History)
• Restrictions (with History)
• Retention (with History)
• Requests (with History)
• Data Sources
17. Establishing Oracle Core Foundation for GDPR (3)
• Right in relation to Automated decision-making & profiling (A.22)
• Right to rectification (A.16)
• Right to restriction of processing (A.18)
STEP 2 – Backward Integration
Need process-based data propagation!!!
Diagram: Oracle CDM (Transactional MDM Style), OPA, Oracle EMM + EDQ, Oracle Data Integration
• Master Data Subject Profile
• Profile History
• Special Categories
• Consents (with History)
• Restrictions (with History)
• Retention (with History)
• Requests (with History)
• Data Sources
• Usage check
• Data retention check
• Special cases check
18. Establishing Oracle Core Foundation for GDPR (4)
• Notification obligation
  – when personal data collected from the data subject (A.13)
  – when personal data have not been obtained from the data subject (A.14)
  – regarding rectification or erasure of personal data or restriction of processing (A.19)
• Responsibility of the controller (A.24)
STEP 3 – Integration Extension
Needs BPM
Diagram: Oracle CDM (Transactional MDM Style), OPA, Oracle EMM + EDQ, Oracle Data Integration, 3rd Party System
• Master Data Subject Profile
• Profile History
• Special Categories
• Consents (with History)
• Restrictions (with History)
• Retention (with History)
• Requests (with History)
• Data Sources
• 3rd Parties
• Usage check
• Data retention check
• Special cases check
• Data sharing check
19. Establishing Oracle Core Foundation for GDPR (5)
• Processing of special categories of personal data (A.9)
• Right to rectification (A.16)
• Right to object (A.21)
• Right to erasure ('right to be forgotten') (A.17)
• Right to restriction of processing (A.18)
STEP 4 – Integration Extension
Needs BPM
Diagram: Oracle CDM (Transactional MDM Style), OPA, Oracle EMM + EDQ, Oracle BPM, 3rd Party System
• Master Data Subject Profile
• Profile History
• Special Categories
• Consents (with History)
• Restrictions (with History)
• Retention (with History)
• Requests (with History)
• Data Sources
• 3rd Parties
• Usage check
• Data retention check
• Special cases check
• Data sharing check
• Erasure check
20. Oracle Solution for GDPR - Differentiators
1. Leader in Security and good IT for many years
2. Standard-based, Open & Modular Solution with many Adapters to Systems, Databases & Applications
3. Maximum Availability Architectures
4. Best in class Security Solutions, starting with Security on Silicon
5. Complete Personal Data Governance Solution, from Discovery to Govern
6. Ability to perform both Metadata and Data Discovery
7. Easy, Quick, Affordable Personal Data Master to consolidate the best-version person record and consents
8. Business Oriented business rule engine working with Natural Language, providing web services and business user UI for rule check
9. Oracle Best Practices for GDPR Solution Implementation
10. Smooth and Phased Approach, with minimal initial impact on existing systems and operations
Editor's Notes
This is a GDPR presentation approved to be used in public. Since it is meant to be XLOB there is more flexibility embedded. You must follow these rules:
• No slides can be added
• Some slides can be hidden; check the instructions on each single slide
• Delete these yellow boxes
• Retrieve the updated version if your copy is older than two months (we will give self-service instructions later; for the moment send an email to alessandro.vallega@oracle.com)
• The content of the yellow boxes is copied in the instructions; ask for the presentation training material (to be produced by June 2018)
• This version is valid until June 30, 2018
Mandatory slide. You can put in bold the name of the organization that you represent. This slide must not be deleted.
If you do not feel comfortable with the animations, remove them. Do not remove the slide. We put all our products in this framework. If you do not feel comfortable with the rightmost text, remove it, unless you work in security. If you work in security you should be able to comment on it.
Optional, but it is better not to remove this slide because consulting companies are working on the blue activities, assessments and policy/procedures. If we wait for them to finish their job, our customer and we will lose 6 months.
Optional and you can change the call to action.