This session is about how to implement any privacy program in any organization - big or small - the foundational step is to understand what Personal Data an organization deals with, where it lies, how it flows (within & outside the organization), who does what with that data, what are the underlying assets involved, etc. Without this foundation, the organization cannot build the necessary controls required to implement and manage Privacy. However, this is not an easy probem to address. This session does a deep dive into the challenges faced, the methodologies used and tools that can be employed to build AND sustain an organization's data map.
How to Troubleshoot Apps for the Modern Connected Worker
(SACON) Ramkumar Narayanan - Personal Data Discovery & Mapping - Challenges faced, Methodologies & Tools employed
1. SACONSensitivity: Internal & Restricted
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
Personal Data Discovery &
Mapping
#SACON
Ramkumar Narayanan
Wipro Limited
Practice Partner – Data Privacy
2. SACON 2020
Sensitivity: Internal & Restricted
1. Challenges in Building Data Map
2. Approach & Methodologies for Data Mapping
3. Tools & Technologies for Data Mapping
4. Sustenance of Data Mapping & Data Inventory
5. Case Studies
Agenda
4. SACON 2020
Sensitivity: Internal & Restricted
In a world of hyper connected ecosystem
✓ Personal data is generated and captured across
multiple channels.
✓ Personal data is proliferated across different
infrastructures and platforms.
Enterprise Storage Systems
Databases End Points
Cloud Unstructured
Data
✓ Personal data is being used and shared by many.
Organizations are unable to follow the footprint of data to apply required controls to protect personal data.
5. SACON 2020
Sensitivity: Internal & Restricted
The foundational step in data protection journey is to understand the
lifecycle of personal data
Understanding the flow of personal data in an enterprise is critical and is easier said than done.
6. SACON 2020
Sensitivity: Internal & Restricted
Need for data mapping and creating an inventory of personal data
• A data inventory is a record of the data flows and assets that an organization handles and a data map is a visual representation of the data
inventory. It is generated based on the same underlying data inventory, and the maps may contain varying degree of detail.
GDPR Requirements
Article 30 of GDPR requires data
controllers and data processors to build
and maintain a record of their data
processing activities.
01
Privacy Statements
To make privacy statements accurate
based on what the organization is doing
with the personal data.
Individual Rights Management
Data Privacy regulations gives individuals the ability
to request to correct, port, access and delete the
data organizations have about them.
02
04
Data Breach Preparation & Response
Having a data map can help respond more
appropriately to data breach and understand
what data may have been exposed.
05
Security
Understanding where the personal data
is located and flowing is the first step to
understand the security risks which
allows to implement appropriate
safeguards to be put in place.
03
Building a data inventory and map can help organizations proactively manage and protect personal data.
7. SACON 2020
Sensitivity: Internal & Restricted
However there are some challenges in building a data map
Challenges in
Building a Data
Map
Poor Information Available
Lack of Precision &
Expertise
Time Consuming
Outdated Quickly
Poor Information Available
Lack of knowledge available within the various business
teams in an enterprise about the data flows
Lack of Precision & Expertise
The accuracy of data mapping depends on how
comprehensive it is. It must account for things like
mobile devices and cloud based applications etc..
Time Consuming
Building data maps through an interview based
approach is time consuming.
Outdated Quickly
Data mapping patterns need to be constantly
updated, evaluated and verified for quality. If not it
becomes obsolete very quickly.
Need for an automated approach for data mapping & inventory
9. SACON 2020
Sensitivity: Internal & Restricted
In order to build a data map and inventory, start with an understanding of
the 5W’s of personal data
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” – Sun Tzu, The Art of War
• are we?
(Controller or
Processor)
• are our data
subjects?
(Customers /
Employees etc.)
• are the categories
of recipients to
whom data will be
disclosed?
• do we keep their
personal data?
(Databases, File
Servers, Cloud
storage etc.)
• do we transfer their
personal data to?
(Jurisdictions)
• is personal data
under our control?
(purpose for which
data is collected and
stored)
• are we keeping the
personal data until?
(Retention Period)
• do we share
personal data with
others (Partners,
Regulators,
Governement
authorities etc.)
• data types are
involved in the
processing?
• jurisdictions are
involved in the
processing?
• technical security
measures and
organizational
security measures
do we have to
safeguard the
personal data?
WHO WHERE WHY WHEN WHAT
10. SACON 2020
Sensitivity: Internal & Restricted
There are 2 approaches to do data mapping in an enterprise
Top-Down Approach
QUESTIONNAIRE
INTERVIEWS
BUSINESS
PROCESS
DATA
ELEMENTS
DATA
DATA SOURCES
DATA
CLASSIFICATION
Bottom-Up Approach
DATA
ELEMENTS
DATA
DATA
DISCOVERY
11. SACON 2020
Sensitivity: Internal & Restricted
Leverage a combination of Top Down and Bottom Up approach for
building the data map and data inventory
Identify purpose of processing
(Example Customer Support,
Billing, Charge Calculation,
Marketing Research, Credit Check,
Goods & Services, Statistical
Analysis etc.
7 81 2 4 53 6
Identify Business Unit data
mapping owners from each of
the Business Units like Finance,
Consumer, Technology, Retail,
HR, Enterprise, Consumer
Operations etc.
Identify key stakeholders from each
business unit that have information
on the processing activities in each
purpose of processing
Capture information on the source
and location of personal data using
personal data discovery solutions,
the entry point for personal data,
format in which data is stored, where
is it getting stored, countries in which
it is getting stored, locations from
which it is accessed and to whom it
is being disclosed, retention etc.
Manage the data inventory and
data mapping in a Privacy
Management Platform or a GRC
solution to keep it alive in an
ongoing manner.
Identify Business Processes such
as customer acquisition,
Provisioning & Welcome, Customer
service, Billing, Collection &
Retention, Terminate, Recruitment,
Hiring, Pre-On-boarding, Post-
joining, Retire / Exit etc.
Conduct data mapping interviews to
Identify the categories of data
subjects (Consumer, Enterprise
customer, Subscriber, Employees
etc.) and sub categories of personal
data (Recruitment data, account
data, call data, location data, device
data etc.) processed
Document data maps & Validate
data flow and sign off on the
personal data inventory.
14. SACON 2020
Sensitivity: Internal & Restricted
Automate the discovery of personal data in the enterprise
Data Discovery throughout the enterprise is easier said than done.
Data
Discovery
Personal Data Discovery
• Personal Data Discovery solutions
searches for personal data across the
enterprise and cloud and correlates them
to the identities. It relies on data values
and context to find primary and related
or connected data.
Types of Data Sources
• Structured Data Sources (Oracle,
MySQL, MSSQL, Redshift etc.
• Semi-Structured Data Sources
(Cassandra, MongoDB etc.)
• Unstructured (Google Drive, OneDrive,
O365, SharePoint, Salesforce etc.
PII Data Discovery
• PII Data Discovery solutions helps you
find Personally Identifiable Information
(PII) on enterprise systems based on
data values and data patterns (regular
expressions).
Types of Data Sources
• Structured
• Unstructured
15. SACON 2020
Sensitivity: Internal & Restricted
PII Data Discovery – Approach & Methodology
Challenges in PII Data Discovery
1. False Positives – Time consuming to eliminate them.
2. Discovery Output – Discovery output is what type of data, but not whose data it is.
3. Continuous Compliance – Compliance requirements are continuous and hence one time scans not sufficient.
PII Data Discovery Tools
16. SACON 2020
Sensitivity: Internal & Restricted
Personal Data Discovery – Approach & Methodology
• Personal Data Discovery solution is pointed to examples of whatever identity data being discovered.
• System uses seed data as learning set to then scan other data sources, initially looking for learned data and then other nearby data with high correlation
back to identities. The system then reiterates on this, building a map of individual’s data across all kinds of data sources ranging from database to file
share, to mainframe to Hadoop to SAP to cloud etc.
Agentless
Any data type
Cloud
Mine Machine Manage
API
Reporting
Analysis
Machine Learning
driven correlation
Personal Data Discovery Tools
17. SACON 2020
Sensitivity: Internal & Restricted
Tools Used for Data Mapping
Usage
Storage
Transfer
Archival
RetentionCollection
Collection
Purge
A visual representation of the end-to-end data
flows of personal information processing
activities identified across the enterprise.
Data Mapping Tools
18. SACON 2020
Sensitivity: Internal & Restricted
Create a “Single Source of Truth” for Personal Information Processing
Business units
/ functions
Business
process
Contracts
Supplier / 3rd party
vendor
PII processing
activity records
PII
Country Contacts Assets
Comprehensive Privacy Reporting
GRC Platform /
Privacy Management
Platform
Privacy
Governance
Alerts &
Notifications
Workflows
Metrics &
Reporting
Privacy Incident
Management
Breach
Notifications
DPO Report System / App Report Top 100 DB Report BU / Function ReportPIA Report
Privacy impact
Assessment(s)
Vendor Privacy
Questionnaire
Data Discovery
Scanning Feeds
Privacy
audits
Inventory Framework
• A comprehensive, accurate
and sustainable source of
information regarding the PII
that an enterprise holds, with
details of its collection, use,
disclosure, retention and
disposal
• Demonstrate compliance to
wider Privacy legal and
regulatory requirements with
the data privacy inventory
20. SACON 2020
Sensitivity: Internal & Restricted
Keep Your Data Map & Data Inventory Current
Integrate & Automate PIA / DPIA
process into Data Inventory
PIA / DPIA Integration
Conduct periodic audits to
ensure data flows remain up to
date. Re-audit certain data
flows or applications on a
different time scale.
Automate Audits
Leverage data discovery solutions to
dynamically populate the inventory
based on discovery scan output.
Ongoing Data Discovery
Get attestation of records in
data inventory by the record
owner
Record Attestation
Feed the ongoing vendor
assessments into the
inventory
Ongoing Vendor
Assessments Leverage technology to
automate the data flow
maps dynamically.
Update Visual Maps