SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur

(SACON) Ramkumar Narayanan - Personal Data Discovery & Mapping - Challenges faced, Methodologies & Tools employed

To implement a privacy program in any organization, big or small, the foundational step is to understand what personal data the organization deals with, where it lies, how it flows (within and outside the organization), who does what with that data, what underlying assets are involved, etc. Without this foundation, the organization cannot build the controls required to implement and manage privacy. However, this is not an easy problem to address. This session does a deep dive into the challenges faced, the methodologies used and the tools that can be employed to build AND sustain an organization's data map.


  1. SACON International 2020 | India | Bangalore | February 21 - 22 | Taj Yeshwantpur
     Sensitivity: Internal & Restricted
     Personal Data Discovery & Mapping #SACON
     Ramkumar Narayanan, Wipro Limited, Practice Partner – Data Privacy
  2. Agenda
     1. Challenges in Building Data Map
     2. Approach & Methodologies for Data Mapping
     3. Tools & Technologies for Data Mapping
     4. Sustenance of Data Mapping & Data Inventory
     5. Case Studies
  3. Challenges in Building Data Map
  4. In a world of hyper connected ecosystem
     ✓ Personal data is generated and captured across multiple channels.
     ✓ Personal data is proliferated across different infrastructures and platforms (Enterprise Storage Systems, Databases, End Points, Cloud, Unstructured Data).
     ✓ Personal data is being used and shared by many.
     Organizations are unable to follow the footprint of data to apply the controls required to protect personal data.
  5. The foundational step in the data protection journey is to understand the lifecycle of personal data
     Understanding the flow of personal data in an enterprise is critical and is easier said than done.
  6. Need for data mapping and creating an inventory of personal data
     • A data inventory is a record of the data flows and assets that an organization handles, and a data map is a visual representation of the data inventory. It is generated based on the same underlying data inventory, and the maps may contain varying degrees of detail.
     • GDPR Requirements: Article 30 of GDPR requires data controllers and data processors to build and maintain a record of their data processing activities.
     • Privacy Statements: To make privacy statements accurate based on what the organization is doing with the personal data.
     • Individual Rights Management: Data privacy regulations give individuals the ability to request to correct, port, access and delete the data organizations have about them.
     • Data Breach Preparation & Response: Having a data map can help respond more appropriately to a data breach and understand what data may have been exposed.
     • Security: Understanding where the personal data is located and flowing is the first step to understanding the security risks, which allows appropriate safeguards to be put in place.
     Building a data inventory and map can help organizations proactively manage and protect personal data.
  7. However there are some challenges in building a data map
     • Poor Information Available: Lack of knowledge available within the various business teams in an enterprise about the data flows.
     • Lack of Precision & Expertise: The accuracy of data mapping depends on how comprehensive it is. It must account for things like mobile devices and cloud based applications etc.
     • Time Consuming: Building data maps through an interview based approach is time consuming.
     • Outdated Quickly: Data mapping patterns need to be constantly updated, evaluated and verified for quality. If not, the data map becomes obsolete very quickly.
     Need for an automated approach for data mapping & inventory
  8. Approach & Methodologies for Data Mapping
  9. In order to build a data map and inventory, start with an understanding of the 5W’s of personal data
     “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” – Sun Tzu, The Art of War
     WHO
       • are we? (Controller or Processor)
       • are our data subjects? (Customers / Employees etc.)
       • are the categories of recipients to whom data will be disclosed?
     WHERE
       • do we keep their personal data? (Databases, File Servers, Cloud storage etc.)
       • do we transfer their personal data to? (Jurisdictions)
     WHY
       • is personal data under our control? (purpose for which data is collected and stored)
     WHEN
       • are we keeping the personal data until? (Retention Period)
       • do we share personal data with others? (Partners, Regulators, Government authorities etc.)
     WHAT
       • data types are involved in the processing?
       • jurisdictions are involved in the processing?
       • technical security measures and organizational security measures do we have to safeguard the personal data?
  10. There are 2 approaches to do data mapping in an enterprise
     • Top-Down Approach (diagram labels): QUESTIONNAIRE, INTERVIEWS, BUSINESS PROCESS, DATA ELEMENTS, DATA, DATA SOURCES, DATA CLASSIFICATION
     • Bottom-Up Approach (diagram labels): DATA ELEMENTS, DATA, DATA DISCOVERY
  11. Leverage a combination of Top Down and Bottom Up approach for building the data map and data inventory
     • Identify purpose of processing (Example: Customer Support, Billing, Charge Calculation, Marketing Research, Credit Check, Goods & Services, Statistical Analysis etc.)
     • Identify Business Unit data mapping owners from each of the Business Units like Finance, Consumer, Technology, Retail, HR, Enterprise, Consumer Operations etc.
     • Identify key stakeholders from each business unit that have information on the processing activities in each purpose of processing.
     • Capture information on the source and location of personal data using personal data discovery solutions: the entry point for personal data, the format in which data is stored, where it is stored, the countries in which it is stored, the locations from which it is accessed, to whom it is disclosed, retention etc.
     • Manage the data inventory and data mapping in a Privacy Management Platform or a GRC solution to keep it alive in an ongoing manner.
     • Identify Business Processes such as Customer Acquisition, Provisioning & Welcome, Customer Service, Billing, Collection & Retention, Terminate, Recruitment, Hiring, Pre-On-boarding, Post-joining, Retire / Exit etc.
     • Conduct data mapping interviews to identify the categories of data subjects (Consumer, Enterprise customer, Subscriber, Employees etc.) and sub categories of personal data (Recruitment data, account data, call data, location data, device data etc.) processed.
     • Document data maps, validate the data flow and sign off on the personal data inventory.
  12. Tools & Techniques for Data Mapping
  13. Data Flow Mapping Techniques
     • Inspect existing documents
     • Observation
     • Questionnaire
     • Post-it Notes
     • Template drawings
     • Facilitation Workshops
     • Whiteboard – Freeform Diagrams
  14. Automate the discovery of personal data in the enterprise
     Data Discovery throughout the enterprise is easier said than done.
     Personal Data Discovery
       • Personal Data Discovery solutions search for personal data across the enterprise and cloud and correlate it to identities. They rely on data values and context to find primary and related or connected data.
       • Types of Data Sources: Structured (Oracle, MySQL, MSSQL, Redshift etc.); Semi-Structured (Cassandra, MongoDB etc.); Unstructured (Google Drive, OneDrive, O365, SharePoint, Salesforce etc.)
     PII Data Discovery
       • PII Data Discovery solutions help you find Personally Identifiable Information (PII) on enterprise systems based on data values and data patterns (regular expressions).
       • Types of Data Sources: Structured; Unstructured
  15. PII Data Discovery – Approach & Methodology
     Challenges in PII Data Discovery
       1. False Positives – Time consuming to eliminate them.
       2. Discovery Output – Discovery output is what type of data, but not whose data it is.
       3. Continuous Compliance – Compliance requirements are continuous and hence one-time scans are not sufficient.
     PII Data Discovery Tools
  16. Personal Data Discovery – Approach & Methodology
     • The Personal Data Discovery solution is pointed to examples of whatever identity data is being discovered.
     • The system uses seed data as a learning set to then scan other data sources, initially looking for learned data and then other nearby data with high correlation back to identities. The system then iterates on this, building a map of an individual’s data across all kinds of data sources ranging from database to file share, to mainframe to Hadoop to SAP to cloud etc.
     Diagram labels: Agentless, Any data type, Cloud, Mine, Machine, Manage, API, Reporting, Analysis, Machine Learning driven correlation
     Personal Data Discovery Tools
  17. Tools Used for Data Mapping
     Lifecycle stages shown: Collection, Usage, Storage, Transfer, Archival, Retention, Purge
     A visual representation of the end-to-end data flows of personal information processing activities identified across the enterprise.
     Data Mapping Tools
  18. Create a “Single Source of Truth” for Personal Information Processing
     Diagram labels: Business units / functions, Business process, Contracts, Supplier / 3rd party vendor, PII processing activity records, PII, Country, Contacts, Assets; Comprehensive Privacy Reporting; GRC Platform / Privacy Management Platform; Privacy Governance, Alerts & Notifications, Workflows, Metrics & Reporting, Privacy Incident Management, Breach Notifications; DPO Report, System / App Report, Top 100 DB Report, BU / Function Report, PIA Report; Privacy Impact Assessment(s), Vendor Privacy Questionnaire, Data Discovery Scanning Feeds, Privacy audits; Inventory Framework
     • A comprehensive, accurate and sustainable source of information regarding the PII that an enterprise holds, with details of its collection, use, disclosure, retention and disposal
     • Demonstrate compliance to wider Privacy legal and regulatory requirements with the data privacy inventory
  19. Sustenance of Data Mapping & Data Inventory
  20. Keep Your Data Map & Data Inventory Current
     • PIA / DPIA Integration: Integrate & Automate PIA / DPIA process into Data Inventory
     • Automate Audits: Conduct periodic audits to ensure data flows remain up to date. Re-audit certain data flows or applications on a different time scale.
     • Ongoing Data Discovery: Leverage data discovery solutions to dynamically populate the inventory based on discovery scan output.
     • Record Attestation: Get attestation of records in data inventory by the record owner
     • Ongoing Vendor Assessments: Feed the ongoing vendor assessments into the inventory
     • Update Visual Maps: Leverage technology to automate the data flow maps dynamically.
  21. Case Studies
  24. Thank You
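
The pattern-based PII discovery of slides 14 and 15 and the seed-driven attribution of slide 16, as an added sketch that is not from the presentation or from any discovery product. It assumes a Luhn checksum as the false-positive filter for card-like numbers and uses exact co-occurrence with a seed e-mail address in place of the machine-learning correlation the slides mention; all names, sources and values are constructed.

```python
import re

# Pattern-based detectors (slide 14: data values and regular expressions).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}

def luhn_ok(number: str) -> bool:
    """Checksum validation: drops digit runs that only look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

def find_pii(text: str):
    """Return (type, value) hits; a regex match alone is not enough for cards."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if kind == "card" and not luhn_ok(m.group()):
                continue  # false positive, e.g. an order or ticket number
            hits.append((kind, m.group()))
    return hits

def map_to_subjects(records, seeds):
    """Attribute hits to a data subject when that subject's seed e-mail is in the row."""
    result = {}
    for source, rows in records.items():
        for row in rows:
            hits = find_pii(row)
            owners = [s for s, email in seeds.items() if email.lower() in row.lower()]
            for owner in owners or ["UNATTRIBUTED"]:
                result.setdefault(owner, set()).update((source, k, v) for k, v in hits)
    return result

# Constructed sample data: source names, subjects and values are invented.
SEEDS = {"subject-001": "asha.rao@example.com"}
RECORDS = {
    "crm_db.customers": ["Asha Rao, asha.rao@example.com, card 4111 1111 1111 1111"],
    "fileshare/tickets.txt": ["Ticket 1234567890123456 raised by ASHA.RAO@example.com",
                              "Refund to card 5500-0000-0000-0004, contact unknown"],
}

if __name__ == "__main__":
    for owner, items in sorted(map_to_subjects(RECORDS, SEEDS).items()):
        for item in sorted(items):
            print(owner, *item)
```

The ticket number is discarded by the checksum (challenge 1), and the refund row ends up under UNATTRIBUTED because the scan knows what type of data it found but not whose it is (challenge 2).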