Data Inventories and Data Maps: The Cornerstone to GDPR Compliance
Summary
TLDR: The webinar transcript focuses on the General Data Protection Regulation (GDPR), emphasizing the importance of data mapping and inventory for compliance. It discusses the challenges of record-keeping under the Data Protection Directive and the benefits of GDPR, such as reduced registration requirements. The script highlights the necessity of maintaining detailed records of data processing activities, including data subject rights, third-party vendor management, and information security. It also underscores the importance of appointing Data Protection Officers (DPOs) and leveraging data inventories for GDPR compliance, including breach notifications and data subject access requests.
Takeaways
- 📊 Data mapping and classification are crucial for meeting GDPR requirements and replacing manual processes with automated ones for efficiency.
- 🔄 Under the Data Protection Directive, controllers had to register with each member state, a process that was tedious, time-consuming, and costly.
- 🆕 GDPR has streamlined the process by eliminating the need for controllers to register with individual member states, centralizing the requirements.
- 📋 Controllers and processors are now required to maintain records of processing activities, as outlined in Article 30 of the GDPR.
- 🔍 Data inventory involves identifying specific data fields, data subjects, recipients, data transfers outside the EU, and the mechanisms for data transfer.
- 🏢 The data inventory should include the application owner, technical and business aspects, and relevant security measures to ensure data protection.
- 🤔 Challenges in building a data inventory include defining the scope of personal data, which can be broader than initially thought, including online identifiers.
- 🔑 Special categories of personal data, such as health information or religious beliefs, require extra attention and protection under GDPR.
- 🛡 Data discovery and classification tools can assist in identifying and managing personal data across an organization, supporting compliance with GDPR.
- 📝 Data inventory serves as a foundation for responding to data subject access requests (DSARs), managing third-party vendors, ensuring information security, and facilitating breach notifications.
- ⏱ GDPR enforces a 72-hour deadline for breach notifications, emphasizing the importance of having up-to-date and accessible data inventories.
Q & A
What is the main focus of the webinar presented by Scott Giordano?
-The webinar focuses on the General Data Protection Regulation (GDPR) requirements around data mapping and how data discovery and classification can help organizations meet these requirements more efficiently than manual processes.
What was the previous process for data controllers under the Data Protection Directive?
-Under the Data Protection Directive, data controllers were required to register with every member state's Data Protection Authority (DPA), which involved answering numerous questions about data processing, and this process was described as tedious, time-consuming, and expensive.
How does GDPR change the registration requirements for data controllers?
-GDPR eliminates the need for data controllers to register with individual DPAs. Instead, it requires controllers and processors to maintain records of processing activities, as outlined in Article 30 of the regulation.
What are some examples of applications that might be included in a data inventory?
-Examples of applications that might be included in a data inventory are HR systems like 'Employee Central', CRM systems like 'Sell Me Stuff', and expense report systems like 'Reimburse Me'.
What are the challenges in building a data inventory for GDPR compliance?
-Challenges in building a data inventory include identifying what data is in scope, understanding the wide definition of personal data under GDPR, including online identifiers, and finding all the data fields that are being captured by various applications and processes.
What is considered as 'personal data' under GDPR?
-Under GDPR, 'personal data' is broadly defined and includes any information relating to an identified or identifiable natural person. This can range from obvious data like names and addresses to more nebulous identifiers like IP addresses, cookies, and other online identifiers.
What is the importance of maintaining a data inventory for GDPR compliance?
-Maintaining a data inventory is crucial for GDPR compliance as it helps organizations understand what personal data they hold, where it comes from, who has access to it, how it is protected, and how it is shared or transferred, which is essential for responding to data subject requests and potential data breaches.
What are the implications of GDPR for third-party vendors or processors of data?
-GDPR holds third-party vendors or processors to the same standards as data controllers. They must maintain their own records of data processing activities, delete or return all personal data after processing, and provide information necessary to demonstrate compliance with GDPR obligations.
What is the 'Right to be Forgotten' under GDPR?
-The 'Right to be Forgotten' under GDPR allows data subjects to request the erasure of their personal data when it is no longer necessary for the purpose for which it was collected or processed. Organizations must comply with this right, considering the reasonableness of the request.
How does GDPR affect data breach notification requirements?
-GDPR requires organizations to notify the relevant supervisory authority of a data breach within 72 hours of becoming aware of it. This is a significant change from previous regulations and highlights the importance of having a robust data inventory for quick identification of affected data.
What role does a Data Protection Officer (DPO) play in an organization's GDPR compliance?
-A Data Protection Officer (DPO) plays a critical role in an organization's GDPR compliance by overseeing and informing the organization's data protection strategy and measures, interacting with supervisory authorities, and ensuring that the organization's data privacy program is effectively managed.
Outlines
📈 Introduction to GDPR and Data Mapping
The webinar begins with an introduction to the General Data Protection Regulation (GDPR) and its requirements for data mapping. It highlights the importance of data discovery and classification in facilitating compliance with GDPR. Scott Giordano is introduced as the speaker who will discuss the specifics of GDPR, the need for data mapping, and how these processes can streamline and replace manual tasks associated with GDPR compliance. The audience is encouraged to submit questions throughout the presentation.
📝 Record-Keeping Responsibilities Under Data Protection Directive
This section delves into the responsibilities of data controllers under the Data Protection Directive, discussing the cumbersome process of registering with various data protection authorities (DPAs) across EU member states. The time-consuming and expensive nature of this process is emphasized, along with the challenges of dealing with different registration requirements and the outdated nature of some questions. The speaker shares personal experiences from working at a defense contractor, detailing the tedious tasks involved in registration filings.
🔍 Transitioning to GDPR: Changes in Record-Keeping Obligations
The discussion shifts to the GDPR's impact on record-keeping, highlighting the shift from individual DPA registrations to maintaining records of processing activities as mandated by Article 30 of the GDPR. The new requirements for both data controllers and processors are outlined, emphasizing the need for processors to now officially maintain their own records. The section also provides an overview of what a data inventory might look like, referencing common applications and the types of data they process.
🗂️ Building a Data Inventory: Challenges and Importance
The presenter discusses the challenges of building a comprehensive data inventory, including identifying what data is in scope and the broad definition of personal data under GDPR. The importance of understanding the types of personal data, including online identifiers, is stressed. The section also addresses the need to identify data subjects, specific data fields, and recipients, as well as the mechanisms for data transfer outside the EU.
🤝 The Role of Application Owners in Data Inventory Management
This part of the script focuses on the role of application owners in managing the data inventory. It explains the distinction between technical and business owners and the importance of their involvement in the process. The challenges of finding and documenting data processing activities are discussed, along with the use of data discovery and classification to assist in this process.
🔑 Data Protection Officer (DPO) and Organizational Data Privacy
The script addresses the role of the Data Protection Officer (DPO) in an organization's GDPR compliance efforts. It discusses the circumstances under which a DPO is mandatory and the importance of appointing a DPO early in the GDPR project. The DPO's role in managing data privacy and liaising with supervisory authorities is highlighted, along with the need for the DPO to have access to the data inventory.
🛡️ Data Subject Rights and Third-Party Vendor Management
This section covers the rights of data subjects under GDPR, including the right to access and rectification of their personal data. It also touches on the 'right to be forgotten' and the challenges organizations face in complying with these rights. Additionally, the script discusses the importance of managing third-party vendors to ensure GDPR compliance, especially regarding data processing agreements and the deletion or return of personal data post-processing.
🚨 Information Security and Breach Notification
The importance of information security in the context of GDPR is emphasized, with a focus on Article 32, which requires organizations to implement appropriate technical and organizational measures to protect personal data. The script also discusses the need for regular testing and evaluation of these measures. Furthermore, it outlines the breach notification requirements of Article 33, including the 72-hour deadline for notifying supervisory authorities in the event of a data breach.
📊 Conclusion: The Vital Role of Data Inventory in GDPR Compliance
In conclusion, the script reiterates the critical role of a data inventory in an organization's GDPR compliance strategy. It highlights the data inventory as a living document that must be regularly updated and maintained in collaboration with application owners. The use of data discovery and classification tools to ensure the accuracy and relevance of the data inventory is also stressed.
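The Article 30 inventory the outline describes (processing activity, purpose, data subjects, data fields, recipients, transfer mechanism, owners, security measures) is easy to keep as structured data, which also makes the checks a supervisory authority would ask about mechanical: every non-EU recipient has a transfer mechanism, every application has both a technical and a business owner, special-category fields are flagged, and a breached application can be looked up against the 72-hour clock. The following is an added example and not Spirion's code or the presenter's own spreadsheet; the application names Employee Central and Sell Me Stuff come from the webinar, while the owner names, recipients, countries, mechanisms, the EU/EEA country subset and the special-category list are constructed assumptions.

```python
"""Article 30 style record of processing activities with consistency checks.

Added example, not the webinar's or Spirion's code. Application names are the
presenter's made-up examples; all other values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of EU/EEA country codes, enough for the sample register (constructed).
EU_EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "PT", "SE"}

# Article 9 special categories the presenter calls out; illustrative, not exhaustive.
SPECIAL_CATEGORY_FIELDS = {"health_data", "religious_beliefs", "political_opinions", "sexual_orientation"}


@dataclass
class Recipient:
    name: str                                 # who has eyes on the data or receives a feed
    country: str                              # where the recipient's systems sit
    transfer_mechanism: Optional[str] = None  # IGA/model clauses, Privacy Shield; None if nothing is in place


@dataclass
class ProcessingRecord:
    application: str
    activity: str
    purpose: str
    data_subjects: List[str]
    data_fields: List[str]
    recipients: List[Recipient]
    technical_owner: Optional[str]
    business_owner: Optional[str]
    security_measures: str                    # link to or summary of the governing policies (Article 32)


def check_record(rec: ProcessingRecord) -> List[str]:
    """Return the gaps in one inventory row that a supervisory authority would ask about."""
    findings = []
    if not (rec.technical_owner and rec.business_owner):
        findings.append(f"{rec.application}: needs both a technical and a business owner")
    for r in rec.recipients:
        if r.country not in EU_EEA and not r.transfer_mechanism:
            findings.append(f"{rec.application}: transfer to {r.name} ({r.country}) has no transfer mechanism")
    special = sorted(set(rec.data_fields) & SPECIAL_CATEGORY_FIELDS)
    if special:
        findings.append(f"{rec.application}: special-category fields {special} need extra protection")
    if not rec.security_measures:
        findings.append(f"{rec.application}: no security measures documented")
    return findings


def breach_triage(register: List[ProcessingRecord], application: str) -> Optional[Dict[str, List[str]]]:
    """The lookup the 72-hour clock needs: who to call, whose data, which fields, who else holds a copy."""
    for rec in register:
        if rec.application == application:
            return {
                "owners": [o for o in (rec.technical_owner, rec.business_owner) if o],
                "data_subjects": list(rec.data_subjects),
                "data_fields": list(rec.data_fields),
                "downstream_recipients": [r.name for r in rec.recipients],
            }
    return None


def audit(register: List[ProcessingRecord]) -> List[str]:
    """Run check_record over the whole inventory."""
    findings = []
    for rec in register:
        findings.extend(check_record(rec))
    return findings


# Constructed sample register (two rows; a real one would carry far more columns).
REGISTER = [
    ProcessingRecord(
        application="Employee Central",
        activity="Maintaining employee records",
        purpose="Employee management, career management, scheduling",
        data_subjects=["full-time employees", "part-time employees"],
        data_fields=["name", "home_address", "home_phone", "national_id", "health_data"],
        recipients=[
            Recipient("HQ HR staff", "US", "Intra-group agreement (model clauses)"),
            Recipient("Payroll", "IE"),
            Recipient("LMS feed (name, training completion)", "US", "Intra-group agreement (model clauses)"),
        ],
        technical_owner="hr-systems-admin (constructed)",
        business_owner="HR director (constructed)",
        security_measures="https://intranet.example/policies/infosec (placeholder link)",
    ),
    ProcessingRecord(
        application="Sell Me Stuff",
        activity="Managing customer relationships",
        purpose="Sales pipeline and customer support",
        data_subjects=["customers", "prospects"],
        data_fields=["name", "email", "company", "phone"],
        recipients=[Recipient("SaaS CRM hosting", "US")],  # hosted outside the EU, no mechanism recorded
        technical_owner="crm-admin (constructed)",
        business_owner=None,                                  # business owner not yet identified
        security_measures="",
    ),
]

if __name__ == "__main__":
    for finding in audit(REGISTER):
        print(finding)
    print(breach_triage(REGISTER, "Employee Central"))
```

Running the block reports one finding for Employee Central (the health field) and three for Sell Me Stuff (missing business owner, a US-hosted recipient with no transfer mechanism, and no documented security measures); `breach_triage` returns the two owners to call and the affected subjects and fields for the HR system. The point of keeping the register as data rather than a slide is that these checks can be rerun every time an application owner updates a row.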
Keywords
💡GDPR
💡Data Controllers
💡Data Processing
💡Data Mapping
💡Data Classification
💡Data Subject Access Requests (DSARs)
💡Right to be Forgotten
💡Data Protection Officer (DPO)
💡Third-Party Vendor Management
💡Data Breach Notification
💡Data Inventory
Highlights
Under the Data Protection Directive, data controllers were required to register with each member state's data protection authority (DPA), a process that varies by country and can be tedious, time-consuming, and expensive.
GDPR has shifted the responsibility of maintaining records of processing activities to both data controllers and processors, as outlined in Article 30.
Data mapping and classification are crucial for identifying and protecting sensitive data across organizations, which can help streamline compliance with GDPR requirements.
Under GDPR, processors must now officially maintain their own records, which was not a requirement before.
Data inventory should include processing activities, purposes, data subjects, specific data fields, recipient lists, data transfers, and the application owner's information.
Identifying data transfers outside the EU is essential, and mechanisms like Privacy Shield or model contract clauses must be in place for legitimate data transfer.
Data inventory challenges include defining the scope of personal data, which now includes online identifiers like IP addresses, cookies, and MAC addresses under GDPR.
Special categories of data, such as health data and religious beliefs, require extra attention and protection under GDPR.
Data discovery and classification can help automate the process of finding personal data, including in unstructured data like emails and documents.
Log files and system-generated data may also contain personal data and should be considered in data inventory and GDPR compliance.
Data subjects' rights under GDPR include access to their data (Article 15), rectification (Article 16), and the right to erasure or 'right to be forgotten' (Article 17).
Breach notification under GDPR requires organizations to inform the supervisory authority within 72 hours of becoming aware of a breach.
The appointment of a Data Protection Officer (DPO) is recommended for organizations processing sensitive data or at a large scale, to manage data privacy programs.
Third-party vendor management is crucial under GDPR, as processors are held to the same standards as controllers and must demonstrate compliance.
Data inventory should be a living document, regularly updated and maintained in collaboration with application owners and using data discovery tools.
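The highlights above describe data discovery as an automated pass over unstructured content (emails, documents, log files) that flags online identifiers (IP and MAC addresses, cookies, login IDs) as well as context that hints at special-category data, such as the presenter's "appointment with my oncologist" email. The following is an added example of that classification step and not Spirion's product or any code from the webinar; the patterns, the health-term list and the sample lines are constructed for illustration, and the sample lines use documentation address ranges.

```python
"""Toy data-discovery classifier for personal data in unstructured text.

Added example, not Spirion's code. Patterns and samples are constructed.
"""
import re
from typing import Dict, List, Tuple

# Online identifiers the webinar names, as regular expressions (constructed, deliberately simple).
PATTERNS = {
    "ip_address": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "cookie": re.compile(r"\b(?:session|sid|_ga)=[A-Za-z0-9._-]+"),
    "login_id": re.compile(r"\b(?:user|uid|login)=([A-Za-z0-9._-]+)"),
}

# Words that suggest health data (an Article 9 special category); illustrative list.
HEALTH_TERMS = {"oncologist", "diagnosis", "prescription", "chemotherapy"}


def classify_line(line: str) -> Dict[str, List[str]]:
    """Return every category of personal data found in one line, with the matched values."""
    hits: Dict[str, List[str]] = {}
    for name, rx in PATTERNS.items():
        found = rx.findall(line)      # for login_id this yields the captured ID, not the whole match
        if found:
            hits[name] = found
    words = {w.strip(".,;:!?").lower() for w in line.split()}
    health = sorted(words & HEALTH_TERMS)
    if health:
        hits["health_context"] = health
    return hits


def discover(lines: List[str]) -> List[Tuple[int, Dict[str, List[str]]]]:
    """Run the classifier over a corpus and keep only the lines that carry personal data."""
    results = []
    for i, line in enumerate(lines):
        hits = classify_line(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample corpus: application log lines, a DHCP log line, an email header, an HTTP header.
SAMPLE_LINES = [
    "2018-04-12 10:03:11 GET /account uid=jdoe src=203.0.113.45",
    "dhcp lease 00:1A:2B:3C:4D:5E assigned 192.0.2.10",
    "From: jane@example.com Subject: appointment with my oncologist on Friday",
    "INFO cache warmed in 42ms",
    "Set-Cookie: sid=9f8e7d6c5b4a",
]

if __name__ == "__main__":
    for index, hits in discover(SAMPLE_LINES):
        print(index, hits)
```

Four of the five constructed lines are flagged: the cache line carries nothing, while the DHCP and web log lines surface a MAC address, two IP addresses and a login ID that a field-by-field interview with the application owner would never have listed. Two caveats a practitioner would add before trusting such a scanner: the IP pattern also matches version strings such as `1.2.3.4`, so results need review before they go into the inventory, and the keyword list only finds health context that uses the words you thought of, which is why the presenter treats discovery as a complement to interviews rather than a replacement.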
Transcripts
All right, well, go ahead and get started. So welcome to today's webinar, Data Inventories and Data Maps: The Cornerstone to GDPR Compliance. All right, first of all I'd like to point out, here at Spirion we've been getting a lot of customers that have been asking about GDPR. Our customers have been successful in doing data discovery and classification to monitor and protect their sensitive data across your organization. In this presentation Scott Giordano will be talking about the GDPR requirements around data mapping and how data discovery and classification helps accelerate and replace manual processes related to meeting the GDPR requirements. So at this point I'd like to introduce you to Scott.

Wonderful, thank you, Doug. Yeah, I do want to reiterate to the audience that if you have questions while I'm doing the presentation, please send them in, we love getting questions.
All right, so first up let's talk about record-keeping just in general, this whole idea of record-keeping for data controllers. So Scott, what are the current responsibilities for data controllers under the Data Protection Directive?

The way it works right now is that every controller has to register, or at least is liable to register, with every member state. So for example the ICO, which is the Information Commissioner's Office in the UK, has registration requirements for data controllers; the CNIL, which is essentially the equivalent of the ICO in France, has its own registration requirements; the Belgian DPA has its own; everyone has their own. Some nations don't have them at all: Germany doesn't really have much of a registration requirement at all to speak of. So right now all of the EU member states either have individual requirements of some form or fashion, or may not have any. But the issue is that data controllers are required to answer all these just crazy questions with respect to data processing, and this is, I'm talking from my own experience here, that every single DPA that required us, I'm speaking of when I was at a defense contractor, we had to register with all these different DPAs and every one had a unique set of questions. And the problem was that it was hugely tedious and time-consuming. I think for one DPA we spent the better part of a month doing all of our registration filings, because for every third party that you had as part of your information ecosystem, if you will, that was processing data, you had to put in a separate annex for them, and then for every subsidiary of your organization you had to also file a separate document. So you may file several hundred documents in one jurisdiction just for registration.

So it was an extraordinarily tedious and time-consuming and expensive endeavor, not only for internal person time but for outside counsel time. We burned up a small fortune on outside counsel expenses, which is great if you're, you know, outside counsel, but it really just didn't serve us very well, especially since a lot of the questions we were asked were ridiculous questions that were more fit for the 1980s, when data protection was starting to be taken seriously, than today. They just were outdated and you really couldn't answer them very effectively. So just as a practical matter, under the Directive record-keeping was just a nightmare, and it really was not something I looked forward to, and certainly I think DPAs didn't like it as well, because it was a lot of wasted time and there was really no value in it. If you had something go wrong, for example if you did have a breach, they aren't going to look at the records, they're just going to call you and ask you what happened anyway. So I understand why they made this requirement, but the net-net of it was that it didn't really serve anyone well, and we're well rid of it, as we'll talk about in a minute.
Okay, Scott, there is a question: so how and where do US controllers that do online business with EU citizens register?

Well, what you have to do, and this is why I'm so glad that we're going to be doing away with this ridiculous requirement, is that you have to go to the site of the respective DPA. So say for example that you're doing business in the UK, you have a physical presence there, or you're selling, or you have some kind of equipment connection in there, or what have you; you have to go to the ICO site and then go register, and then they'll give you instructions on how to register. And they don't, I mean, I think the questions aren't difficult per se, but it's just a lot of work, and you have to do it for each individual instance you have there. So say you've got five subsidiaries in there, then you've got to do five separate filings, and then you may file them all at different dates, and then you have to constantly check and see if you have to do the refiling every year. So every single DPA that requires filing at all will ask you to go to their site. The problem is a lot of these sites, and forgive me, you know, I'm not being disrespectful to these folks, but they don't put all these things in English, so unless you have someone local there that can read the local language, or you go to outside counsel locally and have them do it, in many cases you're kind of questioning what they're asking in the first place. So in many cases we just had to use local employees to go and read these things, and of course they're not thrilled with that, because they're concerned about their own personal liability if they interpret something wrong. A lot of the questions these folks ask, the DPAs ask, just don't make a lot of sense, frankly. It's, um, I said I was somewhat surprised, and I probably shouldn't be at this point.

Okay, Scott, there's another question. A participant is asking if you're talking about the current world or the GDPR world, because they're interested in the current world.

This is, okay, well, we will shift right now to GDPR, that's fine. Current world, yes, you do have to register, but, and here's the happy but, under GDPR you don't have to register. So let's go to the next slide.
Here, okay, so now this is GDPR land we're in right now. So Recital 32 spells it out; it says the controller or the processor, and this is new, processors now have to maintain records, which they should have in my view anyway, but now they're required under GDPR to maintain records of processing activities. So that's great, they've laid down the law. Article 30 gets into the details of it, and it'll say each controller shall do the following, and they give you a laundry list of information that you have to check, sorry, that you have to keep track of. So not surprisingly: contact information, what you're processing, a description of the categories of data subjects, there's a laundry list. I won't dig into it because we're going to show you in a minute anyway, but this is both Article 30(1), which is for controllers, and 30(2), which is for processors. So again, great news, processors now have to maintain their own records officially; they, you know, officially did not have to before. So good news there. So let's go to the next slide, we'll dig into this
a bit more. So what does a data inventory look like? Okay, this is super bare-bones; I'm just drawing from Article 30, so these are just some categories of things. So what are the processing activities? If you look on the far left, I've made up some names of some applications, you'll probably recognize all of these. The first one I call Employee Central; it's an HRIS system that you probably are all familiar with, or one of its competitors. Sell Me Stuff, again that's going to be a CRM system. Reimburse Me, those of you that have filed expense reports know all about these kinds of things. That gives you some very typical applications. So what's the processing activity? If you look at Employee Central, it's maintaining employee records; you can be as general as that and still be okay. And then what's the purpose? Again, to maintain employee records for the management of employees. A lot of times we use that phrase, employee management, career management for the employees, scheduling, and really anything that gives the DPA, or the supervisory authority as they're called now, the idea of what you're actually doing with this information. And then who are the data subjects? In this case it's going to be your full-time and part-time employees. What specific data fields? And this is critical, folks, this is really where the rubber meets the road: going and finding the very specific fields. So are you collecting, you're collecting obviously the name and perhaps their home address and their home phone number. Where you get into trouble is national ID numbers, and this is something we had endless discussions about at my former company, about whether you were legally able to even capture national identification numbers. In some cases the answer is yes, some types no. So this is something that even with GDPR you're going to have to go to local law in many cases and find out if you can even capture them. We take it for granted here in the US that you can just use an SSN for anything; that's not the case in the EU, they're very touchy about that, and so you just have to be very careful about whether you can do that. But it's important to go and find out what you're capturing. Again, when you talk to the application owners, they can usually give you a list of all the fields that theoretically you can capture versus which you are actually capturing, and then you have to get an idea of what you're actually capturing, because in many cases no one even realizes that until you start asking questions.

Then the next most important one over is the recipient list. So who's getting this? Well, when we say recipients, it really means who has eyes on it, who's getting a feed from the database. So obviously it's going to be your headquarters HR staff that are running it; it may be that an employee's manager, potentially; it'll definitely be the payroll folks, they will almost certainly have access to this. You can go get a feed from it and just get certain fields from it; an LMS, a learning management system, just making sure that that employee has completed all their training, you'll usually get a feed too, but just a couple of fields from the larger database into that one. One of the real questions I'm always asking in data inventories is, what does this feed into? HR systems may feed anywhere from five to fifteen different subsystems, like travel or LMS or benefits or any myriad of things, and if you don't ask, you won't know. This is again one of the hard lessons when you do these data inventories: you have to ask a lot of questions of the data steward, the data application owner, whatever you want to call the person in charge of the application, and you may have to go back a couple of times to get clarification. Next is: is the data transferred out of the EU? For the US folks that are on the call here, which is probably most of you, the answer is almost always going to be yes. So say that you have a third party even that's hosting your HR system; typically the servers are somewhere in the US, they're typically outside of the EU unless you built a system that's EU-centric. But physically, everyone here on the call has probably got their systems here in the US, even if working with a third party.
So that's a transfer outside the EU, and there has to be a mechanism to get that information out legitimately. So for example, whether it is Privacy Shield or there's a model contract clause, whatever it is, there has to be a mechanism above and beyond just a regular contract between you and the third-party provider. So for example, if you look at the data transfer mechanism here for the first item, which is the HR staff, the headquarters staff, it's an intra-group agreement. So think about model contract clauses between your European subsidiary and your US subsidiary or parent company; that is an intra-group agreement, or IGA. Typically you'll get all of your EU subsidiaries onto that one agreement, and that's how I've done it in the past, and then we'll sign that with the parent company; that'll be your agreement. It uses model contract clauses, but you can also potentially use Privacy Shield in different ways; you can do that. The idea, though, is you want to have a list of all the different mechanisms for each individual application; each application may be completely different in what mechanism you're using, and so you want to be able to tell the supervisory authority how you did that, because in many cases they're going to want to know. And then also you're going to want an application owner: so who is the person or persons that are responsible for that application? So you may, for example for the HR system, you may have several people that are responsible for different facets of the HR system, and so you want to put a list of those owners, because those are the people you want to call if something goes wrong. If you wake up one day and you see that you've been breached and some bad guys have got into your system, you're going to want to know who to call right away, depending on what information is in the breach.

And then finally, the last column, organizational and technical security measures. So what I would do here is put a link to the larger policies that you have that govern information security. I mean, you can put a summary, if you want to put it there, of the actual controls in place, but just for illustration purposes I've just put links to the policies and procedures in that space. The idea behind this is you want a supervisory authority to have an idea of exactly how you protected individual things, and it may be that you've got two completely different sets of controls for each application, that's fine, but you want to let them know that you've thought this through and you've adequately protected it per Article 32.
I'm going to pause there, Doug, if there are any questions or comments or thoughts thus far.

Is this what it would look like for every organization?

Um, no, I mean, this really is just square one. I mean, when I've done these, and I'm doing them now, you've probably got 30 different fields to address all kinds of things. Like, for example, some supervisory authorities want to know not only who has access but whether they have administrator access or just regular end-user access. So I mean, there's a lot of minutiae here; there's almost no end, in some cases, to just the questions they'll ask. So what you're seeing here is just the beginning, this is just getting you off the ground. Like I said, this is probably about eight or nine, ten fields; you'll probably have triple that when all is said and done.

Great. A question from the audience: is the application owner from the IT department?

Typically there are two application owners. In my experience you'll have one from IT and one from the business unit, so you'll have a technical owner and typically a business owner. So the IT person may be the person that's either the administrator or is responsible for some technical aspects, and then you'll have a business owner from the respective department that's involved in this, and that person will be actually running this thing from day to day. So I've oversimplified the owner here, but typically you'll have two owners for every application, if not more.
So next up, some challenges in building the data inventory. So we've got two challenges in building a data inventory. One is just finding what data is in scope, and if you've spent time with us in the past on some of our other webinars, you've probably seen some of the things that we're discussing here, but just for the sake of completeness, um, one of the issues is just the definition of personal data. Again, I talk to folks here in the US that are very centric about saying, oh, you know, we collect SSNs, or we collect, you know, addresses, or what have you, that's all the sensitive stuff that we need. You know, if it's a healthcare organization, they have a very acute sense of what's sensitive. But above and beyond that, people don't realize that the definition of personal data is so much wider, and it's impossible for you to overstate this. In the EU they have this idea of online identifiers, and an online identifier is just some electronic representation of information that can be ultimately connected back to you. So the idea of IP addresses, and the IT folks out there, you're rolling your eyes right now saying that's crazy, how can an IP address be personal data? Well, the European courts have decided that it is, even static ones, even dynamic ones, which is pretty crazy because obviously they're so ephemeral, but the EU is a big believer in IP addresses as identifiers. So you've got things like browser cookies, GPS coordinates, MAC addresses, RFID tags, any kind of device identifier or other related identifiers is going to wind up as an online identifier. It's just, this is what we're stuck with right now, and this problem is trying to get bigger, not smaller, over time. So just a word to the audience here that when you're searching for all of these things, you're really going to have to take a very fine microscope to everything and get an idea of what kind of data you are capturing. So you have online identifiers, you have the regular, quote unquote, personal data like a national identifier, a phone number and address, etc., etc. You're going to have special things, so they have sensitive data like healthcare data and what have you, but they also have, for us, special categories of data that are a little bit unusual. So for example, special categories of data include things like religious beliefs, political beliefs, sexual orientation, etc., etc. So those are things to be on the lookout for as well, and that's tougher to capture, not surprisingly, because it's very nebulous what qualifies as that. When you're, you know, if you're reading a sentence and someone says they have an appointment with their oncologist, say it's in an email, well, I mean, is that medical data? Yeah, arguably it is. You know, how do you protect that? And so this is the kind of exercise you have to go through whenever you're doing a data inventory: it's looking at what the email traffic is looking like as well, it's not just interviewing folks. We'll talk more about that in a minute, so
let me pause here. Do we have any questions or comments coming in there you want to address? Otherwise I'll continue.

Yeah, Scott, how would you address finding online identifiers?

In the past, how we've done it, and how we got involved in data discovery way back when, was this issue: for us, we had to find export-controlled items. So that's how we got our start in doing data discovery and classification, because you had to be able to find things that were indicative of export control, things that were controlled by the ITAR and what have you. So that technology, that methodology, and this is something I got involved with about three years ago, and so I just became very enamored of data discovery and classification, because you're having an automated process go through and look for things that meet certain criteria, and so you can obviously dial it in as loosely or as finely as you want to look for things. But that's how we got our start using data discovery and classification, and now it just happens that it works extraordinarily well for finding personal data.

Great. A couple of questions: are login identifiers for applications covered under GDPR?

Absolutely, absolutely. A user ID, a login ID, that is an online identifier. So now I'm sure, again, eyes are rolling in the audience here saying, geez, Scott, that could be just about anything, and the answer is yeah, it could be just about anything. I wasn't joking when I said I can't overstate this; just everything is fair game.
Okay, I'll give you an example here. I was working with a colleague who had a program that would go and inventory all the software that our company had, to make sure that we had all the licensing correct, and so, not surprisingly, it's going and checking user IDs. Well, guess what, those user IDs, that's now personal data, and so we had to go talk to the vendor and sign a model contract clause agreement with them to address all the legalities of that. So it's amazing how innocuous things can wind up being in scope on this. That's why I'm saying that you really have to take a jaundiced eye whenever you do your data inventory and ask yourself, really, could this be personal data in any context? I think that's the safest way to go.

Great. A couple more questions. Is there a document, a list of identifiers? For example, genetic sequences, brown hair, as an example.

Unfortunately, no. At this point we have not gotten much in the way of guidance from the Article 29 Working Group, which is going to be the European Data Protection Supervisor or Board, I think it's the EDP Board, which is the think tank of the current member states. So the short answer is no, there is no definitive list. So for the moment we're just going to have to ask ourselves, looking at a piece of information: could you combine it with one or two other things and identify someone with it? If you can, it's likely in scope. I wish we had an exhaustive list, but I'm not holding my breath that we'll ever get one. Okay.
Perhaps some guidance: someone is also looking for a list, for guidance, on what is considered PII for GDPR. So, same question in a different way.

Yeah, and what's important is, and I know this is frustrating for an American audience, here we have to get out of the mentality of PII. PII is a subset of personal data, really. We have to again go back and ask ourselves, what's the easy stuff? The easy stuff is going to be the things that are obvious: name, address, phone numbers, email addresses, social security numbers, things that we're familiar with. But, and I'll give you an example, is a vehicle identification number personal data under the standard we have here? The answer is yes, because in principle you can plug that into something else and go look up the driver. So then a VIN is personal data, and again eyes are probably rolling in the audience going, oh no, this is ridiculous, but this is the nature of it. So we have to think very expansively: just about anything can be personal data, which I know is frustrating, but this is just the world we live in. So there's no way to give you an exhaustive list. It's always going to come down to that same question: how could someone misuse or abuse this, connect it with other data, and then identify someone? That's ultimately the test, and really I look at it from the bad guys' point of view: how could bad people who get access to this use it to compile other data to identify people and perhaps commit fraud, identity theft, etc.?

Great. Do online identifiers have to be combined with other identifiers, like a name, to be considered in scope?

That's a good question. They have to be potentially identifiable or connectable with other things to be in scope. The idea is that personal data is something that can be used directly or indirectly, and directly is easy; indirectly is the much larger scope. So if an item could not be correlated with something else, so if it's an online identifier per se but it could not for some reason be coordinated with something else, then you can make a great argument that it's not personal information or personal data as the standard goes under the EU. But I'd be very careful about that, because you may not be able to coordinate it with other data and identify someone, but someone else may. I'm always impressed by how creative bad people are at making use of innocuous things.

Great. A couple more questions.
And just to validate: are transaction numbers, pointers, information like that, entering into the definition of personal data?

Oh, they're getting up to the edge of personal data, because again, with a transaction ID you're going to have to plug that into another database, and if that database you then plug it into is going to reveal personal identification, then you can make a very good argument that a transaction ID is indirectly linkable, and therefore it should be protectable as personal data. I'll give an example: employee IDs. Employees are personal data, no doubt, okay? And so an employee ID: if I gave my employee ID to you, you really couldn't do much with it per se, but if you could combine it with anything else, which probably wouldn't be tough, then you could personally identify me. So the net-net of it is that things again that are in that list, like transaction IDs, if they're not personal data they are very close to it, and I would just presume that they are and treat them as such. Again, I know I'm making a lot of work for the folks in the audience, but I've just been seeing too many instances where innocuous data is being used by bad people, and you would be surprised at what they can do with it.

A question about RFID tags: humans do not ingest the RFID tags, so why is it considered that a MAC address of the RFID would be considered personal data?

Because, in theory, a MAC address is connected to a box like my laptop, which then at some point can be connected to me by coordinating it with other data. So the idea is that something like a MAC address does not per se identify me just by itself, because obviously it's just alphanumeric characters, but you can combine it with something else to identify me. So that's the nature of most if not all online identifiers: you're combining them with something else to identify you, and that's really where the danger lies. If you couldn't combine that information with anything else, you can make a very good argument that it's just not personal data and it's not in scope, but the European think tanks have really said yep, RFID tags; they actually call out RFID tags in the GDPR, by the way, so I mean that's pretty much settled. So as a practical matter, all these things that I'm showing up on the screen here, these are all personal data for all intents and purposes.

So you've covered a lot of different things that might fall under personal data. What is not, as a general rule? Perhaps, what's not personal data?

Oh boy, yes. Oh boy, that's a great question. I mean, really, you think about it: if there's any data that is purely machine-to-machine, that is involved in, say, a back-end system, you can make an argument. I'll also tell you, like PLM information, product lifecycle management information, so information that you're processing about a product, you're likely not going to have, I don't think so in my experience, a lot of personal information, or any, in there, because it's just about your product. So it's a good example of a back-end system that really is likely not going to be in scope. Now something that's not too dissimilar, though: ERP. Now you think about all of the purchasing capability for that; you're going to have names and addresses and the contact information of the people that you have to bill, because typically in ERP you're going to have, you know, pay-to or bill-to or whatever it is, ship-to, and you're going to have personal data, and the people's contact information, names. That puts that in scope. Does it give it a big scope? No, but you still have to account for it, and I think that's where people sometimes get off the road, as they think, oh, you know, there's really nothing special here, it's just contact information. Well, you know what, unfortunately under the GDPR, and even before that under the Directive, email addresses are personal data if they identify someone: if they had their first and last name, or, you know, first initial, last name, kind of thing, that's it. So it's a long way of saying that just about everything, unfortunately, is going to have some connection to personal data, unless it's something purely product-related or machine-related, something on the back end of your organization.

Great. We've got a few more questions coming in. Pseudonymisation: how much is it referred to, how is it technically achieved? Will you be addressing that later in the presentation?

Well, I mean, we can address it now, because I hadn't planned to talk about it. Unfortunately we don't have almost any guidance on pseudonymisation. I mean, those of you that have worked in the payment card industry or are involved in PCI compliance, you're familiar with the concept of tokenization, which is really what pseudonymisation is, said another way. That's the only time I've really had any experience with tokenization or pseudonymisation. We haven't gotten any guidance on it, and frankly I just don't know why the European Union is so in love with the idea, but they are. So the short answer is I don't have anything useful to share with you at the moment, but just stay tuned to the Suspiria website, and whenever we do get something from the Article 29 Working Group, we'll put together a webinar and we'll talk about it.
Great, a few more questions. What about collected data, log files, for example, proxy, firewall, servers? Will this kind of data also be classified as personal data under GDPR?

Okay, potentially, potentially, because it depends on the nature of the log file. Some log files, like server log files, will have the referring header, you know, where it came from, and so potentially, if you collect enough of those from someone, you could identify them. Potentially; the short answer is it's a maybe. I put log files here on the list because it depends what information you're collecting. I mean, log files often collect IP addresses, and we know that they are per se personal data. So if even one item in a log file is arguably personal data, arguably an online identifier, then the whole thing is, unless you find a way to somehow isolate it; maybe it's in a different table or something like that. I've seen organizations where they'll throw things in different tables and just combine them all at once to create something. That's a possibility, but generally speaking, you consider your log files personal data at this point. I know a lot of people are probably ready to scream right now that everything seems like it's personal data, but, you know, this is the world in which we live right now.

Great, and just to confirm, that would include unstructured data. So the question is, do organizations need to look at unstructured data issues while doing their data flow mapping?

Absolutely, absolutely they do. And it's funny you mention unstructured data, which, you know, we just called loose files and email back in my e-discovery days. It's much the same exercise: you're going to have to go through these things and use some data discovery and get an idea of just what personal data is embedded in these documents, because a lot of times, Microsoft Word, they were really well known for embedding all kinds of identifying data in their documents, and I know that since that time they had, you know, scrubbers come in to be able to scrub out data; you can do it now automatically in Word. But you're going to have to just start doing searches, doing data discovery, and looking through your unstructured data, because that's going to be an excellent candidate for personal data that you wouldn't have thought to look for. Great.
Next question. A participant asks for your view on this. She states: I see you're approaching this on a system-by-system approach; we're looking at it by department, so what data does marketing collect, for example, what data does product management process, and they also would have IT looking at all the systems, such as the ERP, HR systems, etc. Any views on this, I mean, as far as an approach of going department by department versus application by application?

I think that's fine. I don't see any problem going department by department, because different departments are going to have their own separate issues. HR is going to be probably your biggest challenge because of the idea of that data being especially toxic, and again I'm presuming you're not in a highly regulated industry, so healthcare; if you are, then you've probably already had to solve this problem already, because that data is so sensitive. But for non-healthcare organizations, the issue is going to be: HR is going to be the first place you go to, marketing is probably number two, especially if you're a B2C play, because you may have all kinds of data that was collected that you probably can't use. And I know, again, people are going to be ready to come after me right now, but a lot of organizations that have bought lists way back when still have that data in their databases on folks. Much of that's going to have to be tossed if you can't find a way to validate that you got permission from the data subject to use it. So yeah, going department by department is fine. So HR first, marketing is second, and then again, if you're a B2C play, go to your products. If you sell apps, for example, apps are just notorious for leaking data and sharing data and accessing data they shouldn't be, so that's probably a separate project by itself, just going after your apps and seeing what kind of data they're sharing and leaking. You'd probably be shocked at what you'll find. So the answer is yes. If you're a B2B player you'll have less work, I think, potentially, but still a whole lot of work, because it's just amazing the data that we share that we didn't realize we were sharing until someone asked.

So when you talk about unstructured data, you also mentioned that healthcare organizations, for example, may get a lot of faxes. So paper or scanned data as an image is certainly in scope of GDPR?

Absolutely. Paper records, no question about it, they are in scope. So if you're storing those things in one form or fashion, then yes, you've got to go and account for that as well, and account for whoever you're sharing that data with, to make sure, because if they're processing that, say that you're an insurance company and you're processing payments for medical stuff, then you're a processor and you're connected with that healthcare organization. Yeah, they're going to be asking you a lot of hard questions about your posture on that. Absolutely, and we'll talk a little bit later in the broadcast about third parties, but the net-net of it is that yes, absolutely.
The short answer is yes. Great, this looks like the last question we're putting in. Data subjects: do international exchange students qualify?

Oh boy, we've had endless arguments about this, endless arguments. Here's the problem: this law in theory is limited to two instances, one where you're offering goods or services into the EU, or two, you're studying the behavior of EU data subjects. So studying behavior, meaning that you're buying data and modeling it, trying to get an idea of what someone's likely to buy, for example. So here's the thing: if your educational institution is advertising, and you're advertising to folks in the EU directly, it's not just a website that you can access from the EU but you're actually actively selling your service, or educational service, then you can make a very good argument that GDPR applies to you. Now I know some people will say, no, no, you're way off, Scott, but that's my position at this point, based upon just a little reading of the law. Now suppose that someone comes over here as an exchange student, you've never advertised to the EU, you're completely siloed and insular and all that stuff; you can make an argument, a very good one I think, that the answer is no, it doesn't apply to you. That person gets the benefit of FERPA, okay, which is dealing with student records here in the US, but that's it. And again, I know, and please don't send hate mail, this is just my opinion, but that's what I think it ultimately is going to wind up being. So, okay.

It seems, again, this is a very hot topic. So would incidental data be considered in scope? For example, if a customer sends data that may contain personal data elements as a result of technical support, within a record or a support file?

Yes, yes, yes, yes. And this is something, and this is often what captures organizations, and I'll give you a great example. Say that you're making internal communication software, unified communication software, and you're selling it to a healthcare organization, we'll say for example, and you need to be able to remote in to troubleshoot, and you're likely going to see healthcare records. Yes, you are in scope for GDPR, no question in my mind, and I've got clients that have retained us just to go address those issues. And this is a common issue: if you are just a regular, quote-unquote, software provider, but you have to remote in to go do troubleshooting, and you're going to see records of EU folks, guess what, you're in scope. So it's just the nature of the law, unfortunately.

Okay, great. There are a few more questions. What we'll do is, in the interest of time, we'll address those by email and reply to you.

Yeah, yeah, please, folks, just ask as many questions as you want. If we miss them we'll just package them up in an email and we'll send them to everyone when we're done.

So the other challenge in building a data inventory is the fact that, I think it's important to start with interviewing the owners, both the technical owner and the business owner of an application, and I use the word application very loosely. It may not be an application; it may be a process. You may be a company that's just analyzing third-party data that you're getting; that process still implicates personal data. So whoever is in charge of that, maybe it could be the product manager, could be someone else, but you really want to interview the technical owner and the business owner, or owners, as the case may be. The problem is that they may be new to the job, they may be new to the organization, the organization may have not kept any records, and so I know, because when I've had interviews, people have said, oh yeah, we really thought about X a long time ago, we never documented it, but we thought about, you know, personal data in this application. Well, that's great; now it's time to document it. And so that's why, again, using data discovery and classification to go through the information ecosystem and check and see if their understanding is actually correct: I can't tell you how many times we've done searches and found stuff that we didn't realize was there. And so you want to find out now; you don't want to find out when Anonymous has broken into your website or into your back-end databases and absconded with everything. So I think that covers challenges in building that inventory. What have we got next? Okay, so
leveraging the data inventory for GDPR compliance. The good news is, once you've got your data inventory at hand, there's all kinds of great things that you can do with it, and, as a practical matter, things that you need to do with it. So, data subject rights: we'll talk briefly about DSARs, or data subject access requests, which are the scary letters you get, or scary emails you get, from data subjects saying, tell me what you've got on me. Third-party vendor management: very important to keep tabs on your vendors, because a lot of times these folks are very good with technology and bad with everything else. Information security: we'll talk about Article 32; really, data discovery is a great mechanism for InfoSec. Breach notification: if you get hacked, or when you get hacked, and the DPA, or the supervisory authority, wants to know what's going on, what's been implicated, you'll have that list ready for them. And then data protection officers, to the degree you need one; you don't always need one, by the way, but whether you have a data protection officer or someone else in charge, they really have to have access to that data in order to do their day-to-day jobs. So let's dive right in.
A couple of questions. Sure. At what point in an organization's GDPR project should the DPO be appointed, presuming the decision has been made that one's necessary?

Sooner rather than later. So as soon as you identify the DPO, hire him or her, or the organization, or whatever it is, and when I say hire him or her, it doesn't have to be someone who's an employee; it could be a third party that's just a specialty DPO. But get them involved, and here's why: because they're going to want to know what's going on so they can actually have intelligent discussions with the DPAs, the supervisory authorities. So bring them on board as soon as you can and get them intimately involved in all this. There are some particular entities that you have to know about: DPOs can't be officers, like the chief marketing officer or something like that, but, you know, we can save that for another webcast.

So a participant asks: their organization is an SMB, and do they need a dedicated DPO, or how does an organization know whether they need a dedicated DPO or not?

Well, I can tell you this much: you're going to need a dedicated person who should be able to manage your data privacy program, or global privacy program if you're a multinational. So it doesn't have to be a DPO. Let's just resolve this issue right now on DPOs: there are really very limited circumstances in which you have to have a DPO. It's really if you process sensitive data like healthcare data or criminal records, and presumably for voter registration; some companies process criminal records to make sure someone is eligible, etc. So the idea is that for that kind of, what is the best way to describe it, radioactive data, you're going to need a DPO, flat out. Also, if you're just processing lots of personal data at a mass scale; so say you're one of those companies that has the freeway cameras that watch all the cars go by, and you process data on behalf of the county or whatever, and you can see, you know, all these people going by, and there's license plates, etc. That's mass processing of personal data, or even if you're storing their license plates, for example; that's the kind of thing where you definitely want to have a DPO. However, everyone should have a data privacy manager, even if it's a part-time person or something like that. Everyone's got to have someone who has the knowledge of knowing what's going on. The last thing you want to do is get hacked and then have no one know what's going on. The DPAs will just let you have it, they really will; they get really bad when you have no idea what's going on. So that's the best way I can articulate that in a short time.

So if an organization has users that are US-based, in US-based systems, that are residents in the EU, does that make their personal information in that organization's system covered by the GDPR?

Yeah, if you're physically in the EU, and you're US, really any person on the planet, guess what, you're covered by the GDPR. So you're magically transformed into an EU data subject, and so yes, absolutely, the law covers that person. Again, I know this is going to drive our viewers or listeners nuts, but that's the way the law works.

Okay, great, one last question here. Criminal data, health information, etc., aren't these all personal data? Are there personal data sensitivity levels that this participant needs to deal with?
Yeah, there's two levels: there's regular personal data, and then there's special personal data. So Article 9 of GDPR talks about special personal data, so that's things like healthcare data, political opinions, etc., sexual preferences, things like that, religious; all those things, that's sensitive personal data, SPI. Sometimes I've run into countries that also say criminal data is per se SPI, so again, right now it's a country-by-country notion, but as a practical matter all of those are sensitive personal data; everything else is regular personal data. I think as a practical matter there's not a huge distinction; they're all protected, and you're not going to, I mean, you're not going to potentially put extra layers of protection on SPI versus regular data. I'm guessing that you're going to use one system to cover everything, so you don't want to build two separate systems. That's my guess, which is what you'll ultimately wind up doing anyway.

So, no more questions? Yes, absolutely.
Okay, let's go into data subject rights. So, Article 15; I'm not going to read this, I promise. So the idea of this, though, is this is what's known as a DSAR, a data subject access request. A data subject can send an email or a letter to an organization saying, effectively, what have you got on me, and then you have a certain amount of time to go and get back. I think currently it's 45 days, but I think they're going to shorten it, if I'm not mistaken. In any event, you're going to have to be able to get back to them and give them a description of all the data you have on them, and then they have the right to rectify it, to make changes, as it were, to correct anything. And by the way, this is something that most Americans don't know we have in the US: it's called the Privacy Act of 1974, and you can do that for the federal government, and you have the right to make corrections and so on and so forth. So the difference is, though, that now we have a layer on top of this: the right to be forgotten. So if we go to the next slide you'll see that there is Article 16, which is rectification, making changes; Article 17 is the right to erasure. This is the idea that people want to be able to say, look, if you have data about me that you don't need anymore, then you have to delete it, full stop. So that's right, the right to be forgotten is a better way to put it; it's the right to erasure, and this is just giving organizations fits, because they keep asking me all these questions about, well, does that mean I have to erase every electron in my organization that mentions someone's personal, you know, their name or what have you? The answer is no. It's based on a reasonableness test that's implicated. You don't have to erase every single electron in your organization; you have to ask what's reasonable, what is necessary to serve this person. If, for example, again, the example I would use, if it's an employee, they left the company, but you're giving them benefits, some kind of medical or healthcare vendor or some other kind of benefits, you need either contact information or you need that information you have about them to provide the benefits, or about a pension, whatever it is, then you wouldn't want to delete that data, because then you couldn't provide that to them. So there's always a baked-in reasonableness argument, but you still have to have a very good idea of what data you have about them to begin with. The last thing you want to do is look like you're not telling the truth; you're going to get spanked by the DPAs, and they love doing that kind of stuff because they can. So, data subject rights; that's the short version on data subject rights. So again, the reason why having very meticulous records is such a huge help: say, for example, you get a hundred people that write a DSAR and say, hey, tell me what you have on me. You could have someone just spend all day on the job answering DSARs, and especially if you get hacked, you can bet everyone's going to be writing and asking for what information you have about them. Or if a competitor gets hacked, and they do business with the competitor, but they also do business with you, they're going to want to know, well, what have you got on me? I know what competitor X has got, and it's a disaster. So this is why you have to be prepared now; don't wait, because it's just going to look like a complete circus if you're not ready to answer a DSAR. Let's go to the next slide.

All right, so third-party vendor
management. One of the things I'm very happy about for GDPR is that now vendors, third parties, processors, as they're called, are more or less held to the same standards as data controllers, which is great. And as the processor, you're certainly going to have to have your own Article 30 records, and in particular, when you finish processing for someone, if you look at Article 28(3)(g): at the choice of the controller, delete or return all the personal data, and most likely you're going to end up deleting it. So if you're going to delete it, you're going to certify that you deleted it, and if you're going to certify, you'd better actually have information that is consistent with that, that you actually did delete it, meaning that you have to have your own meticulous records getting an idea of what you have to begin with, so that you can answer the question: yes, I deleted everything, I got rid of it. Also, sub (h): make available to the controller all information necessary to demonstrate compliance with the obligations, and boy, I'll tell you, I wish processors were more cognizant of this. I'm seeing them start to become better, but so many processors, again, are very good with technology and very bad with everything else, and so this is something that right now can be a real burden for them. That's why it's so important to get your third parties on board for GDPR compliance now and not wait until next year. I can tell you that it's going to be a lengthy process for some of these folks.

InfoSec. So, Article
32. There's really two pieces to this. One, Article 32 requires you to provide appropriate technical and organizational measures to the organization to protect personal data; I think you're all probably well versed with that. So what's interesting about this, though, is, and if you remember from earlier when we had the data inventory sample, I have a column there just for a citation to your InfoSec policy, and you may have an InfoSec policy that's general, you may have an acceptable use policy, you may have an encryption policy, etc. Another thing that you have to be able to show, or at least they suggest you show, is here in 32(1)(d): a process for regularly testing, assessing and evaluating the effectiveness of these measures. So what do you do with that? Well, you're going to be running all kinds of audits and tests, and a great thing, again, is data discovery and classification: after you've built your entire system, using DDC to come back and say, okay, let's start scanning, let's have an idea of what information we say we have versus what really is there. So it's a great control to make sure that you're checking things, and you can check this on a differential basis. You can set data discovery up to warn you if, for example, data classified in a certain way was loaded onto a USB drive, or it was put in a repository where it shouldn't be, whatever it is, to be able to send a trigger notice and say, hey guys, hey Mr. Ramirez, InfoSec professional, this data of class X was moved to a repository it shouldn't be in, letting you know. That kind of technology is huge in supporting Article 32(1)(d). So you always want to think about all the different kinds of technology you have that can provide an early warning and prevent things from going wrong in the first place, and so data discovery is just one of those things. All right, Doug, we can go.
So, breach notification. Breach notification, a big deal for GDPR, not surprisingly. So Article 33(3) asks for breach notification specifically and gives these four things. Now, not surprisingly, if you look at these things, most of them can be pulled directly from the data inventory. So again, not an accident; these are the kinds of things you should be carrying on your data inventory. So again: nature of the personal data, numbers and approximate types of data subjects, categories of records involved. So essentially you're basing this all on your data inventory, so if and when there is a breach you're able to find out very quickly, okay, here's the data most likely to be implicated. And that's crucial because of the 72-hour deadline that you have. The big deal that we did not have before is the 72-hour deadline, and so it's a pretty heavy list, and I really would take this super seriously, because I guarantee they're going to use this, they being the EU data protection authorities, are going to use this as a bludgeon to punish organizations that aren't up to speed on this. All right.
And DPOs. We talked about DPOs earlier, so I won't beat this to death again. We'll just say that if you don't have a DPO, that's fine, you may not need one, so you make an independent determination whether you need one. But you should have a person that owns your data protection program, that owns the data privacy elements of that. And again, this may be split: you may have someone who's an expert on data privacy and one that's going to be on InfoSec, and they work as a team, that's fine. But you want to have someone you could ask. I know at my former company I was the guy, and so everything hit my desk, I mean everything. Anything that was remotely a personal data question would hit my desk, from people that I didn't even know were in the organization, but they found me and they said, hey, we think that this is a problem. And so I would get contracts and agreements and things all day saying, hey, this website says that we can't do X, or, you know, what can we do? So you need someone who can just answer all those things, or at least push those to the right people, and that's really super critical if you want to have an excellent global privacy program, and that's why that person needs access to the data inventory.

I think that's what we have, Doug. I'm going to wrap up here, and I know we're just about out of time, but like I said, keep sending in questions and we'll review them and turn them around in the next 24-48
hours. So, a couple of things on data inventory. It's a core component of your global privacy program; I don't need to beat that up, I think you guys pretty much are convinced. It is your first line of defense for answering any kind of data protection question, or if you wind up getting hacked and it becomes a crisis or a series of crises, it's your first line of defense to be able to find that information. You don't want to try and find it when you've gotten hacked, because by that time all the people you need to talk to are probably going to be on vacation; that always seems to be the way it works. This is a key component for data protection managers or officers; either way, that person or persons should have access to this. And finally, the data protection inventory, or data inventory, really should be a living document. It's not something that you can just write down once and that's it; you're going to have to periodically update it, and again, working with your application owners is crucial for that, and, not surprisingly, using data discovery and classification to make sure that their understanding is correct. So that's what I have for you, Doug. I know we're at the top of the hour, so I'll be respectful of everyone's time, but I'll leave the rest to you. Again, thank you very much, Scott. You're welcome.