Data Inventories and Data Maps: The Cornerstone to GDPR Compliance

00:00

all right well go ahead and get started

00:01

so welcome to today's webinar data

00:04

inventories and data Maps the

00:06

cornerstone to GDP are compliance all

00:09

right first of all I'd like to point out

00:11

here at spier on we've been getting a

00:13

lot of customers that have been asking

00:15

about GDP our our customers have been

00:18

successful in doing data discovery and

00:20

classification monitor and protect their

00:23

sensitive data across your organization

00:25

in this presentation

00:27

Scott Giordano will be talking about the

00:28

GDP our requirements around data mapping

00:31

and how data discovering cloud

00:33

classification helps accelerate and

00:37

replace manual processes related to

00:40

meeting the GDP our requirements so at

00:43

this point I'd like to introduce you to

00:46

Scott wonderful thank you dad

00:49

yeah I do want to reiterate you had the

00:51

audience that if you have questions

00:52

while I'm doing the presentation please

00:55

send them in we love getting questions

00:56

all right so first up let's talk about

01:00

record-keeping just in general this

01:04

whole idea of record-keeping for for

01:06

data controllers so Scott what's the

01:10

current responsibilities for data

01:11

controllers under the Data Protection

01:13

Directive the way it works right now is

01:18

that every every controller has to

01:23

register or at least has to be liable to

01:27

register with every member state so for

01:29

example the ICO which is the Information

01:33

Commissioner's Office in the UK has

01:35

registration requirements for for data

01:37

controllers the kaneo which is the the

01:40

essentially the equivalent of the ICO in

01:42

France they have their own registration

01:45

requirements the Belgium EPA has their

01:48

own everyone has their own some nations

01:50

don't have them at all Germany doesn't

01:52

really have much of the registration

01:53

requirement at all to speak of so right

01:56

now all of the EU Member States either

01:58

have individual requirements of some

02:01

form or fashion or may not have any but

02:05

the issue is that data controllers are

02:08

required to do all these just crazy

02:12

questions they have to answer

02:13

with respect to data processing and this

02:16

is I'm talking from my own experience

02:18

here that every single DTA that required

02:21

us I'm speaking when I was at a defense

02:24

contractor we had to register with all

02:27

these different GPAs and everyone had a

02:29

Niek set of questions and the problem

02:31

was that it was hugely hugely tedious

02:35

and time-consuming I think for for one

02:38

DPA we spent the better part of a month

02:40

doing all of our registration filings

02:42

because for every third party that you

02:44

had as part of your information

02:47

ecosystem if you will that was

02:49

processing data you had to put a

02:50

separate annex for them and then for

02:52

every subsidiary of your organization

02:54

you had to also file a separate document

02:57

so you may file several hundred

02:59

documents in one jurisdiction just for

03:02

registration

03:03

so it was a extraordinarily tedious and

03:06

time-consuming and expensive endeavor

03:10

just not only for internal person time

03:12

but for outside Council time we burned

03:15

up a small fortune on outside council

03:17

expenses which is great if you're in a

03:18

you know outside council but it really

03:20

it just didn't really serve us very well

03:23

especially since a lot of the questions

03:24

we were asked were ridiculous questions

03:27

that were more fit for the 1980s when

03:32

when data protection was starting to be

03:33

taken seriously then then today they

03:35

just were outdated and you really

03:37

couldn't answer them very effectively so

03:39

just as it as a practical matter under

03:41

the directive record-keeping was just a

03:44

nightmare there and it really was not

03:45

something I look forward to and

03:47

certainly I think DPAs didn't like it as

03:49

well because it was a lot of wasted time

03:51

and there was really no value in it if

03:53

you had something go wrong for example

03:56

if you did have a breach they aren't

03:57

going to look at the records they're

03:58

just gonna call you and ask you what

03:59

happened anyway so it's just I

04:02

understand why they made this

04:04

requirement but the net-net of it was

04:06

that it didn't really serve anyone well

04:08

and we're well rid of it as we'll talk

04:11

about in a minute

04:14

okay Scott there is a question so how

04:18

where do US controllers that do online

04:21

business with the EU citizens register

04:25

well have what you have

04:27

to do and this is why I'm so glad that

04:29

we're going to be doing away with this

04:31

ridiculous requirement is that you have

04:33

to go to the site of the respective DPA

04:36

so say for example that you're doing

04:38

business in the UK you have a physical

04:41

presence there or you're selling or you

04:43

have some kind of equipment connection

04:44

in there or what have you you have to go

04:47

to the ICO site and then go register

04:49

then they'll give you instructions on

04:50

how to register and that they don't I

04:52

mean I think the questions aren't

04:53

difficult or say but it's just a lot of

04:56

work and if you have for each individual

04:58

instance you have their so say you've

05:00

got five subsidiaries in there then

05:02

you've got to do five separate filings

05:03

and then you may all file them at

05:06

different dates and then you have to

05:08

constantly check and see if you do for

05:10

the refiling every year so every single

05:12

DPA that requires filing at all will ask

05:15

you to go to their site the problem is a

05:17

lot of these sites and forgive me for

05:19

you know I'm not being disrespectful

05:22

these folks but they don't put all these

05:23

things in English so unless you have

05:26

someone local there they can read the

05:28

the local language or you go to outside

05:30

council locally and have them do it your

05:32

mini cases you're kind of questioning

05:35

what they're asking in the first place

05:37

so in many cases we just have to use

05:39

local employees to go and read these

05:42

things and of course they're not

05:43

thrilled with that because they

05:44

concerned about their own personal

05:46

liability that they interpret something

05:48

wrong a lot of the questions these folks

05:50

ask the DPA is asked just don't make a

05:52

lot of sense right frankly it's um I

05:54

said with somewhat surprised and I

05:56

probably shouldn't be at this point ok

05:59

Scott there's another question

06:01

participants asking if you're talking

06:03

about the current world or the GDP our

06:05

world because they're interested in the

06:07

current world this is okay well we will

06:10

shift right now to GTR that's fine

06:12

current world yes you do have to

06:13

register but and here's the happy but

06:15

the under GDP are you don't have to

06:18

register so let's go to the next slide

06:20

here okay so now this is GTR land we're

06:24

in right now so so recycle 32 it spells

06:28

it out it says the controller or the

06:30

processor this is new processors now

06:32

have to maintain records which they

06:34

should have have in my view anyway but

06:36

now they're required under GDP are are

06:41

to maintain records of processing

06:42

activities so that's great they've laid

06:45

down the law article 30 they get into

06:47

the details of it and they'll say each

06:49

controller shall do the following and

06:52

they give you a laundry list of

06:53

information that you have to check sorry

06:56

that you have to keep track of so not

06:59

surprisingly contact information while

07:02

you're processing description of the

07:04

categories the data subject there's a

07:05

laundry list I won't dig into it because

07:07

we're going to show you in a minute

07:09

anyway but this is both for article 30 -

07:13

one is for controllers - two is for

07:15

processors so again great news

07:17

processors now have to maintain their

07:20

own records officially they you know

07:22

officially did not have to before

07:24

so good news there so let's go to the

07:26

next slide Google will dig into this a

07:29

bit more so what what what a data

07:33

inventory look like okay this is a super

07:36

bare-bones I'm just drawing from article

07:39

30 so these are just some categories

07:41

things so what are the processing

07:43

activities and if you look on the far

07:45

left I've made up some names of some

07:47

applications you'll probably recognize

07:49

all of these you know that's the first

07:51

one I call it employee central it's a an

07:54

HR is system that you probably are all

07:57

familiar with or one of the competitors

07:59

I'm selling me stuff again that's going

08:01

to be a CRM system reimburse me those of

08:04

you that have file expense reports know

08:05

all about these kind of things gives you

08:08

some very typical applications so what's

08:12

the processing activity if you look at

08:13

employee central it's maintaining

08:16

employee records you can be as as

08:17

general as that and still be ok and then

08:20

what's the purpose for again to maintain

08:23

employee records for the management of

08:25

employees a lot of times we use that

08:26

phrase employer management career

08:28

management for the employees scheduling

08:30

and really anything that gives the the

08:33

GPA or the supervisory authority is

08:36

their call now the the idea of what

08:39

you're actually doing with this with

08:41

this information and then who are the

08:43

data subjects in this case it's going to

08:45

be your full-time and part-time

08:46

employees what specific data fields and

08:49

this is critical folks this is really

08:51

where the rubber meets the road is going

08:52

and finding the very specific field so

08:54

are you collecting you're collecting

08:58

obviously the name and and perhaps their

09:00

home address and their home phone number

09:02

where you get into trouble is national

09:05

ID numbers and this is something we had

09:06

endless discussions about and my foreign

09:09

company about what were you legally able

09:12

to even capture a national identify

09:14

identification numbers in some cases the

09:16

answer is yes some types no so this is

09:19

something that even with gdpr you're

09:21

going to have to go to local law in in

09:23

many cases and find out if you can even

09:24

capture then when we take it for granted

09:26

here in the US that you can just use an

09:28

SSN for anything that's not the case in

09:31

the EU they're very touchy about that

09:33

and so you just have to be very careful

09:35

about whether you can do that but it's

09:37

important to go and find out what you're

09:39

capturing again when you talk to the

09:42

application owners they can usually give

09:44

you a list of all the fields that

09:45

theoretically you can capture verses

09:47

which are actually capturing and then

09:49

you have to get an idea of what you're

09:50

actually capturing because in many cases

09:52

no one even realizes that until you

09:54

start asking questions then the next

09:57

most important one over is recipient

09:59

list so who's getting this well when we

10:01

say recipients it really means who has

10:03

eyes on it who's getting a feed from the

10:06

database so obviously it's going to be

10:08

your headquarters HR staff that are

10:10

running it it may be that an employee's

10:12

manager potentially it definitely be the

10:15

payroll folks will almost certainly have

10:17

access to this you can go get a feed

10:19

from it and just get certain fields from

10:21

it I'm an LMS learning management system

10:23

just making sure that that employee has

10:26

completed all their training you'll

10:27

usually get a fee to but just a couple

10:29

fields from the the larger database into

10:31

that one of the real date is the

10:33

questions like always asking data in

10:34

Tory's is what does this feed in jus HR

10:38

systems they may feed anywhere from five

10:40

to fifteen different subsystems like

10:43

travel or LMS or benefits or any myriad

10:47

of things and if you don't ask you won't

10:49

know this is again one of the hot just

10:50

hard lessons when you do these data

10:53

inventories you have to ask a lot of

10:54

questions to the the data steward the

10:57

data application owner whatever you want

10:58

to call the person in charge in the

10:59

application and you may have to go back

11:02

a couple times to get clarification next

11:05

is-is-is the data transferred out of the

11:08

EU for the u.s. folks that are on the

11:10

call here which is probably most of you

11:12

answer is almost always going to be yet

11:14

so say that you have a third party even

11:17

that that's hosting your HR system

11:19

typically the servers are somewhere in

11:21

the US they're typically outside of EU

11:24

unless you built a system the EU centric

11:26

but physically everyone here on the

11:28

calls probably got their systems here in

11:30

the US even if working with a third

11:32

party

11:32

so that's transfer outside the EU and

11:35

there has to be a mechanism to get that

11:39

information out legitimately so for

11:42

example whether it is a privacy shield

11:46

or there's a model contracts about

11:48

whatever it is there has to be a

11:49

mechanism above and beyond just a

11:51

regular contract between you and the

11:53

third party provider so for example if

11:56

you look at the data transfer mechanism

11:59

here for the first item which is the H

12:01

HR staff they had quarter staff it's an

12:04

intra group agreement so think about a

12:06

model contract clauses between your

12:08

European subsidiary and your US

12:10

subsidiary rest parent company that is a

12:13

intergroup agreement or IgA typically

12:16

you'll get all of your EU subsidiaries

12:18

onto that one agreement and something

12:20

that's how I've done it the past and

12:22

then we'll sign that with a parent

12:23

company that'll be your your agreement

12:25

it uses model contract clauses but you

12:27

can also potentially use privacy shield

12:29

in different different ways you can do

12:31

that the idea though is you want to have

12:33

a list of all the different mechanisms

12:35

for each individual application each

12:38

application may be completely different

12:40

in what mechanism you're using and so

12:42

you want to be able to tell the

12:43

Supervisory Authority how you did that

12:46

because in many cases they're going to

12:47

want to know and then also you're gonna

12:50

want a application owner so who is the

12:52

person or persons that are responsible

12:55

for that application so you may for

12:58

example for the HR system you may have

13:00

several people that are responsible for

13:02

different facets of the HR system and so

13:04

you want to put a list of those owners

13:06

because those are people you want to

13:07

call if something goes wrong if you wake

13:10

up one day and you see that you've been

13:12

breached and some bad guys have got into

13:14

your system you're going to want to know

13:15

who to call right away depending on what

13:18

information is in briefs

13:19

and then finally the last column

13:21

organizational technical security

13:23

measures so what I would do here is put

13:25

a link to the larger policies that you

13:27

have that govern information security I

13:29

mean you can put a summary if you want

13:32

to put it there of the actual controls

13:34

in place but if you're just for

13:36

illustration purposes I've just put

13:39

links to the policies and procedures in

13:41

that spine the idea behind this you want

13:43

a supervisory authority to have an idea

13:47

exactly how you protected individual

13:49

things and it may be that you've got two

13:51

complete different set of controls for

13:53

each application that's fine but you

13:55

want to let them know that you've

13:56

thought this through then you've

13:57

adequately protected it per article 32

14:00

I'm going to pause there Doug I'm

14:03

there's any questions or comments or

14:05

thoughts thus far is this what it would

14:07

look like for every organization um no I

14:09

mean this really is just square one I

14:13

mean when I've done these and doing me

14:15

now you've probably got 30 different

14:18

fields to address all kinds of things

14:20

like for example some supervisory

14:23

authorities want to know not only who

14:27

has access but whether they have

14:28

administrator access or just regular

14:31

end-user access so I mean there's a lot

14:33

of minutiae here it just it there's

14:37

almost no into in some cases of just the

14:39

questions the last year so I this what

14:42

you're saying here is just the beginning

14:44

this is just getting you off the ground

14:46

like I said this is probably about eight

14:48

or nine ten fields you'll probably have

14:49

triple that when all is said done great

14:53

a question from the audience is

14:55

application owner from the id IT

14:58

department the application are typically

15:00

off to application owners we stepped in

15:02

my experience you'll have one from IT

15:04

and one from the clinical business unit

15:07

so you'll have a technical owner and

15:08

typically oh I'm a business owner so the

15:10

IT person may be the person that's

15:12

either the administrator or is

15:13

responsible for some technical aspects

15:16

and then you'll have a business owner

15:18

from the respective department that's

15:21

involved in this and that person will be

15:23

actually running this thing from day to

15:25

day so I now simplified the owner but

15:28

typically you'll have two owners for

15:29

every application if not more

15:31

so next up with some challenges in

15:33

building the data inventory so we got

15:37

two challenges in building data

15:38

inventory one is just finding what data

15:41

is in scope and if you you've spent time

15:43

with us in the past on some of our other

15:46

webinars you've probably seen some of

15:49

the things that we're discussing here

15:50

but just for the sake of completeness um

15:52

one of the the issues is just a

15:54

definition of personal data again I

15:56

talked to folks here in the US that are

15:58

very centric about saying oh you know we

16:01

we collect s s ends or we collect you

16:05

know addresses or what have you that's

16:07

all the sensitive stuff that we need you

16:09

know if it health care organization and

16:11

they have a very acute sense of what

16:12

sensitive but above and beyond that

16:14

people don't realize that the definition

16:16

of personal data is so much wider and I

16:19

it's impossible for you to overstate

16:22

this in the EU they have this idea of

16:25

online identifiers and an online

16:27

identifier is just some electronic

16:29

representation of information that can

16:33

be ultimately connected back to you so

16:36

on the idea of IP addresses and the IT

16:38

folks on there you pyrole in your eyes

16:40

and right now saying that's crazy how

16:42

can i p address be personal data well

16:44

the European courts have decided that it

16:46

is even even scat even dynamic ones

16:49

which is pretty crazy because obviously

16:50

they're so ephemeral but the the EU big

16:54

believer in in IP addresses as a

16:58

identifiers so you've got things like

17:01

browser cookies GPS coordinates MAC

17:04

addresses RFID tags any kind of device

17:09

identify ER or other related dentists is

17:11

going to wind up as an online identifier

17:13

it's just this is what we're stuck with

17:14

right now and this problem trying to get

17:16

bigger not not smaller over time so just

17:20

a word to the audience here that when

17:23

you're searching for all of these things

17:25

you're really going to have to take a

17:27

very sign microscope to everything and

17:30

getting an idea of what kind of data are

17:31

you capturing so you have online

17:33

identifiers you have the regular

17:34

quote/unquote personal data like a

17:37

national identifier remember a phone

17:39

number and address etc etc you're going

17:42

to have special things so they have

17:45

special

17:46

and data like healthcare data and

17:47

what-have-you but they also have for us

17:49

special categories of data or a little

17:51

bit unusual so for example special

17:54

categories of data include things like

17:55

religious beliefs clinical beliefs

17:57

sexual orientation etc etc so those are

18:01

things to be on the lookout for as well

18:02

and that's tougher to capture not

18:04

surprisingly because it's it's very it's

18:08

very nebulous what qualifies is that

18:10

when you're you know if you're reading a

18:12

sentence and someone says they have a

18:14

appointment with their oncologist say

18:16

it's in an email well I mean is that

18:18

medical data yeah arguably it is you

18:20

know how do you protect that and so this

18:22

is the kind of exercise you have to go

18:23

through whenever you're doing a data

18:26

inventory is is looking at what the

18:28

email traffic is looking like as well

18:30

it's not just interviewing folks that

18:31

will talk more about that in a minute so

18:33

don't a pause here do we have any

18:35

questions or comments coming in there

18:37

you want to address otherwise all will

18:39

continue yeah Scott how would you

18:41

address finding online identifiers in

18:43

the past or how have you how we've done

18:47

it is and how we got involved in is in

18:49

data discovery way back when was this

18:53

issue on for us we had to find export

18:57

controlled items so that's how we got

18:59

this start in doing data discovery and

19:02

classification because you had to be

19:04

able to find things that were indicative

19:06

of export control things that were

19:08

controlled by the ITAR and what-have-you

19:10

so that technology that methodology is

19:13

and this is something I got involved

19:14

with about three years ago and so I just

19:16

became very enamored of data discovery

19:19

and classification because you're having

19:21

an automated process go through and go

19:23

look for things that meet certain

19:25

criteria and so you can obviously dial

19:28

it in as loosely or as finely as you

19:30

want to look for things but that's how

19:32

we got the start using got a discovery

19:35

classification and now just happens to

19:37

be that it works extraordinarily well

19:38

for finding personal data great a couple

19:41

questions is log-in identifiers for

19:45

applications covered under the GPR gdpr

19:48

absolutely absolutely a user ID login ID

19:51

that is an online identifier so now I'm

19:55

sure again eyes are rolling in the

19:57

audience here saying geez got that could

19:58

be just about anything and the answer

19:59

yeah it could be just about anything I I

20:02

wasn't joking when I said I can't

20:04

overstate this just everything is fair

20:06

game

20:06

okay I'll give you an example here um I

20:08

was working with a colleague who had a

20:11

program that would go and inventory all

20:13

the software that our company had to

20:15

make sure that we had all the licensing

20:17

correct and so not surprisingly it's

20:21

going and checking you IDs well guess

20:23

what those you IDs those that's now

20:25

personal data and so we had to go talk

20:27

to the vendor and sign a model contract

20:30

clause agreement with them to address

20:32

all the legalities of that so it's

20:35

amazing how innocuous things can wind up

20:38

being in scope on this that's that's why

20:40

I'm saying that you really have to take

20:42

someone jaundice you whenever you do

20:44

your data inventory and ask yourself it

20:47

really could this be personal data in

20:50

any contact based on this and I think

20:52

that's the safest way to go great couple

20:55

more questions

20:56

is there a document a list of

20:58

identifiers for example genetic

21:01

sequences brown hair is not as an

21:04

example

21:06

unfortunately no at this point the we

21:08

have not gotten much in the way of

21:10

guidance by the article 29 working group

21:14

which is going to be the European data

21:16

protection advisor or supervisor or

21:20

board I think it's EDPs board is that is

21:24

the think tank of the the article are

21:27

the the current member states so the

21:30

short answer is no there is no

21:32

definitive list so for the moment we're

21:35

just going to have to ask ourselves look

21:36

at a piece of information could you

21:38

combine it with one or two other things

21:40

and identify someone with it if you can

21:42

it's likely in scope I wish we had a

21:45

exhaustive list but I'm not holding my

21:47

breath we'll ever get one okay um

21:50

perhaps some guidance someone is also

21:54

looking for a list for guidance on what

21:56

is considered as PII for gdpr so same

22:00

question in a different way yeah and

22:04

what's important is and I know this is

22:07

frustrating for an American audience

22:08

here we have to get out of the mentality

22:10

of PII CII is a

22:13

set of personal data really we have to

22:17

again go back and ask ourselves what's

22:19

the easy stuff the easy stuff is going

22:21

to be things that's obvious name address

22:23

phone numbers email addresses social

22:26

security numbers things that we're

22:27

familiar with but and I'll give you an

22:29

example is a vehicle identification

22:32

number personal data under the standard

22:35

we have here the answer is yes because

22:37

in principle you can plug that into

22:39

something else and go look up the driver

22:41

so then under a UI is personal data and

22:46

again eyes are probably rolling in the

22:48

audience going oh no this is ridiculous

22:50

but this this is the nature of it so we

22:52

have to think very expansively just

22:55

about anything can be personal data

22:56

which I know is frustrating but this is

22:58

just the world we live in so there's

23:00

there's no way to give you an exhaustive

23:02

list it's always going to do that same

23:03

question how could someone misuse or

23:05

abuse this and and connect this with

23:08

other data and then identify someone

23:10

that's ultimately the test and really I

23:12

look at it from the bad guys the point

23:14

of view how could bad people who get

23:16

access to this use this to compile other

23:19

data to identify people and perhaps

23:21

commit fraud identity theft etc great do

23:27

online identifiers have to be combined

23:29

with other identifiers like name to be

23:31

considered in scope that's a good

23:35

question

23:37

they have to be potentially identifiable

23:40

are connectable with other things to be

23:41

in scope the idea is that personal data

23:44

is something that can be used directly

23:46

or indirectly and directly is easy

23:48

indirectly is the much larger scope so

23:51

if a item could not be correlated with

23:55

something else so if an online

23:57

identifier per se but it could not for

24:00

some reason be coordinated with

24:01

something else

24:01

then you can make a great argument it's

24:03

not personal information or personal

24:05

data as the standard goes under the EU

24:08

but I'd be very careful about that

24:10

because you may not be able to

24:13

coordinate it with with other data

24:14

indentify someone but someone else may

24:16

I'm always impressed by how creative bad

24:19

people are at making use of innocuous

24:22

things great a couple more questions

24:26

and just to validate our transaction

24:30

numbers pointers information like that

24:33

entering into the definition of personal

24:35

aid it oh they're starting up to the

24:39

edge of personal data because again if

24:41

the transaction ID you're gonna plug

24:44

that you're going to have to plug that

24:46

into another database if that database

24:49

then you plug it into is going to reveal

24:52

personal identification then you can

24:54

make a very good argument that a

24:55

transaction ID is indirectly linkable

24:58

then therefore it should be protectable

25:01

as personal data I'll give an example

25:02

employee IDs employees are personal data

25:05

no doubt okay and so an employee ID if I

25:08

gave my employee ID to you you really

25:12

couldn't do much with it per se but if

25:14

you could combine it with anything else

25:15

which probably wouldn't be tough and you

25:17

could personally identify me so the

25:19

net-net of it is that things again that

25:21

are an activist and what like

25:23

transaction IDs if they're not personal

25:27

data they are very close to it and I

25:29

would just presume that they are in

25:31

treated as such again I know I'm making

25:33

a lot of work for the folks in the

25:34

audience but I've just I've been seeing

25:37

too many instances where innocuous data

25:39

just is being used by bad people and you

25:45

wouldn't I would be surprised that they

25:48

could do it that I do it so a question

25:51

about RFID tags humans do not ingest the

25:55

RFID tags so why is it considered that

25:59

why is it considered that a MAC address

26:01

of the RFID be considered personal data

26:05

um because in theory whether a MAC

26:09

address is connected to a box like my

26:12

laptop which then at some point can be

26:15

connected to me by coordinating it with

26:17

or with other data so the idea is that

26:20

something like a MAC address is not per

26:24

se and identify me just by itself

26:26

because it's obviously it's just it's

26:28

just alphanumeric characters but you can

26:30

combine it with something else to

26:32

identify me so that's the nature and

26:34

that's nature of most if not all I don't

26:36

identifiers is that you're combining

26:38

with something else to identify you that

26:40

really where the danger lies if it was

26:43

if you couldn't combine that information

26:44

with anything else you can make a very

26:45

good argument that it's just it's not

26:47

personal data and it's not scope but the

26:50

European think tanks have really said

26:53

yep RFID tags they actually actually

26:55

call out RFID tags in the GDP are by the

26:58

way so I mean that's pretty much settled

27:01

so as a practical matter all these

27:04

things that I'm showing up on the screen

27:05

here these are all personal data for all

27:07

intents and purposes so you've covered a

27:11

lot of different things that might fall

27:13

under personal data what is not as a

27:17

general rule perhaps what's not personal

27:20

data oh boy yes it was oh boy that's a

27:26

great question I mean really you think

27:28

about it if there's any any data that is

27:31

purely machine the machine that is

27:33

involved in say a back-end system like

27:35

you can make an argument that even

27:36

something like it will also tell you

27:39

like PLM information product lifecycle

27:41

management information so information

27:42

that you're processing about a product

27:44

you're likely not going to have this I

27:47

don't think so in my experience you're

27:49

not going to have a lot of person or any

27:51

personal information in there because

27:52

it's just about your product so it's a

27:54

good a good example of a back-end system

27:56

it really likes me not going to be in

27:58

scope now something that's not terribly

28:01

too similar though ERP now you think

28:02

about all of the the purchasing

28:05

capability for that you're going to have

28:07

games and addresses and their contact

28:08

information of the people that you have

28:11

to build because typically ERP you're

28:13

going to have you know pay to or bill to

28:15

or whatever it is ship to and you're

28:17

gonna have personal data and their

28:18

people contact informations name that

28:21

puts that in scope gives it a big scope

28:23

no but you still have to account for and

28:25

I think that's where people sometimes

28:26

get off the road as they think oh you

28:28

know there's really nothing special here

28:30

is just contact information well you

28:31

know what unfortunately under the GPR

28:34

even before that under the directive

28:36

email addresses are our personal data if

28:39

they identify someone if they had their

28:41

first and last name or you know first

28:43

initial last name kind of thing that's

28:45

it so it's a long way of saying that

28:47

just about everything unfortunately it's

28:49

going to going to have some connection

28:51

of personal data I want some purely

28:52

product related or me

28:54

anok we related something on the backend

28:55

of your organization great we got a few

28:59

more questions coming in sudonym ization

29:01

how much which is refered how is it

29:05

technically achieved will you be

29:07

addressing that later in the

29:08

presentation or you know if well I mean

29:13

we can address it now because I hadn't

29:14

plan to talk about it unfortunately we

29:18

don't have almost any guidance and

29:20

immunization I mean those of you that

29:22

worked either in the payment card

29:24

industry or are involved in PCI

29:26

compliance you're familiar with the

29:28

concept of tokenization which is really

29:32

what sudonym ization is said another way

29:34

that's the only time I've really had any

29:36

experience with tokenization

29:37

organization I

29:39

we haven't gotten any guidance on it and

29:41

frankly I just don't know why the the

29:45

European Union is so in love with the

29:47

idea but they are so the short answer is

29:51

I don't have anything useful to share

29:53

with you at the moment

29:54

but I'm just stay tuned to Suspiria

29:57

website and you know whenever we do get

29:59

something from the articles when I'm

30:00

working group I'll you know what to get

30:02

our webinar and we'll talk about it

30:04

great few more questions what about

30:07

collected data log files for example

30:10

proxy firewall servers will this kind of

30:13

data also be classified as personal data

30:16

coordinate gdpr

30:17

okay potentially potentially because and

30:21

depends on the nature of the log file so

30:23

a lot some log files like server log

30:25

files will have the referring header you

30:27

know where it came from and you know so

30:30

that potentially if you collect enough

30:32

of those from from someone you could

30:34

identify them potentially the short

30:37

answer is it's a maybe I put log files

30:39

here on the list because it depends what

30:41

information you're collecting

30:42

I mean log files often select IP

30:44

addresses and we know that they are per

30:48

se

30:48

personal data so if even one item in a

30:52

log file

30:52

is arguably personal data arguably an

30:55

online dental fire then the whole thing

30:57

is unless you find a way to somehow

31:00

isolate it maybe it's a different table

31:02

or something like that I've seen

31:04

organizations where they'll throw things

31:05

and different tables and just combine

31:07

them

31:07

and all at once to create something

31:10

that's a possibility but generally

31:11

speaking you consider your log files

31:14

personal data at this point I know a lot

31:16

of people were probably rated to them to

31:19

scream right now that everything seems

31:21

like it's personal data but you know

31:23

this is the world in which we live right

31:24

now great and just to confirm that would

31:28

include unstructured data so the

31:31

question is do organizations need to

31:33

look at unstructured data issues while

31:35

doing their data flow mapping absolutely

31:39

absolutely they do and this is funny you

31:41

mentioned unstructured data which you

31:43

know we were just called loose files and

31:44

email back in my e-discovery days it's

31:47

much the same exercise that you're going

31:49

to have to go through these things and

31:51

and use some data discovery and get an

31:53

idea of just what personal data is

31:55

embedded in these documents because a

31:56

lot of times Microsoft were they were

31:58

they were really well known for spending

32:01

all kinds of identifying data in their

32:04

documents and I know that since that

32:06

time that they had you know scrubbers

32:08

come in to be able to scrub out data you

32:10

can do it now automatically in Word but

32:11

you're gonna have to do and just do

32:13

start doing searches doing out of

32:15

discovery and looking through your

32:17

unstructured data because that's what

32:18

that's going to be an excellent

32:19

candidate for personal data that you

32:21

wouldn't have thought to look for great

32:25

next question participant asks for your

32:29

view on this she states I see you're

32:32

approaching this on a system by system

32:34

approach we're looking at it by

32:37

Department

32:38

so what data does marketing collect for

32:40

example what Dana does product

32:42

management process and they also would

32:47

have IT looking at all the systems such

32:49

as the RP HR systems etc any views on

32:52

this I mean as far as an approach of

32:57

growing department by department versus

32:59

application or application I think

33:01

that's fine

33:01

I don't see any problem going

33:03

departments right apart because

33:04

different departments are going to have

33:05

to have their own separate issues HR is

33:08

is going to be probably your biggest

33:10

challenge because of the idea that soy

33:12

data being especially toxic and again

33:14

I'm presuming you're not in a highly

33:15

regulated industry so healthcare if you

33:18

are then you've probably already had to

33:20

solve this problem

33:21

already because that data is so

33:23

sensitive but for non healthcare

33:26

organizations then the issue is going to

33:28

be HR is gonna be the first place you go

33:30

to marketing is probably number two

33:32

especially if you're a b2c play because

33:35

you may have all kinds of data that was

33:37

collected that you probably can't use

33:40

and I know again people we're going to

33:42

great it took me right now but a lot of

33:44

organizations that have bought lists and

33:47

way back when and still have that data

33:50

in their databases on folks

33:53

much of that's going to have to be

33:55

tossed if you can't find a way to

33:56

validate that you got permission from

33:58

data subject to use it so yeah go by

34:00

department by Department is fine so HR

34:03

first marketing is second and then again

34:06

if you're a b2c play go to your products

34:08

if you're if you sell apps for example

34:11

apps are just notorious for leaking data

34:14

and sharing data and accessing data they

34:17

shouldn't be so that's probably a

34:19

separate project by itself just going

34:21

after your apps and seeing what kind of

34:22

data they're sharing and leaking you

34:24

probably shocked it what you'll find so

34:26

well so the answer is yes if you're a

34:28

b2b to be player you'll have less work I

34:31

think potentially but still a little lot

34:33

of work because it's just amazing the

34:36

data that we share that we didn't

34:37

realize we were sharing until someone

34:38

asked so when you talk about

34:41

unstructured data you also mention that

34:43

healthcare organizations for example

34:48

healthcare organizations may get a lot

34:51

of faxes so paper or scan data as an

34:54

image is certainly in scope of GDP are

34:58

absolutely paper records no question

35:01

about it they are in scope so if you've

35:04

got if you're storing those things in

35:05

one form or fashion then yes you've got

35:08

to go and account for that as well

35:10

account for whoever whoever you're

35:12

sharing that data with to make sure that

35:14

because if they're processing that say

35:16

that you're in your an insurance company

35:18

and you're processing on payments for

35:20

medical stuff then you're a processor

35:22

and you're connected with that that

35:25

healthcare organization yeah they're

35:27

gonna be asking you a lot of hard

35:28

questions about about your posture on

35:30

that absolutely and and we'll talk a

35:33

little bit later in the broadcast about

35:35

parties but the net-net of it is that

35:37

yes absolutely

35:39

the short answer is yes great this looks

35:43

like the last question we're putting

35:45

data subjects do international exchange

35:47

students qualify oh boy we've had

35:51

endless arguments about this endless

35:54

arguments here's the problem is that

35:57

this law in theory is limited to two

36:01

instances one where you're offering a

36:03

better service into the EU or two you're

36:06

studying the behavior of the EU data

36:09

subjects so setting behavior meaning

36:11

that you're you're buying data and

36:13

modeling it trying to get an idea of

36:15

what someone's likely to buy for example

36:17

so here's the thing is that if your

36:19

educational institution is advertising

36:21

and your advertising to folks in the EU

36:25

directly it's not just a website that

36:27

you can access from EU but you're

36:29

actually actively selling your service

36:31

or educational service then you can make

36:33

a very good argument that it applied GTR

36:36

applies to you now I know some people

36:38

will say no no we're way Skott but

36:40

that's that's my position at this point

36:42

based upon just little reading of the

36:44

law now suppose that someone comes over

36:46

here as exchange student you've never

36:47

advertised to the EU

36:48

you're completely siloed and insular and