data privacy & data security
TRANSCRIPT
EWSolutions
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 1
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Data Privacy &
Data SecurityBy David Marco
President
EWSolutions
Webinar Series: Data Governance Mastery
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 2
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Strategic Partnership
www.iim-africa.org
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 3
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
EWSolutions’ Background
EWSolutions is a Chicago-headquartered strategic partner and full life-cycle systems integrator
providing both award winning strategic consulting and full-service implementation services. This
combination affords our client partners a full range of services for any size enterprise information
management, metadata management, data governance and data warehouse/business intelligence
initiative. Our notable client partner projects have been featured in the Chicago Tribune, Federal
Computer Weekly, Journal of the American Medical Informatics Association (JAMIA), Crain’s Chicago
Business, The Doings and won the 2004 Intelligent Enterprise’s RealWare award, 2007 Excellence
in Information Integrity Award nomination, DM Review’s 2005 World Class Solutions award and 2016
CIO Review 20 Most Promising Enterprise Architecture providers.
For more information on our Strategic Consulting Services, Implementation Services, or
World-Class Training, email us at [email protected] or call at 630.920.0005
Best Business Intelligence Application
Information Integration
Client: Department of Defense
World Class
Solutions Award
Data Management
2007 Excellence in Information
Integrity Award Nomination
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 4
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Over 150 Client Partners Since 1997
For more information on our Strategic Consulting Services, Implementation Services,
or World-Class Training email us at [email protected]
AFLACAON (Hewitt Associates)
Arizona Supreme CourtBank of America (Countrywide)
Bank of MontrealBankUnited
Basic American Foods
Becton, Dickinson and CompanyBlue Cross Blue Shield companies
Booz Allen HamiltonBranch Banking & Trust (BB&T)
British Petroleum (BP)
California DMVCalifornia State Fund
Canadian Institute for Health Information (CIHI)Canadian National Railway
Capella UniversityCigna
College Board
ComcastCorning Cable Systems
Contech Systems, Inc.CostCo
D.A. Davidson
Defense Logistics Agency (DLA)Delta Dental
Department of Defense (DoD)Department of State (DOS)
DiscoverDriehaus Capital Management
Eli Lilly and CompanyEnvironment Protection Agency (EPA)
ErwinFarmers Insurance Group
Federal Aviation Administration
Federal Bureau of Investigation (FBI)FedEx
Fidelity Information Services Ford Motor Company
GlaxoSmithKline
Harbor FundsHarris Bank (BMO)
The HartfordHarvard Pilgrim HealthCare
Health Care Services CorporationHP (Hewlett-Packard)
IDMA (Insurance Data Mgt. Institute)
Information Resources Inc.International Paper
IQVIA (Quintiles)Janus Mutual Funds
Johnson Controls
Key BankLiquidNet
Loyola Medical Center
SurescriptsTarget Corporation
Texas CPAThe Regence Group
Thomson Multimedia (RCA)Thrivent Financial
United Healthcare (UHC)
United Health GroupUnited Nations (ICAO)
United States Air ForceUnited States Army
United States Courts
United States Department of StateUnited States Fish and Wildlife Service
United States NavyUnited States Navy (BUPERS)
United States Transportation CommandUniversity of Michigan
University of Wisconsin Health
USAAUS Cellular
Vera BradleyWaste Management
Wells Fargo
Wisconsin Department of TransportationWorkers’ Compensation Insurance Rating Bureau of California (WCIRB)
Zurich Cantonal Bank
Manulife FinancialMayo Clinic
McDonaldsMicron
MicrosoftMoneyGram
NASA
National City Bank (PNC Financial)Nationwide
Neighborhood Health PlanNORC
Physicians Mutual Insurance
PillsburyQuartz Benefits
Rowan College of South Jersey (RCSJ)Sallie Mae
Saudi Arabia Minister of the InteriorSaudi Telecom Company (STC)
Schneider National
Secretary of Defense/LogisticsSingapore Defense Science & Technology Agency (DSTA)
Social Security AdministrationSouth Orange County Community College
Spherion
Standard Bank of South AfricaSunTrust Bank
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 5
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
David Marco – Professional Profile
Best known as the world’s foremost authority on metadata management and the father of the Managed Metadata Environment, he is an internationally recognized expert in the fields of data governance, big data, data warehousing, master data management and data management. In 2004 David Marco was named the “Melvil Dewey of Metadata” by Crain’s Chicago Business as he was selected to their very prestigious “Top 40 Under 40” list. David Marco has authored several books including the widely acclaimed “Universal Metadata Models” (Wiley, 2004) and the classic “Building and Managing the Metadata Repository: A Full Life-Cycle Guide” (Wiley, 2000).
❑ President of Data Management University (DataManagementU.com)
❑ Author of several best-selling information technology books, including the top 2 sellers in metadata management history
❑ 2016 Data Management Channel Expert for Business Analytics Collaborative
❑ 2008 DAMA Data Management Hall of Fame (Professional Achievement Award)
❑ 2007 DePaul University named him one of their “Top 14 Alumni Under 40”
❑ Selected to the prestigious 2004 Crain’s Chicago Business “Top 40 Under 40”
❑ Presented hundreds of keynotes/seminars across four continents
❑ Published hundreds of IT articles some of which were translated into Mandarin, Russian, Italian, Portuguese and others
❑ Taught at the University of Chicago and DePaul University
❑ Earned an MBA and holds CDMP, CDP, CCP and CBIP certifications
Email: [email protected]
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 6
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Agenda
❑ Regulations Driving Data Governance
❑ Data / Information Security Fundamentals
❑ Data Security vs. Data Privacy
❑ Data Security Classifications
❑ Regulatory Subjects Spreadsheet
❑ Regulatory Data Policy Workflow Example
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 7
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Regulations Driving
Data Governance
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 8
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
GDPR Compliance
❑ General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy
❑ Fines can be as high as 5% of gross revenues
❑ Ask Google about the fine they received 1/21/2019
❑ France’s data protection regulator, CNIL (Commission Nationale de l'Informatique et des Libertés), has issued a €50 million fine ($56.8 million USD) fine to Google for failing to comply with GDPR (1/21/2019)
❑ It’s only a matter of time before we have a United States GDPR equivalent
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 9
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Other Regulations
❑ Know Your Customer (KYC)
➢ Guidelines in financial services requiring that professionals make an effort to verify the identity, suitability, and risks involved with maintaining a business relationship
❑ Anti-Money Laundering (AML)
➢ Bank regulations and anti-money laundering regulations
➢ In the 10 years since 2008, over $26B in fines have been levied by government bodies with over 91% coming from the United States government*
* https://www.complianceweek.com/report-financial-firms-fined-26b-for-aml-sanctions-kyc-non-compliance-since-2008/8088.article
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 10
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Other Regulations
❑ California Consumer Privacy Act (CCPA) is a California state statute intended to enhance privacy rights and consumer protection for residents of the state➢ Business criteria:
▪ Annual gross revenues over $25,000,000; or
▪ Possesses the personal information of 50,000 or more consumers, households, or devices; or
▪ More than half of your company’s annual revenue comes from selling consumers’ personal information
➢ Fines▪ CCPA fines are applied per violation
▪ Maximum fine of $7,500 for an intentional violation
▪ No cap on the fines that can be given to an organization
❑ Nigerian Data Protection Regulation (NDPR), May 2020 from the National Information Technology Development Agency➢ Section 37 of the Constitution of the Federal Republic of Nigeria 19999, as amended, provides that “The privacy
of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”
➢ Similar to United States Federal Trade Commission's fair information practice principles (FIPPs)
➢ Requires public institutions to have a Data Protection Officer (DPO)
❑ Nevada's Data Breach Notification Law (CHAPTER 603A)
❑ Oregon Consumer Identity Theft Protection Act (codified as ORS § 654A.600 to 654A.628)
❑ MANY MORE!
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 11
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Data Governance and Data
Security
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 12
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Effective Data Security
❑ Effective data security policies and procedures:
➢ Ensure that the right people can use and update
data in the right way
➢ Restrict all inappropriate access and updates
➢ Should be clear, thorough, and binding to all those
with access to data and information
▪ Internal
▪ External
❑ Data security goal is to ensure data privacy and
protection of critical data
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 13
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Data Privacy Definition
❑ Data privacy is defined simply as the allowed use of data
➢ Transparent handling of individual’s personal data in accordance with the individual’s choice and consent
➢ Careful management of organization’s critical data based on business requirements and identified policies
➢ In a manner that prevents unauthorized disclosure while allowing permitted uses
❑ According to the United States Federal Trade Commission's fair information practice principles (FIPPs) consumers have 4 fundamental privacy rights:
➢ Notice / Awareness
➢ Choice / Consent
➢ Access / Participation
➢ Integrity / Security
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 14
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
United States Federal Trade Commission's FIPPs
Notice / Awareness: Consumers should be given notice of an entity's information practices before any personal information is collected from them
❑ This is the most fundamental FIPP principle
❑ This requires that companies explicitly notify some or all of the following: ➢ identification of the entity collecting the data;
➢ identification of the uses to which the data will be put;
➢ identification of any potential recipients of the data;
➢ the nature of the data collected and the means by which it is collected;
➢ whether the provision of the requested data is voluntary or required;
➢ the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 15
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
United States Federal Trade Commission's FIPPs
Notice / Awareness
❑ The notice should identify any available consumer rights, including: ➢ any choice respecting the use of the data;
➢ whether the consumer has been given a right of access to the data;
➢ the ability of the consumer to contest inaccuracies;
➢ the availability of redress for violations of the practice code;
➢ and how such rights can be exercised.
❑ Notice in the context of the internet➢ Can be accomplished by the posting of an information practice disclosure describing an
entity's information practices on a company's site on the Web
➢ Such a disclosure should be clear and conspicuous, posted in a prominent location, and readily accessible from both the site's home page and any Web page where information is collected from the consumer
➢ Notice needs to be unavoidable and understandable so that it gives consumers meaningful and effective notice of what will happen to the personal information they are asked to divulge
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 16
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
United States Federal Trade Commission's FIPPs
Choice / Consent: In an on-line information-gathering sense, Choice / Consent means giving consumers options to control how their data is used
❑ Choice relates to secondary uses of information beyond the immediate needs of the information collector to complete the consumer's transaction. The two typical types of choice models are:➢ Opt-in: requires that consumers affirmatively give permission for their information to be
used for other purposes▪ Without the consumer taking these affirmative steps in an 'opt-in' system, the information gatherer
assumes that it cannot use the information for any other purpose
➢ Opt-out: requires consumers to affirmatively decline permission for other uses▪ Without the consumer taking these affirmative steps in an 'opt-out' system, the information
gatherer assumes that it can use the consumer's information for other purposes
❑ Each of these systems can be designed to allow an individual consumer to tailor the information gatherer's use of the information to fit their preferences by checking boxes to grant or deny permission for specific purposes rather than using a simple "all or nothing" method
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 17
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
United States Federal Trade Commission's FIPPs
Access / Participation: Refers to an individual's ability both to access data about him or herself (i.e. to view the data in an entity's files) and to contest that data's accuracy and completeness
❑ Data accuracy and completeness are both essential
❑ Access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 18
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
United States Federal Trade Commission's FIPPs
Integrity / Security: Data needs to be accurate and secure
❑ To assure data integrity, collectors must take reasonable steps, such as:
➢ using only reputable sources of data and cross-referencing data against multiple sources,
➢ providing consumer access to data,
➢ destroying untimely data or converting it to anonymous form
❑ Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data
❑ Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes
❑ Technical measures to prevent unauthorized access include:
➢ encryption in the transmission and storage of data
➢ limits on access through use of passwords
➢ storage of data on secure servers or computers that are inaccessible by modem
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 19
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Data Privacy Definition
❑ Privacy is the true objective of security
❑ Data security governs the technical and physical requirements
that keep data protected and confidential
❑ Data privacy governs the data rights of individuals and
organizations, and imposes requirements on the use of that
data
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 20
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Data Security vs. Data Privacy
❑Data security and data privacy are not
synonyms
➢ Privacy: appropriate use of data
❑Data security is established to ensure
data privacy, accuracy, reliability,
availability, conformance to regulations,
correct accessibility
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 21
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Data Regulations
Impacting Data Policies
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 22
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Data Policies – Regulatory Requirements
❑ There are many regulations that an organization needs to adhere to
❑ A big challenge is that it is difficult to create an overarching data strategy that allows a company to adhere to the current regulations AND can grow to meet future regulations and changes to existingregulations
❑ Building a Regulatory Subjects spreadsheet is a key artifact of the Data Governance Guide
❑ The Regulatory Subjects spreadsheet will be the driver of many of your organizations data policies
❑ Excellent CYA when the regulators come calling!
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 23
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Regulatory Subjects Spreadsheet
Regulatory Subjects & Groupings
Subjects Regulatory Groupings Sub-Groupings Regulatory Language Organizational Impact
Data - Addition CCPA
Data - Deletion FISMA
Data - Read GDPR
Data - Request HIPPA
Data - Update Internal Policies
Intake PHI
Verify PII
Search Third Party Policies
Response
Regulatory Grouping's
concepts relating to a subject.
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 24
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Regulatory Subjects Spreadsheet – Example
Regulatory Subjects & Subject Sub-Groupings
Subjects
Regulatory
Groupings Sub-Groupings Regulatory Language Organizational Impact
Data - Deletion PII PII Deletion
When a customer is deleted all PII related fields
for that customer need to be deleted throughout
our systems and our documents .
PII California Code, Civil Code - CIV § 1798.85 (a) Except as provided in this section, a person or entity may not do any
of the following:
(1) Publicly post or publicly display in any manner an individual's social security number. “Publicly post” or
“publicly display” means to intentionally communicate or otherwise make available to the general public.
(2) Print an individual's social security number on any card required for the individual to access products or services
provided by the person or entity.
(3) Require an individual to transmit his or her social security number over the Internet, unless the connection is
secure or the social security number is encrypted.
(4) Require an individual to use his or her social security number to access an Internet Web site, unless a password
or unique personal identification number or other authentication device is also required to access the Internet Web
site.
(5) Print an individual's social security number on any materials that are mailed to the individual, unless state or
federal law requires the social security number to be on the document to be mailed. Notwithstanding this
paragraph, social security numbers may be included in applications and forms sent by mail, including documents
sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or
policy, or to confirm the accuracy of the social security number. A social security number that is permitted to be
mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an
envelope, or visible on the envelope or without the envelope having been opened.
Legal has deemed that Social Security Number
shall be a "Top Secret" field and will not be used
in any manner expect by individuals, specially
authorized and trained in its use.
California Code, Civil Code - CIV § 1798.81 A business shall take all reasonable steps to dispose, or arrange for the
disposal, of customer records within its custody or control containing personal information when the records are no
longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal
information in those records to make it unreadable or undecipherable through any means.
Data - Read Social Security
Number
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 25
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Data Policies – Workflow
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 26
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Data Policy Workflow ExampleCustomer Request - Deletion
Requestor
Business &
Technical Stewards
Responsible Data
Steward
Lead Data Steward
Domain Data
Steward Group
DS Coordinating
Group
Data Governance
Council
Legend
Delete or Lock?
Start
1. Request to Delete a Customer
End
3. Begin workflow to
identify required instances of
DecisionManual Process
Automated Process
2. Notify Requestor of
receipt of Request
4. Analyze key databases for
Customer data instances 5b. Lock
Customer data through
special flags
5a. TriggerCustomer
Delete Process 6.Send
notifications of actions taken
7.Review process and
provide feedback
ProcessSuccessful?
8.Communicate to Customer
results
Yes
No A
A
Connector
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 27
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
In the Final Analysis
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 28
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
❑ You can create your own Data Stewardship roles based
on your organization’s culture
❑ Make sure to follow the best practices outlined today
❑ You will achieve GREAT results
Learning Points
© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 29
Over 140 Successful Client Partner Implementations
Contact us at [email protected] to become our next success
Questions & Answers
World-Class Training
More than 40 courses, taught
by industry experts. Over 150
satisfied client partners
Data
Warehouse
Data Models