data privacy & data security

EWSolutions

© 1997 to present, Enterprise Warehousing Solutions, Inc. (EWSolutions) – 1

Over 140 Successful Client Partner Implementations

Contact us at [email protected] to become our next success

Data Privacy &

Data SecurityBy David Marco

President

EWSolutions

Webinar Series: Data Governance Mastery

mailto:[email protected]




Strategic Partnership

www.iim-africa.org





EWSolutions’ Background

EWSolutions is a Chicago-headquartered strategic partner and full life-cycle systems integrator

providing both award winning strategic consulting and full-service implementation services. This

combination affords our client partners a full range of services for any size enterprise information

management, metadata management, data governance and data warehouse/business intelligence

initiative. Our notable client partner projects have been featured in the Chicago Tribune, Federal

Computer Weekly, Journal of the American Medical Informatics Association (JAMIA), Crain’s Chicago

Business, The Doings and won the 2004 Intelligent Enterprise’s RealWare award, 2007 Excellence

in Information Integrity Award nomination, DM Review’s 2005 World Class Solutions award and 2016

CIO Review 20 Most Promising Enterprise Architecture providers.

For more information on our Strategic Consulting Services, Implementation Services, or

World-Class Training, email us at [email protected] or call at 630.920.0005

Best Business Intelligence Application

Information Integration

Client: Department of Defense

World Class

Solutions Award

Data Management

2007 Excellence in Information

Integrity Award Nomination


http://www.ewsolutions.com/news-events/news-press-releases/press_release.2005-10-03.9140171518




Over 150 Client Partners Since 1997

For more information on our Strategic Consulting Services, Implementation Services,

or World-Class Training email us at [email protected]

AFLACAON (Hewitt Associates)

Arizona Supreme CourtBank of America (Countrywide)

Bank of MontrealBankUnited

Basic American Foods

Becton, Dickinson and CompanyBlue Cross Blue Shield companies

Booz Allen HamiltonBranch Banking & Trust (BB&T)

British Petroleum (BP)

California DMVCalifornia State Fund

Canadian Institute for Health Information (CIHI)Canadian National Railway

Capella UniversityCigna

College Board

ComcastCorning Cable Systems

Contech Systems, Inc.CostCo

D.A. Davidson

Defense Logistics Agency (DLA)Delta Dental

Department of Defense (DoD)Department of State (DOS)

DiscoverDriehaus Capital Management

Eli Lilly and CompanyEnvironment Protection Agency (EPA)

ErwinFarmers Insurance Group

Federal Aviation Administration

Federal Bureau of Investigation (FBI)FedEx

Fidelity Information Services Ford Motor Company

GlaxoSmithKline

Harbor FundsHarris Bank (BMO)

The HartfordHarvard Pilgrim HealthCare

Health Care Services CorporationHP (Hewlett-Packard)

IDMA (Insurance Data Mgt. Institute)

Information Resources Inc.International Paper

IQVIA (Quintiles)Janus Mutual Funds

Johnson Controls

Key BankLiquidNet

Loyola Medical Center

SurescriptsTarget Corporation

Texas CPAThe Regence Group

Thomson Multimedia (RCA)Thrivent Financial

United Healthcare (UHC)

United Health GroupUnited Nations (ICAO)

United States Air ForceUnited States Army

United States Courts

United States Department of StateUnited States Fish and Wildlife Service

United States NavyUnited States Navy (BUPERS)

United States Transportation CommandUniversity of Michigan

University of Wisconsin Health

USAAUS Cellular

Vera BradleyWaste Management

Wells Fargo

Wisconsin Department of TransportationWorkers’ Compensation Insurance Rating Bureau of California (WCIRB)

Zurich Cantonal Bank

Manulife FinancialMayo Clinic

McDonaldsMicron

MicrosoftMoneyGram

NASA

National City Bank (PNC Financial)Nationwide

Neighborhood Health PlanNORC

Physicians Mutual Insurance

PillsburyQuartz Benefits

Rowan College of South Jersey (RCSJ)Sallie Mae

Saudi Arabia Minister of the InteriorSaudi Telecom Company (STC)

Schneider National

Secretary of Defense/LogisticsSingapore Defense Science & Technology Agency (DSTA)

Social Security AdministrationSouth Orange County Community College

Spherion

Standard Bank of South AfricaSunTrust Bank





David Marco – Professional Profile

Best known as the world’s foremost authority on metadata management and the father of the Managed Metadata Environment, he is an internationally recognized expert in the fields of data governance, big data, data warehousing, master data management and data management. In 2004 David Marco was named the “Melvil Dewey of Metadata” by Crain’s Chicago Business as he was selected to their very prestigious “Top 40 Under 40” list. David Marco has authored several books including the widely acclaimed “Universal Metadata Models” (Wiley, 2004) and the classic “Building and Managing the Metadata Repository: A Full Life-Cycle Guide” (Wiley, 2000).

❑ President of Data Management University (DataManagementU.com)

❑ Author of several best-selling information technology books, including the top 2 sellers in metadata management history

❑ 2016 Data Management Channel Expert for Business Analytics Collaborative

❑ 2008 DAMA Data Management Hall of Fame (Professional Achievement Award)

❑ 2007 DePaul University named him one of their “Top 14 Alumni Under 40”

❑ Selected to the prestigious 2004 Crain’s Chicago Business “Top 40 Under 40”

❑ Presented hundreds of keynotes/seminars across four continents

❑ Published hundreds of IT articles some of which were translated into Mandarin, Russian, Italian, Portuguese and others

❑ Taught at the University of Chicago and DePaul University

❑ Earned an MBA and holds CDMP, CDP, CCP and CBIP certifications

Email: [email protected]


http://lnkd.in/bky55wQ




Agenda

❑ Regulations Driving Data Governance

❑ Data / Information Security Fundamentals

❑ Data Security vs. Data Privacy

❑ Data Security Classifications

❑ Regulatory Subjects Spreadsheet

❑ Regulatory Data Policy Workflow Example





Regulations Driving

Data Governance





GDPR Compliance

❑ General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy

❑ Fines can be as high as 5% of gross revenues

❑ Ask Google about the fine they received 1/21/2019

❑ France’s data protection regulator, CNIL (Commission Nationale de l'Informatique et des Libertés), has issued a €50 million fine ($56.8 million USD) fine to Google for failing to comply with GDPR (1/21/2019)

❑ It’s only a matter of time before we have a United States GDPR equivalent





Other Regulations

❑ Know Your Customer (KYC)

➢ Guidelines in financial services requiring that professionals make an effort to verify the identity, suitability, and risks involved with maintaining a business relationship

❑ Anti-Money Laundering (AML)

➢ Bank regulations and anti-money laundering regulations

➢ In the 10 years since 2008, over $26B in fines have been levied by government bodies with over 91% coming from the United States government*

* https://www.complianceweek.com/report-financial-firms-fined-26b-for-aml-sanctions-kyc-non-compliance-since-2008/8088.article





Other Regulations

❑ California Consumer Privacy Act (CCPA) is a California state statute intended to enhance privacy rights and consumer protection for residents of the state➢ Business criteria:

▪ Annual gross revenues over $25,000,000; or

▪ Possesses the personal information of 50,000 or more consumers, households, or devices; or

▪ More than half of your company’s annual revenue comes from selling consumers’ personal information

➢ Fines▪ CCPA fines are applied per violation

▪ Maximum fine of $7,500 for an intentional violation

▪ No cap on the fines that can be given to an organization

❑ Nigerian Data Protection Regulation (NDPR), May 2020 from the National Information Technology Development Agency➢ Section 37 of the Constitution of the Federal Republic of Nigeria 19999, as amended, provides that “The privacy

of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.”

➢ Similar to United States Federal Trade Commission's fair information practice principles (FIPPs)

➢ Requires public institutions to have a Data Protection Officer (DPO)

❑ Nevada's Data Breach Notification Law (CHAPTER 603A)

❑ Oregon Consumer Identity Theft Protection Act (codified as ORS § 654A.600 to 654A.628)

❑ MANY MORE!





Data Governance and Data

Security





Effective Data Security

❑ Effective data security policies and procedures:

➢ Ensure that the right people can use and update

data in the right way

➢ Restrict all inappropriate access and updates

➢ Should be clear, thorough, and binding to all those

with access to data and information

▪ Internal

▪ External

❑ Data security goal is to ensure data privacy and

protection of critical data





Data Privacy Definition

❑ Data privacy is defined simply as the allowed use of data

➢ Transparent handling of individual’s personal data in accordance with the individual’s choice and consent

➢ Careful management of organization’s critical data based on business requirements and identified policies

➢ In a manner that prevents unauthorized disclosure while allowing permitted uses

❑ According to the United States Federal Trade Commission's fair information practice principles (FIPPs) consumers have 4 fundamental privacy rights:

➢ Notice / Awareness

➢ Choice / Consent

➢ Access / Participation

➢ Integrity / Security





United States Federal Trade Commission's FIPPs

Notice / Awareness: Consumers should be given notice of an entity's information practices before any personal information is collected from them

❑ This is the most fundamental FIPP principle

❑ This requires that companies explicitly notify some or all of the following: ➢ identification of the entity collecting the data;

➢ identification of the uses to which the data will be put;

➢ identification of any potential recipients of the data;

➢ the nature of the data collected and the means by which it is collected;

➢ whether the provision of the requested data is voluntary or required;

➢ the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data






Notice / Awareness

❑ The notice should identify any available consumer rights, including: ➢ any choice respecting the use of the data;

➢ whether the consumer has been given a right of access to the data;

➢ the ability of the consumer to contest inaccuracies;

➢ the availability of redress for violations of the practice code;

➢ and how such rights can be exercised.

❑ Notice in the context of the internet➢ Can be accomplished by the posting of an information practice disclosure describing an

entity's information practices on a company's site on the Web

➢ Such a disclosure should be clear and conspicuous, posted in a prominent location, and readily accessible from both the site's home page and any Web page where information is collected from the consumer

➢ Notice needs to be unavoidable and understandable so that it gives consumers meaningful and effective notice of what will happen to the personal information they are asked to divulge






Choice / Consent: In an on-line information-gathering sense, Choice / Consent means giving consumers options to control how their data is used

❑ Choice relates to secondary uses of information beyond the immediate needs of the information collector to complete the consumer's transaction. The two typical types of choice models are:➢ Opt-in: requires that consumers affirmatively give permission for their information to be

used for other purposes▪ Without the consumer taking these affirmative steps in an 'opt-in' system, the information gatherer

assumes that it cannot use the information for any other purpose

➢ Opt-out: requires consumers to affirmatively decline permission for other uses▪ Without the consumer taking these affirmative steps in an 'opt-out' system, the information

gatherer assumes that it can use the consumer's information for other purposes

❑ Each of these systems can be designed to allow an individual consumer to tailor the information gatherer's use of the information to fit their preferences by checking boxes to grant or deny permission for specific purposes rather than using a simple "all or nothing" method






Access / Participation: Refers to an individual's ability both to access data about him or herself (i.e. to view the data in an entity's files) and to contest that data's accuracy and completeness

❑ Data accuracy and completeness are both essential

❑ Access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients






Integrity / Security: Data needs to be accurate and secure

❑ To assure data integrity, collectors must take reasonable steps, such as:

➢ using only reputable sources of data and cross-referencing data against multiple sources,

➢ providing consumer access to data,

➢ destroying untimely data or converting it to anonymous form

❑ Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data

❑ Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes

❑ Technical measures to prevent unauthorized access include:

➢ encryption in the transmission and storage of data

➢ limits on access through use of passwords

➢ storage of data on secure servers or computers that are inaccessible by modem





Data Privacy Definition

❑ Privacy is the true objective of security

❑ Data security governs the technical and physical requirements

that keep data protected and confidential

❑ Data privacy governs the data rights of individuals and

organizations, and imposes requirements on the use of that

data





Data Security vs. Data Privacy

❑Data security and data privacy are not

synonyms

➢ Privacy: appropriate use of data

❑Data security is established to ensure

data privacy, accuracy, reliability,

availability, conformance to regulations,

correct accessibility





Data Regulations

Impacting Data Policies





Data Policies – Regulatory Requirements

❑ There are many regulations that an organization needs to adhere to

❑ A big challenge is that it is difficult to create an overarching data strategy that allows a company to adhere to the current regulations AND can grow to meet future regulations and changes to existingregulations

❑ Building a Regulatory Subjects spreadsheet is a key artifact of the Data Governance Guide

❑ The Regulatory Subjects spreadsheet will be the driver of many of your organizations data policies

❑ Excellent CYA when the regulators come calling!





Regulatory Subjects Spreadsheet

Regulatory Subjects & Groupings

Subjects Regulatory Groupings Sub-Groupings Regulatory Language Organizational Impact

Data - Addition CCPA

Data - Deletion FISMA

Data - Read GDPR

Data - Request HIPPA

Data - Update Internal Policies

Intake PHI

Verify PII

Search Third Party Policies

Response

Regulatory Grouping's

concepts relating to a subject.





Regulatory Subjects Spreadsheet – Example

Regulatory Subjects & Subject Sub-Groupings

Subjects

Regulatory

Groupings Sub-Groupings Regulatory Language Organizational Impact

Data - Deletion PII PII Deletion

When a customer is deleted all PII related fields

for that customer need to be deleted throughout

our systems and our documents .

PII California Code, Civil Code - CIV § 1798.85 (a) Except as provided in this section, a person or entity may not do any

of the following:

(1) Publicly post or publicly display in any manner an individual's social security number. “Publicly post” or

“publicly display” means to intentionally communicate or otherwise make available to the general public.

(2) Print an individual's social security number on any card required for the individual to access products or services

provided by the person or entity.

(3) Require an individual to transmit his or her social security number over the Internet, unless the connection is

secure or the social security number is encrypted.

(4) Require an individual to use his or her social security number to access an Internet Web site, unless a password

or unique personal identification number or other authentication device is also required to access the Internet Web

site.

(5) Print an individual's social security number on any materials that are mailed to the individual, unless state or

federal law requires the social security number to be on the document to be mailed. Notwithstanding this

paragraph, social security numbers may be included in applications and forms sent by mail, including documents

sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or

policy, or to confirm the accuracy of the social security number. A social security number that is permitted to be

mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an

envelope, or visible on the envelope or without the envelope having been opened.

Legal has deemed that Social Security Number

shall be a "Top Secret" field and will not be used

in any manner expect by individuals, specially

authorized and trained in its use.

California Code, Civil Code - CIV § 1798.81 A business shall take all reasonable steps to dispose, or arrange for the

disposal, of customer records within its custody or control containing personal information when the records are no

longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal

information in those records to make it unreadable or undecipherable through any means.

Data - Read Social Security

Number





Data Policies – Workflow





Data Policy Workflow ExampleCustomer Request - Deletion

Requestor

Business &

Technical Stewards

Responsible Data

Steward

Lead Data Steward

Domain Data

Steward Group

DS Coordinating

Group

Data Governance

Council

Legend

Delete or Lock?

Start

1. Request to Delete a Customer

End

3. Begin workflow to

identify required instances of

DecisionManual Process

Automated Process

2. Notify Requestor of

receipt of Request

4. Analyze key databases for

Customer data instances 5b. Lock

Customer data through

special flags

5a. TriggerCustomer

Delete Process 6.Send

notifications of actions taken

7.Review process and

provide feedback

ProcessSuccessful?

8.Communicate to Customer

results

Yes

No A

A

Connector





In the Final Analysis





❑ You can create your own Data Stewardship roles based

on your organization’s culture

❑ Make sure to follow the best practices outlined today

❑ You will achieve GREAT results

Learning Points





Questions & Answers

World-Class Training

More than 40 courses, taught

by industry experts. Over 150

satisfied client partners

Data

Warehouse

Data Models


data privacy & data security

Documents