Event Recording

Matthias Reinwarth - You Are Here! Assessing Your Organisation's GDPR Readiness


Presentation at the Digital Finance World 2018 in Frankfurt, Germany

Okay, ladies and gentlemen, welcome to this last section of the Digital Finance World 2018. These are the closing keynotes, and I'm presenting those four final keynotes. And as you can see, it's schizophrenic: I'm also the first presenter. So don't expect me to ask myself questions afterwards, but if you have any questions, please do ask them. You've seen that in the morning, I'm very keen on keeping the time. Now I'm the one talking, so if you give me a sign after 20 minutes to stop, that would be great. And I will start with the first keynote, which is called "You Are Here: Assessing Your Organization's GDPR Readiness". And that is exactly what it means; this is what we want to talk about. We want to give you some assistance, some guidance on assessing your own organization's readiness for GDPR compliance. First of all, measuring compliance.
Is this possible? Yes, of course it is, but I won't dare, as I'm not a lawyer, and even a lawyer would not dare. I hope you will agree that you cannot really assure somebody of being compliant with GDPR. You can always identify when somebody is not compliant, and there's a breach when there's data processing outside of the given consent or the legal framework, but providing an assessment that somebody actually is GDPR compliant might be difficult. Everything that cannot be measured, make it measurable as far as possible. So this is, of course, the game that we all play when it comes to GDPR: we really want to find out where we are in relation to GDPR compliance, or our readiness towards GDPR compliance.
When we as analysts are assessing compliance, there is what I said before: there is no agreed certification. There is no document that really says "we are GDPR compliant", for the reasons I've just given, and I assume that there is no real use in having a certification there. Instead, we will have a process of preparing, assessing, improving, which is a life cycle, a continuous cycle that needs to be continued. What we did: could we deploy the CMM or CMMI maturity levels? These aim at self-assessment or at being assessed, so really making sure to understand where you stand. You all know these levels; I'll just shortly read them out to make sure that we are all on the same page. So it starts with level one, which is initial, which is, yeah, very, very weak: unpredictable, poorly controlled, ad hoc, reactive.
And we continue to level two, which is managed. I did not mention level zero; this is nothing being done. Nothing is done. Of course, that is the starting level. Level two, managed, which is partially documented, which is partially repeatable. Level three is defined. So somebody has made a plan; there's an overall defined business process, there's some technology, there's some organization, but maybe not enough, maybe enough, we'll see, when it comes to GDPR compliance. Level four: measured, controlled, automated. Of course much better than level three, but not yet where we want to get to. When it comes to level five: optimizing, improving, adapting. So even a solution that aims at being prepared for onboarding new applications, new data, new business processes, everything that is required there. So that is the foundation for what I want to present here.
When it comes to understanding where you are when it comes to GDPR readiness, what we've introduced is something that we call key support attributes. Of course, this is something that is well known in the literature, but we applied six dimensions when it comes to GDPR, when we look at the qualification of the quality of the readiness of an organization. These are the six that are in that circle, and all of these are interdependent; actually, there should be arrows between all of them, but that doesn't make any sense. So first of all, when we look at the readiness for GDPR compliance, we look at insight and documentation. That is actually everything that you need to do to document what you are doing: a complete and continuous analysis and documentation of fair and lawful collection, storage and processing of personal data.
I read it out because I think these formulations are really put in a way that they assist you in understanding what is assessed in this dimension when we look at these key support attributes. So it's a complete and continuous analysis of what you are doing. Mike mentioned earlier this "find your PII". This is exactly what you need to do, and make sure that you document the fair and lawful collection and processing and storage of data. So really, once you identify where the data is, you explain and document, provide evidence of this storage, this processing and this collection of personal data. This is the first dimension; this is something that we look at and where we can really identify, in that dimension, where the readiness of an organization is. The second dimension will be process definition, to make sure that the GDPR data protection principles, and you all have seen them, lawfulness and fairness and all these principles, are embedded in all your business processes wherever applicable, and this needs to be assessed and well documented as well. So then we can identify where you are when it comes to your business processes. That means when there is a marketing automation process, and this has access to personally identifiable information, that this marketing automation process runs on an adequate lawful ground.
Organizational measures are completely different, but the idea is that you really assess and document and identify where you are when it comes to your organization's readiness for GDPR requirements. For example, of course, the DPO; everybody knows we need a DPO, most probably we need one, and all the GDPR responsibilities are assigned to the right people. These people are identified and well trained and suitable for the job.
Technical measures. Of course, this is everything that we need to deploy when it comes to protecting the data, for example for preventing a data breach, for making sure that the data is only processed in a way that you really want to have it. That is, as I mentioned here, secure storage, secure processing of PII. That means encryption, serialization, tokenization, access control, all these technical processes that we have been talking about these days. And in the end, of course, the way towards privacy by design and by default. So this is the technical dimension that we look at when we assess readiness for GDPR compliance.
Contractual measures have all been mentioned earlier as well. So we are just trying to wrap up what is also required when it comes to, yeah, GDPR readiness. Contractual means: if you are a data owner and pass on the responsibility for the processing of some of this data to a data processor who does that for you, you have to make sure that this is done on a well-defined and well-documented contractual basis, so that it is clear who has responsibility for which aspects of these two dimensions. Again, I'm not a lawyer; I have to mention it sometimes, so everything that I say might be confirmed or not confirmed by lawyers. But I'm also not a regulator when it comes to driving a car, and I can tell you the rules of driving a car, some of these at least. But this is the idea behind that: so really make sure that there are agreements between the data owners and the data processors, and you might also take both roles in different cases; maybe you are the data processor for another data owner. Fully defined responsibilities and duties aligned with the GDPR.
Finally, the complete process of consent management, which is part of this fair and lawful processing and storage and collection of data. But this especially is required when it comes to using more data than actually required for the process that you're doing, because you want to use that for additional purposes. For each of those, there needs to be a well-defined, well-implemented and well-documented process for managing consent for each data subject and purpose. And for each data field, access controls in the end must follow the consent given. So if somebody agrees for the birth date to be processed in a separate way, in a special way, all applications that access this information must know whether they are responsible for that process or not. So they have to identify: am I actually in the position to access this data for that purpose, or not? These are the six dimensions of key support attributes that we look at when we look at GDPR readiness or readiness for GDPR compliance. Next step.
Now that we've seen the generic maturity levels, and we've seen the six dimensions that we apply for that, these are the levels that we have defined as KuppingerCole, not only me, but as a team, to identify how we could really have a measurement of this readiness. And of course the levels will be similar to what we described before. So first of all, the first level is ad hoc and reactive. Some data protection measures are there for business security; high risk of non-compliance. So every organization which is in one of these dimensions at level one should do some more homework. Level two: there is a strategic approach towards GDPR compliance, and this has been initiated. There are partly documented processes and there's a repeatable approach toward GDPR compliance, but there are still fragmented PII repositories, maybe not all found yet, and this is still a high risk of non-compliance. When it comes to readiness, where are you right now?
Level three, if you look at that, the glass is half full, and this is where we think GDPR compliance already has to be achieved. Maybe all the processes are still very clumsy, very manual, very tedious and taking a long time, but they are all in a way that they could be adequate for GDPR compliance. If somebody makes a request, you are in the position that you really know where the information is; it might take 10 days, but you are in a position where you can gather the information and present it in an adequate way. That might fail for 2,000 people doing that at the same time, but you have a process in place and you have documentation in place, which really makes you comfortable that you could do it, at least in a manual stage. And this is where we say you are able to justify compliance with GDPR.
So that would be the target in the first place. Level four, of course, is building upon that, and it's the idea of getting better through automation, through a high level of efficiency, and the enforcement of GDPR compliance enforced by technical measures, for example through onboarding processes, through access control that is really implemented into the APIs that you're using. And the final step, of course, would be level five, and this would be something which could be considered as the gold standard when it comes to GDPR or readiness for GDPR compliance. And that is really what we want to achieve: continuous improvement of process and technology. So if you onboard a new application, this application will be by design and by default prepared for GDPR compliance. Complete and continuous insight, this push-button approach to identify where the documentation is: somebody asks, requests, and you can really say, here's the data, just download it, and we have it fully documented. This would be level five: privacy by design, privacy by default implemented. So these would be the metrics that we have when it comes to assessing GDPR compliance, and this is something that you could apply also to your organization.
This is where you have to be by the 25th of May. Question? Oh, five minutes? Five minutes. Good to know. Thank you. Perfect. Thank you. This is where you have to be by the 25th of May. This is where you should be by the 25th of May. What do you need for such an assessment? You need a clearly defined set of criteria per maturity level. You need the willingness to understand and identify gaps. You need to have the willingness to improve, and you will have to have a continuous maturity assessment cycle. That means measure, control, improve and document achievements, which is no problem, because you have to document anyway for GDPR, because you have to provide evidence.
Where are the resources that you need? First of all, the European Commission actually has very good information at hand, and you can really look at their website, where good information is available. And there's lots more from vendors, from analysts, from many organizations who help you in understanding that. And there is this document that we've written here. That's my face on it, but this is not true: the maturity level matrix for GDPR readiness, and this document is something that could help you in achieving that. And the good thing is that you stayed until here, until now, because, as the Latin says, "timeo Danaos et dona ferentes", be afraid when the Greeks come with presents; I'm not Greek, so easy. This document is freely available for all participants of this event. So if you get in touch with me or anybody else who's around there, you can download this matrix and use it for your own purposes, for self-assessment, for understanding where you are. The matrix is in there, all the criteria are in there. So please feel free to use it and download it, and if you have any questions, get in touch with us. That's it for my presentation. Do you have any questions?
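The consent-management dimension described in the talk (consent recorded per data subject, purpose and data field, and every application checking whether it may read a field for a given purpose before it does so) is the one part of the assessment that maps directly onto code. The following is an added example written for this page, not the speaker's or KuppingerCole's code; the subject ID, purposes, field names and timestamps are constructed, and the registry API is an assumption, not a standard. It generalizes the birth-date case from the talk to any field and any purpose, and keeps the audit trail that the documentation dimension asks for.

```python
"""Purpose-bound, field-level consent check (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass
class ConsentRecord:
    """Consent of one data subject for one purpose, scoped to named data fields."""
    subject_id: str
    purpose: str
    fields: FrozenSet[str]
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        """Consent covers only the window between grant and withdrawal."""
        if when < self.granted_at:
            return False
        return self.withdrawn_at is None or when < self.withdrawn_at


@dataclass(frozen=True)
class AccessDecision:
    allowed: FrozenSet[str]  # fields the application may read for this purpose
    denied: FrozenSet[str]   # fields it must not read for this purpose
    reason: str


class ConsentRegistry:
    """Deny by default: a field is readable for a purpose only if an active
    consent record for that subject and purpose names the field."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self.audit: List[dict] = []  # evidence trail: every grant, withdrawal and check

    def grant(self, subject_id: str, purpose: str, fields: Iterable[str], at: datetime) -> None:
        rec = ConsentRecord(subject_id, purpose, frozenset(fields), at)
        self._records[(subject_id, purpose)] = rec
        self.audit.append({"at": at.isoformat(), "event": "grant", "subject": subject_id,
                           "purpose": purpose, "fields": sorted(rec.fields)})

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Mark consent withdrawn; False if there was nothing active to withdraw."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = at
        self.audit.append({"at": at.isoformat(), "event": "withdraw",
                           "subject": subject_id, "purpose": purpose})
        return True

    def check_access(self, app: str, subject_id: str, purpose: str,
                     requested: Iterable[str], at: datetime) -> AccessDecision:
        """The question an application answers before touching PII: may I read
        these fields of this subject for this purpose, right now?"""
        wanted = frozenset(requested)
        rec = self._records.get((subject_id, purpose))
        if rec is None or not rec.active_at(at):
            decision = AccessDecision(frozenset(), wanted, "no active consent for this purpose")
        else:
            denied = wanted - rec.fields
            decision = AccessDecision(wanted & rec.fields, denied,
                                      "ok" if not denied else "fields outside the consented scope")
        self.audit.append({"at": at.isoformat(), "event": "access_check", "app": app,
                           "subject": subject_id, "purpose": purpose,
                           "allowed": sorted(decision.allowed), "denied": sorted(decision.denied)})
        return decision


def redact_for_purpose(record: Dict[str, str], decision: AccessDecision) -> Dict[str, str]:
    """Enforcement point: hand the application only the fields the decision allows."""
    return {k: v for k, v in record.items() if k in decision.allowed}


T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed reference time
DAY = timedelta(days=1)


def demo() -> Tuple[Dict[str, AccessDecision], ConsentRegistry]:
    """Constructed scenario: a subject consents to newsletter use of name and e-mail only."""
    reg = ConsentRegistry()
    reg.grant("subj-0001", "newsletter", {"name", "email"}, T0)
    out = {
        "in_scope": reg.check_access("crm", "subj-0001", "newsletter", {"name", "email"}, T0 + DAY),
        # birth date was never consented for this purpose, so it is withheld
        "extra_field": reg.check_access("crm", "subj-0001", "newsletter", {"email", "birth_date"}, T0 + DAY),
        # a different purpose has no consent at all, even for the same field
        "other_purpose": reg.check_access("analytics", "subj-0001", "profiling", {"email"}, T0 + DAY),
    }
    reg.withdraw("subj-0001", "newsletter", T0 + 10 * DAY)
    out["before_withdrawal"] = reg.check_access("crm", "subj-0001", "newsletter", {"email"}, T0 + 5 * DAY)
    out["after_withdrawal"] = reg.check_access("crm", "subj-0001", "newsletter", {"email"}, T0 + 11 * DAY)
    return out, reg


if __name__ == "__main__":
    decisions, registry = demo()
    for name, d in decisions.items():
        print(f"{name:17} allowed={sorted(d.allowed)} denied={sorted(d.denied)} ({d.reason})")
    print(f"{len(registry.audit)} audit entries recorded")
```

The registry is keyed on (subject, purpose) rather than on subject alone, so the same e-mail address that is readable for the newsletter is not readable for profiling, which is the purpose limitation the talk describes. Evaluating a decision at an explicit timestamp lets the audit trail later show that an access made before a withdrawal was covered while one made after it was not.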
