GDPR EDGE POWERED BY INTEL - Select IntraEdge Clients - Security Forum
IMPACT OF AUTOMATION
Operational overhead of the data subject's right of access, by solution element, with the reduction in percentage per function* (the percentage values themselves were not captured in this transcription)

SOLUTION ELEMENT / FUNCTION / REDUCTION IN PERCENTAGE

Step 1: Portal & Reporting
• Assessment
• Data mapping
• Policy creation
• User notifications, etc.
• Request validation
• Identity validation
• Workflow management
• Logging and reporting

Step 2: Data Centralisation
• Data search / identification
• Data collection / extraction
• Data packaging and presentation
• Rejecting requests

Step 3: Backend Automation
• Data changes (deletion, anonymisation, modification)
• Ad hoc / special cases / manual data sources

* This is an approximation based on real examples. The actual percentage of overhead per function varies with request volumes, the number of data sources, the nature of the requests and other variables.

A REALISTIC SCENARIO
The request received:

To: privacy@brand.com
Date: 25/5/18
Subject: Data request

Dear Sir or Madam,
I want to see the information you hold about me, as I would like the right to modify or delete it, in whole or in part. Under the GDPR you have one month to comply.
Kind regards,
Nancy Melbourn

The questions the recipient faces:
• How do I handle this in a way I can prove, should we be sued or fined?
• What kind of request is this exactly? How do I process it? Do I have to process it?
• I have 80 backend systems. How do I find her data in each of them?
• How do I send her data to her in a way she can understand?
• How could I delete her data across all these systems?
• How will I respond to the request in time?
• Is it really Nancy? Is it spam? Is it a fraud attempt?
• I have just received 1000 requests. How will I cope?

AN EXAMPLE OF A MANUAL PROCESS:
Step 1: Log the request
Step 2: Acknowledge receipt of the request (acknowledgement e-mail; full contract details; system assessment; search the system; receive the resulting data)
Step 3: Verification (assess any regulatory suspension)
Step 4: Analyse the data subject's (DS) approach (decide on the approach; consult the EU DPO; communication; contact the DS; clarification)
Step 5: Process the request
Step 6: Act (confirm the request is completed; notify the data subject)
Step 7: Close the request

GUIDING PRINCIPLES
• CUSTOMER SATISFACTION: data subjects should be satisfied by speed, clarity and education.
• SECURITY: user identities must always be validated and their data secured.
• TAKE CONTROL: make clear to data subjects what they may lose, and always give them options to withdraw or narrow a request.
• AUTOMATION: reports and auditability must be producible on demand, and routine tasks must be automated.
Diagram (labels recovered from the slide): on the company side, data sources / touch points (multi-POS, physical & point of sale, ecommerce, API services, CRMs, website & digital, analytics) are ingested ("ingest all data") into a centralized & automated data lake, all data in one place, on Azure, powered by Intel®. On the data subject side, a consumer portal offers "show me my data instantly", "change my data", "forget", "contest" and "transfer". Data access requests are manual & automated, at scale: fulfill SARs anything… anywhere…. A blockchain ledger, auditable & automated, built on Sawtooth blockchain. NEW: manage consent across services: intuitive consent management, detailed logging, version control, tied to a matrix of services and data elements; all logged to the blockchain for future retrieval and forensics; presented in a straightforward way.

WHY AUTOMATE COMPLIANCE?

REPLACE MANUAL ACCESS REQUESTS
• Eliminate unstructured SARs
• Validate user identity
• Secure information transfer
• Integrate with existing ticketing and authentication systems
• Automate reporting and auditability

SCALE AND AUTOMATE PRIVACY
• Automate 95% of individual rights
• Create a pleasant and transparent user experience
• Control and influence rights to be forgotten
• Support multiple data-privacy legislative frameworks, by geographic region
• Manage customer consent reports
INDUSTRY LEADERS DEVELOP FIRST BLOCKCHAIN-BASED GDPR SOLUTION
HTTPS://WWW.BDO.COM/NEWS/2018-MAY/INDUSTRY-LEADERS-DEVELOP-FIRST-BLOCKCHAIN-BASED-GD

Partner roles listed on the slide: financial & technology partner; go-to-market partner; end-to-end GDPR specialist and reseller; strategic partner. Contributions listed: security, blockchain and hardware contributions (an Intel® IoT Market Ready solution); Azure-hosted data lakes and business intelligence services; GDPR and data privacy consulting services; GDPR and technology integration and architecture services, services partner in 152 countries; market development & commercialization; big data and security expertise, software development, and commercialization.

The State of GDPR Compliance, October 2018 © 2018 TrustArc Inc
TrustArc

Consulting & Training (Experts)
• 300+ person global team
• CIPPs, former CPOs, world renowned experts
• Decades of experience at top brands across all industries
• Large engineering & support team

Compliance Validations (Validated Processes)
• 20+ years and 1000s of engagements used to inform and refine
• Based on key global standards: GDPR, FIPPs, OECD, etc.
• Developed by privacy experts

Management Platform (Powerful Technology)
• 7 years experience operating platform at high scale
• 6 modules and growing
• Used by 1,000+ clients
• Powers consulting & certification services
• Purpose built for privacy
• Powered by industry leading technology
• Flexible SaaS architecture

TrustArc Inc – All Rights Reserved, 2018

TrustArc / Dimensional GDPR Survey
• TrustArc partnered with Dimensional Research to survey GDPR compliance status and plans
• June 2018, after the May 25th deadline
• 600 respondents
• Equal mix of US, UK, other EU
• 50% in IT, 50% in Legal
• Mix of executive, manager and individual contributors
• Minimum of 25% focus on privacy
• Over 500 employees
• Mix across a wide range of regulated and non-regulated industries
• See report for full demographic breakdown

What Are Companies' Motivations?
Motivated more by values and customer and partner expectations than by fear of fines
What are your primary reasons for investing in GDPR compliance?
(Columns follow the chart legend order: United States, United Kingdom, European Union)

Reason                                                            US     UK     EU
Meet customer expectations / requirements                         59%    58%    54%
Support our company values                                        48%    47%    52%
Meet partner or other third-party expectations / requirements     41%    41%    40%
Fines or class action lawsuits                                    41%    38%    39%
Meet internal reporting requirements (including board of directors) 40%  40%    35%
Negative media coverage                                           19%    13%    21%
Differentiate vs. competitors                                     23%    17%    21%

TrustArc – Dimensional Research July 2018

GDPR Compliance Just Underway…
96% have started, but only 20% are fully compliant
Which of the following best describes the state of your GDPR compliance?
• We haven't started: 4%
• We are working on our preliminary plan: 15%
• We have a plan in place but haven't started implementation: 8%
• We have started our implementation: 23%
• Our implementation is well underway: 30%
• We are done and are fully GDPR compliant: 20%
TrustArc – Dimensional Research July 2018

Data Privacy Management Challenges
Top Privacy Challenges for 2H18 – 1H19
GDPR. GDPR. GDPR.
Security compliance, ePrivacy, BCRs and Privacy Shield also on radar
What will your top privacy initiatives be for the next 6-12 months?
Maintaining GDPR compliance 59%
Demonstrating GDPR compliance (e.g., GDPR certification) 43%
Achieving GDPR compliance 42%
ISO or other security compliance frameworks 31%
ePrivacy Regulation compliance 30%
Binding Corporate Rules (BCR) 26%
EU US Privacy Shield status 25%
UK Data Protection Bill 20%
APEC CBPR or PRP certifications 16%
Chinese Cybersecurity law 8%
Other regional, country, or industry privacy regulations 4%
We will not have any major privacy initiatives for the next 6-12 months 4%
TrustArc – Dimensional Research July 2018

The Importance of Real-Time Visibility and Automated Compliance Reporting
TrustArc Case Studies: Technology

Company Overview / Challenge:
• F-50 global hardware & software technology company
• Legacy in-house assessment solution was hard-coded, difficult to modify and too manual to scale
• Also limited in terms of producing audit trails and not enabled for auto-tasking: compliance issues relating to privacy rules could not be auto-flagged
TrustArc Solution:
• Assessment Manager to automate PIAs, DPIAs, and other risk assessments, incorporating custom-designed privacy rules, resulting in automatic flagging of issues, an increase in the number of users by 60% to over 8,000, and a 300+% increase in the number of privacy assessments generated per year
• “TrustArc is a trusted IBM partner”: Anick Fortin-Cousens, CPO

Company Overview / Challenge:
• SaaS machine data analytics for DevOps and Security
• Needed to demonstrate GDPR compliance, both as controller and processor, to customers, partners and 3rd parties
• Needed a competitive GDPR differentiator
TrustArc Solution:
• Assessment Manager to automate PIAs, DPIAs, and produce Article 30 reports
• Data Flow Manager to map business processes
• “TrustArc’s got a lot of great things”: Jen Brown, DPO

Company Overview / Challenge:
• Video conferencing and telehealth services
• Needed to demonstrate GDPR compliance, both as controller and processor, to customers, partners and 3rd parties
• Needed to continue demonstrating compliance with HIPAA
• Wished to adopt a “zero cookie load”, explicit consent approach for EU visitors to the Zoom website
• Needed a competitive GDPR differentiator
TrustArc Solution:
• GDPR Readiness Assessment to identify gaps and develop an action plan
• Data Flow Manager to map business processes
• Assessment Manager to automate PIAs, DPIAs, and other risk assessments
• Cookie Consent Manager to collect user consent on websites
• Website Monitoring Manager to identify use of trackers
• Guidance creating privacy framework, internal / external policies, retention schedule, and incident response processes

TrustArc Case Studies: Financial Services
Company Overview / Challenge:
• Multi-national technology services company (F-500 company)
• Issuer of credit, debit and pre-paid charge cards
• Operates in over 210 countries and territories, including Asia Pacific
• Needed to demonstrate GDPR & APEC CBPR compliance, both as controller and processor, to customers, partners & 3rd parties
• Needed a competitive GDPR differentiator
TrustArc Solution:
• Assessment Manager to automate PIAs, DPIAs, and other risk assessments
• Data Flow Manager to map business processes
• Conducted a large number of PIAs and DPIAs across MasterCard’s worldwide systems
• Guidance creating privacy framework, internal / external policies
• Assistance achieving APEC CBPR certification, demonstrating compliance as a controller under the APEC CBPR Framework

Company Overview / Challenge:
• Insurance for smartphones, tablets, consumer electronics, etc. (operates in over 14 countries)
• Needed compliance assistance with Canadian privacy rules, including PIPEDA
• Needed to demonstrate APEC CBPR compliance
TrustArc Solution:
• Completed Readiness Assessment mapped against Canadian privacy laws and developed a remediation action plan
• Website Monitoring Manager to identify use of trackers
• Assistance achieving APEC CBPR certification, demonstrating compliance as a controller under the APEC CBPR Framework

Company Overview / Challenge:
• Dealer and customer financing, insurance, and related services for AB Volvo trucks, buses and construction equipment in 45 countries
• Needed to demonstrate GDPR compliance, both as controller and processor, to customers, partners & 3rd parties
• Needed a competitive GDPR differentiator
TrustArc Solution:
• Assessment Manager to automate PIAs, DPIAs, and other risk assessments
• Supported assessments in the customer’s many markets and lines of business
• “The TrustArc privacy platform has been very helpful in supporting VFS’s unified approach … and to help us prepare for GDPR readiness.” – Alexia Maas, SVP & General Counsel

TrustArc Case Studies: Media
Company Overview / Challenge:
• Online content network for information and entertainment
• Division of CBS and home of CBSNews.com, CBSSports.com, CNET
• Needed to manage requests from EU residents exercising individual rights under GDPR in an automated fashion, with minimal employee effort, and with the needed information being easy to find and manage for each individual request to delete, correct, etc.
TrustArc Solution:
• Assessment Manager to automate PIAs, DPIAs, and other risk assessments
• Data Flow Manager to map business processes
• Individual Rights Manager to automate handling of Data Subject Access Rights under GDPR
• Consulting assistance to deploy Individual Rights Manager and other TrustArc Platform modules
• Consulting assistance to train personnel on requirements of GDPR

Company Overview / Challenge:
• Professional American football league
• Needed a 360 degree view of the privacy practices of the organization
• Needed to demonstrate compliance with GDPR as a controller, with a particular focus on the operations of the UK office
TrustArc Solution:
• Consulting on privacy policies and procedures and delivery of a privacy gap analysis with remediation recommendations
• Conducted GDPR Strategic Priorities Assessment and developed a GDPR action plan
• Assisted customer in demonstrating overall privacy compliance through achievement of TRUSTe Enterprise Privacy Certification

Company Overview / Challenge:
• Business magazine (bi-weekly)
• Issuer of the Forbes Global 2000 list
• Needed to demonstrate compliance with the GDPR, particularly its consent management requirements
TrustArc Solution:
• Cookie Consent Manager to collect user consent on websites
• Website Monitoring Manager to identify use of trackers
• Ads Compliance Manager to comply with DAA, EDAA and related standards
• GDPR Strategic Priorities Assessment
• Assisted customer in achieving EU-US Privacy Shield Certification

Thank you! Questions? © 2018 TrustArc Inc
TrustArc Privacy Solutions – GDPR Example
Diagram (labels recovered from the slide): an engagement flow from Data Governance Framework, through Readiness Assessment and Gaps, Risks, Remediation, to a GDPR Plan, with Customer Input feeding in and GDPR Validation at the end. Platform modules: Consent Manager, Website Scanning, Data Flow Manager, Individual Rights Mgr, Assessment Manager, Risk / Task Mgmt, Breach Prep. Sample content: Data Inventory, Data Maps, DPIA / PIA, Inherent Risk, Vendor Risk, Int’l Data Transfers Assessment, Policies & Procedures, Gap Analysis. Sample reports: Article 30 Reports, Individual Rights Report, Validation Report, Article 35 Reports.

Sample Engagement to Prepare for GDPR
Started in Fall, 2016
• Global medical device company
– GDPR assessment plus EU/US Privacy Shield
• Add in HIPAA assessment
• Roadmap (started in spring 2017)
– Data inventory and mapping (Article 30)
– Policies and procedures (GDPR plus HIPAA)
– DPIA / PIA process (engineering resistance)
– Vendor management (including contracts and due diligence process)
– Individual rights (HIPAA, too)
– Incident response plan and testing (privacy v. security v. combined)
– Employee training
– PLUS
» HiTRUST certification readiness
» Global comparisons (Canada, Latin America, Switzerland, APAC)
» Now CCPA education