Yesterday Ray Everett, Principal Consultant (US), TRUSTe; Veronika Tonry, President, Privacy KnowHow, former Global Privacy Manager at Chevron and Applied Materials; and Guy Sereff, Corporate Counsel, Level 3 Communications, shared which tools and resources companies are using to conduct data inventories.
Our speakers also shared some of the biggest “lessons learned” from conducting Data Inventories for the first time, so that you can avoid the same pitfalls.
- There is no “one size fits all” approach – you should conduct these exercises in a way that fits with your company culture.
- Once you’ve received the support for the project, make sure you identify roles and responsibilities before any work begins. For example, what will the project manager, business unit leads, and subject matter experts be responsible for?
- Setting realistic expectations for the level of effort required to complete the project will keep it moving along and on track.
Additional insight shared by our speakers included benefits to other departments outside of privacy that are gained with conducting Data Inventory and Mapping. While the legal, regulatory, and compliance departments all gain ground with EU GDPR compliance, finance, IT, security, and development teams will benefit too. Identifying storage redundancies can save the finance department money, and the IT department headaches. The security team can pinpoint which data and business applications need to be protected. The development team can kickstart a discussion of Privacy by Design because they can see which applications are sharing information early in the development phase, and address any privacy concerns early on. Data Inventory and Mapping is an exercise that can bring benefits to the entire organization.
If you missed it, you can still listen to the full recording here.
TRUSTe Data Inventory and Mapping Solution combines privacy consulting expertise, our proven methodology, and powerful technology tools to help businesses meet privacy regulations like the EU General Data Protection Regulation (GDPR) and minimize data governance risk across the enterprise.
Best Practices to Create a Data Inventory and Meet GDPR Compliance
January 24 @ 9:00 am – 10:00 am PST
Where’s your data? Understanding the data flows and data policies and procedures across the Company is the foundation of any privacy and data governance program and essential for GDPR compliance. This new regulatory requirement is forcing many companies to finally tackle this exercise head-on. Not sure where to start?
Our webinar speakers will:
- Share their experiences in creating data inventories for a range of enterprises
- Provide tips and templates to help set you up for success
- Review how the data inventory can be used by different teams including privacy, infosec, IT and risk and compliance.
- Show the creation of simple data flow maps that can be easily maintained across the organization
Join this webinar to help you understand the tools, resources and methodology companies are using to establish a baseline of data assets and obligations and get on the fast track to GDPR compliance. Speakers include: Ray Everett, Principal Consultant (US), TRUSTe, Veronika Tonry, President, Privacy KnowHow, former Global Privacy Manager at Chevron and Applied Materials and Guy Sereff, Corporate Counsel, Level 3 Communications.
> Register here
#ChatSTC Twitter Chat: Being #PrivacyAware is Good for Business
January 25 @ 12:00 pm – 1:00 pm PST
Online Twitter Chat
Consumers are paying closer attention to the value of their personal information and how to manage their privacy. To build trust, businesses must address customers’ preferences, needs and concerns about privacy by being transparent about their collection, use and protection of consumer data and providing easy to use privacy and security tools. This #ChatSTC Twitter chat will help you understand how privacy is good for business and the steps your organization can take to respect privacy, safeguard data and enable trust.
Moderator: STOP. THINK. CONNECT.™ (@STOPTHNKCONNECT)
Guests: Better Business Bureau Enterprise (@BBB_Enterprise), ConnectSafely (@ConnectSafely), CyberWise (@BeCyberwise), Federal Trade Commission (@FTC), Future of Privacy Forum (@futureofprivacy), Get Cyber Safe (@GetCyberSafe), Higher Education Information Security Council (@HEISCouncil), iKeepSafe (@iKeepSafe), Level 3 Now (@Level3Now), PCI Security Standards Council (@PCISSC), Privacy Rights Clearinghouse (@PrivacyToday), Securing the Human (@SecureTheHuman), TRUSTe (@TRUSTe), Women in Security and Privacy (@wisporg), Data Privacy Day (@DataPrivacyDay), National Cyber Security Alliance (@StaySafeOnline), additional guests TBD
> Use #ChatSTC to join
Data Privacy Day
January 28 (other events scheduled)
Respecting Privacy, Safeguarding Data and Enabling Trust is the theme for Data Privacy Day (DPD), an international effort held annually on January 28 to create awareness about the importance of privacy and protecting personal information. Use #PrivacyAware to join the fun.
Live from Twitter HQ: Data Privacy Day Event 2017 will take place on January 26th at Twitter HQ. Join the National Cyber Security Alliance to watch exciting TED-style talks, segments and interviews focusing on the latest privacy issues for consumers and business. The event will be available online for the world to watch on Livestream, Periscope and Facebook Live.
> Register to watch live here
For organizations that operate globally, complying with the EU GDPR will likely require significant investment in personnel, process change, and new tools. In order to meet the compliance deadline, companies are actively preparing now. TRUSTe has developed a four phase process to help guide you on the path to compliance. During November, December, and January we will provide you with a series of tips to use along your path to compliance.
See Tip No. 4: Build Consensus for GDPR Compliance by executing an awareness campaign
TIP NO. 5: Uncover Risk by Conducting a Comprehensive Data Mapping Analysis
To ensure you have uncovered all of the risks and appropriately prioritized your plan, you must have a solid understanding of your organization’s complete data lifecycle.
The process to document this lifecycle is referred to as a data flow analysis or data mapping.
Data mapping will require that you talk to the teammates who know where data is at each stage of its lifecycle, across the enterprise and with third parties.
The IAPP / TRUSTe benchmarking study “Preparing for the GDPR: DPOs, PIAs, and Data Mapping” found that many organizations face similar barriers to completing a data inventory and mapping project for privacy purposes:
- lack of internal resources / staff: 58%
- it’s a low priority for the organization: 48%
- too busy; focused on other projects: 32%
- these projects are done by others: 30%
- lack of budget for external consultants or suppliers: 30%
- it cannot be maintained so no reason to start: 12%
- don’t know: 10%
Don’t let these reasons stop your organization from uncovering risk. If you need help with conducting comprehensive data mapping, TRUSTe offers Data Inventory and Mapping solutions. Contact us for more information.
Why you should know where your data is: two practical use cases
The General Data Protection Regulation (GDPR) includes a wide range of privacy related requirements which will impact all areas of a company, including legal, compliance, information security, marketing, engineering, and HR. These changes will require companies to have a clear understanding of where their data is in order to ensure GDPR compliance.
Use Case 1: A data subject requests a copy of their data.
Article 15 grants data subjects the right of access: individuals may obtain confirmation as to whether personal data about them is being processed and, where it is, request a copy of that data.
Your organization collects data about its customers so that it can provide suggestions to enhance the customer experience. If a customer requests a copy of their data, will you know where to find it? If they ask additional questions about their data, will you be able to answer them?
Use Case 2: A global business transaction.
Article 46 allows data transfers to non-EU countries where appropriate safeguards are in place. Appropriate safeguards include Binding Corporate Rules (BCRs), Model Contract Clauses (MCCs), also known as Standard Contractual Clauses (SCCs), and legally binding and enforceable instruments between public authorities or bodies. What about Privacy Shield?
Your organization is about to close a global deal in which personal information will be transferred out of the EU to a US-based subsidiary, which in turn uses a vendor in Asia to process that data. Are any measures in place to ensure your team will not overlook requirements that apply at each hop as the data travels across countries?
Data inventory and mapping allows organizations to pinpoint exactly where data is located and stored, and draws the connections between complicated data flows. Having an easily accessible, centralized inventory will allow organizations to quickly identify which assets or systems manage the processing of the individual’s data, making it more efficient to investigate and respond to that individual’s access request (Use Case 1). Additionally, having a holistic picture of where data is and where data goes will allow for mapping which jurisdictional requirements apply throughout the data lifecycle (Use Case 2).
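As an added illustration (this is not part of the original post and not TRUSTe's Data Inventory Manager), here is a minimal Python model of an inventory that serves both use cases above: given the categories collected about a subject, list the systems that must be searched for an access request; and walk EU-origin data through the recorded flows, flagging every hop that lands outside the EU without a recorded transfer mechanism. The system names, countries, data categories and flows are constructed for the example, and the set of accepted mechanisms is simply the three the Article 46 paragraph lists, so anything else (including no recorded mechanism) is flagged for review rather than judged adequate.

```python
"""Toy data inventory: which systems hold a subject's data (Article 15) and
which cross-border hops lack a recorded safeguard (Article 46).
Hypothetical example; every record below is constructed, not real data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Assumption: two-letter country codes treated as "inside the EU" for transfer
# purposes. EEA/adequacy nuances are deliberately out of scope for this example.
EU_COUNTRIES = {"DE", "FR", "IE", "NL"}

# Mechanisms the page lists as Article 46 appropriate safeguards. Nothing else is
# accepted here; anything unrecorded or unrecognised is surfaced for review.
APPROPRIATE_SAFEGUARDS = {"BCR", "SCC", "public_authority_instrument"}


@dataclass(frozen=True)
class System:
    name: str
    owner: str                      # business unit accountable for the asset
    country: str                    # where the data is stored / processed
    data_categories: FrozenSet[str]  # e.g. {"email", "purchase_history"}


@dataclass(frozen=True)
class Flow:
    source: str
    destination: str
    data_categories: FrozenSet[str]
    mechanism: Optional[str] = None  # recorded Art. 46 safeguard, if any


# Constructed inventory: a German CRM feeding an Irish recommendation engine,
# a US subsidiary's warehouse, and that subsidiary's vendor in Singapore.
SYSTEMS = [
    System("crm", "Sales", "DE", frozenset({"email", "purchase_history"})),
    System("recommendations", "Marketing", "IE", frozenset({"purchase_history", "browsing"})),
    System("us_subsidiary_dw", "Finance (US)", "US", frozenset({"email", "purchase_history"})),
    System("asia_vendor_analytics", "Vendor", "SG", frozenset({"purchase_history"})),
]
FLOWS = [
    Flow("crm", "recommendations", frozenset({"purchase_history"})),            # intra-EU
    Flow("crm", "us_subsidiary_dw", frozenset({"email", "purchase_history"}), "SCC"),
    Flow("us_subsidiary_dw", "asia_vendor_analytics", frozenset({"purchase_history"})),  # onward hop, nothing recorded
]


def systems_processing(systems: List[System], subject_categories: FrozenSet[str]) -> List[str]:
    """Use case 1: every system holding at least one category collected about the subject."""
    return sorted(s.name for s in systems if s.data_categories & subject_categories)


def review_transfers(systems: List[System], flows: List[Flow]) -> List[str]:
    """Use case 2: follow EU-origin data through the flow graph. Any hop whose
    destination is outside the EU must carry a recorded appropriate safeguard,
    including onward hops between two non-EU parties (US -> Asia here)."""
    by_name: Dict[str, System] = {s.name: s for s in systems}
    outgoing: Dict[str, List[Flow]] = {}
    for f in flows:
        outgoing.setdefault(f.source, []).append(f)

    findings: List[str] = []
    seen = set()
    stack = [s.name for s in systems if s.country in EU_COUNTRIES]  # data origins
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for f in outgoing.get(node, []):
            src, dst = by_name[f.source], by_name[f.destination]
            if dst.country not in EU_COUNTRIES and f.mechanism not in APPROPRIATE_SAFEGUARDS:
                findings.append(
                    f"{src.name} ({src.country}) -> {dst.name} ({dst.country}): "
                    f"no recorded safeguard (mechanism={f.mechanism!r}), "
                    f"categories={sorted(f.data_categories)}"
                )
            stack.append(dst.name)  # everything downstream now carries EU-origin data
    return findings


if __name__ == "__main__":
    print("Access request scope:", systems_processing(SYSTEMS, frozenset({"purchase_history"})))
    for line in review_transfers(SYSTEMS, FLOWS):
        print("REVIEW:", line)
```

Note that the first hop out of the EU is covered by SCCs in the constructed inventory, so a check that only looks at EU sources would pass; it is the onward transfer from the US subsidiary to its Asian vendor that surfaces, which is exactly the hop the global-deal scenario warns is easy to overlook.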
If you need help with your data mapping efforts, TRUSTe offers a solution. Learn more.
TRUSTe announced today at the Privacy.Security.Risk Conference the availability of Data Inventory 2.0 to help businesses prepare to meet privacy regulations including the EU General Data Protection Regulation (GDPR) and minimize data governance risk across their enterprise. The solution combines TRUSTe’s Data Inventory and Classification service, introduced in 2015, along with the new TRUSTe Data Inventory Manager and other technology tools to generate detailed insights into complex data flows.
The IAPP-EY Annual Privacy Governance Report (2015) indicated Data Inventory and Mapping was a top priority on the privacy roadmap for nearly half (47%) of respondents. In order to fully assess privacy and compliance risks, companies need to understand how customer and employee data in their organization is used. This includes knowing what data is collected; where it is stored; who it is shared with; and how long it is retained. For a large enterprise, this can entail hundreds of websites, systems and vendors – and dozens of data types – creating a complex and often overwhelming task for businesses to manage.
TRUSTe Data Inventory 2.0 solves this challenge by providing a comprehensive solution that streamlines the process into three phases:
- Comprehensive enterprise-wide review of customer and HR data flows, guided by TRUSTe’s privacy consultants and proven methodology. The process is enhanced by data discovery using TRUSTe website and mobile app scanning tools.
- Data is categorized by type and recorded in the new TRUSTe Data Inventory Manager, a centralized, interactive database providing a secure and efficient way to store, search, and sustain the information.
- Visual summaries of data flows are created and delivered as part of an in-depth report and a high-level summary, providing an enhanced way to analyze and act upon the findings.
The output is a comprehensive, actionable and sustainable data inventory and visual data flows that are easy to share across the organization and update to reflect changing business activities.
Data Inventory 2.0 is available today standalone or integrated with TRUSTe Assessment Manager to seamlessly conduct PIAs and privacy risk assessments on assets identified in the data inventory. Pricing varies based on company size and engagements can often be completed in 8 weeks or less. For more information visit truste.com/data-inventory or call 888-878-7830.