How 5 major brands have secured GDPR Compliance with Protegrity

CAPABILITIES: Compliance; Payment Card Industry (PCI); Big Data; Protected Health Information (PHI); Encryption; Personally Identifiable Information (PII); Tokenization; Audit & Compliance

HOW THIS EBOOK CAN HELP YOUR BRAND
Privacy and GDPR compliance are clearly important to you and your brand, so we are keen to share the best practices for protecting private information that we have honed working with over 200 global, data-driven organisations. Given the highly sensitive nature of the services we provide to our customers, their identities have been anonymised here to protect their security posture, but further details are available upon request. Look out for the icons in the following pages to easily recognise how the described use cases relate to your enterprise.
1 MULTINATIONAL BANK
As this bank meets its obligations under the GDPR, it recognises that Protegrity has provided the visibility and security of personal information that is foundational to compliance with the Regulation's requirements.
This multinational bank consolidated private data from its individual European entities into a data warehouse at its Italian headquarters, but EU cross-border data protection laws meant that access to Austrian and German customer data had to be restricted to requesters in each respective country. The bank implemented Protegrity Vaultless Tokenization locally, to pseudonymise personally identifiable information within each source banking entity before it was transferred to the data warehouse in Italy. Centralised, rule-based access control policies, integrated with LDAP and Active Directory, restrict access to re-identified data to authorised users only, meeting the country-specific requirements for both Austria and Germany. Over time the bank has made broader use of Protegrity's capabilities enterprise-wide, to ensure that only authorised users can access data in the clear.
"Protegrity allows us to centrally manage the security of sensitive data regardless of where it goes." Complying with EU cross-border data security laws in this way provides a foundation for meeting the bank's GDPR obligations without compromising business analysis capabilities.

CHARACTERS: 10k strings
DEPLOYMENT: 30-node Cloudera data lake
USERS: Globally distributed
DRIVER: The need to reliably restrict access to centralised data to country-specific user groups, for compliance with EU cross-border data protection laws
CHALLENGE: Compliantly consolidate large volumes of multiple data types, sourced from several disparate IT systems (including mainframe, ERP and SAS), across geographical borders into a single environment in Italy
STEPS TO SUCCESS: Identified and prioritised the specific privacy fields that needed protection, then applied pseudonymisation at source in each country, using policy-enforced controls to de-protect data only for authorised users in compliance with regulations
SOLUTION: Protegrity's Enterprise Security Administrator allows the bank to ensure that access to unprotected data is given only to authorised users. Protegrity's Database and Application Protectors perform in-country protection of sensitive information before its transfer to the central enterprise data warehouse in Italy
GDPR BENEFITS: Protegrity maintained the efficiency and value of the bank's single enterprise data warehouse while providing robust protection that satisfied privacy regulations without impacting appropriate business use of information; a Privacy by Design foundation for GDPR compliance has been established
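The pattern in this case study, tokenise at source so only tokens cross the border, then let a central policy decide who may de-protect, is shown below as an added example. It is not Protegrity's code: the per-position keyed substitution tables stand in for a vendor's vaultless tokenisation, the `POLICY` table, the country rule and the sample records (the IBANs are the published example numbers for Austria and Germany) are all assumptions, and for simplicity the per-country keys live in one object rather than in protectors inside each country. Per-position substitution leaks which records share a digit at the same position; a production system should use a vetted format-preserving cipher (NIST FF1) behind the same policy layer.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DIGITS = "0123456789"


def _keyed_permutation(key: bytes, field_name: str, pos: int) -> str:
    """Derive a permutation of the ten digits for one field and one character position.

    Each table is a Fisher-Yates shuffle driven by HMAC(key, field:pos), so the same key
    always yields the same tables and nothing has to be stored: the "vault" is the key.
    """
    digits = list(DIGITS)
    rnd = int.from_bytes(
        hmac.new(key, f"{field_name}:{pos}".encode(), hashlib.sha256).digest(), "big")
    for i in range(len(digits) - 1, 0, -1):
        j = rnd % (i + 1)
        rnd //= (i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return "".join(digits)


def tokenise(key: bytes, field_name: str, value: str) -> str:
    """Substitute every digit; letters and separators pass through, so length and layout survive."""
    return "".join(
        _keyed_permutation(key, field_name, pos)[int(ch)] if ch.isdigit() else ch
        for pos, ch in enumerate(value))


def detokenise(key: bytes, field_name: str, token: str) -> str:
    """Invert tokenise() by looking each digit up in the same per-position table."""
    return "".join(
        DIGITS[_keyed_permutation(key, field_name, pos).index(ch)] if ch.isdigit() else ch
        for pos, ch in enumerate(token))


@dataclass(frozen=True)
class User:
    name: str
    country: str  # country of the requesting entity, e.g. "AT" or "DE"
    role: str


@dataclass
class Record:
    country: str            # source entity that protected the record
    fields: Dict[str, str]  # field name -> tokenised value as stored centrally


# Central policy (assumed for the example): which roles may de-protect which fields.
POLICY = {"fraud_analyst": {"account_number", "phone"}, "marketing": {"phone"}}


@dataclass
class Warehouse:
    keys: Dict[str, bytes]  # one tokenisation key per source country
    records: List[Record] = field(default_factory=list)
    audit: List[Tuple[str, str, str, str, str]] = field(default_factory=list)

    def ingest(self, country: str, clear_fields: Dict[str, str]) -> Record:
        """Protect at source: only tokens ever cross the border into the warehouse."""
        rec = Record(country, {f: tokenise(self.keys[country], f, v) for f, v in clear_fields.items()})
        self.records.append(rec)
        return rec

    def read(self, user: User, rec: Record, field_name: str) -> str:
        """Return the clear value only if the role policy AND the country rule both allow it.

        Every attempt is written to the audit trail, whether or not it was de-protected.
        """
        allowed = user.country == rec.country and field_name in POLICY.get(user.role, set())
        self.audit.append((user.name, user.country, rec.country, field_name, "clear" if allowed else "token"))
        token = rec.fields[field_name]
        return detokenise(self.keys[rec.country], field_name, token) if allowed else token


def demo() -> Dict[str, object]:
    # Constructed keys and records; the IBANs are the published example numbers for AT and DE.
    wh = Warehouse(keys={"AT": b"austrian-entity-key", "DE": b"german-entity-key"})
    at_rec = wh.ingest("AT", {"account_number": "AT61 1904 3002 3457 3201", "phone": "+43 1 234567"})
    wh.ingest("DE", {"account_number": "DE89 3704 0044 0532 0130 00", "phone": "+49 30 123456"})
    vienna = User("anna", "AT", "fraud_analyst")
    berlin = User("bernd", "DE", "fraud_analyst")
    return {
        "stored": at_rec.fields["account_number"],
        "at_by_vienna": wh.read(vienna, at_rec, "account_number"),
        "at_by_berlin": wh.read(berlin, at_rec, "account_number"),
        "audit": wh.audit,
    }


if __name__ == "__main__":
    print(demo())
```

The German analyst with the same role gets back exactly what the warehouse holds, the token, and the refusal is still recorded in the audit trail; that audit of attempts, not just of successes, is what lets the bank demonstrate the country restriction to a regulator.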
2 ECOMMERCE RETAILER
This retailer uses Protegrity to restrict access to sensitive data to authorised users only, and to automate monitoring, auditing and alerting across the entire data security system, for compliance with its internal privacy requirements and with the GDPR.
The need to comply with internal privacy requirements and industry data protection standards within a very short turnaround made this eCommerce giant seek advice on security solutions to protect PII and PCI data in its data warehouse. Protegrity came so highly recommended as a security partner that the retailer was immediately confident it had found a solution it could trust to protect private customer information without compromising business performance.
Protegrity's Enterprise Security Administrator enabled the retailer's security team to centrally control and enforce code-of-conduct-based policies throughout the data flow, and to ensure that personal data remains protected enterprise-wide by restricting access to authorised users only. The company is now expanding the Protegrity model to bring its entire organisation into compliance with the GDPR ahead of time.
The retailer started by providing Protegrity with a list of priority privacy data elements to be protected, which formed the basis of its security policies. Data discovery was complete within three weeks, and the entire solution took just months to implement.
"Protegrity came very highly recommended, and they've more than met our expectations."

IMPACT: Negligible
DEPLOYMENT: Less than 6 months
VOLUME: PII protection in 500 tables
DRIVER: Compliance with internal requirements and industry standards for data protection
CHALLENGE: A very short deadline for project completion
STEPS TO SUCCESS: Working with data owners to discover personal data elements throughout the data flows
SOLUTION: Protegrity's Enterprise Security Administrator and Database Protectors for central control of data protection, monitoring and alerting
GDPR BENEFITS: Protecting personal data without compromising business continuity established a model for GDPR success ahead of time
3 RETAIL BANK
This global financial institution, with a long history of analytical leadership, uses Protegrity to protect customer data from unnecessary or unauthorised access in a way that respects privacy and provides a solid basis for GDPR compliance.
For over two decades this multinational retail bank has been performing an extensive range of customer analytics within an ecosystem that incorporates a broad range of applications and technologies. Seeking efficiency, the bank chose to consolidate all analytical sources in a Hadoop® big data platform. After rejecting in-house and alternative vendors’ offerings the bank found Protegrity’s enterprise data protection solution utterly compelling in its alignment with their goal to secure private information throughout its analytical journey, without impacting its business value. With Protegrity’s multi-platform solution the bank can pseudonymise private data as early in its lifecycle as possible and consistently enforce a security policy that allows access to data in the clear only by authorised users and only when necessary.
Protegrity's data-centric approach has enabled scalable protection of personal information by design and by default, and provided a solid basis for the bank's GDPR compliance programme.

"Our GDPR strategy is built on the 'by design' nature of Protegrity's data security solutions."

INPUT: >15 source systems
PERFORMANCE: SLA for <1-hour end-to-end processing met
VOLUME: >120m records per day
DEPLOYMENT: <40 working days of effort
DRIVER: Improving a long-established analytic capability by making effective use of Cloudera Hadoop and reducing PCI audit scope; re-engineering a complex analytical environment to improve analytical processes, make effective use of Hadoop® and stay GDPR compliant
CHALLENGE: Securely re-engineering a complex analytical environment that touches all aspects of the retail banking process and operational change
STEPS TO SUCCESS: Prioritising the sensitivity of data and recognising the value of pseudonymising it as early as possible, to protect it throughout the data flow
SOLUTION: Protegrity's Enterprise Security Administrator pseudonymises data as it is captured and limits access to unprotected data to defined, authorised users and analytic tools
GDPR BENEFITS: A pseudonymisation approach to securing personal information has reduced data-centric costs and provides a blueprint for GDPR compliance while analytic value is preserved
4 GOVERNMENT DEPARTMENT
To provide better service and reduce the cost of managing multiple systems, this government department consolidated many silos into a single governmental Enterprise Data Hub. Using Protegrity to maintain privacy and analytic value puts the department in good shape for GDPR compliance.
Government records are internally classified for sensitivity in several ways, based on many criteria. Users may only access records for which they hold the security clearance necessary to fulfil their specific duties. Further, a change in circumstances may require a citizen's records to be reclassified at a different security level, after which users and analysts who are no longer authorised should be unable to access the record or its historic data. Protegrity worked with the department to develop Entity Based Protection (EBP), an advanced form of Row Level Protection that provides both field- and record-level protection, to overcome the complexities of securing big data.
Each citizen’s sensitivity classification is programmatically defined by the centrally managed, code of conduct based security policy and all citizen data is uniquely pseudonymised to protect private information by design and by default from those without the appropriate level of security clearance. If a change is required to a citizen’s classification level, an update is sent to the Protegrity platform to reconfigure the data protection policy for that individual, honouring their fundamental rights to privacy and data protection under the GDPR.
"We're currently consolidating the data from all of our legacy data warehouses into the EDH, which will use advanced security solutions to keep the data safe."

DEPLOYMENT: 27 nodes, rising to 100+
VOLUME: >100m records
VARIETY: <20 fields
DRIVER: Streamlining processes, improving analytic capability and reducing costs with a single governmental data lake
CHALLENGE: Ensuring maximum security in an environment with complicated levels of access authorisation in a constant state of flux
STEPS TO SUCCESS: Working closely as a team with Protegrity and big data experts to accomplish a shared vision of excellence
SOLUTION: Central enforcement, auditing and reporting of data protection policies, using Protegrity's ESA and pseudonymisation technology to protect privacy without compromising analytic ambition
GDPR BENEFITS: Pseudonymisation protects privacy while whole-population analytic value is ensured, in compliance with government internal security requirements and the EU's GDPR
5 WORLDWIDE BANKING GROUP
Established in the 1700s, this British bank chose Protegrity’s pseudonymisation solutions specifically to comply with critical aspects of the GDPR and customers’ privacy expectations, without impact to data-driven business performance.
After identifying data breach vulnerabilities, this major British financial institution chose Protegrity to overcome GDPR challenges around customer privacy and appropriate access to personal information, without impact to business processes or performance. Protegrity helps the bank to mitigate the impact of the GDPR's breach notification requirements by protecting personal information so that it no longer identifies the person to whom it pertains (Article 34(3)(a) relieves a controller of the duty to notify affected data subjects where the breached data has been rendered unintelligible to unauthorised persons, for example by encryption), and to honour customers' "right to be forgotten" by providing the ability to remove cryptographic keys, so that the data retains its value for analytics but can no longer be restored to its original form. Deleting a key only erases the data that was protected under that key, so this form of erasure depends on keys being scoped to the individual customer rather than shared across a whole table.
Protegrity enables the bank to centrally control code-of-conduct-based data protection policies and to enforce separation of duties by role in operational and analytical environments enterprise-wide, ensuring that only users with a legitimate need can see personal customer data, according to the function they perform. Protegrity has also responded to the bank's need for consistent, "human readable" test data with a solution that turns protected information into familiar but false data: the same uniquely pseudonymised value always becomes the same readable word, with no way to convert the test data back into the real data, so privacy is by design and by default.
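Three mechanisms described in the government and banking cases above share one building block, a key held per data subject: per-citizen pseudonymisation whose access rule can be changed when the citizen is reclassified, erasure by deleting that key so the records can never be re-linked, and human-readable test data that maps a protected value to the same false word every time. The added example below shows all three together. It is an assumed design, not Protegrity's implementation: the key store, the HMAC-based pseudonym, the clearance-level check, the fake-name vocabulary and the sample customer values are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Sequence


class SubjectKeyStore:
    """One random key per data subject, plus the subject's current sensitivity level.

    Pseudonyms are HMACs under the subject's key.  Erasing the key is crypto-shredding:
    pseudonyms already in the warehouse stay consistent with each other (joins and counts
    still work) but can never again be linked to the real values.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._levels: Dict[str, int] = {}

    def enrol(self, subject_id: str, level: int) -> None:
        self._keys[subject_id] = secrets.token_bytes(32)
        self._levels[subject_id] = level

    def reclassify(self, subject_id: str, level: int) -> None:
        """Entity-based protection: a policy update changes who may read this subject's records."""
        self._levels[subject_id] = level

    def key(self, subject_id: str) -> Optional[bytes]:
        return self._keys.get(subject_id)

    def is_readable(self, subject_id: str, clearance: int) -> bool:
        """Record-level check: the reader's clearance must reach the subject's current level."""
        level = self._levels.get(subject_id)
        return level is not None and clearance >= level

    def erase(self, subject_id: str) -> None:
        """Right to erasure: discard the key (and classification) for this subject only."""
        self._keys.pop(subject_id, None)
        self._levels.pop(subject_id, None)


def pseudonymise(store: SubjectKeyStore, subject_id: str, field_name: str, value: str) -> str:
    """Deterministic one-way pseudonym: same subject, field and value always give the same token."""
    key = store.key(subject_id)
    if key is None:
        raise KeyError(f"no key for {subject_id}: subject erased or never enrolled")
    mac = hmac.new(key, f"{field_name}\x00{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


# Constructed vocabulary for human-readable test data.
FAKE_FIRST_NAMES: Sequence[str] = ("Alice", "Bruno", "Chloe", "Dario", "Elena", "Farid", "Greta", "Hugo")


def readable_test_value(test_key: bytes, field_name: str, protected: str, vocabulary: Sequence[str]) -> str:
    """Turn a protected value into a familiar-looking but false one for test environments.

    The mapping is keyed and deterministic (same token -> same word) and many-to-one, since
    the vocabulary is far smaller than the token space, so it cannot be reversed.
    """
    mac = hmac.new(test_key, f"{field_name}\x00{protected}".encode(), hashlib.sha256).digest()
    return vocabulary[int.from_bytes(mac[:4], "big") % len(vocabulary)]


def demo() -> Dict[str, object]:
    store = SubjectKeyStore()
    store.enrol("cust-1001", level=1)
    store.enrol("cust-1002", level=3)
    first = pseudonymise(store, "cust-1001", "email", "maria@example.com")   # constructed value
    again = pseudonymise(store, "cust-1001", "email", "maria@example.com")
    other = pseudonymise(store, "cust-1002", "email", "maria@example.com")   # same value, other subject
    readable_before = store.is_readable("cust-1001", clearance=2)
    store.reclassify("cust-1001", level=3)
    readable_after = store.is_readable("cust-1001", clearance=2)
    fake = readable_test_value(b"test-data-key", "first_name", first, FAKE_FIRST_NAMES)  # constructed key
    store.erase("cust-1001")
    try:
        pseudonymise(store, "cust-1001", "email", "maria@example.com")
        erased = False
    except KeyError:
        erased = True
    return {"first": first, "again": again, "other": other,
            "readable_before": readable_before, "readable_after": readable_after,
            "fake": fake, "erased": erased,
            "readable_high_after_erase": store.is_readable("cust-1001", clearance=9)}


if __name__ == "__main__":
    print(demo())
```

Because the key is per subject, the same e-mail address pseudonymises differently for two customers, which is what stops a leaked token from being matched across subjects; the price is that the pseudonymising component must know the subject identifier for every record it protects.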
"GDPR compliance is simplified with a central point of control for enforcing Privacy by Design based codes of conduct – enterprise-wide."

EVALUATION: 2 use cases, 4 platforms, 8 days
DISCOVERY & DESIGN: 12 days
DEPLOYMENT: 6–8 weeks
DRIVER: To reduce privacy risk and comply with critical aspects of the GDPR while preserving analytic value
CHALLENGE: Ensuring business continuity and analytical excellence while protecting the personal data of 22 million worldwide customers from multiple sources and in a complex IT estate
STEPS TO SUCCESS: A side-by-side evaluation of 13 vendors ensured that this bank selected Protegrity as its trusted security advisor
SOLUTION: Protegrity enables the bank to ensure that only authorised users with a legitimate need to see personal information may do so, based on centrally managed, code-of-conduct-based data privacy policies
GDPR BENEFITS: As well as reducing the risk of penalties for non-compliance with the GDPR, the bank can honour customers' privacy rights without compromising analytic ambition
WHY PROTEGRITY
The GDPR is a significant requirement for all multinational corporations, and traditional approaches to data protection will not be sufficient for compliance without compromise to the business: new approaches are needed to holistically protect and report on personal information as it flows throughout the enterprise. Protegrity's data-centric audit and protection solution provides forward-looking organisations with central management of automated data protection, access control and reporting, to simplify delivery and certification of GDPR compliance, by design and by default. Leveraging multiple data protection technologies, Protegrity's de-identification solutions can pseudonymise personal information while preserving multiple data types and formats, so processing and analytics can continue without risk to compliance, on premise and in the cloud, while transparently preserving privacy for different parties. Customer-centric and digitally disruptive organisations with privacy as a brand value increasingly rely on Protegrity's innovative solutions to protect personal information for enterprise-wide compliance with data protection regulations, without compromise to business excellence.

Protegrity was born of the need to deliver a new kind of data security, equipped to meet the privacy challenges of modern enterprises: security that protects the data itself everywhere it goes, while giving businesses the freedom to transform and innovate with their data. The right balance between sophisticated data analysis and risk management can be achieved; neither needs to be sacrificed. Data today is more than power, it is the lifeblood of the organisation, and it needs to flow to the right data owners in real time. If it can't be mined and manipulated at or near real time while still maintaining security and privacy, it's not delivering maximum value.
Read more about how Protegrity can help your business
• Protegrity for the GDPR (data sheet)
• Protegrity Insight: Discovery (data sheet)
• GDPR & where Protegrity plays a role (data sheet)
• The Hitchhiker's Guide to Privacy by Design (eBook)
• Harness the Power of Data Centric Security to Overcome GDPR Challenges (white paper): data privacy challenges associated with the GDPR, and how organisations with complicated IT landscapes can overcome them with fit-for-purpose technology to achieve compliance and inspire trust
• The G in GDPR is for Global, not just General (infographic)
• Who Should Care About the GDPR? (executive summary)
• Data Protection Central to Gartner's 2017 DCAP Market Guide
• Contact Protegrity

KEY TERMS
Pseudonymisation: A method of de-identifying PII, advocated by the GDPR, to protect individuals' rights during data processing.
Tokenization: A non-mathematical, reversible method of pseudonymisation that substitutes PII with random fake data that preserves data type, length and format, allowing the legacy architecture underneath to remain operational. Tokens can keep the data's integral value fully or partially visible, enabling secure data processing and analytics.
Encryption: A mathematical method of rendering PII unintelligible to any person without the authority to access it.
Obfuscation: A method of masking PII with unrelated values, most commonly used for archiving, testing and development purposes.

PROTEGRITY FOR THE GENERAL DATA PROTECTION REGULATION (DATA SHEET)
Data Protection for the Data-Driven. Protegrity's data-centric audit and protection (DCAP) solution helps forward-looking organisations with enterprise-wide, best-practice privacy data protection for compliance with the EU's General Data Protection Regulation (GDPR), by design and by default, without compromising business processes.
Protegrity is the only enterprise data security software platform that helps brands to meet their obligations to protect personally identifiable information (PII) and maintain its value and usability on premise, in the cloud and by third parties, irrespective of operating system or application. The GDPR mandates that organisations must know where and how the private data of European citizens is stored and accessed, then prove that it is appropriately protected "by design and by default" throughout its lifecycle, with "the existence of appropriate safeguards, which may include encryption or pseudonymisation."
Data Protection That Delivers. Customer-centric and digitally disruptive organisations with privacy as a brand value increasingly rely on Protegrity's innovative solutions to mitigate internal and external threats to PII without compromise to its analytic value, business excellence, or compliance with regulatory requirements.
Leveraging multiple data protection technologies, Protegrity's de-identification solutions can pseudonymise PII while preserving multiple data types and formats, so processing and analytics can continue without risk to compliance or impact to automated downstream systems. This enables controlled access to PII, on premise and in the cloud, while transparently preserving privacy and data security for different parties.
The foundation of Protegrity's data-centric approach to protecting PII for GDPR compliance is the Enterprise Security Administrator (ESA), which provides central control and management of rule-based security policies created in answer to these internal operational needs:
• What data shall be protected?
• How shall the data be protected?
• Who shall have access to it?
• Where shall the policy be enforced?
• Audit of access and attempts: by whom, to what, where and when?

PROTEGRITY INSIGHT: DISCOVERY (DATA SHEET)
Protegrity Discovery is a database-agnostic sensitive information discovery and tracking tool, designed to reduce, manage and control the risk associated with storing sensitive data, as well as the disruption and financial impact of multiple or third-party enterprise data audits. Think of data regulation in terms of an iceberg: ignorance of what lies beneath the waterline is no excuse for non-compliance. Think about analytics in terms of a puzzle: without all the pieces it is impossible to see the bigger picture.
Discover Success. Starting data-driven projects with discovery and classification accelerates their completion, optimises processes and consistency, and quickly reduces enterprise cost and risk. Knowing where sensitive information resides sets realistic expectations for managing the scope, cost and timeframe of data projects, including security and regulatory compliance.
Discover Simplicity. Organisations that do not know where sensitive data resides find it hard to prioritise data security and privacy risks and regulatory goals, and thus struggle with where to start compliance and data security projects. Without the ability to quantify risk, it is harder to strategise successfully around data and to justify the budgets necessary for keeping up with digital and regulatory change. Discovery and classification of sensitive information enables organisations to quickly and confidently jump-start data-centric projects, including GDPR, PCI and HIPAA compliance.
"The exponential growth in data generation and usage across multiple data silos is rendering current data security methods obsolete… Security and risk management leaders must use data-centric audit and protection (DCAP) products to mitigate threats and compliance issues to critical data."
Discovery Features
• Cross-platform coverage
• Patent-pending classification technique with classifiers on multiple features
• Classifiers are weighted, based on the probability of accuracy
• Highly scalable architecture, elastic and parallel processing, sampling and partial results
• Performance is independent of target system capacity
How Discovery Works
• Goes through the data sources it is pointed at and opens as many items as possible to discover sensitive data wherever it exists
• Associates and records data classifications as directed (tags, labels, data element types…)
• Positive results are stored and classifiers show a confidence percentage
• Automatically compares previous and current scan results to identify and understand anomalies within the environment
Discovery Benefits
• Supports determining the scope of new projects
• Simplifies compliance with regulatory requirements such as GDPR Privacy Impact Assessments and PCI audits
• Insight into enterprise systems that represent risk to data privacy and security

GDPR & WHERE PROTEGRITY PLAYS A ROLE (DATA SHEET)
This document lists the articles of the GDPR, with a brief explanation in plain English of the role Protegrity may play in enabling a brand's compliance with the GDPR. Protegrity relevance: YES means Protegrity is relevant to the Article; SOME means Protegrity has some indirect or potential relevance to the Article.
CHAPTER 1 GENERAL PROVISIONS
Article 1, Subject matter and objectives
Article 2, Material scope
Article 3, Territorial scope
Article 4, Definitions: Terms are defined for the purposes of the Regulation. SOME: Protegrity provides organisations with the ability to protect data subjects' privacy with pseudonymisation (the processing of personal data in such a manner that it can no longer be attributed to an individual) and with encryption, which renders data unintelligible to any person who is not authorised to access it.
Personal data: The definition of what is considered PII has expanded under the GDPR. SOME: Protegrity supports protection of a wide range of data types and formats, to cover data classified as personally identifiable information under the GDPR.
CHAPTER 2 PRINCIPLES
Article 5, Principles relating to processing of personal data: Generally accepted privacy principles. SOME: Protegrity enables organisations to ensure the appropriate security of personal data during processing.
Article 6, Lawfulness of processing: Organisations must ensure that processing is lawful. SOME: Protegrity simplifies compliance by pseudonymising data subjects without impact to the business value of their data, and by preventing unauthorised access.
Article 7, Conditions for consent
Article 8, Conditions applicable to child's consent in relation to information society services
Article 9, Processing of special categories of personal data
Article 10, Processing of personal data relating to criminal convictions and offences

THE HITCHHIKER'S GUIDE TO PRIVACY BY DESIGN (eBOOK)
Start here.
1. Does your company process or store EU citizen data? If your company has an office or affiliate in any European country, it is very likely that you are storing EU citizen data.
   No: congratulations, your organisation only has to worry about local regulations.
   Yes: continue.
2. Does your company employ more than 250 people?
   Yes: you must maintain comprehensive records of your processing and protection activities for EU citizens.
   No: you are required to maintain records of activities related to higher-risk processing.
3. Does your current data protection posture include privacy by design? (Privacy by Design is a concept created by Ann Cavoukian, Ontario's former Information and Privacy Commissioner.)
   No: you're in bad shape. Appropriate controls should be embedded in IT and organisational processes to ensure that privacy data is appropriately protected; you must take steps to become GDPR compliant.
   Yes: you're in good shape, however…
4. Do you rely on silo-based protection?
   Yes: this is not enough. The exponential growth in data generation and usage across multiple data silos is rendering current data security methods obsolete. A data-centric approach protects the data itself, regardless of where it is stored or consumed.
   No: you're in good shape, however…
5. Does your data-centric approach include central control of monitoring and auditing?
   No: all protection of data should be audited and any access to unprotected data should be monitored, to ensure compliance with organisational policies. Contact Protegrity.
   Yes: you're in good shape, however…
6. Does your data-centric protection approach allow central control of policies and mechanisms? The GDPR requires enterprise-wide enforcement of Privacy by Design policies.
   No: Protegrity solutions include central enforcement of policies to meet separation of duties and right to erasure requirements enterprise-wide. Contact Protegrity.
   Yes: congratulations. You must be using
Protegrity is recognised in Gartner's Market Guide for Data-Centric Audit & Protection (DCAP) for protecting all data silos with the highest levels of capability.
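The Discovery data sheet above describes classifiers on multiple features, weighted by their probability of accuracy, producing a confidence percentage, and a comparison of successive scans to surface anomalies. The added example below shows what that looks like in code; it is not Protegrity Discovery's classifier, and the three data types, the weights, the 0.5 threshold, the sample table (card numbers are the usual test PANs, the IBANs are published example numbers) and the previous-scan result are all constructed for illustration. A checksum feature (Luhn for card numbers, ISO 13616 mod-97 for IBANs) is weighted higher than a mere shape match because a random digit string passes it only about one time in ten.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def luhn_ok(value: str) -> bool:
    """Luhn checksum over the digits of a candidate card number (PAN)."""
    digits = [int(c) for c in value if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(value: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, letters -> 10..35, mod 97 == 1."""
    compact = value.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", compact):
        return False
    numeric = "".join(str(int(c, 36)) for c in compact[4:] + compact[:4])
    return int(numeric) % 97 == 1


EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")


def _pan_shape(v: str) -> bool:
    return bool(re.fullmatch(r"[\d ]{13,23}", v)) and 13 <= sum(c.isdigit() for c in v) <= 19


def _iban_shape(v: str) -> bool:
    return bool(re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9 ]{11,34}", v.upper()))


@dataclass(frozen=True)
class Classifier:
    feature: str
    weight: float                      # share of the confidence this feature can contribute
    match: Callable[[str], bool]


# Assumed feature sets and weights; a product would derive the weights from measured accuracy.
CLASSIFIERS: Dict[str, List[Classifier]] = {
    "PAN":   [Classifier("13-19 digit shape", 0.3, _pan_shape), Classifier("Luhn checksum", 0.7, luhn_ok)],
    "IBAN":  [Classifier("country/check/BBAN shape", 0.4, _iban_shape), Classifier("mod-97 checksum", 0.6, iban_ok)],
    "EMAIL": [Classifier("email syntax", 1.0, lambda v: bool(EMAIL_RE.fullmatch(v)))],
}


def classify_column(values: List[str]) -> Dict[str, float]:
    """Confidence per type: weighted sum over features of the fraction of non-empty cells matched."""
    cells = [v for v in values if v]
    if not cells:
        return {}
    scores: Dict[str, float] = {}
    for dtype, features in CLASSIFIERS.items():
        score = sum(f.weight * sum(f.match(c) for c in cells) / len(cells) for f in features)
        if score > 0:
            scores[dtype] = round(score, 2)
    return scores


def scan(table: Dict[str, List[str]], threshold: float = 0.5) -> Dict[str, Tuple[str, float]]:
    """Map each column to its most likely sensitive type when the confidence reaches the threshold."""
    findings: Dict[str, Tuple[str, float]] = {}
    for column, values in table.items():
        scores = classify_column(values)
        if scores:
            best = max(scores, key=scores.get)
            if scores[best] >= threshold:
                findings[column] = (best, scores[best])
    return findings


def diff_scans(previous: Dict[str, Tuple[str, float]], current: Dict[str, Tuple[str, float]]) -> Dict[str, List[str]]:
    """Anomalies between two scans: sensitive columns that appeared, disappeared or changed type."""
    both = set(previous) & set(current)
    return {"new": sorted(set(current) - set(previous)),
            "gone": sorted(set(previous) - set(current)),
            "changed": sorted(c for c in both if previous[c][0] != current[c][0])}


SAMPLE_TABLE: Dict[str, List[str]] = {  # constructed rows
    "cust_id": ["1001", "1002", "1003"],
    "contact": ["maria@example.com", "jan@example.org", "not-an-email"],
    "card":    ["4111 1111 1111 1111", "5500 0000 0000 0004", "1234 5678 9012 3456"],
    "acct":    ["DE89 3704 0044 0532 0130 00", "AT61 1904 3002 3457 3201", "GB82 WEST 1234 5698 7654 32"],
    "notes":   ["called re: statement", "", "moved house"],
}

PREVIOUS_SCAN = {"contact": ("EMAIL", 0.67), "card": ("IBAN", 0.5), "old_col": ("EMAIL", 0.8)}  # constructed


if __name__ == "__main__":
    current = scan(SAMPLE_TABLE)
    print(current)
    print(diff_scans(PREVIOUS_SCAN, current))
```

On the sample table the third card value has the right shape but fails Luhn, so the `card` column scores 0.77 rather than 1.0; the diff then reports `acct` as newly sensitive, `old_col` as gone and `card` as having changed type, which is the kind of scan-to-scan anomaly the data sheet says should be investigated.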
www.protegrity.com

Corporate Headquarters: Protegrity USA, Inc.
333 Ludlow Street, South Tower, 8th Floor
Stamford, CT 06902, USA
Phone: +1.203.326.7200

Protegrity (Europe)
Suite 2, First Floor, Braywick House West, Windsor Road
Maidenhead, Berkshire SL6 1DN, United Kingdom
Phone: +44 1494 857762

Copyright © 2018 Protegrity Corporation. All rights reserved. Protegrity® is a registered trademark of Protegrity Corporation. All other trademarks are the property of their respective owners.