My name is Ryan Rubin. I'm a managing director at a company called Protiviti. We focus on helping organizations manage business risks and [INAUDIBLE] security and privacy service spying within the UK. What we see in the markets is that many organizations are still not greatly prepared. There's a lot of confusion out there about whether this problem is a mountain or whether it's a molehill, and organizations are still trying to work through that before they take action. Unfortunately, we only have roughly 18 months to go, and early quarter one 2018, organizations are going to need to demonstrate compliance and be prepared for what is coming.
So the first step is a lot of organizations have perceived GDPR to be a potentially material risk, given the fact that the fines are up to 4% of global turnover. So the first question we ask our clients is really is this a mountain or a molehill type of problem that they need to climb? And the way that we help organizations do that is by carrying out some type of data privacy risk assessment.
What this risk assessment does is it assesses the potential impacts that a data privacy risk could have to the organization. It covers considerations for the type of data that the organization is processing, the type of processes that are being used to interact with customers and employees that deal with private data, and also, of course, all the type of technologies that are out there and the effectiveness of those to protect the data.
So the way we tackle this problem with clients, again, first, looking at a top-down approach, thinking about the key data privacy risks and impacts that the organization could have, potentially looking at areas such as where are bulk data stores being used? What type of data are we actually holding about clients, about customers, about the employees? And all of these things do play a role in helping the organization to sort out the chaos and the uncertainty that exists.
The other approach that we take our clients along is a journey around the data lifecycle of the organization. So this is looking at the data from cradle to grave from the time that the data enters the organization to the way it is used, the way it is shared and managed, and ultimately, the way that data is retained and potentially removed. And at each of the stages, we believe it's important for the organizations to look at the data privacy controls, the measures, the policies, throughout the life cycle and tackle each of those in step in order to manage this particular risk.
So one of the primary areas is around access control and providing a level of ability as well as enforcing segregation of duties for those users in the organization that have access to private data. So we see that as one of the fundamental cornerstones to think about. Obviously, the area of data governance is also really important, which extends beyond identity but also into managing the data and getting visibility about who has access to that data, specifically if that data contains private records and information.
We also do see that identity and access management can be an enabler to help organizations through the data privacy regulations. And one example is in the area of consent, where companies are required to obtain re-consent from their customers about the way that they use that data. And identity solutions can play a role in re-obtaining some of that consent when, for example, users log in to the services that they have to offer.