LetsTalkAboutData

Let's Talk About Data
How can businesses realise a competitive advantage implementing regulations on #Mainframe platforms?
Dez Blanchfield
Q2: What are the biggest gaps for firms in preparing for #GDPR? Is there an opportunity here for new #technology? @dez_blanchfield @evankirstel @Kevin_Jackson @CAMainframe
http://www.via-cc.at...

Kevin L. Jackson - (ISC)2 CCSP, Swansea, UK
A2. Data classification. It only gets harder from here if you don't classify your data based on contractual requirements, data sovereignty, PII, sensitivity and regulatory requirements.
Evan Kirstel
Each organisation works differently. In some, enterprise architects may be directly responsible for ensuring #GDPR #compliance. In others, architects may not have even been invited to the party. So the first thing for architects to do is buddy up!
Kevin L. Jackson - (ISC)2 CCSP, Swansea, UK
A2. You also need classification in order to effectively use SIEM. Check out https://www.ca.com/u...
Evan Kirstel
You must prioritize which #GDPR requirements to tackle first!
Craig Mullins
I agree with @kevin_jackson - how many orgs even know what all their data is (lack of metadata) to know what must be in compliance with GDPR. That is a big task to tackle!
Christopher Penn #THINK2018 Speaker
Data identification and unification. Virtualization of data to put everything in a seemingly local interface will let data architects find and identify data faster.
Jeff Cherrington
@Kevin_Jackson Kevin, what constraints are mainframe data centers facing when attempting to classify the unclassified accumulation of data from the decades the mainframe has been in use?
Dez Blanchfield
- so many companies are still seeming to struggle with just developing a basic Vocabulary and Language to even discuss the issues - I think for many just starting the conversation is a major 1st step ;-)
Dez Blanchfield
- and of course there's the fact that we now only have 55 left to actually get compliant ;-)
Chip Mason
@craigmullins Identifying and classifying data is the best first step to GDPR compliance. You need to know where your risk might be.
Jeff Cherrington
Days until GDPR goes into effect https://howmanydayst...
Tripp Braden
It's about not having the right people focused on the critical activities, priorities and budget for the #GDPR challenge
Craig Mullins
@Kevin_Jackson If only people had adopted and actually used Metadata Repositories like CA Repository!
Christopher Penn #THINK2018 Speaker
from a marketing perspective, pivoting from PII to behavioral data is also a major step needed. Reduce dependence on collected data from customer records.
Marcel Mitran
Data classification and life-cycles are incredibly complex and living beast. In general you need to trade-off agility and innovation for control and management. Less than ideal!
Jeff Cherrington
Classifying data is critical for privacy, articles 25 & 32, and for right to access, article 15, right to be forgotten, article 17, and right to data portability, article 20
Ravi Patil
A2. Hoping firms do not wait for major fines to be levied before taking action on #GDPR.
Chip Mason
And don't forget, GDPR is not limited to EU companies. Many US companies have signed Commerce Dept Privacy which puts them under the regulation
Shira Rubinoff
basic overview - for those unsure... According to GDPR orgs must: 1) only process data for authorized purposes 2) ensure data accuracy and integrity 3) minimize users identity exposure 4) implement data security measures
Tripp Braden
The larger elephant in the room is who will be held responsible for missing deadline, the CEO, Board or CIO? Will their stock price take a hit? #GDPR
Tony Flath 🎙 Podcast
Craig @craigmullins on the metadata point do you see converged data being more efficient and what role does #blockchain play here? @kevin_jackson #LetsTalkAboutData
Christopher Penn #THINK2018 Speaker
@TrippBraden That's a huge elephant. Everyone with P&L responsibility has a stake in #GDPR compliance.
Craig Mullins
@TmanSpeaks There may be more metadata available for converged data
Craig Mullins
@TmanSpeaks Not really sure how blockchain could help us to identify and classify all of our existing data
Shira Rubinoff
stats indicate that 65% of organizations will fail to meet GDPR deadlines - @TrippBraden who is responsible? I believe that the responsibility will vary per organization - but the finger will be pointed across the C- channels
Bud Walder
maybe an opportunity for a new GDPR insurance policy!
Tony Flath 🎙 Podcast
big gaps all over! Totally an opportunity to modernize for example move to the #cloud for the love of god, please move to the #cloud as part of the #GDPR migration plan. Amazon have been pumping it out there #GDPR as are other big #cloud providers #LetsTalkAbout
Shira Rubinoff
@kwwalder will happen - similarly to having a Cyber insurance policy
Elena Carstoiu
Chip, #GDPR is for all companies around the world that handle personal #data of European citizens. It doesn't really matter if they signed anything or not. How will EU enforce it, that's another discussion
Tony Flath 🎙 Podcast
@craigmullins I was just more future thinking and effective data management with global #metadata but I'd leverage you and Dez on that front! #LetsTalkAboutData
Evan Kirstel
@TrippBraden planning planning planning
Chip Mason
@TmanSpeaks AMZ has a great solution, but for mainframe, no need to move the data. Keep it in place and identify risk of PII with CA DCD https://www.ca.com/u...
Craig Mullins
@Kevin_Jackson Interested to learn how Kevin?
Shira Rubinoff
Biggest gaps are budgets - as well as time factors. There are many areas the companies have to tighten up on - in order to get there budgets have to be allocated first
Craig Mullins
@Kevin_Jackson Certainly looking-forward but not really helpful for identifying and categorizing existing data - perhaps I was focusing my thoughts too narrowly
Chip Mason
@TrippBraden Consensus seems to be that as long as you can prove 'significant effort' there will be leniency on compliance. But if you have a breach: the hammer will fall!
RADAR
Meeting the 72-hr notification timeframe will be a real challenge for US orgs, as most US laws allow for 30-45 days or even more vaguely "most expeditious time possible." 72 hrs will feel like a sprint in comparison! Automation can streamline the process.
Tripp Braden
@evankirstel Maybe a ready, fire, aim strategy might be more appropriate given the current status of their planning
Kevin L. Jackson - (ISC)2 CCSP, Swansea, UK
@jcherrington The challenge is in enforcing enterprise IT governance.
Dez Blanchfield
Q4: How has #datasecurity and #dataprivacy regulation shaped the digital economy? @dez_blanchfield @evankirstel @Kevin_Jackson @CAMainframe
http://www.via-cc.at...

Evan Kirstel
#GDPR as a wider opportunity to transform the way that you handle data and manage risk and compliance, and can serve as a catalyst that will put your org in better shape to compete in the digital economy!
Christopher Penn #THINK2018 Speaker
Risk mitigation is the name of the game. Savvy companies need to think in terms of MVD: Minimum Viable Data. What's the least you need to be effective, rather than store & secure everything?
Kevin L. Jackson - (ISC)2 CCSP, Swansea, UK
A4. Data privacy is the new Y2K! Deal with it now or suffer greatly. #LetsTalkAboutData http://cainc.to/CGvL...
Craig Mullins
Tech advances at a rapid pace and legislation is always in danger of lagging behind
Christopher Penn #THINK2018 Speaker
The more #DarkData you have lurking in digital filing cabinets, the greater your operating costs, storage issues, and most of all security problems you have. #DarkData is company enemy #1.
Natalia Godyla
@cspenn Great perspective! Less is more.
Craig Mullins
One thought is that regulation might slow digital transformation
Kevin L. Jackson - (ISC)2 CCSP, Swansea, UK
A4. Effective action begins with data classification and digital rights management technology http://cainc.to/cNpN...
Priya Dewan Doty
@cspenn Which is why, with 70% of corporate data sitting on mainframe systems; it seems like ignoring that would make the risk profile increase!
Craig Mullins
To my way of thinking, #dataprivacy and #datasecurity regulations are needed to make us do the right thing instead of rocketing ahead at the speed of technology
Christopher Penn #THINK2018 Speaker
@craigmullins #DigitalTransformation would just be shaped by regulation, same as eCommerce reshaped with local tax laws, no?
RADAR
Privacy by design and by default has already seen an impact on how wearable technology and #IoT devices are developed and marketed. The public is getting savvy to privacy issues, and putting their money where their values are. #privacybydesign #gdpr
Chip Mason
@cspenn is it the data that should be minimized or the access? Least Access Policy enforcement should take precedence over convenience of IAM perhaps
Christopher Penn #THINK2018 Speaker
@cmason_CA Least Data. Hackers can't steal what doesn't exist.
Jeff Cherrington
@cspenn Industry stats show that data centers hold as much as 50% or more DarkData. Guilty -- I know there are data sets of PII lingering under my HLQ in test & QA from decades ago....
Tripp Braden
@cspenn All those things are true, but dark data may also be the source of ultimate competitive advantage and opportunity identification.
Craig Mullins
I am not a Luddite... I just think more thinking is needed before adoption
Christopher Penn #THINK2018 Speaker
@PriyaDewan Unquestionably re: 70% of corporate data on mainframes - and with fewer folks who can operate them well, greater security risks.
Chip Mason
@craigmullins Perhaps. But today, many cars sell because of safety, and Apple thinks privacy will sell phones. Different way of looking at the issue!
Christopher Penn #THINK2018 Speaker
@TrippBraden I sure hope so. @TrustInsights is kind of banking on that :)
Shira Rubinoff
Data is viewed as knowledge and power - the more of it you have the better off etc.. tough securing and storing has been a very big issue in the past year - Too many data breaches to count from some of the largest and most trusted companies out there. Much more
Shira Rubinoff
focus has to be put on data storage and security
Chip Mason
@cspenn Data is an asset (ask Facebook) Of course, one should remove unneeded data, I agree 100% with that
Craig Mullins
@cspenn Yes, good point. The speed of technology is getting ahead of us as a society and government is needed to assure reasonable adoption
Christopher Penn #THINK2018 Speaker
@cmason_CA That's a great perspective. Security & privacy are to data what safety features are to cars. Initially competitive advantages, and then mandatory minimum features for a viable product.
Tripp Braden
I'm not sure it really has, lots of talk but as we see with Facebook many of these organizations aren't concerned with what is the best interest of their users.
Jeff Cherrington
@craigmullins It's an axiom that technology goes through three stages: 1) make the darn thing work at all, 2) make the thing profitable to sell, and (oh, crap!) 3) make the bloody thing secure. We are suffering that curve with IoT right now -- building botnets from thermostats
Elena Carstoiu
Least #data won't cut it, must be combined with least access as well! #GDPR
Craig Mullins
@craigmullins ...we need good governance enacted in response to reasonable regulation to assure proper technology adoption that benefits society
Shira Rubinoff
It's not a one size fits all problem - specific security and thought needs to happen with each company before an implementation plan
Christopher Penn #THINK2018 Speaker
@TrippBraden Facebook is very much concerned with the best interest of its users and customers - the ADVERTISERS. We public folks are the product, and we don't count.
Mark Lynd 🎙
I would put @Shirastweet post directly above in BIG BOLD LETTERS. As data privacy largely becomes a risk mitigation issue for many companies. How much to spend protecting versus the potential damages. Then insure the rest. This often works out poorly for consumers.
Tripp Braden
As Yoda would say Don't Try do! Until organizations pay a larger price or consumers leave their platform about these issues. It doesn't seem rules matter to these people
Craig Mullins
@jcherrington Yes! And unfortunately the last step (no. 3) usually requires government coercion via regulations and legislation
Tony Flath 🎙 Podcast
A4) loaded question, Dez.... to date the internet has opened up service providers to public data from the public on #cloud platforms with the providers demanding user sign off on their data, well what a mess to date look at FB #GDPR required #LetsTalkAboutData
Shira Rubinoff
@TrippBraden FB API allowances were too loose and did not disclose their breach for 2 years. Unfortunately users were quick to click through user agreements - allowed all sorts of access to their data. A stop and pause is needed and tight security implemented
Tripp Braden
@cspenn Exactly, a breach in trust is just another bump along the road to increasing profits
Craig Mullins
Has anybody given some thought to how the immutability of transactions in blockchain is incompatible with the right to be forgotten in GDPR?
Christopher Penn #THINK2018 Speaker
@craigmullins Maybe Right to Be Forgotten will be a flag in the chain - you cannot use this transaction?
Shira Rubinoff
@mclynd YES - In flashing lights! :)
Kevin L. Jackson - (ISC)2 CCSP, Swansea, UK
@craigmullins IMHO The right to be forgotten will eventually lose in court
Mark Lynd 🎙
With @Shirastweet on this item, as FB has been called out too many times and tends to take any user agreements/consents to the very edge and sometimes further. They are not alone!
Shira Rubinoff
@mclynd seems to be the trend with "larger than life" companies. The hammer has to fall on one of these big companies for the others to take it all seriously
Marcel Mitran
#dataprivacy and #datasecurity will heighten the value of #data. The ability to harness that value with agility and ease will be key to driving better business outcomes and competitive advantages.
Mark Lynd 🎙
@craigmullins - That will be an interesting problem to solve, as it is likely that multiple parties will try to solve that problem with blockchain and they will probably take different paths. Immutability could end up having powerful legal concerns regarding GDPR and Consents.
Craig Mullins
@Kevin_Jackson Another issue to be decided in court perhaps: can the EU legitimately claim the right to govern its citizens' data that exists outside the EU?
Mark Lynd 🎙
@Shirastweet - No doubt about it. FB is only the beginning, but their defiance seems to be sparking a lot of discontent.
Tripp Braden
@Shirastweet Exactly, they were. I can't believe they didn't know it when they did it. Many gained from these looser standards
Shira Rubinoff
@mclynd very true - largest "monster" out there - views above it all. However people and are taking notice -- change has to happen