Driving Business Value Through Data Management Roni Schuling Enterprise Data Architect Classification: Internal Use
Agenda Principal Overview • Our approach to Privacy Regulations • Pursuit of Intentional Cultural Change • 2 Classification: Internal Use
139 years strong 2003 2003 2007 2007 1998 1998 1941 1941 Post Morley 1990 1990 Principal Bank; Group Advisory Mutual Holding Health & Group Principal 2005 2005 Co Pension Intl 2001 2001 2016 2016 China 2011 2011 1970s 1970s CCB Introduced Spectrum ; HSBC Afore; Principal; global 1911 1911 Defined 1996 1996 Principal Finisterre; Origin brand Columbus Contribution Mutual Financial Principal Circle 2013 2013 Life Co Group Hong Kong IPO Liongate 1995 1995 2010 2010 2002 2002 Principal BrasilPrev 2008 2008 2017 2017 1879 1879 1968 1968 Chile JV Extension Benefit Malaysia Mexico Life Mutual Consultants CIMB-Principal 1997 1997 2012 2012 MetLife Afore Assoc Funds Inc; Total Islamic Brazil Retirement Claritas; Principal Asset Mgmt Bb Seguridade JV Suite SM Mexico Cuprum 1936 1936 1999 1999 2006 2006 Mortgage 2015 2015 Brazil Banking/ Washington BrasilPrev JV; AXA Hong Kong Commercial Mutual Funds; India Pension Mortgage WM Advisors Principal Asset Mgmt Co (India); Principal Global Investors Classification: Internal Use
4 Asset management, retirement savings, risk protection Asset management, retirement savings Asset management Classification: Internal Use
Four distinct businesses Retirement U.S. Insurance Principal Global Principal & Income Solutions Solutions International Investors Classification: Internal Use
Headquarters: Des Moines, Iowa Classification: Internal Use
Our Approach to Privacy Regulations Classification: Internal Use
Phase 1: GDPR – Global Data Protection Regulation Gold Standard Permanent Shift Individual for Privacy in Table Stakes Privacy Rights Regulations 8 Classification: Internal Use
Phase 1: GDPR Focus - Risk Based Prioritization Controls: What new expectations do we want to state? Table Top: What is our workflow/ process when we get inquiries? Remediation: What needs to change? Lawful Basis: Why do we have it? Data Flows: How is it moving? Inventories: Where is our data? 9 Classification: Internal Use
Data Flows: How is it moving? Remediation: What needs to change? Only Traditional Data Protection Exists • • Reduced consent Targeted for explicit requirements for analytics consent requirements • • Simple access controls Extensive, intertwined, access controls • • Anonymized data out of All instances of data in GDPR scope scope • • Decryption auditing All lineage work required supplemented lineage extensive manual effort 10 Classification: Internal Use
Controls: What new expectations do we want to state? Attribute Obfuscation Expectations 11 Classification: Internal Use
Phase 2: GDPR Priority….. And US Regulations on the periphery Continue iterations… • Finish lower risk EU data flows • Begin inventory work for US data • Set a multi-year plan in motion to raise the table-stakes around our data management practices. 12 Classification: Internal Use
Phase 2: U.S. Privacy Regulations (and finish GDPR work as well) Flips focus on it’s head: • California Privacy Regulation is a BIG deal!! • The litigation risks are greater than the regulatory fines. • It’s just the beginning – other states are following • We don’t have ‘years’ to change….we have 10 -12 months!! 13 Classification: Internal Use
What’s important to get right first? What do the next steps really look like? Plan to take time to practice! 14 Classification: Internal Use
Pursuit of Intentional Cultural Change Classification: Internal Use
Holistic Approach Define the horizon Full Data Flow It’s a balancing act Big regulations Every Individual 16 Classification: Internal Use
Regulation Policy The controller or processor should Use attribute-level encryption at the evaluate the risks inherent in the application layer to protect sensitive processing [of personal data] and and personal data. Microfocus Voltage implement measures to mitigate is the enterprise selected tool for those risks, such as encryption. attribute-level encryption. Data protection must be Any new solutions (i.e. greenfield, considered at the design stage of cloud, third party sharing) will align any new process, system or with the new Privacy controls. technology. Lawful Basis: There is a Lawful Basis: Eliminate the use of legitimate interest to have clear-text, sensitive and personal data clear-text production data in in testing environments . testing environments. 17 IT Governance: GDPR Overview One of my favorite resources -- Classification: Internal Use
Stakeholder Management Plan Board of Directors want assurance of our ability to be compliant. CEO accountable to board…sets business Keep Satisfied Manage Closely strategy to continue to differentiate by our customer focused, ethical choices. CDO, CISO, CPO raise expectations and set new privacy controls and policies in place. (want aggressive advancement) Power Influencers CIOs and Presidents make funding and priority decisions about what gets worked on. (think we are fine as we are now) Enterprise Architects advise CIOs & Presidents. Business Risk Officers and Engineers Monitor Keep Informed influence behaviors of front-line leaders. • Regulators adjust regulation All employees responsible for changing • Courts take enforcement actions how they approach the use of data. against other companies (resistant to changing their access to data) Interest 18 Classification: Internal Use
Q? Schuling.roni@principal.com www.linkedin.com/in/ronischuling @schules304 Thank you Classification: Internal Use
Recommend
More recommend
