Driving Business Value Through Data Management, Roni Schuling, Enterprise Data Architect (PowerPoint presentation)



SLIDE 1

Classification: Internal Use

Driving Business Value Through Data Management

Roni Schuling

Enterprise Data Architect

SLIDE 2

Agenda

  • Principal Overview
  • Our approach to Privacy Regulations
  • Pursuit of Intentional Cultural Change

SLIDE 3

139 years strong

  • 1879: Life Assoc
  • 1911: Mutual Life Co
  • 1936: Mortgage Banking/Commercial Mortgage
  • 1941: Group Health & Pension
  • 1968: Mutual Funds
  • 1970s: Defined Contribution
  • 1990: Principal Intl
  • 1995: Principal Chile
  • 1996: Principal Hong Kong
  • 1997: Principal Mexico
  • 1998: Principal Bank; Mutual Holding Co
  • 2002: Benefit Consultants Inc; Total Retirement Suite SM
  • 2003: Post Advisory Group
  • 2006: Washington Mutual Funds; WM Advisors
  • 2007: Morley
  • 2008: Malaysia CIMB-Principal Islamic Asset Mgmt
  • 2010: BrasilPrev JV Extension
  • 2011: HSBC Afore; Finisterre; Origin
  • 2012: Claritas; Cuprum
  • 2013: Liongate
  • 2015: AXA Hong Kong Pension
  • 2016: Introduced global brand
  • 2017: Mexico MetLife Afore Brazil Bb Seguridade JV
  • 1999, 2001, 2005 (entries not aligned to individual years in the extracted text): Principal Global Investors Brazil BrasilPrev JV; India Principal Asset Mgmt Co (India); Columbus Circle Principal Financial Group IPO Spectrum; China CCB Principal

SLIDE 4

  • Asset management, retirement savings, risk protection
  • Asset management, retirement savings
  • Asset management

SLIDE 5

Four distinct businesses

  • Retirement & Income Solutions
  • U.S. Insurance Solutions
  • Principal Global Investors
  • Principal International

SLIDE 6

Headquarters: Des Moines, Iowa

SLIDE 7

Our Approach to Privacy Regulations

SLIDE 8

Phase 1: GDPR – Global Data Protection Regulation

  • Gold Standard for Privacy Regulations
  • Individual Privacy Rights
  • Permanent Shift in Table Stakes

SLIDE 9

Phase 1: GDPR Focus - Risk Based Prioritization

  • Inventories: Where is our data?
  • Data Flows: How is it moving?
  • Lawful Basis: Why do we have it?
  • Remediation: What needs to change?
  • Controls: What new expectations do we want to state?
  • Table Top: What is our workflow/process when we get inquiries?

SLIDE 10

Data Flows: How is it moving? Remediation: What needs to change?

Only Traditional Data Protection Exists

  • Reduced consent requirements for analytics
  • Simple access controls
  • Anonymized data out of GDPR scope
  • Decryption auditing supplemented lineage

  • Targeted for explicit consent requirements
  • Extensive, intertwined, access controls
  • All instances of data in scope
  • All lineage work required extensive manual effort

SLIDE 11

Controls: What new expectations do we want to state?

Attribute Obfuscation Expectations

SLIDE 12

Phase 2: GDPR Priority... and US Regulations on the periphery

Continue iterations…

  • Finish lower risk EU data flows
  • Begin inventory work for US data
  • Set a multi-year plan in motion to raise the table-stakes around our data management practices.

SLIDE 13

Phase 2: U.S. Privacy Regulations

(and finish GDPR work as well)

Flips focus on its head:

  • California Privacy Regulation is a BIG deal!!
  • The litigation risks are greater than the regulatory fines.
  • It’s just the beginning – other states are following
  • We don’t have ‘years’ to change... we have 10-12 months!!

SLIDE 14

  • What’s important to get right first?
  • What do the next steps really look like?
  • Plan to take time to practice!

SLIDE 15

Pursuit of Intentional Cultural Change

SLIDE 16

Holistic Approach

  • Define the horizon
  • Full Data Flow
  • Big regulations
  • Every Individual
  • It’s a balancing act

SLIDE 17

Regulation Policy

  • The controller or processor should evaluate the risks inherent in the processing [of personal data] and implement measures to mitigate those risks, such as encryption.
  • Use attribute-level encryption at the application layer to protect sensitive and personal data. Microfocus Voltage is the enterprise selected tool for attribute-level encryption.
  • Data protection must be considered at the design stage of any new process, system or technology.
  • Any new solutions (i.e. greenfield, cloud, third party sharing) will align with the new Privacy controls.
  • Lawful Basis: There is a legitimate interest to have clear-text production data in testing environments.
  • Lawful Basis: Eliminate the use of clear-text, sensitive and personal data in testing environments.

One of my favorite resources -- IT Governance: GDPR Overview

SLIDE 18

Stakeholder Management Plan

Grid labels: Keep Satisfied; Manage Closely; Monitor; Keep Informed; Influencers

Axes: Power; Interest

  • Board of Directors want assurance of our ability to be compliant.
  • CEO accountable to board… sets business strategy to continue to differentiate by our customer focused, ethical choices.
  • CDO, CISO, CPO raise expectations and set new privacy controls and policies in place. (want aggressive advancement)
  • CIOs and Presidents make funding and priority decisions about what gets worked on. (think we are fine as we are now)
  • Enterprise Architects advise CIOs & Presidents.
  • Business Risk Officers and Engineers influence behaviors of front-line leaders.
  • All employees responsible for changing how they approach the use of data. (resistant to changing their access to data)
  • Regulators adjust regulation
  • Courts take enforcement actions against other companies

SLIDE 19

Thank you

Schuling.roni@principal.com
www.linkedin.com/in/ronischuling
@schules304

Q?