MDM GDPR Consent Mastering - Informatica

Transcription

MDM GDPR Consent Mastering. Kamal Abrol, Customer Success Technologist

Housekeeping Tips
Today’s webinar is scheduled to last 1 hour including Q&A.
All dial-in participants will be muted to enable the speakers to present without interruption.
Questions can be submitted to “All Panelists” via the Q&A option and we will respond at the end of the presentation.
The webinar is being recorded and will be available to view on our INFASupport YouTube channel and Success Portal. The link will be emailed as well.
Please take time to complete the post-webinar survey and provide your feedback and suggestions for upcoming topics.
Informatica. Proprietary and Confidential.

Success Portal: https://success.informatica.com
Learn. Adopt. Succeed.
Bootstrap product trial experience
Enriched onboarding experience
FREE product learning paths and weekly expert sessions
Informatica Concierge with chatbot integrations
Tailored training and content recommendations

Safe Harbor
The information being provided today is for informational purposes only. The development, release, and timing of any Informatica product or functionality described today remain at the sole discretion of Informatica and should not be relied upon in making a purchasing decision.
Statements made today are based on currently available information, which is subject to change. Such statements should not be relied upon as a representation, warranty or commitment to deliver specific products or functionality in the future.

Disclaimer
Compliance with the GDPR will be based on the specific facts of an organization’s business, operations and use of data.
This presentation provides a set of discussion points that may be useful in the development of an organization’s GDPR compliance efforts, and is not intended to be legal advice, guidance or recommendations.
An organization should consult with its own legal counsel about what obligations they may or may not need to meet.

Agenda
GDPR Nutshell - Why, When, Where, What?
Business Implications (Data Protection EU/Non EU)
Unleashing power of MDM with governance
Consent Data Services and Architecture
Live Consent Mastering demo - Informatica Solution Covering All

GDPR nutshell
WHY? GDPR is about harmonization of protection of personal data in regard to its processing ways and also increase powers of subjects/authorities to take action against non compliant business.
WHEN?
WHERE? All 28 EU member countries. EU business, organizations, authorities, nonprofit organizations. Business outside EU processing personal data about EU citizens.
WHAT? Protection of personal data through individual consents via organizational, administrative or technical means and provide evidence of that protection.

The Big Picture: Key changes of the GDPR
Tough penalties: fines of up to 4% of annual global turnover or €20M. Previously fines were limited in size and impact. GDPR fines will apply to both controllers and processors.
Affirmative & Retractable Consent: consent for processing personal data must be clear, context based and must seek an affirmative response. It must be as easy to withdraw consent as it is to give it.
Right to be Forgotten: data subjects have the right to be forgotten and erased from records, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Breach Notification within 72 Hours
Borderless Scope: regulation also applies to non EU companies that process personal data of individuals in the EU.

GDPR
Definition: Do you know what data you hold, who has access to it, and for what purpose?
Discovery: Do you know where all your in-scope data is?
Execute (Manage, Protect & Monitor): Do you know how you will protect your data and apply appropriate controls? Do you know how you will manage consents and enacting rights?

Informatica Data Governance & Compliance Solution for GDPR
Definition: Data Governance - Informatica Axon
Discovery: Sensitive Data Discovery & Risk - Informatica Secure@Source
Execute (Manage, Protect & Monitor): Archiving & Anonymization - Informatica Data Masking & Archiving; Subject Rights & Consent Mastering - Informatica Master Data Management

GDPR Perspective - Why MDM needs DG?
MDM: Discovery & Profiling; Cleansing & Duplication; Master/Ref Data Maintenance
Governance: Provide Rules guidance; Roles & Responsibilities; Create & Enforce Compliance, Policies; BPM/Workflow (ActiveVOS); Decision rights; Arbiters & Escalation; Measurement & Monitoring; Data Publish/Sharing; Standardized Methods and Data Definitions; Track Progress; Lineage/Statistics; Execution Analysis/Monitoring; Provide Feedbacks

Enforcing Governance - Informatica Solutions
Subject Rights and Consent Compliance: Do you know whether you have consent to hold and use this data? Do you know how you will protect your data and apply appropriate controls?
Enforcing GDPR process & Consent Mastering via C360 10.4
IT should not own DG program. Business should be key drivers of DG program while IT as participating member laying down MDM/DQ frameworks.
IT Business collaboration via MDM BPM Workflows (ActiveVOS)

Business implications (GDPR - a big shift in management of Consent)
In past: Opt-in, Opt-out flag. “I only know that somewhere, somehow and sometime I got the consent to use the data.”
Now: Consent is not just an Opt-in/Opt-out flag. I need to provide: consent proofs (accountability); privacy by default; controllers; purposes; policies; retention periods; share with 3rd party; audit; history; cross border policies; portability to other parties; portability from other parties; withdrawal, rectification, objection and access rights; right to be forgotten; anonymization; “in behalf of” data; unstructured data (i.e. images); single view of person.
WHY: The purpose for which the consent was collected.
WHEN: The time I need the data stored for that purpose. Typical default is 6 months.
WHAT: What data needs to be collected for that purpose.


Expanded GDPR Rights achieved with MDM
Right to object; right to prevent automated processing, including profiling; right to be informed; right to erasure (RTF); right to data portability; right to restriction; right to rectification; right of access, including additional processing details.
Other MDM functionalities required/wanted for GDPR:
Security? Role & processing-purpose specific layouts.
Metadata? Special care (with additional metadata) when:
Subject is a child: a proof with the consent of the parents should be provided.
Shared cross borders outside the EU: we need a special consent of the subject, we need to inform the destination country, we have to respect the laws.
Shared with 3rd party providers: we have to inform the subject what the 3rd party is and specify how he can apply his rights to that party.
Audit? Complete consent lineage, log the personal data usage.

Introduction: GDPR non-MDM functionalities
Other functionalities required for GDPR that we do not intend to cover with MDM:
Data breaches: in case a data gap occurs, the affected subjects have the right to be informed. It’s more a forensic task.
Policy definition: a clear definition of the GDPR data governance policies, actors and taxonomies should be done. AXON is more suitable for that.
Consent evidence: we must store the proof of the consent. For example, if the customer filled in a form with his personal data and consents, we have to keep a copy of the form, or if the customer gave us his data through the call center, we should record it. Typically a content manager tool can be used for this. The URL with the proof can be stored with the MDM’s consent.
Data anonymization: when the erasure right is applied by a subject, we can delete the data or anonymize it. To anonymize, we can use a simple rule (i.e. replace the last 4 digits of the phone by XXXX), or use data masking tools.
Archiving: if we don’t have the consent or the consent has expired, we can still store it for historical purposes. A data archiving tool can be used.

DPO Intro - GDPR Consents as a Competitive ss
Data as a Risk; Consents Mastered; Data as an Asset

Information Challenge: Where to manage consents?
Using an existing application (i.e. CRM) to try to centralize consents is not a good idea: consents should exist for ALL sensitive information and for ALL processes.
Need to adapt “N” applications
No single view
No consents related
Consistency compromised
Rights not synchronized
(Diagram labels: HR, CRM, Sales & Marketing, External Vendor Providers, Billing, ERPs.)

Subject Rights and Consent: built upon MDM
(Diagram labels: CRM, Master Data Management, ERPs, Employees, Data Quality, 3rd Party Data, Channel Management, Customer, Account, Contact.)

Example: Consent Data Services
Omni-Channel Consent Capture; Consent Data Model & Subject 360; Consent Distribution / Lookup
(Diagram labels: CRM, Web, Name, Address, Party.Consent, MDM, SRC, Staff, Personal & Consent Storage, Core, Finance, Marketing.)

Simplified MDM Consent and Rights Data Model
Two areas: Consent Policy (loaded from DG tool); Store & Enacting Consent.

PARTY: Subject ID (PK), (Subject non-sensitive data), Forgotten Flag, Anonymized Flag, Child Flag, Portability Flag, Processing Objection
Note: Golden Record of the subject. That is not tied to consents, so if you include sensitive info, it can only be used for statistics.

Personal Data (1-N): Personal Data ID (PK), Subject ----, Tax ID, -------------, Phone
Note: Personal data tied to the consents. Include here all 1-1 personal info. Typically one BO per contact method (i.e. phone, electronic address, address

PersDat Consent Rel (1-N): Personal Data Id, Consent ID, Opt-in flag

GDPR Consent: Consent ID (PK), Subject ID (FK), Purpose ID (FK), Retention End Date, Consent Flag, Consent Proof URL, Consent Proof Type

GDPR Consent Policy: Policy ID (PK), Controller ID (FK), Policy Desc, Purpose Type (FK), Legal Basis (FK), Policy Version, Retention Years, Retention Months, Retention Days, Share 3rd Party Flag, Cross Border Flag, Country In, X-Border Country Out, Enabled flag, Portability From

GDPR Policy Text: Purpose Text ID (PK), Purpose ID (FK), Language ID (FK), Policy Short Text, Policy Long Text

GDPR Controller: Controller ID (PK), Controller Desc, Is External Flag
Note: Controller is the self organization, a 3rd party provider or a Business Unit.

GDPR Third Parties: Third Party ID (PK), Third Party Type (Processor / Receiver)

LU GDPR Legal Basis for processing: Consent Type ID (PK), Consent Type Desc
Note: Explicit Consent, Legitimate Interest, Regulation, Legal Obligation, Vital Interest, Public Interest, .

LU GDPR Purp Types: Purpose Type ID (PK), Purpose Type Desc
Note: Sample of purpose types: Invoice, Advertisement, Logistics, Alerts/Information, etc.

LU Consent Proof Types: Purpose Type ID (PK), Purpose Type Desc
Note: Sample of consent proof types: Subject IP, document scan, voice recording, etc.
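Added example (not part of the original slides and not Informatica code): a deny-by-default, purpose-based lookup over the PARTY, GDPR Consent and PersDat Consent Rel entities of the model above. The Python names mirror the slide's field names; the check order, the rule that subject-level flags override individual consents, the reason strings, the proof URLs and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Party:                      # PARTY golden record (subset of its flags)
    subject_id: str
    forgotten_flag: bool = False
    processing_objection: bool = False

@dataclass
class Consent:                    # GDPR Consent
    consent_id: str
    subject_id: str
    purpose_id: str
    retention_end_date: date
    consent_flag: bool
    consent_proof_url: str

@dataclass
class PersDatConsentRel:          # PersDat Consent Rel (1-N)
    personal_data_id: str
    consent_id: str
    opt_in_flag: bool

def may_use(party, consents, rels, personal_data_id, purpose_id, today):
    """Return (allowed, proof URL or denial reason) for one item and purpose."""
    # Assumption: subject-level flags override every individual consent.
    if party.forgotten_flag or party.processing_objection:
        return False, "blocked by subject-level flag"
    reason = "no consent for purpose"
    for c in consents:
        if (c.subject_id, c.purpose_id) != (party.subject_id, purpose_id):
            continue
        if not c.consent_flag:
            reason = "consent withdrawn"
        elif c.retention_end_date < today:
            reason = "retention expired"
        elif not c.consent_proof_url:
            reason = "no consent proof"      # accountability: proof must exist
        else:
            rel = next((r for r in rels if r.consent_id == c.consent_id
                        and r.personal_data_id == personal_data_id), None)
            if rel is None:
                reason = "item not tied to consent"
            elif not rel.opt_in_flag:
                reason = "item opted out"
            else:
                return True, c.consent_proof_url
    return False, reason

# Constructed sample data, loosely following the demo subject.
JIM = Party("S1")
CONSENTS = [
    Consent("C1", "S1", "ADVERTISING", date(2018, 6, 1), True, "https://proofs.example/c1"),
    Consent("C2", "S1", "INFORMATION", date(2018, 6, 1), True, "https://proofs.example/c2"),
]
RELS = [PersDatConsentRel(*t) for t in (
    ("PHONE-1", "C1", False), ("PHONE-1", "C2", True), ("EMAIL-1", "C1", True))]
```

Returning the proof URL on success lets a consuming application log the evidence alongside each use of the data.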

Subject Rights and Consent Architecture
Consent Capture (customer channels): Web, Mobile, Apps, Portals
Consent and Rights Management: Rights Management (SAR, RTBF); Subject 360 (MDM); BPM; History, XREF, Hierarchy, Lineage, Audit, Security; Orchestration
Distribution: Data Integration, Cloud Integration, ESB, Pub / Sub, Services

Industry Accelerator: Prebuilt templates to speed up implementation
Industry Accelerators; Prebuilt Data Models
GDPR – SUBJECT RIGHTS AND CONSENT ACCELERATOR (New)
Single view of the subject
Store consents and sensitive data
Provide purpose-based perspectives to the consuming applications
Enacting rights: access, rectify, objection, portability, right to be forgotten
* Partner Led

GDPR Consent Mastering Demo

Entering Data & Consent from Apps: Mock Applications

Hello. I’m Jim Tailor, and I want to join the Wembley’s Airlines frequent flyer program, so I’ll click on the “register” button.

The webpage asks for my personal data, so I’m typing it. Note I’m using my nickname and personal email address, also the 69 Old Broad Street address (continues next slide).

At the bottom I got four different consent policies. I’ll accept the first three: I allow Wembley to send me information from the loyalty program, I accept to receive offers, and also the newsletter. But I don’t want my data to be used for analytical usage.
Note: policies and texts are fully configurable; those are just for demo purposes.

Now I want to get an invoice of a flight I did two months ago, so I call Wembley Airlines’ Customer Service. In that case I give my given name, VAT Number, the work email address and my Company’s address. In that case, I don’t need to give consent, as invoicing doesn’t require an implicit consent.

Data Steward Viewing Data & Consent: MDM Entity 360

I’m Wembley’s Data Steward. I’m receiving a complaint from James Tailor, because he is receiving offers into his phone, and he doesn’t want it. Let’s log into Informatica Data Director (MDM data stewardship solution) to see what’s going on.

Using MDM smart search capabilities, I get easily results based on any data I got from James Tailor to identify him (name, phone, address, etc.) in a Google-like search. Let’s open it to see his details.

I can see this person exists both in the CRM and in the Billing systems. Nice! From here I’ve the complete 360º view of this customer. I can see he has 1 address, 1 phone number, 2 names, 2 email addresses. I can see he has accepted 4 consent policies.

I’m clicking on the loyalty program advertising policy to see that I got the consent to use his data till 1/6/2018 for advertising. I even have a proof of the consent (the IP address he used to register into the loyalty program).

At any moment I can see details of this consent policy: version, retention periods, data scope, lawful basis for processing, legal text, to what third parties it can be shared, etc. Those policies are created and maintained by the legal department, directly here, or can be loaded from any policy management tool.

Going back to the customer view. Clicking on the phone, I can see it is correctly attached to the policy. I can use the phone to give him information and for advertising.

I’ll edit the record and opt-out the phone for advertising, so he will not receive more calls for this purpose.

I can review other data associated with James Tailor. For example, I can see the address is common for the loyalty program and invoicing.

For the electronic address, I got 2 different emails. This email can be used for advertising, information and newsletters (through ACME’s Company). This other email can be only used for invoicing purposes.

As Data Steward, I can see all the traceability of the data, knowing where it came from, just selecting the Cross Reference view. Here is the data coming from the Loyalty system. Here is the data coming from the Billing system.

On the History view I can see all changes that happened on the data. For example, here I can see the opt-out I just did. I can see the date of the update, what was the previous value, the user that made the update, etc.

Ok, problem solved! This customer will no longer receive advertising calls. This interface gives me all the info I need. Also here I can directly enact the rights of my customer: cancel, rectify, portability, object to processing, object on any action, right to be forgotten (we will see this later), etc.

Right to be Forgotten & Portability workflows: ActiveVOS (MDM BPM Option)

I’m the Wembley’s DPO, and we got a certified letter from James Tailor requesting his right to be forgotten. OMG! That means I’ve to search in our 50 different apps where we have personal information to see if James Tailor exists? No! Fortunately we got Informatica MDM, and we have all our subjects centralized there.

All I’ve to do is to search the person from here, edit, and check the “Forgotten Flag” checkbox. When I save, that will trigger a workflow, as the RTBF requires extra verifications.

I’m the Contact Manager and I got an email with the RTBF request automatically generated by the MDM system. Clicking on a link, it will open my dashboard.

Here is my list of tasks. I’ve several RTBF and Right of Portability to approve. I’ll open the task related to Jim Tailor.

Ok, I’ve verified this customer has no debts and no active services, so I’ll approve his RTBF request. Otherwise I can cancel the request (I’d write a justification and the DPO would get a notification), or escalate the request to someone else.

That is the view of the workflow that has been executed. That was my review step. Data have been archived in a secure storage system. Data have been deleted from all applications where that person existed. Record has been masked in MDM.
The workflow is fully configurable. We can have extra reviews, other strategies, etc.; that’s just an example.

If someone tries to open James Tailor’s record, he will just get masked information. That flag indicates the data have been anonymized.

Enacted rights are recorded. With the workflow ID it is easy to track who managed each right, and see all the details of the process.

With MDM Subject 360, all personal data and consents are safely secured, audited, historified and managed in a centralized and consistent way.
It can be used for all our subjects, not only customers and prospects, also employees, visitors, ...
The GDPR consent & rights compliance is managed from MDM; a minimal adaptation of the applications is required!

Speaker: KAMAL ABROL, Kabrol@informatica.com
Q/A Panel: Dilip Yeluguri, dyeluguri@informatica.com

References
MDM GDPR Consent Mastering - Federico Alonso, falonso@informatica.com
https://network.informatica.com/
GDPR – EU General Data Protection Regulation, Anna Borg – KnowIT
Personal Data Definition - Protiviti
Data Governance program - Intricity
https://infawiki.informatica.com/
