Privacy legislation is created based on ideal scenarios that don’t consider how legacy systems handle information. While smaller organizations often have a simple enough environment where they can identify and modify key systems, large multinationals are rarely afforded the same opportunity. Large organizations may have trouble just identifying all active systems and what’s in them. Or they have a business-critical reason for using a legacy system that cannot comply with the requirements of privacy legislation.

Listen to the recording above for this anonymized case study covering a large, multinational organization in a highly regulated environment and its project to implement EU General Data Protection Regulation–based privacy retention requirements in a large-scale IT environment with thousands of systems of all types, ages and characteristics.

In this session we will cover:

  • Identifying and quantifying GDPR requirements in a large-scale IT environment.
  • Identifying relevant stakeholders.
  • Developing priorities for large numbers of data types across a multitude of information systems.
  • Determining with reasonable certainty what personally identifiable information data types reside in what systems.
  • Determining the level of remediation — from complete, literal legal compliance to nothing-is-possible — for each system.
  • Building consensus among the stakeholders.
  • Negotiating a mutually acceptable go-forward strategy.
  • Negotiating agreed-upon outcomes with system owners and custodians.