Data Governance in the CRM Framework
Running Order
• Session aims
• Introductions
• Setting the scene
• Exercises and Feedback
• Demo
Aims
• Stimulate thought about DG/IG
• Frame where it sits in a CRM strategy
• Answer questions you have
• Say, “we’re here”
• Give you some useful resources
• Work through some exercises
Absolute Data
• Firm of expert PDP Certified consultants
• Est. 2005
• First-hand senior-level commercial experience and public/third sector experience
• Project and retained work
• Salesforce CRM consultancy
Joe Colleran
Phil Brining
Setting the Scene
• NOT about
– Good/best/industry standard practice: following the herd
– Information security or IT
– Legals and lawyers: they only see half the picture
• Big mistakes: thinking that it's just about IT, trusting that "we have it covered", believing that it's someone else's problem.
• Definitions: "Governance", "Good Governance", "Assurance".
IT IS ABOUT GETTING DATA UNDER A STRUCTURED REGIME OF MANAGEMENT CONTROL.
Where IG sits in CRM strategy
[Diagram: the CRM system at the centre, with its data lifecycle activities (Acquire, Capture, Storage, Retrieval, Transfer, Enrich, MMP, Hygiene, Verify, Measure & Report, Back Up, Comms, Segment, Destruction), surrounded by the external and internal factors that shape information governance: Legislation, Technology, Competitors, Hackers/intruders, Customer expectations, Organisation culture, IT security measures, Policy and Procedures, Access controls, Budget, People and Skills, Legacy technology.]
IG Hierarchy
• Public Facing Docs: Notification, Privacy Policy, Fair Processing Notice(s), Cookie Policy ...
• Supply Chain Docs: Supply Agreements, down-stream supply agreements, Infosec checklist ...
• Internal Policy & Procedures: Retention, Infosec, Training, BYOD, Mobile, ...
Typical landscape
[Diagram: personal data scattered across the CRM, DBase, DBase2, DBase3, .xls files, back-ups, the cloud, web forms, email, retail, PP, etc.]
Governance principles
• British Standards Institute BS10012
• PDCA (Plan, Do, Check, Act)
• Four cornerstones
– Documentation (plan)
– Awareness (do)
– Audit (check)
– Risk Assessment (act)
Example Data Governance Tools
(arranged around the Plan, Do, Check, Act cycle)
• Documents/Policies
• Registers
• Risk Assessments
• Internal/External Audit
• Records/Logs
• Mystery Shopper
• Work Instructions
• Training & Awareness
• Infosec measures
• Corrective/Preventive Action
Case Study 1
• You are the CRM Manager of a National Sports Governing Body and you need to get your database of members cleansed. The database comprises both supporters and athletes. You believe there to be quite a few duplicate records in the data.
• You have obtained 3 quotes for the work:
– UK based GB Group £25,000
– US based DataMart $10,000
– India based DMP $5,000
• DMP have just completed a project for a similar organisation.
• DataMart intend to outsource the work to Uruguay.
1. Which quote will you accept and why?
2. What are the legal obligations you should consider?
3. What practical steps should you take before the work is started?
Case Study 1 Review
• Uruguay is an "adequate country".
• Dangerous to follow the herd.
• Do your own due diligence:
– Pre-qualification questionnaire
– Contract
– Tight brief
– Retention and destruction
– Safe transfer of data
Case Study 2
• For £100 per 1,000 records, the third party can enhance your database with additional data including, for each data subject:
– Top 50 websites visited (URLs) from a tracking cookie
– 20 most emailed Facebook contacts (email addresses)
– 10 most visited locations (GPS co-ords) from mobile records
– Top 10 interests based on 24 months of Google search phrases
– Health index based on health-related Google search phrases
1. Would this information be useful to your organisation?
2. What are the legal obligations you should consider?
3. What practical steps should you take before buying the data?
Case Study 2 Review
• Is your holding this data consistent with your public facing documents?
• Has the information been lawfully collected?
• What information are you likely to be supplied with?
• Practical steps
– Flag data source
– Amend notification
– Privacy Impact Assessment
– Change privacy policy
– Limit access to the information
Case Study 3
• You end up buying 50,000 new records comprising
– Email address
– First and last name
– Facebook-related email address
• You want to run email campaigns: 1) to encourage participation in your sport, and 2) to encourage support of your sport
• You also want to use a cloud based email broadcast system
1. Legal considerations before executing the campaigns?
2. What practical steps should you take before running the campaign?
Case Study 3 Review
• 50,000 NEW records PLUS third parties' email addresses from Facebook
• Consent and lawful collection of data
• Securely moving data about
• Cloud issues: control
• Can individuals easily opt out of receiving electronic marketing?
• Practical steps
– Campaign the new data, but
– Flag data source
– Change privacy notice?
– One, two or three emails
– Segmentation and message(s)
– Unsubscribe link on email
– Those that don't opt out ... your data
Case Study 4
• You have a new main partner, UK based PPI Claim Hero. They have negotiated database access in their package of rights and have requested a copy of your database to allow them to send out a paper and e-marketing campaign with telephone follow-up.
1. You have been asked to advise the CEO of your legal position.
2. What practical steps should you take before proceeding?
3. What practical steps should you take later?
Case Study 4 Review
• Do you have consent to share?
• Need to take account of both the DPA98 and PECR11; a breach of either of these may be a criminal offence.
• Can you differentiate between adults and children/young people?
• Commercial contract breach is unlikely to be a criminal offence. DPA might be!
• Practical steps
– Carry out a Privacy Impact Assessment (PIA) before sharing data.
– Ensure that you have a data sharing agreement in place between the Club and Claim Hero.
Case Study 5
• Following a series of complaints by a "nuisance customer" about your sharing of their personal information with PPI Claim Hero, you have received a letter from the Office of the Information Commissioner informing you that an Assessment Officer will make a site inspection in 28 days.
1. What should you do to prepare for the visit?
2. What do you think the Assessor will want to see?
3. What are the possible
Case Study 5 Review
• Have you got a suitable information governance framework in place?
• Are staff aware of your information governance framework and how it affects them?
• Are your training records up to date?
• The ICO could impose financial and other penalties.
• Practical steps
– Review your existing information governance/data protection/privacy policies, procedures and processes.
– Review your public facing statements; e.g. privacy, cookies, T&Cs, etc.
– Review your existing training programme for staff; does it include material relating to privacy matters?
– Review your customer consent management.
Quick Wins
• Initial DPA audit exposure
– Adequacy audit
– Compliance audit
• DP training records
• Responsible Person
• What data have we got?
• Where is all our data?
• Who has access to data?
• Third party contracts
Data Governance Coverage
• What data have you got
• Where did it come from
• How did you get hold of it
• Under what terms was it acquired
• Where is it
• How did it get there
• Where else could it be/is it
• How is access to the data controlled
• How long do you keep it for
• What do you use it for (purposes)
• What do you do to keep it secure?
• How do you raise awareness about
• How do you check that your controls are robust and operating as planned (audit)
• How do you regulate and control your data and data "universe" (policy)
• What if someone wants to access/share your data
• What if someone wants you to tell them what you have about them
• What if someone wants you to change their details or remove them from your database(s)
• How do you keep your data accurate and up to date
• Where in the world might your data be
DATAWISE DEMO
DataWISE by Absolute Data is a complete information assurance system built on the force.com platform in the cloud. It is the most comprehensive system available for data governance and information management.
Demo
• COMPLIANCE: Notification, Data Processing Purposes, Conditions for Processing
• ASSETS: IT Assets, Data Assets, ISO27001 Security Measures
• DISCLOSURES: Subject Access Requests, 3rd Party Disclosures, Data Disclosure Agreements
• TRAINING: InfoSec Questionnaires, Training, Awareness
• AUDITS: Audit Schedule, Audit Reports, Audit Checklists
• DOCUMENTS: CAPAs, Policies, Procedures and Work Instructions
• ADMIN: Security Incidents, Data Processes, Disposals, Responsibilities, Users, Permissions
• REPORTS: Reports, Dashboards
Why bother
• Ponemon
• Recent cases
• Change in the law
• Sleep at night
• Trust and brand assurance
• Competitive advantage?
• Gain control
• Be pro-active
• Reduce business risks
• Identify efficiencies
QUESTIONS
Absolute Data Limited
Final Thoughts
"In today's environment, it's not a matter of if a data breach will occur, but when it will occur, and how well you respond. Do everything you can to prevent data breaches, but also fully plan out how you will respond if you are breached. Today's media and business environment demands that two-pronged approach."
Brian Lapidus, COO, Kroll Fraud Solutions
Final Thoughts
"Extra vigilance is required so that people's personal information does not end up in the wrong hands. Organisations should have clear security and disclosure procedures that staff can understand, properly implement these and ensure that they are being followed. Staff must be adequately trained not just in the value of personal information but in how to protect it."
Definitions
• Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. It uses physical, technical and administrative controls to accomplish these tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form. These protections apply to data in transit, in both physical and electronic forms, as well as data at rest in various types of physical and electronic storage facilities.
• Information assurance as a field has grown from the practice of information security. Generally considered the more broadly focused of the two fields, IA consists more of the strategic risk management of information systems than of the creation and application of security controls. In addition to defending against malicious hackers and code (e.g., viruses), IA practitioners consider corporate governance issues such as privacy, regulatory and standards compliance, auditing, business continuity, and disaster recovery as they relate to information systems.
Case Study 4 alt
• You have a new gaming partner, IOM based Poker Stars.com. They have negotiated database access in their package of rights and have requested a copy of your database to allow them to send out a paper and e-marketing campaign with telephone follow-up.
1. You have been asked to advise the CEO of your legal position.
2. What practical steps should you take before proceeding?