Embed Size (px)
Citation preview
Title Slide FourWith full image background
© 2017 SureSkills 1
Be tomorrow ready.
GDPR – Discover the Smart Solution
Agenda
2
8:30 – 9:00 : Registration
9:00 – 9:10 : Welcome and opening Remarks – Kevin Reid, SureSkills CTO
9:10 – 9:30 : Rebecca Radloff, Head of Legal @ Microsoft – Partnering with You for GDPR Compliance
9:30 – 9:50 : Kevin Reid, SureSkills CTO – The role of IT and technology in Data Protection
9:50 – 10:10 : Nigel Tozer, Solutions Marketing Director @ CommVault – Meeting the challenges of GDPR in a Hybrid Cloud
10:10 – 10:20 : Coffee break
10:20 – 10:40 : Lanre Oluwatona, Data Protection Consultant @ ICS Skills – The role of the Data Protection Officer and getting Management Buy in
10:40 – 11:00 : Brendan Gavin, Senior Associate @ Byrne Wallace – How to get ready for GDPR Compliance
11:00 – 11:30 : Q & A
11:30 – 12:30 : Lunch & Networking
© 2017 SureSkills
Welcome
3
Plan for the day
Presenter Introduction
Problem Statement Data growth
Speed of change
Stealth IT / Distributed compute and storage environments
Budget constraints (people and technology)
Existing regulations & audit compliance
Upcoming regulation - GDPR
© 2017 SureSkills
Microsoft Partnering With You for GDPR ComplianceRebecca Radloff, Head of Legal Microsoft IrelandFebruary 21, 2017
This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.
Providing clarity and consistency for the protection of personal data
Enhanced personal privacy rights
Increased duty for protecting data
Mandatory breach reporting
Significant penalties for non-compliance
The General Data Protection
Regulation (GDPR) imposes new
rules on organizations that offer goods
and services to people in the European
Union (EU), or that collect and analyze
data tied to EU residents, no matter
where they are located.
Personal
privacy
What are the key changes with the GDPR?
Controls and
notifications
Transparent
policies
IT and training
Need to invest in:
• Privacy personnel and
employee training
• Data policies
• Data Protection Officer
(if 250+ employees)
• Processor/Vendor
contract
• Strict security
requirements
• Breach notification
obligation
• Appropriate consents
for data processing
• Confidentiality
• Recordkeeping
Individuals have the right to:
• Access their personal
data
• Correct errors in their
personal data
• Erase their personal data
• Object to processing of
their personal data
• Export personal data
Transparent and easily
accessible policies
regarding:
• Notice of data
collection
• Notice of processing
• Processing details
• Data retention/deletion
Microsoft’s commitment to its customers
WITH OUR LONG-STANDING COMMITMENT TO
SECURITY AND PRIVACY, YOU CAN TRUST MICROSOFT
TO PROVIDE THE PRODUCTS AND SERVICES YOU’LL
NEED AS YOU WORK TOWARD GDPR COMPLIANCE.
OUR GOAL IS TO STREAMLINE YOUR GDPR
COMPLIANCE THROUGH SMART TECHNOLOGY,
INNOVATION, AND COLLABORATION.
Microsoft’s goal is to streamline your
GDPR compliance through smart
technology, innovation, and
collaboration. Together we’ll help you
build a more secure environment,
simplify your compliance with the GDPR,
and give you the tools and resources
you need to be successful.
Partnering with you to prepare for GDPR
Preparing
for GDPR
What can you do today?
Identify what personal data you have and where it resides.
Manage how personal data is used and
accessed
Establish security controls to prevent, detect, and
respond to vulnerabilities & data breaches
Action data requests and keep required
documentation
Analyze data and systems, stay compliant
and reduce risk
1 2 3 4 5
Discover Control Protect Report Review
• Microsoft.com/GDPR
Protect devices with industry-leading
encryption, anti-malware technologies, and
identity and access solutions
Safeguard customer data in the cloud,
including personal data, with industry-leading
security measures and privacy policies
Secure your IT environment and achieve
compliance with enterprise-grade user and
administrative controls
Protect customer data both in the cloud, and
on-premises, with industry-leading security
capabilities
Safeguard customer data in the cloud,
including personal data, with industry-leading
security measures and privacy policies
The Role of IT and technology in Data Protection
18
What do we mean by data protection
What is happening in the market
Key requirements to implement data protection
Who does what and how
SureSkills BaaS
Service Onboarding
© 2017 SureSkills
© 2017 COMMVAULT SYSTEMS, INC. ALL RIGHTS RESERVED.
Meeting the Challenges of GDPR in a Hybrid Cloud
• February 2017
Session Overview
GDPR and the Cloud
• The Data Challenges of GDPR
• The Data Copy Problem
• Managing Data Proliferation
• GDPR and Cloud Adoption
• A Side Benefit of GDPR: Modernisation
20
Data Types - The Challenges
Structured Semi-structured Unstructured
21
Application Data:• CRM Systems• ERP Applications• Financial• Marketing• Vertical apps e.g. retail• SaaS Apps• RDBMS• Big Data
Application Data:• Email• Document Management• App File Stores
Files & Folders:• NAS• File Servers• Cloud Storage• Laptops• Mobile Devices• Personal Clouds
Security, Protection, Availability, Retention, Copy management, Lifecycle, Custody, Access, Audit
Personal Data Can Be Anywhere
There is NO Silver Bullet for GDPR
GDPR Components
22
• Processes: analysis, discovery, process flow, design, management, ongoing review etc.
• Data Management: protection, recovery, availability, retention, lifecycle, location etc.
• Security Management: Physical, perimeter, breach/vuln. detection, encryption, access controls, cyber security, education etc.
• Manual Tasks: ops, delivery, configuration, search, retrieval, reporting, redaction etc.
ProcessTasks
Security Data
There is NO Silver Bullet for GDPR
GDPR Components
23
More technology silos leads to more manual tasks, and a greater opportunity for human error or misdeed
This increases cost and risk significantly
ProcessTasks
Security Data
Compliance is Simpler with Less Data
Copy
Replicate
MailboxArchive
MailboxBackup
Data Copies and Silos
Products/Silos: 5 – 10Potential Data Copies: 50+
• Example shown just for backup & recovery, retention and compliance
• Each data silo = another potential door for a data breach
• More to manage, monitor report and secure
• Tape is a particularly problematic
• Complex Search/Auditing
MailServer
Files
File Analytics
ComplianceArchive Mailbox
Archive
MultipleBackups
ComplianceCopy
OutlookPSTs
ComplianceReplica
ArchiveBackup
MultipleBackups
ArchiveBackup
Datacentre File Servers
File Archive
EndpointBackup
ServerBackup
ServerBackup
Personal Cloud & Devices
Dept. FileServers
Remote FileServers
Storage Consumption
Storage Consumption
26
45-60% of their total
storage capacity
consisted of what is
considered “copy data”
Less than 20% of respondents
had a formal copy data
strategy, those few that did
realised significant reductions
in storage capacity growth
Source: IDC CDM Survey, 2016
Primary Data
Copy Data
Database Copies
82% of respondents had at least 10 copies of each database
SQL and Oracle applications were present in 75% of the organisations polled, SAP was in 54% of those polled
27Source: IDC CDM Survey, 2016
Einstein was Right: Space and Time are Connected!
• 62% of respondents stated that the copy refresh process took 1⁄2 a day or more to execute
• 32% refreshed every few days with 42% refreshing weekly
• Over 80% of organisations polled used home-grown methods for data masking, less than 5% used off the shelf products, the remaining either didn’t know or had no masking tools at all
• 74% of these organisations in the IDC poll expected their storage spending to increase in the next fiscal year
28Source: IDC CDM Survey, 2016
So How DO You Deal Data Proliferation?
In Europe, GDPR Demands Fundamental Changes
New GDPR Mandates Require Changes to Storage Management Strategies for All Global Enterprises
• Identify Personal Data
• Verify Whether Proper Consent Was Obtained
• Examine Backup Retention
• “Retention should be reduced for systems that contain personal data, and if archiving is not already in place for maintaining these records for governance purposes, then it should be implemented.”
• Implement Archiving for Governance Purposes
30Source: Gartner 2016 New GDPR Mandates Require Changes to Storage Management Strategies for All Global Enterprises
Backup and Archive Confusion
• Many organisations use archive tools for space management, but still retain backup copies for many years as ‘archives’
• Archives require backup, which often creates a ‘silo inside a silo’
• Tape is still the most used medium for long term storage
31
MultipleBackups
ArchiveBackup
File Servers& NAS
File Archive
Offsite or 3rd Party
Archive Benefit: Faster Backup and DR
A 2016 Gartner straw-poll at a European event revealed that
only 4% used the cloud instead of tape for long term retention
The Key Data Management Principles of GDPR
• Right to be forgotten (RTBF, Article 17)
• Data protection by design and by default (Article 25)
• State-of-the-art (SOTA, Articles 25 & 32)
• Ensure ongoing confidentiality, integrity, availability and resilience (Article 32)
• 72 hour data breach notification (Articles 33 & 34)
• Data minimisation principle (Article 25)
• Defining use cases and managing consent (Article 6)
• Data transfers (Articles 44-50)
• Data portability (Article 20)
32
Where Commvault Can Help
Locate personal data, almost anywhere
Most comprehensive available
Integrated beyond any current competitor
Leading backup/recovery, w/ on-demand encryption, secure role-based access
Identify what data was compromised, inc. laptops
Commvault can reduce and manage data copies
N/A for new policies; search after the fact
Partial
Partial
The GDPR BreakdownComplexity Hinders Compliance and Increases Risk
33
LEGACY SYSTEMSDATA CENTERS CLOUD DATA SaaS
PAIN: LACK OF CONTROL AND ANALYSIS• Archive and search systems create silos
• Lack common search and collate
• Multiple access controls to manage
• Gaps in coverage present risk
PAIN: VISIBILITY OF EXTERNAL DATA• Data held externally is difficult to track
• Protection managed by 3rd party
• Limited ability to archive or manage retention
PAIN: BACKUP AND RECOVERY RISKS• Too many siloed solutions & repositories
• Not easy to set common policies
• Reporting is a challenge
• Variable controls in areas such as auditing
• Complexity leads to gaps in coverage
? ? ? ?
x?
Silo
Silo
The GDPR BreakthroughSimply Powerful: An Advanced Data Management Platform
34
LEGACY SYSTEMSDATA CENTERS CLOUD DATA SaaS
GAIN: ROBUST DATA MANAGEMENT• Data is accessible, organized and indexed
• Complete infrastructure awareness
• Centralised governance and control for hybrid clouds
• Consistent data policies across the enterprise
GAIN: UNIFIED CLOUD BACKUP• Single solution to backup the whole enterprise
• Automation ensures backup by default
• Easy to report and audit
• Robust, integrated redundancy for archive policies
GAIN: CONTROL OF EXTERNAL DATA• Backup and archive SaaS data
• Backup and gain visibility of data on mobile devices
• Guard against Malware and data breaches
• Provide secure alternative to personal cloud shares
Data Management
Platform: Indexed
Virtual Repository
Dedupe:Global, Secure
From Backup & Archiveto Information Management
Intelligent Data Management
Single Query Searching across Backup & Archive
Global Data (Cost) Reduction
COLLECTION
Remote & Internal End Users
Email On-Premises or
Cloud
Cloud Solutions Data Center
Access
End User AccessOutlook Plugin
Analyse
• Search & Preservation
• Content-Aware Retention Mgt.
• Data Leakage Detection
• Remote Search of Structured Sources
• Rapid response to data subject inquiries
A
B
C
B
A
1 Yr
30 YrAuto Storage
Tiering
Manage
DELETE
ZIPProduce or
EraseXML
Compliance AccessGDPR, FOIA, eDiscovery,
Data Spillage Search
Audit, Automation and Change & Incident Management
36
Simple, Comprehensive, Role Based UX
Audit
Polic
ies
Report
s
Auto
mation
Resi
lience
Eff
icie
ncy
Single Manager
Conte
xt
3rd Party Service
Management
What a single manager really delivers…
The Recovery Conundrum
A ‘Right to Be Forgotten’ issue
• Applications and Unstructured Data require different approaches after an outage
• Process management can help in both cases e.g. service desk systems
37
?Request to be forgotten
Outage: Corruption
Recovery
Access Without Recovery• Commvault provides access for apps to
mount databases without recovering them; VMs can be started without recovery too
• Unstructured data can be collated for review and subsequent secure deletion
GDPR and the Cloud
GDPR and Cloud Adoption
ON-PREMISES
Public Cloud SaaSCloud: Controls Passed to 3rd Parties• Consistency lost• Cloud systems must meet the same
regulations as on-premises• Must be within a region that offers
‘similar’ protection as the EU/GDPR
Fully Under Your Control• Data Management & Security• Processes, Retention, Recovery etc.• Consistent by design
Commvault, Azure and O365
• Azure Storage: Offsite Storage, Backup, Archive, Tape Replacement
• Migrate to Azure: Simple to ship and convert workloads
• Recovery Use-cases: DR, Dev & Test
• Backup in the Cloud
• Backup O365 and ODFB
• Exchange/O365 Archive & Compliance
• 3rd Party SaaS, Cloud Storage and IaaS also supported On-premises
Workloads & Data to the cloud
Blob Storage
Backup & Archive Data
Single point of control, reporting, search etc.
Rationalise Your Cloud Strategy
41
Cloud Disaster Recovery
Governance & Insight: Across Your Hybrid
Cloud
Enterprise Cloud
Backup
Cloud Migration Services
Summary
• Get some expert help: Sureskills have the skills, people and relationships you need
• Dealing with GDPR can also help you to meet other regulations, such as FOI, MiFID etc.
• Manage GDPR: Accelerate Modernisation
42
Thank You
@NigelTozerwww.commvault.com
Role of the Data Protection Officer in Obtaining Management Buy-in
Lanre Oluwatona
Irish Computer Society
Accountability
Lawfulness, Fairness And Transparency
Purpose Limitation
Data Minimisation
Accuracy
storage limitation
Integrity & Confidentiality
Data Protection Principles Rebranded
Reasons for Lack of DP Buy-in
• Organizational culture and attitudes towards Data Protection
• Negative perception of Data Protection
• Data Protection not seen as a boardroom topic• Higher priority business need always take pre-eminence over DP
• Not a corporate objective
• DP relegated to the ‘back burner’
• Lack of board level Champions on Data Protection
• Perception that DP is an IT issue, not Management
• No Budget for DP
• Reactive DP risk management• “It happened to them. It’ll never happen to us. We’re so solid!!”
The principle of accountability under GDPR states that the “Controller shall be responsible for, and be able to demonstrate compliance with Data Protection Principles/Concepts”.
Article 5(2) GDPR
• Proactive involvement in all things DP
Art.38(1)
• Support and resource provision
Art.38(2)
• Independence and objectivity
Art.38(3)
• Uninhibited & unrestricted Access
Art.38(3 part B)
• Secrecy and confidentiality Art.38(3 part B)
DPO Role in 5 Sentences …
Management Buy-in Skills Required by DPOs
• Proactive
• 6th Sense (risk based)
• Timing & context
• Diplomacy
• Apolitical
• Approachable
• Written
• verbal
• Nonverbal
• visual
Communication Negotiation
Conflict Management
Persuasion
• Know your Stakeholders
• Have a plan or implementation roadmap
• Have a DP budget. Quantify DP issues monetarily
• Audit all data processing activities • Identify data entry and exit points
• Effectively manage your “gate-keepers”
• Identify high risk areas
• Be proactive and not reactive
• Build bridges not walls – Management needs it • Earn trust, don’t demand it
• Think creatively
• Don’t always say no but be creative in your response
How Can I Ensure Management Buy-in?
Q1 2017
Q2 2017
Data Analysis &
Audit
Q3 2017
Strategic Privacy Planning
Policy Development & Review
Q1 2018
Q2 2018
Staff Training & Awareness
Go Live
GDPR: Implementation Roadmap
Q4 2017
Business Support & Compliance Monitoring
Brendan Gavin, Senior Associate, Corporate Law
Getting your Company Ready for GDPR
57GDPR - Discover The Smart Solution, 21 February 2017
Data Protection – Review
Current law based on 1995 Directive: Data Protection Acts 1988 & 2003:
• Outdated
• Inconsistencies in national implementing laws across the EU.
New law: the General Data Protection Regulation (the GDPR)
• Adopted 27 April 2016 Currently in grace period until it comes into force on 25 May 2018
February 24, 2017 58
Key Changes to the Law
1. Expands Definition of Personal Data
2. Applies to Data Processors
3. Extra-territoriality
4. New Rights for Data Subjects
5. Data Breaches
6. Data Protection Officers
7. Data Protection Impact Assessments
8. Enforcement
February 24, 2017 59
Personal Data
• GDPR now expressly includes IP addresses and UDIDs
• Pseudonymous data –truly anonymous data very difficult to achieve – relaxed rules
• Definition of sensitive data also extended to include genetic and biometric data
• Don’t rely on consent – can be revoked and difficult to regulate
• Be clear on your legal basis for processing
February 24, 2017 60
Data Processors
• Previous law focused obligations on data controllers
• No longer a requirement to register
• Direct obligations now imposed on processors
• Data processors now subject to enforcement and fines
• Mandatory terms for contracts with controllers
February 24, 2017 61
Territorial Scope
• EU established
• Non – EU established if:
– offering goods and services within the EU or
– monitoring behaviour of EU data subjects
• Transfers of data outside the EU
– EU approved ‘adequacy’ list
– EU-US Privacy Shield
• Know where your data is
February 24, 2017 62
New Rights for Data Subjects
• Erasure - stemming from Google right to be forgotten case
• Portability – to allow data subjects to transfer data from one controller to another
• Access to your data – can no longer charge for data access requests and must be processed within 1 month (reduced from 40 days previously)
• Right to complain to Data Protection Authorities
• Right to sue for breaches of your rights
February 24, 2017 63
Data Breaches
• Current law recommends notification to DPC within 48 hours
• GDPR makes notification of data breaches mandatory within 72 hours
• New requirement to notify affected data subjects
• Now uniform requirement across Member States, this was previously only the case in the telecoms sector
February 24, 2017 64
Data Protection Impact Assessments
• Privacy by design – data protection must now be taken into account when designing new technologies
• Privacy by default – must be able to demonstrate that only personal data that is necessary for the relevant purposes is being processed
February 24, 2017 65
Data Protection Officers
• Data Protection Officers will now be mandatory for the following Data Controllers and Processors:
– Public Authorities (except for courts acting in judicial capacity)
– Organisations whose core activities involve large scale systematic monitoring of data subjects
– Organisations whose core activities involve large scale processing of sensitive data
February 24, 2017 66
Enforcement
• Data protection authorities have new investigative powers under the GDPR including access to premises, conduct audits and issue fines
• DPC will have power to issue fines of up to €20,000,000 or 4% of the total annual turnover of an undertaking – whichever is the greater
February 24, 2017 67
68
1. Review all personal data held by your company
2. Review and update all data privacy notices
3. Need to be able to demonstrate compliance
4. Internal code of conduct • Implement internal policies and measures which take into
account privacy by design and by default
5. Maintain detailed processing records
Practical Steps
69
6. Spread awareness of the GDPR in your organisation
7. Training, review of checklists, reporting lines etc.
8. Allocate responsibility and budget for data protection compliance
9. Certification – may become available from supervisory authorities
10. Some provisions may take more time to become enforceable as they will require additional codes/guides to be published
Practical Steps (continued)
Thank You
70
Brendan GavinSenior Associate, Corporate Law
T: +353 1 691 5284
www.byrnewallace.com
SureSkills Ireland
14 Fitzwilliam Place, Dublin 2, D02 W025, Ireland
Sales: +353 1 240 2262 Reception: +353 1 240 2222 Fax: +353 1 240 2233
SureSkills N. Ireland
Callender House, 58–60 Upper Arthur Street, Belfast BT1 4GJ, United Kingdom
Sales: +44 28 9093 5565Reception: +44 28 9093 5555 Fax: +44 28 9093 5566
SureSkills Canada
1 Rideau St #748, Ottawa, ON K1N 8S7, Canada
Toll Free: +1 855 278 7555
SureSkills USA
Suite 200, 7000 N. MopacExpressway, Austin, TX 78731, USA
Toll Free: +1 855 278 7555
Thank you
SureSkills
