© 2018 ITC Secure David Kemp, Micro Focus GDPR ENABLEMENT IN PRACTICE


GDPR Enablement In Practice - Managing the total information lifecycle to lower cost, meet compliance and reduce information risk

David Kemp, EMEA Specialist Business Consultant


Micro Focus & HPE Software merged 1st September 2017

A long history of stability, innovation, and acquisitions

A new company leveraging 70+ years of knowledge and IP

‒ FTSE 50

‒ Market Capital $13B

‒ Combined revenue of $4.5B

‒ 40,000+ customers

‒ 18,000+ employees

‒ Present in 50+ countries

Micro Focus: COBOL

HPE Software: Network Management

Innovations: Platespin Workload Mngt; supporting all major hardware platforms; Multi-Factor Authentication in Host Connectivity

Innovations: Mobile & SaaS; geospatial & machine learning; scalable real-time correlation


How does one incept Legal Guidance on GDPR?


What challenges / business outcomes does GDPR create?

RECORDS MANAGEMENT

• What Personal Data do I have, what format and where in my IT real estate?

• How do I isolate and classify it?

• How do I manage it in a form which enables me to execute Personal Data tasks?

SECURITY

• Externally: How effective is my outer cyber defence shield?

• Internally: How can I prevent accidental or deliberate misuse of Personal Data?


What technical delivery does GDPR compliance require for effectiveness?

• Corporate Governance monitoring and enforcement

• Social media monitoring - internal & external where permitted

• Ability to freeze data across a complex IT legacy architecture

• Cross-media visibility and comprehension

• De-duplication, clustering and synthesis of mass data

• Necessity to respect national and international data privacy standards

• Fast and effective response to the Business


What are the real drivers of GDPR compliance for Senior Management buy-in?


Compelling Business Logic for GDPR Compliance


GDPR

• Fine

• Reputation hit

• Government contract pre-requisite

• Enforcement action

• Client Audit

Revenue Generation

• Strategic records management

• Cloud accelerator

• M & A accelerator

• Due diligence

• Security Insurance premium reduction

Brand Loyalty & Data Mining & Data Exploitation


Which “Entities” should be most engaged in GDPR preparation?

B2C corporates

Those acquiring personally identifiable information from private citizens in the normal course of business e.g.

a. Retailers - supermarkets

b. Gaming, Tourism & hotels

c. FSI: Personal insurance & retail banks

d. Mass Transport & logistics – rail / air / ferry

e. Healthcare / Pharma / Hospitals

f. Telcos

B2B corporates

a. Those with a large workforce where the PII is employee data

b. Those which have agents who are B2C

Government agencies

Those who acquire PII due to their engagement with the public e.g.

a. National Hospitals

b. Municipal Authorities

AND OUTSOURCEES!


Engaging Personas


Persona: Key Challenges

CISO

• Internal surveillance and monitoring to avoid employee negative impact on PII

• Automate application of policy to security

VP/Director of Security Operations

• Comprehensive view of all existing data and applications

• Monitoring and insight into enterprise-wide threat landscape

CIO/IT

• Determine what information is subject to GDPR requirements

• Ensure backup and recovery is aligned to GDPR requirements

CDO/CIGO

• Defensibly delete information that has no value to the organization – aligns to “right to be forgotten”

• Manage information based on policy throughout its lifecycle

Legal & Compliance

• Determine what information is subject to GDPR requirements

• Proactively prepare for litigation and investigations by consolidating information in a centralized repository

Risk Management

• Comply with policy-based management requirements of in-scope information throughout the information lifecycle

• Supervise employee communication

Data Protection Officer

• Alerting facility to enable early breach identification

• Synchronization with legal / compliance / risk / business / security to enable compliance

+ HR, Communications, Audit, Finance?


Keys to a practical & swift GDPR Programme implementation


1. Identification of Key GDPR Programme steps

• AWARENESS: Brief the board so they are aware of the risks to the business and what needs to happen over the next 16 months to get GDPR effective.

• STAFFING: Appoint / train a Data Protection Officer – 28,000 still to be appointed in EU.

• LEGAL OPINION: Translating the GDPR into deliverables & functionalities + local law

• CONSULTANCY: Assessing policy, procedure, process and people in the light of the legal advice

• DATA DISCOVERY: Conduct a Personal Data location / format / security assessment vs. Opinion

• PROGRAMME PREPAREDNESS: Assessment of exposure & potential mitigants

• POLICY GAP ANALYSIS: Review and update existing data protection policies, training, privacy notices etc

• TECHNICAL GAP ANALYSIS: Where can IT solutions accelerate GDPR “effectiveness”?

• IMPLEMENTATION: Acquiring & installing IT solutions and services

• EXPANDING POLICY ENFORCEMENT: Using the GDPR model as a multi-purpose facility for any regulation


2. GDPR Programme Assessment = Micro Focus Journey to Value

Mapping GDPR Compliance Requirements to Technology by:

▪ Understanding as-is capabilities

▪ GAP Analysis vs. Micro Focus GDPR Framework

▪ Discussion & Guide to achieve GDPR effectiveness

Assessments

Tools, Processes & Organization

Roadmap & Recommendations


3. GDPR readiness reference architecture

Reference architecture diagram (labels recovered from the slide):

Diagram labels: Find, Analyse, Classify, Apply, Store, Govern; Read, Action, Declare; Record Repository; Eligible Records; Apply Retention rules; Compliance, Legal Hold & Audit; Data Encryption

Data Repositories: Messaging, Email, Files, SharePoint, Applications, Data Warehouses, Document Management, Data Archive, Social Media, Web Content, Third Party Database

Products shown: UD, SDM, Control Point, Content Manager, Policy Center, SecureData, ESKM

UD: (Micro Focus ITOM) Universal Discovery

SDM: (Micro Focus IM&G) Structured Data Manager

ESKM: (Micro Focus Data Security - Atalla) Enterprise Secure Key Manager


In summary, Micro Focus is strongly positioned to address GDPR

▪ Broad technology set covering all phases of protection

▪ Robust, cross-silo data classification

▪ Deep information insight for automated policy setting

▪ Advanced analytics for value creation

▪ Partnership strategy to deliver maximum value

▪ Solutions mapped to GDPR-specific use cases for simplicity

VISIT:

▪ General GDPR site: https://software.microfocus.com/en-us/marketing/gdpr

▪ Journey to Value trial site: www.technologyreadinessassessment.com


Further GDPR collateral guidance

• GDPR Webinar with Microsoft: https://aka.ms/mwp403

• Micro Focus Secure Content Management suite: https://players.brightcove.net/5456344257001/H1GplFe6LW_default/index.html?videoId=5578264528001

• Modern Workplace GDPR podcast: http://modernworkplace.mpsn.libsynpro.com/

• Secure Content Management demonstration videos: https://www.youtube.com/channel/UCgZpjmQcEeRJcUqxiZPYjGw

David Kemp

Specialist Business Consultant

Micro Focus London

Tel: 07867 558680

E-mail: [email protected]