4. Achieving GDPR Compliance
• Location – identifying existing personal data held across the business
• Governance – managing data subject access rights, data storage and use
• Security – protecting against vulnerabilities and breach
• Reporting – for data requests, breaches, and accountability
6. Love Cloud GDPR – Agenda
09:00-09:30 REGISTRATION
09:30-09:45 Welcome & Introduction – Michael Frisby, Vuzion MD
09:45-10:15 Introduction to GDPR – Sean Huggett, Cybercrowd, CEO & Consultant
10:15-10:45 Microsoft and GDPR – Jonathan Burnett and Samantha Garrett, Partner Technology Strategists
10:45-11:00 TermSet and GDPR – Stewart Connors, Head of Customer & Partner Success
11:00-11:15 COFFEE AND PASTRIES
11:15-11:30 Acronis and GDPR – Ronan McCurtin, Senior Sales Director Northern Europe
11:30-11:45 Mimecast and GDPR – David Tweedale, Team Leader
11:45-12:00 DocuSign and GDPR – Jacqueline de Gernier, AVP Commercial Sales
12:00-12:30 Panel Interview – Caroline Wigley (Vuzion), Sean Huggett (Cybercrowd), Jonathan Burnett (Microsoft), Rowland Dexter (QGate)
Vuzion GDPR Support Package
Closing Thoughts
8. Introduction to GDPR
• Came into force on 24th May 2016 – enforceable from 25th May 2018
• EU Regulation – has direct effect – no local legislation required
• Replaces the Data Protection Act 1998, which transposed the 1995 Data Protection Directive into UK law
• Aims to support the digital single market and give data subjects control over their personal data
• Wide scope & coverage
• Guidance on interpretation and compliance still being developed
• UK Government has confirmed applicability in UK notwithstanding Brexit
9. Key Definitions
Data Controller (Art 4(7))
• “the natural or legal person… which … determines the purposes and means of the processing of personal data”
Data Processor (Art 4(8))
• “a natural or legal person… which processes personal data on behalf of the controller”
Data Subject (Art 4(1))
• “an identified or identifiable natural person”
Personal Data (Art 4(1))
• “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data….”
Processing (Art 4(2))
• “any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage…”
10. Six Data Protection Principles & Accountability
• Six data protection principles – overview of your most important duties in complying with GDPR
• Introduces ‘accountability principle’ – Data Controllers responsible for being able to demonstrate compliance with the six principles
Personal Data shall be:
1. processed lawfully, fairly and transparently
2. collected for specified, explicit & legitimate purposes
3. adequate, relevant & limited to what is necessary for processing
4. accurate and kept up to date
5. kept only for as long as is necessary for processing
6. processed in a manner that ensures its security
ACCOUNTABILITY – the controller must be able to demonstrate compliance with all six
11. Data Subject Rights
Rights to:
• Information (Arts 13–14) – think about Privacy Notices
• Access (Art 15) – think about Subject Access Requests
• Object to Processing (Art 21)
• Rectification (Art 16)
• Erasure (Art 17) – ‘right to be forgotten’
• Restrict Processing (Art 18)
• Data Portability (Art 20)
12. Obligations & International Transfers
Obligations
• Data Protection Officers (DPO) – Arts 37–39
• Data Protection Impact Assessments (DPIA) – Art 35
• Data Protection by Design and by Default – Art 25
• Controller & Processor Records – Art 30
• Security of Processing – Art 32
• Breach Notification – Arts 33–34
• Processor contracts with guarantees that processing will meet the requirements of GDPR – Art 28
International Transfers – Restricted & Regulated – Conditions to be Met (Chapter V)
• Basis of Adequacy – Art 45
• Appropriate Safeguards – Art 46
• Binding Corporate Rules (BCRs) – Art 47
• International Cooperation Mechanisms: EU-US Privacy Shield (the adequacy-based arrangement in place at the time of this presentation; it was invalidated by the CJEU in July 2020, so confirm the current transfer mechanism before relying on it)
13. Remedies & Liabilities
Liabilities
• Administrative Fines – ‘Effective, Proportionate & Dissuasive’
o Higher of 4% of global turnover or €20m for top tier infringements
o Higher of 2% of global turnover or €10m for lower tier infringements
• Warning of likely infringement
• Reprimand for infringement
• Others, including: order data breach communication, order limitations on processing, order rectification/restriction/erasure
Data Subject Remedies
• Right to judicial remedy where their rights have been infringed as a result of the processing of personal data
• Right to compensation – data subjects who have suffered material or non-material damage
• Controller & Processor joint and several liability
• Collective claims / class-action type litigation possible – higher litigation risks
14. Some Practical Steps
1. Understand Personal Data You Hold:
• Data mapping – identify Personal Data held, how it was/is collected, data flows, who has access, where it is stored etc.
• Apply the 6 Principles to the Personal Data you hold.
• Assess the risks to rights and freedoms of data subjects associated with your processing / the personal data you hold.
• Identify transfers to 3rd countries.
2. Review 3rd Party Relationships:
• Identify your 3rd party processors.
• Review the contracts, bring them into compliance – including cloud service providers.
15. Some Practical Steps (continued)
3. Document Your Processing Activities:
• Put the required documentation in place – records of processing activities, records of consent etc.
• Document how you comply with GDPR – demonstrate you are consistently applying best practice.
4. Apply Technical and Organisational Measures:
• Implement strong information governance measures, including policies and procedures covering:
o Data protection
o Information security
o Breach response and notification
• Adopt a ‘Cyber Resilience’ approach covering People, Process & Technology in line with best practice.
• Implement an ISMS / PIMS / Compliance Framework – apply best practice and certify where appropriate
16. Thank you
Speak to a member of the Vuzion team
if you’d like to know more!
17. Love Cloud GDPR – Microsoft and GDPR
Jonathan Burnett, Partner Technology Strategist
Samantha Garrett, Partner Technology Strategist
18. What are the key changes to address the GDPR?
Personal privacy – individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Controls and notifications – organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing
Transparent policies – organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
IT and training – organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts
19. How do I get started?
1. Discover – identify what personal data you have and where it resides
2. Manage – govern how personal data is used and accessed
3. Protect – establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report – keep required documentation, manage data requests and breach notifications
21. Discover (step 1): identify what personal data you have and where it resides
Key areas: in-scope data; inventory
Example solutions:
• Microsoft Azure – Azure Data Catalog
• Enterprise Mobility + Security (EMS) – Microsoft Cloud App Security
• Dynamics 365 – Audit Data & User Activity; Reporting & Analytics
• Office & Office 365 – Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
• SQL Server and Azure SQL Database – SQL Query Language
• Windows & Windows Server – Windows Search
22. Manage (step 2): govern how personal data is used and accessed
Key areas: data governance; data classification
Example solutions:
• Microsoft Azure – Azure Active Directory; Azure Information Protection; Azure Role-Based Access Control (RBAC)
• Enterprise Mobility + Security (EMS) – Azure Information Protection
• Dynamics 365 – Security Concepts
• Office & Office 365 – Advanced Data Governance; Journaling (Exchange Online)
• Windows & Windows Server – Microsoft Data Classification Toolkit
23. Protect (step 3): establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
Key areas: preventing data attacks; detecting & responding to breaches
Example solutions:
• Microsoft Azure – Azure Key Vault; Azure Security Center; Azure Storage Service Encryption
• Enterprise Mobility + Security (EMS) – Azure Active Directory Premium; Microsoft Intune
• Office & Office 365 – Advanced Threat Protection; Threat Intelligence
• SQL Server and Azure SQL Database – Transparent Data Encryption; Always Encrypted
• Windows & Windows Server – Windows Defender Advanced Threat Protection; Windows Hello; Device Guard
Note on the two SQL options: Transparent Data Encryption encrypts database files at rest, so it protects against stolen media and backups but not against anyone who can query the server (a DBA, or an attacker with SQL injection); Always Encrypted encrypts selected columns on the client side with keys the server never holds, so the engine itself cannot read them. They address different threats and are often combined.
24. Report (step 4): keep required documentation, manage data requests and breach notifications
Key areas: record-keeping; reporting tools
Example solutions:
• Microsoft Trust Center – Service Trust Portal
• Microsoft Azure – Azure Auditing & Logging; Azure Data Lake; Azure Monitor
• Enterprise Mobility + Security (EMS) – Azure Information Protection
• Dynamics 365 – Reporting & Analytics
• Office & Office 365 – Service Assurance; Office 365 Audit Logs; Customer Lockbox
• Windows & Windows Server – Windows Defender Advanced Threat Protection
25. GDPR Resources
• Microsoft Whitepaper on "Beginning your GDPR Journey"
• Microsoft.com/GDPR
• servicetrust.microsoft.com
• aka.ms/GDPRblogpost
• Data Breach & GDPR Demos
26. Next Steps
• Determine if your customers need to be GDPR compliant. If so, act now!
• Familiarize yourself with the Microsoft GDPR Assessment Tool that you
can use to assess your customer’s readiness
• Reassure your customers that Microsoft cloud services will be compliant
with GDPR and we will share our knowledge to help them get compliant
in time for May 25, 2018.
• Learn more about the GDPR and Microsoft Security offerings.
• Identify your offerings and go-to-market strategy, using the Microsoft
Cloud.
• Pilot your services and offerings with a few customers before you go
broad.
31. The Challenge
External
• GDPR will require all EU organisations to focus on discovering PII held on behalf of customers & former employees
• “Subject Access Request” is not new and will continue
• “Right to be Forgotten” is new & will force organisations to collect all the digital information they hold about the individual
Internal
• Organisations’ information is held in multiple IT systems
• Also in non-approved IT systems (shadow IT/BYOD)
• Information is typically held in documents, both structured and unstructured
• Discovering PII is currently a manual process
• This costs organisations time and money
Ongoing breaches & fines
• 49% of organisations had a document breach in the past 2 years*
• 73% of employees are accidentally exposing information stored within documents*
• 63% of organisations claim they are unable to locate sensitive data stored in documents*
*Information taken from the Ponemon Institute Research report May 2017.
32. ScanR – The Solution
Identify and retrieve GDPR Personally Identifiable Information within documents stored in multiple systems.
• Multiple systems
• Discover PII in Office docs and PDFs, with OCR on the fly
• Generate reports
34. Connect to SharePoint, a file share or other systems – the documents where we wish to determine if they contain sensitive data
35. Choose the types of information
you would like to discover
• Over 100 pre-defined rules or you
can make your own
• Artificial Intelligence for Pattern
Matching
37. Overview Dashboard
• Three data sources read
• ~19k documents read, with 79% containing PII data
• Breakdown of what PII data is contained where
• Locations of the sensitive data
• Which systems contain the most sensitive data
38. Query engine
• Search for information across your data sources
• Immediately see the records that match
• Understand the types of data that contain the information
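The rule-based discovery described on slides 35, 37 and 38 (pre-defined pattern rules, a per-system breakdown of what PII lives where, and a query across sources to support a Subject Access Request) is, at its core, a set of patterns run over text extracted from each document. The example below is added here to show that mechanism end to end; it is not ScanR's code or rule pack. The four rules, the thresholds and the `DOCS` corpus are constructed for this example, and the card-number rule shows the check a practitioner wants on top of a bare regex: a Luhn validation, since digit patterns alone over-report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample corpus standing in for text extracted from several
# systems: (source system, document path, extracted text). Not real data.
DOCS = [
    ("SharePoint", "hr/onboarding-j-smith.docx",
     "New starter Jane Smith, NI number AB123456C, email jane.smith@example.com"),
    ("FileShare", "finance/refund-2017-03.txt",
     "Refund to card 4111 1111 1111 1111 approved, contact 020 7946 0958"),
    ("FileShare", "it/runbook.txt",
     "Restart the service with systemctl restart app; no customer data here"),
    ("CRM export", "export.csv",
     "id,email\n42,bob@example.org\n43,not-an-email"),
]

# Hypothetical rule pack written for this example; a real pack is far larger.
RULES = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # UK National Insurance number: two letters (D, F, I, Q, U, V never appear
    # first; D, F, I, O, Q, U, V never second), six digits, suffix A-D.
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b"),
    # UK phone number with optional spacing: 020 7946 0958, +44 20 7946 0958.
    "uk_phone": re.compile(r"\b(?:\+44\s?|0)\d{2,4}\s?\d{3,4}\s?\d{3,4}\b"),
    # Payment-card candidate: 13-19 digits with optional spaces or dashes.
    # Candidates are only reported if they pass the Luhn check (see below).
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a card-number candidate."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_document(text: str) -> dict:
    """Return {rule_name: [matches]} for every rule that fires on the text."""
    found = {}
    for name, pattern in RULES.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if name == "card_number":
            hits = [h for h in hits if luhn_ok(h)]   # drop false positives
        if hits:
            found[name] = hits
    return found


def scan_corpus(docs) -> dict:
    """Summarise PII by source system, in the shape of an overview dashboard."""
    per_source = defaultdict(Counter)
    per_rule = Counter()
    docs_with_pii = 0
    for source, _name, text in docs:
        found = scan_document(text)
        if found:
            docs_with_pii += 1
        for rule, hits in found.items():
            per_source[source][rule] += len(hits)
            per_rule[rule] += len(hits)
    return {
        "documents": len(docs),
        "documents_with_pii": docs_with_pii,
        "per_source": {s: dict(c) for s, c in per_source.items()},
        "per_rule": dict(per_rule),
    }


def search(docs, term: str):
    """Query step for a Subject Access Request: which documents mention the term?"""
    needle = term.lower()
    return [(source, name) for source, name, text in docs if needle in text.lower()]


if __name__ == "__main__":
    print(scan_corpus(DOCS))
    print(search(DOCS, "jane.smith@example.com"))
```

Two things the dashboard numbers hide: a rule pack like this only sees text the extractor gave it (a scanned PDF contributes nothing without the OCR step the slide mentions), and pattern matches are candidates, not confirmed PII; a Luhn check, a checksum on an identifier, or a name list cuts the false-positive rate enough that the report is usable.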
39. Articles Contained in the GDPR
11 Chapters with 99 Articles – http://www.eugdpr.org/article-summaries.html
ScanR will help you comply with Articles: 5, 15, 16, 17, 18, 20, 24, 30, 32, 35, 42, 44, 45 (principles; access; rectification; erasure; restriction; portability; controller responsibility; records of processing; security of processing; DPIA; certification; transfers).
• Gain an understanding of where the PII data is located
• Gain an understanding of who has access to it
• Gain an understanding of how long it’s being retained
• Retain personal data for a period of time directly related to the original intended purpose
• Find risky files and take action
• Manage a Subject Access Request
• Request a port of the data
• Request a correction to the data
• Request deletion of the data
40. Summary
ScanR
• Automate the process for discovering PII
• Quickly respond to “Subject Access Request” & “Right to be Forgotten”
• Comply with over 10 of the 99 Articles
Next Step
• Free trial up to 1,000 documents
44. Love Cloud GDPR – Acronis and GDPR
Ronan McCurtin, Senior Sales Director Northern Europe
45. Where Acronis supports GDPR compliance
Key activities:
– Privacy impact assessment
– Data access governance
– Data breach notification / resolution
– Secure storage of active data
– Archiving and deleting
Products: Acronis Backup, Acronis Storage, Acronis Backup Cloud, Acronis Disaster Recovery Service
46. Requirements for GDPR-compliant backup and storage (1)
Requirement | Desirable features | GDPR recitals supported
Control data storage location | Reporting for compliance | 101: General principles for international data transfers
Encrypt data securely | Encryption on the device, in transit, and at rest | 78: Appropriate technical and organizational measures; 83: Security of processing
Browse backups | Drill-down to easily find required data | 63: Right of access; 65: Right of rectification and erasure
Modify personal data | Easy modification if requested by data subject | 59: Procedures for the exercise of the rights of the data subjects; 63: Right of access; 64: Identity verification; 65: Right of rectification and erasure
Export data in a common format for easy data portability | ZIP archive for easy portability | 68: Right of data portability
Recover data quickly | Acronis Instant Restore to deliver 15-second recovery time objectives (RTOs) | 78: Appropriate technical and organizational measures
47. Requirements for GDPR-compliant backup and storage (2)
Requirement | Desirable features | GDPR recitals supported
Minimize compulsory data breach reporting | Proactive prevention of malware damage to files; specific protection of the Acronis Backup agent to prevent data breach of backups | 85: Notification obligation of breaches to supervisory authority; 86: Notification of data subjects in the case of data breaches; 87: Promptness of reporting / notification; 88: Format and procedures of the notification
Blockchain-based data certification | Acronis Notary validation of the authenticity and integrity of backups | 78: Appropriate technical and organizational measures
Backup retention, deletion | Flexible setting of retention time of data, archival rules, etc.; ability to delete backup at any moment | 66: Right to be forgotten
Logs availability | Logging of operations with data | 82: Record of processing activities
Role-based access | Multilayered and highly customizable data access rights | 63: Right of access
Risk management control | Very flexible backup and Active Protection | 84: Risk evaluation and impact assessment
Note on the first row: ransomware that encrypts personal data is a loss of availability, which Article 4(12) counts as a personal data breach, so it must still be recorded internally under Article 33(5). A clean backup lowers the risk to data subjects, and therefore bears on whether notification to the authority or to individuals is required; it does not make the breach go away.
48. What to look for in GDPR-compliant backup and storage
‒ Data subject control of data storage location
– Individual must have final say as to where personal data is stored: on-premises or in a specific EU-based data center
– (Caveat: the GDPR itself does not give data subjects a choice of storage location; Chapter V restricts transfers outside the EU/EEA. What you must be able to demonstrate is where the data is stored and on what transfer basis.)
‒ Data encryption
– Strong data encryption on-device, in transit and in the cloud
– An entirely automated encryption process, with the backup owner (not the provider) as the sole holder of the decryption key, meeting GDPR data security requirements
49. What to look for in GDPR-compliant backup and storage (continued)
‒ Ability to search data inside backups
– Ability to drill down through backups, making it easy to find required information on behalf of data subjects
‒ Ability to modify personal data
– Easy way to modify personal data if and when requested by data subjects
– (Caveat: rewriting data inside an immutable or notarised backup conflicts with its integrity guarantee. For erasure requests, ICO guidance accepts putting backup copies “beyond use” until they expire under the retention schedule, with the deletion recorded, rather than editing the backup itself.)
50. What to look for in GDPR-compliant backup and storage (continued)
‒ Data export in a common format
– Ability to export personal data in a common and easily usable format (e.g., ZIP archives) to meet the GDPR data portability requirements
‒ Quick data recovery
51. How Acronis helps your company achieve GDPR compliance
‒ Flexible setting of retention time of data, archival rules, etc.
‒ Extensive logging
‒ Multilayered and highly customizable data access rights
52. How Acronis helps your company achieve GDPR compliance (continued)
‒ Active Protection against ransomware
– Proactively preventing breaches is easier and more cost-effective than suffering breaches and doing the mandatory incident reporting
– Acronis Active Protection™ detects and blocks ransomware attacks and instantly restores any affected data
‒ Blockchain-based data certification
– Acronis Notary™ provides immutable proof of the integrity of protected data using blockchain technology
53. With an economic incentive behind it, new ransomware families appeared fast… (chart; source: F-Secure)
54. Ransomware Big Trends
• Advancing into new operating systems
• Advancing into new platforms and devices
• Ransomware-as-a-Service
• Advanced attack techniques
55. Trend 4: Advanced attack techniques
Each generation of ransomware detection has been answered by a technique that sidesteps it:
Year | Detection approach | Ransomware counter-technique
2010 | Detection of non-signed files | Malware signed by stolen certificate
2014 | Exclude known legitimate system files | Injects into system processes and acts on their behalf
2014 | Protection for Windows only | Attacks Mac OS X and Linux
2016 | Detection by checking file type/header | Only the body of the file is encrypted (header left intact)
2016 | Detection of executable files | Uses scripts and non-malicious executables
2016 | Detection in running Windows system | Infects before Windows starts
2017 | Use of backup to protect against ransomware | Attacks & encrypts different backup files – next-generation ransomware families targeting backup software
57. … Data Protection evolves too – Acronis Active Protection 2.0: Learning Infrastructure
• Acronis Labs – farms of infected and clean processes provide process-behaviour data
• Acronis Customers – provide process-behaviour data
• Acronis Cloud Brain / Acronis Learning Service – model training, parameter optimisation, updated knowledge base
• Acronis Local Knowledge Base – you are protected even without Internet
58. Complete protection against modern techniques – Acronis Active Protection™
Year | Earlier detection approach | Ransomware counter-technique | Active Protection answer
2010 | Detection of non-signed files | Malware signed by stolen certificate | Compromised signatures check
2014 | Exclude known legitimate system files | Injects into system processes and acts on their behalf | Checks for injections in system processes (with machine learning)
2014 | Protection for Windows only | Attacks Mac OS X and Linux | Protection for Windows, Mac and Linux
2016 | Detection by checking file type/header | Only the body of the file is encrypted | Entropy measurement
2016 | Detection of executable files | Uses scripts and non-malicious executables | Both executable and script detection
2016 | Detection in running Windows system | Infects before Windows starts | Pre-boot anti-ransomware protection
2017 | Use of backup to protect against ransomware | Attacks & encrypts different backup files | Self-protection of the backup agent and backup files
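The 2016 row in the two tables above (slides 55 and 58) is the one a file-level check can illustrate: a detector that only inspects the header is fooled when the ransomware leaves the first bytes intact and encrypts the body, and the counter is to measure the entropy of the content rather than trust the magic bytes. The example below is added here to show that check and its failure mode; it is not Acronis code. The magic-byte table, the 64-byte header window, the 7.0 bits/byte threshold and the `prng_bytes` stand-in for ciphertext are all constructed for this example.

```python
import hashlib
import math
from collections import Counter

# Magic bytes for a few formats: (label, natively_compressed). Formats that
# are already compressed (zip-based Office files, PNG, JPEG) are high-entropy
# by nature, so entropy alone cannot distinguish them from ciphertext.
MAGIC = {
    b"%PDF-": ("pdf", False),
    b"{\\rtf": ("rtf", False),
    b"PK\x03\x04": ("zip/docx/xlsx", True),
    b"\x89PNG\r\n\x1a\n": ("png", True),
    b"\xff\xd8\xff": ("jpeg", True),
}
HEADER_LEN = 64          # bytes a header-only detector would look at
ENTROPY_THRESHOLD = 7.0  # bits/byte; prose sits near 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes):
    """Header check on its own: returns (label, natively_compressed) or None."""
    for magic, info in MAGIC.items():
        if data.startswith(magic):
            return info
    return None


def assess_file(data: bytes) -> dict:
    """Combine the header check with entropy of the body after the header window."""
    info = sniff_type(data)
    body_entropy = shannon_entropy(data[HEADER_LEN:])
    high = body_entropy >= ENTROPY_THRESHOLD
    if info is None:
        verdict = "encrypted" if high else "plaintext"
    elif info[1]:
        verdict = "inconclusive"      # compressed format: entropy is not a signal
    elif high:
        verdict = "body-encrypted"    # header intact, content replaced by ciphertext
    else:
        verdict = "plaintext"
    return {"type": info[0] if info else None,
            "body_entropy": round(body_entropy, 3),
            "verdict": verdict}


def prng_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (not for crypto)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed samples (not real files): a normal PDF, the same PDF with only
# its body encrypted, a fully encrypted file, and a zip-based docx.
RECORD = b"Name: Jane Smith, NI AB123456C, DOB 1980-01-01\n"
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n" + RECORD * 200,
    "invoice.pdf (body encrypted)": b"%PDF-1.7\n" + prng_bytes(8192),
    "invoice.pdf.locked": prng_bytes(8192),
    "report.docx": b"PK\x03\x04" + prng_bytes(8192),
}


def scan(samples: dict) -> dict:
    """Verdict per sample; the header-only detector would call all four 'ok' or 'unknown'."""
    return {name: assess_file(data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:32} {verdict}")
```

The "inconclusive" verdict is the honest result for compressed formats, and it is why a file-content check is only one signal: a product-grade detector also watches process behaviour (which process is rewriting many files, how fast, whether it was injected into a trusted one), which is what the remaining rows of the table are about.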
59. Acronis Notary powered by Blockchain – ensuring that data is authentic and unchanged
“Acronis Notary assures that files are unchanged since they were backed up.”
Have confidence of data authenticity:
• A public, secure blockchain ledger verifies the authenticity of files (the ledger records a cryptographic fingerprint of each backed-up file, not the file content itself)
• Backup enables the recovery of the original document
• Acronis Notary provides mathematical assurance that the contents of a file perfectly match the original contents that were backed up
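The "mathematical assurance" in the slide above comes from hashing: a fingerprint of each file is taken at backup time, the fingerprints are anchored somewhere the backup owner cannot later rewrite, and verification means recomputing the hash and comparing. The example below is added to show that mechanism offline; it is not Acronis Notary's code or certificate format. Batching the per-file hashes into a Merkle tree so that one root represents the whole backup set, the sibling-proof layout, and the `FILES` sample are all assumptions of this example; a public ledger would hold only the 32-byte root, and the proof of *when* it was recorded would come from the ledger's block timestamp, which this stand-alone code does not model.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root_and_proofs(leaves):
    """Binary Merkle tree over 32-byte leaf digests.

    Returns (root, proofs): proofs[i] is the list of (sibling_digest,
    sibling_is_left) pairs needed to recompute root from leaves[i].
    An odd-sized level is padded by duplicating its last node.
    """
    if not leaves:
        raise ValueError("nothing to notarise")
    level = list(leaves)
    positions = list(range(len(leaves)))  # where each original leaf sits in `level`
    proofs = [[] for _ in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        for i, pos in enumerate(positions):
            sibling = pos ^ 1                 # partner node at this level
            proofs[i].append((level[sibling], sibling < pos))
            positions[i] = pos // 2
        level = [sha256(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], proofs


def notarise(files: dict) -> dict:
    """Certificate for a backup set: batch root plus per-file digest and proof.

    Only `root` needs to be anchored in a ledger; the rest can live with the backup.
    """
    names = sorted(files)
    leaves = [sha256(files[n]) for n in names]
    root, proofs = merkle_root_and_proofs(leaves)
    return {
        "root": root.hex(),
        "entries": {
            n: {"sha256": leaf.hex(),
                "proof": [(s.hex(), left) for s, left in proof]}
            for n, leaf, proof in zip(names, leaves, proofs)
        },
    }


def verify(data: bytes, entry: dict, root_hex: str) -> bool:
    """Recompute the root from one file and its proof; True only if the bytes are unchanged."""
    h = sha256(data)
    if h.hex() != entry["sha256"]:
        return False
    for sibling_hex, sibling_is_left in entry["proof"]:
        sibling = bytes.fromhex(sibling_hex)
        h = sha256(sibling + h) if sibling_is_left else sha256(h + sibling)
    return h.hex() == root_hex


def check_backup(files: dict, cert: dict) -> dict:
    """{name: verified?} for every file named in the certificate (missing file -> False)."""
    return {n: verify(files.get(n, b""), cert["entries"][n], cert["root"])
            for n in cert["entries"]}


# Constructed sample backup set (not real data).
FILES = {
    "hr/contract-smith.pdf": b"%PDF-1.7 contract for Jane Smith ...",
    "finance/ledger-2017.csv": b"date,amount\n2017-05-01,120.00\n",
    "legal/consent-log.json": b'{"subject":"jane.smith@example.com","consented":true}',
}
CERT = notarise(FILES)

if __name__ == "__main__":
    print("root:", CERT["root"])
    print(check_backup(FILES, CERT))
    tampered = dict(FILES, **{"finance/ledger-2017.csv": b"date,amount\n2017-05-01,12.00\n"})
    print(check_backup(tampered, CERT))
```

The property worth noticing is what the root does and does not prove: it shows that a file is byte-for-byte what was backed up when the root was recorded, and (with three leaves, exercising the odd-level padding) that one file's proof cannot be reused to vouch for another. It says nothing about whether the content was correct in the first place, which is why the slide pairs it with the backup itself for recovery.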
81. DocuSign and GDPR – DocuSign at a glance
• 14+ years of innovation
• Highest-level certifications
• 188 countries, 43 languages
• 13 offices, 5 continents
• 300k+ corporate customers
• 200 million total users
• #1 analyst rated
84. Customer Success – use cases
• Sales – experience significantly improved
• Procurement – contract signing 50x faster
• HR – fastest contract returned in 10 minutes
Customer quotes: “It speeds up the process and makes it more compliant”; “DocuSign has revolutionised how we send out HR contracts at E.ON”; “Steps that previously took days through post now take minutes”
86. Demanding requirements for consent
Under the GDPR, consent must be:
• Freely given
• Specific
• Informed
• Unambiguous
"Consent should be given by a clear affirmative act … such as by a written statement,
including by electronic means, or an oral statement… Silence, pre-ticked boxes or
inactivity should not therefore constitute consent." (Recital 32)
87. Consent will often be required
When collecting or using an individual’s personal information for:
• Using an individual’s sensitive (special category) personal information
• Sending an individual e-marketing
• Sharing an individual’s personal information with independent third parties
88. Consent must be verifiable
Businesses must be able to prove that they obtained the individual's consent, which requires maintaining consent records that can be checked to verify:
1. That the individual has consented;
2. What they consented to; and
3. When they consented
Individuals "shall have the right to withdraw his or her consent at any time… It shall be as easy to withdraw as to give consent." (Art 7(3))
89. Common consent challenges
• Marketing / Sales – Personal information for e-marketing purposes
• HR – Personal information for a job application or for the provision of employee benefits
• Healthcare – Personal information for the purpose of medical studies and clinical trials
• Online – Consenting to the use of cookies and similar tracking technologies
90. Re-contracting with Suppliers
Business must ensure:
• Legacy vendors move to new,
GDPR-compliant, data
protection terms
• Future vendors are also
signed up to GDPR-compliant
terms
100. Case Study: Filestream
ABOUT
Company: Filestream
Headquarters: Berkshire, UK
Founded: 2003
Industry: Software
Website: www.filestreamsystems.co.uk
Partners: DocuSign
Use Case: Sales
EXECUTIVE OVERVIEW
Company’s Top Challenges
• Manual processes – contracts require manual chasing to fulfill terms and conditions
• Not GDPR-ready – holding of personal data is not currently compliant with legislation
• Inadequate security – information sent over email is not as secure as it could be
Reasons for Choosing DocuSign
• Security standards – DocuSign meets and exceeds some of the most stringent US, EU, and global security standards
• Commitment to compliance – DocuSign is actively monitoring regulator guidance and interpretations of key GDPR requirements
• Digitising process – digital signatures remove the need to print and scan paper documents
The Key Benefits
• Quicker signing process – turnaround time is now 40 times faster
• Customer consent – DocuSign’s tools are being utilised to be ready for new legislation coming into force in May 2018
• Data protection – personal data is protected whenever a third party comes in contact with it
TOP BENEFITS ACHIEVED
• 45 minutes – contract turnaround time
• 40x faster – quicker signing experience
• GDPR-ready – DocuSign tools being used for compliance
“I wouldn’t choose any other partner but DocuSign for ease and security” – Paul Day, Technical Director, Filestream