
SureSkills GDPR - Discover the Smart Solution

In today’s digital business, information is currency. But is your data really protected and delivering value? How can you gain competitive advantage, while ensuring you stay compliant with the onerous upcoming EU General Data Protection Regulation?



  1. GDPR – Discover the Smart Solution. Be tomorrow ready. © 2017 SureSkills
  2. Agenda: 8:30–9:00 Registration; 9:00–9:10 Welcome and opening remarks, Kevin Reid, SureSkills CTO; 9:10–9:30 Rebecca Radloff, Head of Legal @ Microsoft, Partnering with You for GDPR Compliance; 9:30–9:50 Kevin Reid, SureSkills CTO, The role of IT and technology in Data Protection; 9:50–10:10 Nigel Tozer, Solutions Marketing Director @ CommVault, Meeting the challenges of GDPR in a Hybrid Cloud; 10:10–10:20 Coffee break; 10:20–10:40 Lanre Oluwatona, Data Protection Consultant @ ICS Skills, The role of the Data Protection Officer and getting Management Buy-in; 10:40–11:00 Brendan Gavin, Senior Associate @ Byrne Wallace, How to get ready for GDPR Compliance; 11:00–11:30 Q & A; 11:30–12:30 Lunch & Networking
  3. Welcome: plan for the day; presenter introduction; problem statement: data growth, speed of change, stealth IT / distributed compute and storage environments, budget constraints (people and technology), existing regulations & audit compliance, upcoming regulation (GDPR)
  4. Microsoft: Partnering With You for GDPR Compliance. Rebecca Radloff, Head of Legal, Microsoft Ireland, February 21, 2017. This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.
  5. Providing clarity and consistency for the protection of personal data: enhanced personal privacy rights; increased duty for protecting data; mandatory breach reporting; significant penalties for non-compliance. The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.
  6. What are the key changes with the GDPR? Four areas: personal privacy, controls and notifications, transparent policies, IT and training. Individuals have the right to: access their personal data; correct errors in their personal data; erase their personal data; object to processing of their personal data; export personal data. Organizations need to invest in: privacy personnel and employee training; data policies; Data Protection Officer (if 250+ employees); processor/vendor contracts; strict security requirements; breach notification obligation; appropriate consents for data processing; confidentiality; recordkeeping. Transparent and easily accessible policies regarding: notice of data collection; notice of processing; processing details; data retention/deletion.
  8. Partnering with you to prepare for GDPR. Microsoft's goal is to streamline your GDPR compliance through smart technology, innovation, and collaboration. Together we'll help you build a more secure environment, simplify your compliance with the GDPR, and give you the tools and resources you need to be successful.
  9. What can you do today? (1) Discover: identify what personal data you have and where it resides. (2) Control: manage how personal data is used and accessed. (3) Protect: establish security controls to prevent, detect, and respond to vulnerabilities & data breaches. (4) Report: action data requests and keep required documentation. (5) Review: analyze data and systems, stay compliant and reduce risk.
  11. Protect devices with industry-leading encryption, anti-malware technologies, and identity and access solutions
  12. Safeguard customer data in the cloud, including personal data, with industry-leading security measures and privacy policies
  13. Secure your IT environment and achieve compliance with enterprise-grade user and administrative controls
  14. Protect customer data both in the cloud and on-premises, with industry-leading security capabilities
  16. The Role of IT and Technology in Data Protection: what do we mean by data protection; what is happening in the market; key requirements to implement data protection; who does what and how; SureSkills BaaS; service onboarding
  17. Meeting the Challenges of GDPR in a Hybrid Cloud. February 2017. © 2017 Commvault Systems, Inc. All rights reserved.
  18. Session Overview, GDPR and the Cloud: the data challenges of GDPR; the data copy problem; managing data proliferation; GDPR and cloud adoption; a side benefit of GDPR: modernisation
  19. Data Types, The Challenges: personal data can be anywhere. Structured application data: CRM systems, ERP applications, financial, marketing, vertical apps (e.g. retail), SaaS apps, RDBMS, big data. Semi-structured application data: email, document management, app file stores. Unstructured files & folders: NAS, file servers, cloud storage, laptops, mobile devices, personal clouds. Concerns common to all three: security, protection, availability, retention, copy management, lifecycle, custody, access, audit.
  20. There is NO Silver Bullet for GDPR. GDPR components: Processes: analysis, discovery, process flow, design, management, ongoing review etc. Data management: protection, recovery, availability, retention, lifecycle, location etc. Security management: physical, perimeter, breach/vulnerability detection, encryption, access controls, cyber security, education etc. Manual tasks: ops, delivery, configuration, search, retrieval, reporting, redaction etc.
  21. There is NO Silver Bullet for GDPR (continued): more technology silos lead to more manual tasks, and a greater opportunity for human error or misdeed. This increases cost and risk significantly.
  22. Compliance is Simpler with Less Data
  23. Data Copies and Silos. Example shown just for backup & recovery, retention and compliance: 5–10 products/silos, 50+ potential data copies. Each data silo is another potential door for a data breach; more to manage, monitor, report and secure; tape is particularly problematic; complex search/auditing. (Diagram: a mail server, datacentre file servers, departmental and remote file servers, and personal cloud & devices each fan out into mailbox archive, mailbox backup, compliance archive, compliance replica, archive backup, multiple backups, Outlook PSTs, file archive, file analytics, endpoint backup and server backup copies.)
  24. Storage Consumption: 45–60% of respondents' total storage capacity consisted of what is considered "copy data". Less than 20% of respondents had a formal copy data strategy; those few that did realised significant reductions in storage capacity growth. (Chart: primary data vs copy data.) Source: IDC CDM Survey, 2016
  25. Database Copies: 82% of respondents had at least 10 copies of each database. SQL and Oracle applications were present in 75% of the organisations polled; SAP was in 54% of those polled. Source: IDC CDM Survey, 2016
  26. Einstein was Right: Space and Time are Connected! 62% of respondents stated that the copy refresh process took half a day or more to execute; 32% refreshed every few days, with 42% refreshing weekly; over 80% of organisations polled used home-grown methods for data masking, less than 5% used off-the-shelf products, and the remainder either didn't know or had no masking tools at all; 74% of these organisations in the IDC poll expected their storage spending to increase in the next fiscal year. Source: IDC CDM Survey, 2016
  27. So How DO You Deal With Data Proliferation?
  28. In Europe, GDPR Demands Fundamental Changes. Source: Gartner 2016, "New GDPR Mandates Require Changes to Storage Management Strategies for All Global Enterprises": identify personal data; verify whether proper consent was obtained; examine backup retention ("Retention should be reduced for systems that contain personal data, and if archiving is not already in place for maintaining these records for governance purposes, then it should be implemented."); implement archiving for governance purposes.
  29. Backup and Archive Confusion: many organisations use archive tools for space management, but still retain backup copies for many years as 'archives'; archives require backup, which often creates a 'silo inside a silo'; tape is still the most used medium for long-term storage. A 2016 Gartner straw poll at a European event revealed that only 4% used the cloud instead of tape for long-term retention. (Diagram: file servers & NAS feeding multiple backups and a file archive, with an offsite or 3rd-party archive backup; benefit: faster backup and DR.)
  30. The Key Data Management Principles of GDPR, and where Commvault can help: right to be forgotten (RTBF, Article 17): locate personal data, almost anywhere; data protection by design and by default (Article 25): most comprehensive available; state-of-the-art (SOTA, Articles 25 & 32): integrated beyond any current competitor; ensure ongoing confidentiality, integrity, availability and resilience (Article 32): leading backup/recovery, with on-demand encryption and secure role-based access; 72-hour data breach notification (Articles 33 & 34): identify what data was compromised, including laptops; data minimisation principle (Article 25): Commvault can reduce and manage data copies; defining use cases and managing consent (Article 6): N/A for new policies, search after the fact; data transfers (Articles 44–50): partial; data portability (Article 20): partial.
  31. The GDPR Breakdown: Complexity Hinders Compliance and Increases Risk (across legacy systems, data centers, cloud data and SaaS). Pain, lack of control and analysis: archive and search systems create silos; lack of common search and collation; multiple access controls to manage; gaps in coverage present risk. Pain, visibility of external data: data held externally is difficult to track; protection managed by a 3rd party; limited ability to archive or manage retention. Pain, backup and recovery risks: too many siloed solutions & repositories; not easy to set common policies; reporting is a challenge; variable controls in areas such as auditing; complexity leads to gaps in coverage.
  32. The GDPR Breakthrough, Simply Powerful: An Advanced Data Management Platform (indexed virtual repository; global, secure dedupe) spanning legacy systems, data centers, cloud data and SaaS. Gain, robust data management: data is accessible, organized and indexed; complete infrastructure awareness; centralised governance and control for hybrid clouds; consistent data policies across the enterprise. Gain, unified cloud backup: single solution to back up the whole enterprise; automation ensures backup by default; easy to report and audit; robust, integrated redundancy for archive policies. Gain, control of external data: back up and archive SaaS data; back up and gain visibility of data on mobile devices; guard against malware and data breaches; provide a secure alternative to personal cloud shares.
  33. From Backup & Archive to Information Management: intelligent data management with single-query searching across backup & archive, global data (cost) reduction and automatic storage tiering (1-year to 30-year tiers). Collection from remote & internal end users, email, on-premises or cloud solutions and the data center, with end-user access through an Outlook plugin. Analyse: search & preservation; content-aware retention management; data leakage detection; remote search of structured sources; rapid response to data subject inquiries. Manage: delete, produce or erase. Compliance access (XML/ZIP export) for GDPR, FOIA, eDiscovery and data-spillage search.
  34. Audit, Automation and Change & Incident Management, what a single manager really delivers: a simple, comprehensive, role-based UX; audit; policies; reports; automation; resilience; efficiency; single-manager context; 3rd-party service management.
  35. The Recovery Conundrum, a 'Right to Be Forgotten' issue (diagram: request to be forgotten, then outage/corruption, then recovery, then a question mark). Applications and unstructured data require different approaches after an outage; process management can help in both cases, e.g. service desk systems. Access without recovery: Commvault provides access for apps to mount databases without recovering them, and VMs can be started without recovery too; unstructured data can be collated for review and subsequent secure deletion.
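The conundrum on this slide, an erasure that a later restore quietly undoes, is a control gap: the erasure is applied to the live copy but to none of the 50+ backup copies counted earlier in the deck, so restoring any of them resurrects the subject. The Python below is an added example, not Commvault's or SureSkills' code, and assumes no product API; it shows the process control the slide hints at (service-desk tracking of requests) as an append-only erasure register, keyed by an HMAC of the subject identifier so the register does not itself retain the identifier, which is replayed against any restored data set before it goes back into service. The records, the register key and the ticket numbers are constructed for the demo.

```python
"""Replaying 'right to be forgotten' erasures after a restore.

Added example (not Commvault's or SureSkills' code). A constructed CRM table
is backed up, an erasure request is then actioned on the live copy, and a
later corruption forces a restore from the pre-erasure backup. A naive
restore resurrects the erased subject; replaying an erasure register over
the restored set does not.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Hypothetical register key (constructed for the demo). In production it
# lives in a KMS/HSM; the register stores HMACs, not the identifiers.
REGISTER_KEY = b"demo-register-key-do-not-use"


def subject_token(subject_id: str) -> str:
    """Keyed hash of the subject identifier, so the register is not itself
    a plaintext list of the people who asked to be forgotten."""
    return hmac.new(REGISTER_KEY, subject_id.lower().encode(), hashlib.sha256).hexdigest()


class ErasureRegister:
    """Append-only log of actioned erasure requests (token, ticket, time)."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    def record(self, subject_id: str, ticket: str) -> None:
        self.entries.append({
            "token": subject_token(subject_id),
            "ticket": ticket,
            "erased_at": datetime.now(timezone.utc).isoformat(),
        })


def erase_subject(records: List[dict], subject_id: str) -> List[dict]:
    """Erase from the live data set (the part every organisation does)."""
    token = subject_token(subject_id)
    return [r for r in records if subject_token(r["email"]) != token]


def replay_erasures(restored: List[dict], register: ErasureRegister) -> Tuple[List[dict], List[str]]:
    """Apply every registered erasure to a restored data set before it goes
    back into service. Returns the cleaned records and the tickets that had
    to be re-applied, for the audit trail."""
    by_token = {e["token"]: e["ticket"] for e in register.entries}
    kept, reapplied = [], set()
    for r in restored:
        ticket = by_token.get(subject_token(r["email"]))
        if ticket is None:
            kept.append(r)
        else:
            reapplied.add(ticket)
    return kept, sorted(reapplied)


def demo() -> dict:
    """Walk the conundrum end to end on constructed data."""
    live = [
        {"email": "ana@example.org", "plan": "gold"},
        {"email": "bob@example.org", "plan": "basic"},
        {"email": "cy@example.org", "plan": "basic"},
    ]
    backup = json.loads(json.dumps(live))          # backup taken BEFORE the erasure
    register = ErasureRegister()
    live = erase_subject(live, "bob@example.org")  # erasure actioned on the live copy
    register.record("bob@example.org", ticket="SD-1042")

    restored = json.loads(json.dumps(backup))      # corruption -> restore from backup
    naive_has_bob = any(r["email"] == "bob@example.org" for r in restored)
    cleaned, reapplied = replay_erasures(restored, register)
    clean_has_bob = any(r["email"] == "bob@example.org" for r in cleaned)
    register_leaks_id = any("bob" in json.dumps(e) for e in register.entries)
    return {
        "live_after_erasure": len(live),
        "naive_restore_has_bob": naive_has_bob,
        "clean_restore_has_bob": clean_has_bob,
        "reapplied_tickets": reapplied,
        "register_holds_plaintext_id": register_leaks_id,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The register has to outlive every backup copy that predates the erasure, which is the practical reason behind the Gartner advice quoted earlier to shorten retention on systems holding personal data; and the replay must run on every restore path (database, VM, file share, the mounted-without-recovery cases on this slide), not only the one the service desk remembers.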
  36. GDPR and the Cloud
  37. GDPR and Cloud Adoption. On-premises, fully under your control: data management & security; processes, retention, recovery etc.; consistent by design. Public cloud and SaaS, controls passed to 3rd parties: consistency lost; cloud systems must meet the same regulations as on-premises; must be within a region that offers 'similar' protection to the EU/GDPR.
  38. Commvault, Azure and O365: Azure Storage for offsite storage, backup, archive and tape replacement; migrate to Azure, simple to ship and convert workloads; recovery use-cases: DR, dev & test; backup in the cloud; back up O365 and ODFB (OneDrive for Business); Exchange/O365 archive & compliance; 3rd-party SaaS, cloud storage and IaaS also supported. (Diagram: on-premises workloads & data moved to the cloud; backup & archive data in Blob Storage; a single point of control, reporting, search etc.)
  39. Rationalise Your Cloud Strategy: governance & insight across your hybrid cloud, covering cloud disaster recovery, enterprise cloud backup and cloud migration services.
  40. Summary: get some expert help, SureSkills have the skills, people and relationships you need; dealing with GDPR can also help you to meet other regulations, such as FOI, MiFID etc.; manage GDPR: accelerate modernisation.
  41. Thank You. @NigelTozer
  42. Role of the Data Protection Officer in Obtaining Management Buy-in. Lanre Oluwatona, Irish Computer Society
  43. Data Protection Principles Rebranded: accountability; lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity & confidentiality.
  44. Reasons for Lack of DP Buy-in: organizational culture and attitudes towards data protection; negative perception of data protection; data protection not seen as a boardroom topic; higher-priority business needs always take pre-eminence over DP; not a corporate objective; DP relegated to the 'back burner'; lack of board-level champions on data protection; perception that DP is an IT issue, not management; no budget for DP; reactive DP risk management; "It happened to them. It'll never happen to us. We're so solid!!"
  45. The principle of accountability under GDPR states that the "Controller shall be responsible for, and be able to demonstrate compliance with Data Protection Principles/Concepts". Article 5(2) GDPR
  46. DPO Role in 5 Sentences: proactive involvement in all things DP, Art. 38(1); support and resource provision, Art. 38(2); independence and objectivity, Art. 38(3); uninhibited & unrestricted access, Art. 38(3 part B); secrecy and confidentiality, Art. 38(3 part B)
  47. Management Buy-in Skills Required by DPOs: proactive; 6th sense (risk-based); timing & context; diplomacy; apolitical; approachable; communication (written, verbal, nonverbal, visual); negotiation; conflict management; persuasion.
  48. How Can I Ensure Management Buy-in? Know your stakeholders; have a plan or implementation roadmap; have a DP budget and quantify DP issues monetarily; audit all data processing activities; identify data entry and exit points; effectively manage your "gate-keepers"; identify high-risk areas; be proactive and not reactive; build bridges not walls, management needs it; earn trust, don't demand it; think creatively; don't always say no, but be creative in your response.
  49. GDPR: Implementation Roadmap, Q1 2017 through Q2 2018 (go live): data analysis & audit; strategic privacy planning; policy development & review; business support & compliance monitoring; staff training & awareness; go live.
  50. Contact
  51. Getting your Company Ready for GDPR. Brendan Gavin, Senior Associate, Corporate Law. GDPR – Discover The Smart Solution, 21 February 2017
  52. Data Protection, Review. Current law based on the 1995 Directive, the Data Protection Acts 1988 & 2003: outdated; inconsistencies in national implementing laws across the EU. New law, the General Data Protection Regulation (the GDPR): adopted 27 April 2016; currently in a grace period until it comes into force on 25 May 2018. (Slides dated February 24, 2017.)
  53. Key Changes to the Law: (1) expands the definition of personal data; (2) applies to data processors; (3) extra-territoriality; (4) new rights for data subjects; (5) data breaches; (6) data protection officers; (7) data protection impact assessments; (8) enforcement
  54. Personal Data: GDPR now expressly includes IP addresses and UDIDs; pseudonymous data (truly anonymous data is very difficult to achieve) gets relaxed rules; the definition of sensitive data is also extended to include genetic and biometric data; don't rely on consent, it can be revoked and is difficult to regulate; be clear on your legal basis for processing
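The remark that truly anonymous data is very hard to achieve has a concrete technical face. Hashing an IP address or an e-mail address is routinely sold as anonymisation, but the input space is small enough to enumerate, so an unkeyed hash is reversible and the output is still personal data. The Python below is an added example, not part of the original slides: it runs that brute-force reversal against plain SHA-256, then shows the keyed alternative (HMAC) that turns the same transformation into pseudonymisation in the Article 4(5) sense, where re-identification needs the separately held key. The key, the addresses and the candidate dictionary are constructed for the demo.

```python
"""Hashing is not anonymisation; keyed hashing is pseudonymisation.

Added example, not part of the original slides. Demonstrates that an unkeyed
SHA-256 of an IPv4 address or e-mail address (both personal data under the
GDPR, as the slide notes) can be reversed by enumerating candidates, while
an HMAC with a separately held key cannot be reversed that way. Key, sample
addresses and the candidate dictionary are constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
import itertools
from typing import Iterable, Optional


def plain_hash(value: str) -> str:
    """What 'we anonymise IPs by hashing them' usually means in practice."""
    return hashlib.sha256(value.encode()).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym. The key is the 'additional information' of
    Article 4(5): kept separately, it is what allows re-identification."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def reverse_ipv4_hash(target_hex: str, subnet: str) -> Optional[str]:
    """Brute-force an unkeyed hash of an IPv4 address. The demo walks one
    /24; the whole IPv4 space is only 2**32 candidates, which commodity
    hardware finishes in minutes."""
    for ip in ipaddress.ip_network(subnet):
        if plain_hash(str(ip)) == target_hex:
            return str(ip)
    return None


def reverse_email_hash(target_hex: str, local_parts: Iterable[str], domains: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unkeyed hash of an e-mail address, using
    candidate local parts (e.g. a staff list) crossed with known domains."""
    for local, domain in itertools.product(local_parts, domains):
        candidate = f"{local}@{domain}"
        if plain_hash(candidate) == target_hex:
            return candidate
    return None


def demo() -> dict:
    key = b"hypothetical-key-held-by-the-dpo"   # constructed; never hard-code in production
    ip, email = "192.0.2.77", "ana.byrne@example.org"   # constructed sample identifiers

    # 1. 'Anonymised' with a plain hash: both values come straight back.
    ip_from_hash = reverse_ipv4_hash(plain_hash(ip), "192.0.2.0/24")
    email_from_hash = reverse_email_hash(
        plain_hash(email),
        local_parts=["ana.byrne", "bob.gavin", "cy.reid"],
        domains=["example.org", "example.com"],
    )

    # 2. Pseudonymised with HMAC: the same enumeration finds nothing,
    #    because an attacker cannot compute candidates without the key.
    ip_pseudo = pseudonymise(ip, key)
    ip_from_pseudo = reverse_ipv4_hash(ip_pseudo, "192.0.2.0/24")

    return {
        "ip_from_hash": ip_from_hash,
        "email_from_hash": email_from_hash,
        "ip_from_pseudo": ip_from_pseudo,
        # Deterministic by design (same key -> same pseudonym), which is
        # what makes cross-data-set linkage possible: use per-purpose keys.
        "same_key_links": pseudonymise(ip, key) == ip_pseudo,
        "other_key_differs": pseudonymise(ip, b"another-purpose-key") != ip_pseudo,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats the code makes visible: the pseudonym is deterministic, so one key shared across data sets lets records be linked (a per-purpose key limits that), and the key is exactly the "additional information" the Regulation requires to be kept separately, so it belongs in a KMS or HSM with access logged, not in the same database as the pseudonymised data.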
  55. Data Processors: previous law focused obligations on data controllers; no longer a requirement to register; direct obligations now imposed on processors; data processors now subject to enforcement and fines; mandatory terms for contracts with controllers
  56. Territorial Scope: EU-established organisations; non-EU-established organisations if offering goods and services within the EU or monitoring the behaviour of EU data subjects; transfers of data outside the EU via the EU-approved 'adequacy' list or the EU-US Privacy Shield; know where your data is
  57. New Rights for Data Subjects: erasure, stemming from the Google right-to-be-forgotten case; portability, to allow data subjects to transfer data from one controller to another; access to your data: controllers can no longer charge for data access requests, and requests must be processed within 1 month (reduced from 40 days previously); right to complain to data protection authorities; right to sue for breaches of your rights
  58. Data Breaches: current law recommends notification to the DPC within 48 hours; GDPR makes notification of data breaches mandatory within 72 hours; new requirement to notify affected data subjects; now a uniform requirement across Member States, where previously this was only the case in the telecoms sector
  59. Data Protection Impact Assessments: privacy by design, data protection must now be taken into account when designing new technologies; privacy by default, you must be able to demonstrate that only personal data necessary for the relevant purposes is being processed
  60. Data Protection Officers will now be mandatory for the following data controllers and processors: public authorities (except for courts acting in a judicial capacity); organisations whose core activities involve large-scale systematic monitoring of data subjects; organisations whose core activities involve large-scale processing of sensitive data
  61. Enforcement: data protection authorities have new investigative powers under the GDPR, including access to premises, conducting audits and issuing fines; the DPC will have the power to issue fines of up to €20,000,000 or 4% of the total annual turnover of an undertaking, whichever is the greater
  62. Practical Steps: (1) review all personal data held by your company; (2) review and update all data privacy notices; (3) be able to demonstrate compliance; (4) internal code of conduct: implement internal policies and measures which take into account privacy by design and by default; (5) maintain detailed processing records
  63. Practical Steps (continued): (6) spread awareness of the GDPR in your organisation; (7) training, review of checklists, reporting lines etc.; (8) allocate responsibility and budget for data protection compliance; (9) certification may become available from supervisory authorities; (10) some provisions may take more time to become enforceable as they will require additional codes/guides to be published
  64. Thank You. Brendan Gavin, Senior Associate, Corporate Law. T: +353 1 691 5284 E:
  65. Thank you, SureSkills. SureSkills Ireland: 14 Fitzwilliam Place, Dublin 2, D02 W025, Ireland; Sales +353 1 240 2262; Reception +353 1 240 2222; Fax +353 1 240 2233. SureSkills N. Ireland: Callender House, 58–60 Upper Arthur Street, Belfast BT1 4GJ, United Kingdom; Sales +44 28 9093 5565; Reception +44 28 9093 5555; Fax +44 28 9093 5566. SureSkills Canada: 1 Rideau St #748, Ottawa, ON K1N 8S7, Canada; Toll Free +1 855 278 7555. SureSkills USA: Suite 200, 7000 N. Mopac Expressway, Austin, TX 78731, USA; Toll Free +1 855 278 7555.