This document outlines the agenda for a conference on GDPR compliance. The agenda includes presentations from legal experts from Microsoft and CommVault, as well as a data protection consultant. Topics that will be discussed include the key changes under GDPR, how to prepare for compliance, managing data proliferation challenges, and the role of the data protection officer. There will also be a question and answer session and networking lunch.
4. Microsoft Partnering With You
for GDPR Compliance
Rebecca Radloff, Head of Legal Microsoft Ireland
February 21, 2017
This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.
6. Providing clarity and consistency for the protection of personal data
The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.
• Enhanced personal privacy rights
• Increased duty for protecting data
• Mandatory breach reporting
• Significant penalties for non-compliance
7. What are the key changes with the GDPR?
Personal privacy. Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Controls and notifications:
• Strict security requirements
• Breach notification obligation
• Appropriate consents for data processing
• Confidentiality
• Recordkeeping
Transparent policies. Transparent and easily accessible policies regarding:
• Notice of data collection
• Notice of processing
• Processing details
• Data retention/deletion
IT and training. Need to invest in:
• Privacy personnel and employee training
• Data policies
• Data Protection Officer (mandatory in the cases set out in Article 37, not by a 250-employee headcount)
• Processor/Vendor contract
8. Microsoft’s commitment to its customers
With our long-standing commitment to security and privacy, you can trust Microsoft to provide the products and services you’ll need as you work toward GDPR compliance. Our goal is to streamline your GDPR compliance through smart technology, innovation, and collaboration.
9. Partnering with you to prepare for GDPR
Microsoft’s goal is to streamline your GDPR compliance through smart technology, innovation, and collaboration. Together we’ll help you build a more secure environment, simplify your compliance with the GDPR, and give you the tools and resources you need to be successful.
Preparing for GDPR
10. What can you do today?
1. Discover: identify what personal data you have and where it resides.
2. Control: manage how personal data is used and accessed.
3. Protect: establish security controls to prevent, detect, and respond to vulnerabilities & data breaches.
4. Report: action data requests and keep required documentation.
5. Review: analyze data and systems, stay compliant and reduce risk.
20. Session Overview
GDPR and the Cloud
• The Data Challenges of GDPR
• The Data Copy Problem
• Managing Data Proliferation
• GDPR and Cloud Adoption
• A Side Benefit of GDPR: Modernisation
21. Data Types - The Challenges
Personal data can be anywhere, and every location must be covered for security, protection, availability, retention, copy management, lifecycle, custody, access and audit.
Structured (application data): CRM systems; ERP applications; financial; marketing; vertical apps e.g. retail; SaaS apps; RDBMS; big data
Semi-structured (application data): email; document management; app file stores
Unstructured (files & folders): NAS; file servers; cloud storage; laptops; mobile devices; personal clouds
22. There is NO Silver Bullet for GDPR
GDPR Components
• Processes: analysis, discovery, process flow, design, management, ongoing review etc.
• Data Management: protection, recovery, availability, retention, lifecycle, location etc.
• Security Management: physical, perimeter, breach/vuln. detection, encryption, access controls, cyber security, education etc.
• Manual Tasks: ops, delivery, configuration, search, retrieval, reporting, redaction etc.
23. There is NO Silver Bullet for GDPR
GDPR Components
More technology silos lead to more manual tasks, and a greater opportunity for human error or misdeed. This increases cost and risk significantly.
25. Data Copies and Silos
Products/Silos: 5 – 10
Potential Data Copies: 50+
• Example shown just for backup & recovery, retention and compliance
• Each data silo = another potential door for a data breach
• More to manage, monitor, report and secure
• Tape is particularly problematic
• Complex search/auditing
[Diagram: the email on one mail server and the files on one file server are copied, replicated, archived and backed up into an archive mailbox, archive backup, compliance copy and compliance replica, Outlook PSTs, file analytics, file archive, datacentre, departmental and remote file servers, endpoint backup, personal cloud & devices, and multiple backups of each.]
26. Storage Consumption
• 45-60% of respondents’ total storage capacity consisted of what is considered “copy data”
• Less than 20% of respondents had a formal copy data strategy; those few that did realised significant reductions in storage capacity growth
Source: IDC CDM Survey, 2016
[Chart: primary data vs. copy data as a share of storage capacity]
27. Database Copies
• 82% of respondents had at least 10 copies of each database
• SQL and Oracle applications were present in 75% of the organisations polled; SAP was in 54% of those polled
Source: IDC CDM Survey, 2016
28. Einstein was Right: Space and Time are Connected!
• 62% of respondents stated that the copy refresh process took half a day or more to execute
• 32% refreshed every few days, with 42% refreshing weekly
• Over 80% of organisations polled used home-grown methods for data masking; less than 5% used off-the-shelf products; the remainder either didn’t know or had no masking tools at all
• 74% of the organisations in the IDC poll expected their storage spending to increase in the next fiscal year
Source: IDC CDM Survey, 2016
30. In Europe, GDPR Demands Fundamental Changes
New GDPR Mandates Require Changes to Storage Management Strategies for All Global Enterprises
• Identify personal data
• Verify whether proper consent was obtained
• Examine backup retention: “Retention should be reduced for systems that contain personal data, and if archiving is not already in place for maintaining these records for governance purposes, then it should be implemented.”
• Implement archiving for governance purposes
Source: Gartner 2016, New GDPR Mandates Require Changes to Storage Management Strategies for All Global Enterprises
31. Backup and Archive Confusion
• Many organisations use archive tools for space management, but still retain backup copies for many years as ‘archives’
• Archives require backup, which often creates a ‘silo inside a silo’
• Tape is still the most used medium for long term storage
• Archive benefit: faster backup and DR
[Diagram: file servers & NAS feeding multiple backups, an archive backup and a file archive, held offsite or with a 3rd party]
A 2016 Gartner straw-poll at a European event revealed that only 4% used the cloud instead of tape for long term retention.
32. The Key Data Management Principles of GDPR, and where Commvault can help
• Right to be forgotten (RTBF, Article 17): locate personal data, almost anywhere
• Data protection by design and by default (Article 25): most comprehensive available
• State-of-the-art (SOTA, Articles 25 & 32): integrated beyond any current competitor
• Ensure ongoing confidentiality, integrity, availability and resilience (Article 32): leading backup/recovery, with on-demand encryption and secure role-based access
• 72 hour data breach notification (Articles 33 & 34): identify what data was compromised, including laptops
• Data minimisation principle (Article 5(1)(c), applied through Article 25): Commvault can reduce and manage data copies
• Defining use cases and managing consent (Articles 6 & 7): N/A for new policies; search after the fact
• Data transfers (Articles 44-50): partial
• Data portability (Article 20): partial
33. The GDPR Breakdown
Complexity Hinders Compliance and Increases Risk
Across legacy systems, data centers, cloud data and SaaS:
PAIN: LACK OF CONTROL AND ANALYSIS
• Archive and search systems create silos
• Lack of common search and collation
• Multiple access controls to manage
• Gaps in coverage present risk
PAIN: VISIBILITY OF EXTERNAL DATA
• Data held externally is difficult to track
• Protection managed by 3rd party
• Limited ability to archive or manage retention
PAIN: BACKUP AND RECOVERY RISKS
• Too many siloed solutions & repositories
• Not easy to set common policies
• Reporting is a challenge
• Variable controls in areas such as auditing
• Complexity leads to gaps in coverage
34. The GDPR Breakthrough
Simply Powerful: An Advanced Data Management Platform
Across legacy systems, data centers, cloud data and SaaS:
GAIN: ROBUST DATA MANAGEMENT
• Data is accessible, organized and indexed
• Complete infrastructure awareness
• Centralised governance and control for hybrid clouds
• Consistent data policies across the enterprise
GAIN: UNIFIED CLOUD BACKUP
• Single solution to backup the whole enterprise
• Automation ensures backup by default
• Easy to report and audit
• Robust, integrated redundancy for archive policies
GAIN: CONTROL OF EXTERNAL DATA
• Backup and archive SaaS data
• Backup and gain visibility of data on mobile devices
• Guard against malware and data breaches
• Provide secure alternative to personal cloud shares
[Diagram: data management platform as an indexed virtual repository, with global, secure dedupe]
35. From Backup & Archive to Information Management
Intelligent Data Management
• Single query searching across backup & archive
• Global data (cost) reduction
Collection: remote & internal end users; email on-premises or cloud; cloud solutions; data center
Access: end user access; Outlook plugin
Analyse:
• Search & preservation
• Content-aware retention management
• Data leakage detection
• Remote search of structured sources
• Rapid response to data subject inquiries
Manage: auto storage tiering across retention tiers from 1 year to 30 years; delete, ZIP, XML, produce or erase
Compliance access: GDPR, FOIA, eDiscovery, data spillage search
36. Audit, Automation and Change & Incident Management
Simple, comprehensive, role based UX
What a single manager really delivers: audit, policies, reports, automation, resilience, efficiency and context, integrated with 3rd party service management.
37. The Recovery Conundrum
A ‘Right to Be Forgotten’ issue
• Applications and unstructured data require different approaches after an outage
• Process management can help in both cases, e.g. service desk systems
[Diagram: a request to be forgotten alongside an outage (corruption) and the recovery that follows it]
Access Without Recovery
• Commvault provides access for apps to mount databases without recovering them; VMs can be started without recovery too
• Unstructured data can be collated for review and subsequent secure deletion
39. GDPR and Cloud Adoption
On-premises: fully under your control
• Data management & security
• Processes, retention, recovery etc.
• Consistent by design
Public cloud and SaaS: controls passed to 3rd parties
• Consistency lost
• Cloud systems must meet the same regulations as on-premises
• Must be within a region that offers ‘similar’ protection as the EU/GDPR
40. Commvault, Azure and O365
• Azure Storage: offsite storage, backup, archive, tape replacement
• Migrate to Azure: simple to ship and convert workloads
• Recovery use-cases: DR, dev & test
• Backup in the cloud
• Backup O365 and ODFB
• Exchange/O365 archive & compliance
• 3rd party SaaS, cloud storage and IaaS also supported
[Diagram: on-premises workloads & data moving to the cloud; backup & archive data landing in Blob Storage; a single point of control, reporting, search etc.]
41. Rationalise Your Cloud Strategy
Governance & insight across your hybrid cloud:
• Cloud disaster recovery
• Enterprise cloud backup
• Cloud migration services
42. Summary
• Get some expert help: Sureskills have the skills, people and relationships you need
• Dealing with GDPR can also help you to meet other regulations, such as FOI, MiFID etc.
• Manage GDPR: accelerate modernisation
48. Reasons for Lack of DP Buy-in
• Organizational culture and attitudes towards Data Protection
• Negative perception of Data Protection
• Data Protection not seen as a boardroom topic
• Higher priority business needs always take pre-eminence over DP
• Not a corporate objective
• DP relegated to the ‘back burner’
• Lack of board level Champions on Data Protection
• Perception that DP is an IT issue, not Management
• No Budget for DP
• Reactive DP risk management
• “It happened to them. It’ll never happen to us. We’re so solid!!”
49. The principle of accountability under GDPR states that the
“Controller shall be responsible for, and be able to demonstrate
compliance with Data Protection Principles/Concepts”.
Article 5(2) GDPR
50. DPO Role in 5 Sentences …
• Proactive involvement in all things DP (Art.38(1))
• Support and resource provision (Art.38(2))
• Independence and objectivity (Art.38(3))
• Uninhibited & unrestricted access to personal data and processing operations (Art.38(2))
• Secrecy and confidentiality (Art.38(5))
51. Management Buy-in Skills Required by DPOs
Communication: written, verbal, nonverbal, visual
Negotiation, conflict management and persuasion: proactive; 6th sense (risk based); timing & context; diplomacy; apolitical; approachable
52. How Can I Ensure Management Buy-in?
• Know your stakeholders
• Have a plan or implementation roadmap
• Have a DP budget; quantify DP issues monetarily
• Audit all data processing activities
• Identify data entry and exit points
• Effectively manage your “gate-keepers”
• Identify high risk areas
• Be proactive and not reactive
• Build bridges not walls – management needs it
• Earn trust, don’t demand it
• Think creatively
• Don’t always say no, but be creative in your response
53. GDPR: Implementation Roadmap
Timeline running from Q1 2017 to Q2 2018, in this order:
• Data analysis & audit
• Strategic privacy planning
• Policy development & review
• Business support & compliance monitoring
• Staff training & awareness
• Go live
57. Getting your Company Ready for GDPR
Brendan Gavin, Senior Associate, Corporate Law
GDPR - Discover The Smart Solution, 21 February 2017
58. Data Protection – Review
Current law based on the 1995 Directive: Data Protection Acts 1988 & 2003:
• Outdated
• Inconsistencies in national implementing laws across the EU
New law: the General Data Protection Regulation (the GDPR)
• Adopted 27 April 2016; currently in a transition period until it applies from 25 May 2018
February 24, 2017
59. Key Changes to the Law
1. Expands Definition of Personal Data
2. Applies to Data Processors
3. Extra-territoriality
4. New Rights for Data Subjects
5. Data Breaches
6. Data Protection Officers
7. Data Protection Impact Assessments
8. Enforcement
60. Personal Data
• GDPR now expressly includes online identifiers such as IP addresses and UDIDs
• Pseudonymous data: relaxed rules apply, because truly anonymous data is very difficult to achieve
• Definition of sensitive data also extended to include genetic and biometric data
• Don’t rely on consent alone: it can be withdrawn and is difficult to manage
• Be clear on your legal basis for processing
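The pseudonymisation point above is easier to see in code. The block below is an added example written for this page, not code from any of the presenters or their products; the sample records, the key and the function names are constructed for illustration. It contrasts an unkeyed hash of an IP address, which anyone can reverse by enumerating the candidate address range, with a keyed HMAC pseudonym that stays linkable for the controller but cannot be recomputed without the key (which is what makes it pseudonymous rather than anonymous):

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample records for this example. The addresses come from the
# RFC 5737 documentation range and the users are invented.
SAMPLE_RECORDS = [
    {"user": "alice@example.com", "ip": "203.0.113.17", "event": "login"},
    {"user": "bob@example.com", "ip": "203.0.113.200", "event": "login"},
    {"user": "alice@example.com", "ip": "203.0.113.17", "event": "download"},
]

# Hypothetical secret held by the controller, separately from the data.
# In a real deployment it lives in a key store, never in source code.
PSEUDONYM_KEY = b"example-key-material-do-not-reuse"


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone can recompute it over
    the candidate input space and link the digest back to the value."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key the digest cannot be
    recomputed, so enumeration of a small input space fails. With the key
    the controller can still link records about the same person."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes, fields=("user", "ip")):
    """Return copies of the records with the given direct identifiers
    replaced by keyed pseudonyms; all other fields are left untouched."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in fields:
            if field in new:
                new[field] = pseudonymise(new[field], key)
        out.append(new)
    return out


def reverse_ip_hash(digest: str, candidate_network: str) -> Optional[str]:
    """Re-identification attempt: recompute the unkeyed hash for every
    address in a candidate range and look for a match. A /24 is 256
    guesses; the whole IPv4 space is only 2**32, well within reach."""
    for addr in ipaddress.ip_network(candidate_network):
        if naive_hash(str(addr)) == digest:
            return str(addr)
    return None


if __name__ == "__main__":
    ip = SAMPLE_RECORDS[0]["ip"]
    print("unkeyed hash reversed to:",
          reverse_ip_hash(naive_hash(ip), "203.0.113.0/24"))
    print("keyed pseudonym reversed to:",
          reverse_ip_hash(pseudonymise(ip, PSEUDONYM_KEY), "203.0.113.0/24"))
    for rec in pseudonymise_records(SAMPLE_RECORDS, PSEUDONYM_KEY):
        print(rec)
```

The keyed output is only as "relaxed-rules" pseudonymous data as the key management around it: whoever holds the key can re-identify every record, so the key belongs with the controller's other secrets, not alongside the dataset it protects.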
61. Data Processors
• Previous law focused obligations on data controllers
• No longer a requirement to register
• Direct obligations now imposed on processors
• Data processors now subject to enforcement and fines
• Mandatory terms for contracts with controllers
62. Territorial Scope
• EU established
• Non – EU established if:
– offering goods and services within the EU or
– monitoring behaviour of EU data subjects
• Transfers of data outside the EU
– EU approved ‘adequacy’ list
– EU-US Privacy Shield
• Know where your data is
63. New Rights for Data Subjects
• Erasure - stemming from the Google ‘right to be forgotten’ case
• Portability – to allow data subjects to transfer data from one controller to another
• Access to your data – a fee can no longer be charged for data access requests (except where a request is manifestly unfounded or excessive), and they must be processed within 1 month (reduced from 40 days previously; extendable by up to two further months for complex requests)
• Right to complain to Data Protection Authorities
• Right to sue for breaches of your rights
64. Data Breaches
• Current law recommends notification to the DPC within 48 hours
• GDPR makes notification of data breaches to the supervisory authority mandatory within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals
• New requirement to notify affected data subjects where the breach is likely to result in a high risk to them
• Now a uniform requirement across Member States; this was previously only the case in the telecoms sector
65. Data Protection Impact Assessments
• Privacy by design – data protection must now be taken into account
when designing new technologies
• Privacy by default – must be able to demonstrate that only personal
data that is necessary for the relevant purposes is being processed
66. Data Protection Officers
• Data Protection Officers will now be mandatory for the following data controllers and processors:
– Public authorities (except for courts acting in a judicial capacity)
– Organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale
– Organisations whose core activities involve large scale processing of sensitive data
67. Enforcement
• Data protection authorities have new investigative powers under the GDPR, including access to premises, conducting audits and issuing fines
• The DPC will have power to issue fines of up to €20,000,000 or 4% of the total worldwide annual turnover of an undertaking for the preceding financial year – whichever is the greater
68. Practical Steps
1. Review all personal data held by your company
2. Review and update all data privacy notices
3. Need to be able to demonstrate compliance
4. Internal code of conduct: implement internal policies and measures which take into account privacy by design and by default
5. Maintain detailed processing records
69. Practical Steps (continued)
6. Spread awareness of the GDPR in your organisation
7. Training, review of checklists, reporting lines etc.
8. Allocate responsibility and budget for data protection compliance
9. Certification – may become available from supervisory authorities
10. Some provisions may take more time to become enforceable, as they will require additional codes/guides to be published