3. Achieving GDPR Compliance
• Location – identifying existing personal data held across the business
• Governance – managing data subject access rights, data storage and use
• Security – protecting against vulnerabilities and breach
• Reporting – for data requests, breaches, and accountability
4. Process track / Technical track: define the requirement, then create the plan
Helping You Achieve Compliance
GDPR Webinars
GDPR Workshops
GDPR Healthcheck
GDPR Assessments
Implementation Clinics
Virtual Services
5. GDPR: Your Journey to
Compliance
Agenda
13:45-14:00 REGISTRATION
14:00-14:15 Welcome & Introduction Michael Frisby, Cobweb MD
14:15-14:45 Introduction to GDPR Sean Huggett, Cybercrowd, CEO & Consultant
14:45-15:00 DocuSign and GDPR Jacqueline de Gernier, AVP Commercial Sales
15:00-15:30 Microsoft and GDPR Jonathan Burnett and Samantha Garrett, Partner Technology Strategists
15:30-15:45 TEA AND PASTRIES
15:45-16:00 TermSet and GDPR Stewart Connors, Head of Customer & Partner Success
16:00-16:15 Acronis and GDPR Ronan McCurtin, Senior Sales Director Northern Europe
16:15-16:30 Mimecast and GDPR David Tweedale, Team Leader
16:30-16:45 QGate and GDPR Rowland Dexter, Managing Director
16:45-17:15 Panel Interview Sean Huggett (Cybercrowd), Jonathan Burnett (Microsoft), Michael Olpin (Cobweb)
Cobweb GDPR Support Package
GDPR Health Check ‘Raffle’
Closing Thoughts
7. Introduction to GDPR
• Came into force on 24th May 2016 – enforceable from 25th May 2018
• EU Regulation – has direct effect – no local legislation required
• Replaces the Data Protection Act 1998 – transposed into law from the Data Protection Directive 1995
• Aims to support the digital single market and give data subjects control over their personal data
• Wide scope & coverage
• Guidance on interpretation and compliance still being developed
• UK Government has confirmed applicability in UK notwithstanding Brexit
8. Key Definitions
Data Controller
• “the natural or legal person… which … determines the purpose and means of the processing of personal data”
Data Processor
• “a natural or legal person… which processes personal data on behalf of the controller”
Data Subject
• “an identified or identifiable natural person”
Personal Data
• “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person
is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data….”
Processing
• “any operation or set of operations which is performed on personal data or on sets of personal data whether or not by
automated means, such as collection, recording, organisation, structuring, storage…”
9. Six Data Protection Principles & Accountability
• Six data protection principles – overview of your most important duties in complying with GDPR
• Introduces ‘accountability principle’ – Data Controllers responsible for being able to demonstrate compliance with the six principles
Personal Data shall be:
1. processed lawfully, fairly and transparently
2. collected for specified, explicit & legitimate purposes
3. adequate, relevant & limited to what is necessary for processing
4. accurate and kept up to date
5. kept only for as long as is necessary for processing
6. processed in a manner that ensures its security
ACCOUNTABILITY
10. Data Subject Rights
Rights to:
• Information - think about Privacy Notices
• Access - think about Subject Access Requests
• Object to Processing
• Rectification
• Erasure – ‘right to be forgotten’
• Restrict Processing
• Data Portability
11. Obligations & International Transfers
Obligations
• Data Protection Officers (DPO)
• Data Protection Impact Assessments (DPIA)
• Data Protection by Design and by Default
• Controller & Processor Records
• Security of Processing
• Breach Notification
• Processor contracts with guarantees that processing will meet the requirements of GDPR
International Transfers – Restricted & Regulated – Conditions to be Met
• Basis of Adequacy
• Appropriate Safeguards
• Binding Corporate Rules (BCRs)
• International Cooperation Mechanisms: EU-US Privacy Shield
12. Remedies & Liabilities
Liabilities
• Administrative Fines – ‘Effective, Proportionate & Dissuasive’
o Higher of 4% of global turnover or €20m for top tier infringements
o Higher of 2% of global turnover or €10m for lower tier infringements
• Warning of likely infringement
• Reprimand for infringement
• Others, including: order data breach communication, order limitations on processing, order rectification/restriction/erasure
Data Subject Remedies
• Right to judicial remedy where their rights have been infringed as a result of the processing of personal data
• Right to compensation – data subjects who have suffered material or non-material damage
• Controller & Processor joint and several liability
• Collective claims / class-action type litigation possible – higher litigation risks
13. Some Practical Steps
1. Understand Personal Data You Hold:
• Data mapping – identify Personal Data held, how it was/is collected, data flows, who has access, where it is stored etc.
• Apply the 6 Principles to the Personal Data you hold.
• Assess the risks to rights and freedoms of data subjects associated with your processing / the personal data you hold.
• Identify transfers to 3rd countries.
2. Review 3rd Party Relationships:
• Identify your 3rd party processors.
• Review the contracts, bring them into compliance – including cloud service providers.
14. 3. Document Your Processing Activities:
• Put the required documentation in place – records of processing activities, records of consent etc.
• Document how you comply with GDPR – demonstrate you are consistently applying best practice.
4. Apply Technical and Organisational Measures:
• Implement strong information governance measures, including policies and procedures covering:
o Data protection
o Information security
o Breach response and notification
• Adopt a ‘Cyber Resilience’ approach covering People, Process & Technology in line with best practice.
• Implement an ISMS / PIMS / Compliance Framework – apply best practice and certify where appropriate
Some Practical Steps
15. Thank you
Speak to a member of the Cobweb team
if you’d like to know more!
16. DocuSign and GDPR
GDPR: Your Journey to Compliance
Jacqueline de Gernier, AVP Commercial Sales
17. Getting to Grips with the GDPR:
How to Fast-Track Your Compliance
19. 14+ Years Innovation
Highest level certifications
188 Countries 43 Languages
13 Offices 5 Continents
300k+ corporate customers
200 million total users
#1 Analyst rated
22. Use cases
• Sales – significantly improved experience
• Procurement – contract signing 50x faster
• HR – fastest contract returned in 10 minutes
• Customer Success
Customer quotes: “It speeds up the process and makes it more compliant”; “DocuSign has revolutionised how we send out HR contracts at E.ON”; “Steps that previously took days through post now take minutes”
24. Demanding requirements for consent
Under the GDPR, consent must be:
• Freely given
• Specific
• Informed
• Unambiguous
"Consent should be given by a clear affirmative act … such as by a written statement,
including by electronic means, or an oral statement… Silence, pre-ticked boxes or
inactivity should not therefore constitute consent." (Recital 32)
25. Consent will often be required
When collecting an individual’s personal information relating to:
• Using an individual’s sensitive personal information
• Sending an individual e-marketing
• Sharing an individual’s personal information with independent third parties
26. Consent must be verifiable
Businesses must be able to prove that they obtained the individual's consent, which requires them to maintain consent records that can be checked to verify:
1. That the individual has consented;
2. What they consented to; and
3. When they consented.
Individuals "shall have the right to withdraw his or her consent at any time… It shall be as easy to withdraw consent as to give consent." (Art 7(4))
27. Common consent challenges
• Marketing / Sales – personal information for e-marketing purposes
• HR – personal information for a job application or for the provision of employee benefits
• Healthcare – personal information for the purpose of medical studies and clinical trials
• Online – consenting to the use of cookies and similar tracking technologies
28. Re-contracting with Suppliers
Business must ensure:
• Legacy vendors move to new, GDPR-compliant, data protection terms
• Future vendors are also signed up to GDPR-compliant terms
38. Case Study: Filestream
Company’s Top Challenges
• Manual processes – contracts require manual chasing to fulfill terms and conditions
• Not GDPR-ready – holding of personal data is not currently compliant with legislation
• Inadequate security – information sent over email is not as secure as it could be
Reasons for Choosing DocuSign
• Security standards – DocuSign meets and exceeds some of the most stringent US, EU, and global security standards
• Commitment to compliance – DocuSign is actively monitoring regulator guidance and interpretations of key GDPR requirements
• Digitising process – digital signatures remove the need to print and scan paper documents
The Key Benefits
• Quicker signing process – turnaround time is now 40 times faster
• Customer consent – DocuSign’s tools are being utilised to be ready for new legislation coming into force in May 2018
• Data protection – personal data is protected whenever a third party comes in contact with it
“I wouldn’t choose any other partner but DocuSign for ease and security” – Paul Day, Technical Director, Filestream
Executive overview – About: Company: Filestream; Headquarters: Berkshire, UK; Founded: 2003; Industry: Software; Website: www.filestreamsystems.co.uk; Partners: DocuSign; Use Case: Sales
Top benefits achieved: 45 minutes contract turnaround time; 40x faster (quicker signing experience); GDPR-ready (DocuSign tools being used for compliance)
40. Microsoft and GDPR
General Data Protection Regulation
Jonathan Burnett, Partner Technology Strategist; Samantha Garrett, Partner Technology Strategist
GDPR: Your Journey to Compliance
41. What are the key changes to address the GDPR?
Personal privacy – Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Controls and notifications – Organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing
Transparent policies – Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
IT and training – Organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts
42. How do I get started?
1. Discover – Identify what personal data you have and where it resides
2. Manage – Govern how personal data is used and accessed
3. Protect – Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report – Keep required documentation, manage data requests and breach notifications
44. (1) Discover: Identify what personal data you have and where it resides
In-scope:
Inventory:
Example solutions
Microsoft Azure
• Microsoft Azure Data Catalog
Enterprise Mobility + Security (EMS)
• Microsoft Cloud App Security
Dynamics 365
• Audit Data & User Activity
• Reporting & Analytics
Office & Office 365
• Data Loss Prevention
• Advanced Data Governance
• Office 365 eDiscovery
SQL Server and Azure SQL Database
• SQL Query Language
Windows & Windows Server
• Windows Search
45. (2) Manage: Govern how personal data is used and accessed
Data governance:
Data classification:
Example solutions
Microsoft Azure
• Azure Active Directory
• Azure Information Protection
• Azure Role-Based Access Control (RBAC)
Enterprise Mobility + Security (EMS)
• Azure Information Protection
Dynamics 365
• Security Concepts
Office & Office 365
• Advanced Data Governance
• Journaling (Exchange Online)
Windows & Windows Server
• Microsoft Data Classification Toolkit
46. (3) Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
Preventing data attacks:
Detecting & responding to breaches:
Example solutions
Microsoft Azure
• Azure Key Vault
• Azure Security Center
• Azure Storage Services Encryption
Enterprise Mobility + Security (EMS)
• Azure Active Directory Premium
• Microsoft Intune
Office & Office 365
• Advanced Threat Protection
• Threat Intelligence
SQL Server and Azure SQL Database
• Transparent data encryption
• Always Encrypted
Windows & Windows Server
• Windows Defender Advanced Threat Protection
• Windows Hello
• Device Guard
47. (4) Report: Keep required documentation, manage data requests and breach notifications
Record-keeping:
Reporting tools:
Example solutions
Microsoft Trust Center
• Service Trust Portal
Microsoft Azure
• Azure Auditing & Logging
• Azure Data Lake
• Azure Monitor
Enterprise Mobility + Security (EMS)
• Azure Information Protection
Dynamics 365
• Reporting & Analytics
Office & Office 365
• Service Assurance
• Office 365 Audit Logs
• Customer Lockbox
Windows & Windows Server
• Windows Defender Advanced Threat Protection
48. GDPR Resources
Microsoft Whitepaper on "Beginning your
GDPR Journey"
Microsoft.com/GDPR
servicetrust.microsoft.com
aka.ms/GDPRblogpost
Data Breach
54. The Challenge
External
• GDPR will require all EU organisations to focus on discovering PII on behalf of customers & former employees
• “Subject Access Request” is not new and will continue
• “Right to be Forgotten” is new & will force organisations to collect all the digital information they hold
Internal
• Organisations’ information is held in multiple IT systems
• Also in non-approved IT systems (shadow IT/BYOD)
• Information is typically held in documents that are structured and unstructured
• Discovering PII is currently a manual process
• This costs organisations time and money
Ongoing breaches & fines
• 49% of organisations had a document breach in the past 2 years*
• 73% of employees are accidentally exposing information stored within documents*
• 63% of organisations claim they are unable to locate sensitive data stored in documents*
*Information taken from the Ponemon Institute Research report May 2017.
55. ScanR – The Solution
Identify and retrieve GDPR Personal Identifiable Information within documents stored in multiple systems.
• Multiple systems
• Discover PII in Office docs, PDF, OCR on the fly
• Generate reports
57. Connect to SharePoint, a File Share or other systems holding the documents where we wish to determine if they contain sensitive data
58. Choose the types of information you would like to discover
• Over 100 pre-defined rules, or you can make your own
• Artificial Intelligence for Pattern Matching
60. Overview Dashboard
• Three data sources read
• ~19k documents read, with 79% containing PII data
• Breakdown of what PII data is contained where
• Locations of the sensitive data
• Which systems contain the most sensitive data
61. Query engine
• Search for information across your data sources
• Immediately see the records that match
• Understand the types of data that contain the information
62. Articles Contained in the GDPR
11 Chapters with 99 Articles
http://www.eugdpr.org/article-summaries.html
ScanR will help you comply with Articles: 5, 15, 16, 17, 18, 20, 24, 30, 32, 35, 42, 44, 45.
• Gain an understanding of where the PII data is located
• Gain an understanding of who has access to it
• Gain an understanding of how long it’s being retained
• Retain personal data for a period of time directly related to the original intended purpose
• Find risky files and take action
• Manage a Subject Access Request
• Request a port of the data
• Request a correction to the data
• Request deletion of the data
63. Summary
ScanR
• Automate the process for discovering PII
• Quickly respond to “Subject Access Request” & “Right to be Forgotten”
• Comply with over 10 of the 99 Articles
Next Step
• Free trial up to 1,000 documents
67. Where Acronis supports GDPR compliance
Key activities:
• Privacy impact assessment
• Data access governance
• Data breach notification / resolution
• Secure storage of active data
• Archiving and deleting
Products: Acronis Backup, Acronis Storage, Acronis Backup Cloud, Acronis Disaster Recovery Service
68. Requirements for GDPR-compliant backup and storage (1)
Requirement – Desirable features – GDPR recitals supported
• Control data storage location – Reporting for compliance – 101: General principles for international data transfers
• Encrypt data securely – Encryption on the device, in transit, and at rest – 78: Appropriate technical and organizational measures; 83: Security of processing
• Browse backups – Drill-down to easily find required data – 63: Right of access; 65: Right of rectification and erasure
• Modify personal data – Easy modification if requested by data subject – 59: Procedures for the exercise of the rights of the data subjects; 63: Right of access; 64: Identity verification; 65: Right of rectification and erasure
• Export data in a common format for easy data portability – ZIP archive for easy portability – 68: Right of data portability
• Recover data quickly – Acronis Instant Restore to deliver 15-second recovery time objectives (RTOs) – 78: Appropriate technical and organizational measures
69. Requirements for GDPR-compliant backup and storage (2)
Requirement – Desirable features – GDPR recitals supported
• Minimize compulsory data breach reporting – Proactive prevention of malware damage to files; specific protection of the Acronis Backup agent to prevent data breach of backups – 85: Notification obligation of breaches to supervisory authority; 86: Notification of data subjects in the case of data breaches; 87: Promptness of reporting / notification; 88: Format and procedures of the notification
• Blockchain-based data certification – Acronis Notary validation of the authenticity and integrity of backups – 78: Appropriate technical and organizational measures
• Backup retention, deletion – Flexible setting of retention time of data, archival rules, etc.; ability to delete backup at any moment – 66: Right to be forgotten
• Logs availability – Logging of operations with data – 82: Record of processing activities [correct?]
• Role-based access – Multilayered and highly customizable data access rights – 63: Right of access [correct?]
• Risk management control – Very flexible backup and Active Protection – 84: Risk evaluation and impact assessment [correct?]
70. What to look for in GDPR-compliant backup and storage
• Data subject control of data storage location
o Individual must have final say as to where personal data is stored: on-premises or in a specific EU-based data center
• Data encryption
o Strong data encryption on-device, in transit and in the cloud
o An entirely automated encryption process, with the data subject as the sole holder of the decryption key, meeting GDPR data security requirements
71. What to look for in GDPR-compliant backup and storage
• Ability to search data inside backups
o Ability to drill down through backups, making it easy to find required information on behalf of data subjects
• Ability to modify personal data
o Easy way to modify personal data if and when requested by data subjects
72. What to look for in GDPR-compliant backup and storage
• Data export in a common format
o Ability to export personal data in a common and easily usable format (e.g., ZIP archives) to meet the GDPR data portability requirements
• Quick data recovery
73. How Acronis helps your company achieve GDPR compliance
• Flexible setting of retention time of data, archival rules, etc.
• Extensive logging
• Multilayered and highly customizable data access rights
74. How Acronis helps your company achieve GDPR compliance
• Active Protection against ransomware
o Proactively preventing breaches is easier and more cost-effective than suffering breaches and doing the mandatory incident reporting
o Acronis Active Protection™ detects and blocks ransomware attacks and instantly restores any affected data
• Blockchain-based data certification
o Acronis Notary™ provides immutable proof of the integrity of protected data using Blockchain technology
75. With an economic incentive to it, new Ransomware families appeared fast… (chart; source: F-Secure)
76. Ransomware Big Trends
Advancing into new operating systems
Advancing into new platforms and devices
Ransomware-as-a-Service
Advanced attack techniques
77. Trend 4: Advanced attack techniques
Detection approach → Ransomware counter-technique
• 2010 – Detection of non-signed files → Malware signed by stolen certificate
• 2014 – Protection for Windows only → Attacks Mac OS X and Linux
• 2014 – Exclude known legitimate system files → Injects into system processes and acts on their behalf
• 2016 – Detection by checking file type/header → Only body of the file is encrypted
• 2016 – Detection of executable files → Uses scripts and non-malicious executables
• 2016 – Detection in running Windows system → Infects before Windows starts
• 2017 – Use of Backup to protect against Ransomware → Attacks & encrypts different backup files
Next Generation Ransomware families targeting Backup software
79. … Data Protection evolves too
Acronis Active Protection 2.0: Learning Infrastructure
• Acronis Labs – infected and clean process farms
• Acronis Customers – provide process behaviour data
• Acronis Cloud Brain – model training, parameter optimisation
• Acronis Learning Service – updated knowledge base
• Acronis Local Knowledge Base – you are protected even without Internet
80. Complete protection against modern techniques
Detection approach → Ransomware counter-technique → Acronis Active Protection™ response
• 2010 – Detection of non-signed files → Malware signed by stolen certificate → Compromised signatures check
• 2014 – Protection for Windows only → Attacks Mac OS X and Linux → Protection for Windows, Mac and Linux
• 2014 – Exclude known legitimate system files → Injects into system processes and acts on their behalf → Checks for injections in system processes (with Machine Learning)
• 2016 – Detection by checking file type/header → Only body of the file is encrypted → Entropy measurement
• 2016 – Detection of executable files → Uses scripts and non-malicious executables → Both executable and scripts detection
• 2016 – Detection in running Windows system → Infects before Windows starts → Pre-Boot anti-ransomware protection
• 2017 – Use of Backup to protect against Ransomware → Attacks & encrypts different backup files
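The “only body of the file is encrypted” row is the case a header-only type check misses. Below is an added Python example (my code, not Acronis’s) that pairs the declared-type check with a Shannon entropy measurement of the body, so a file whose header still matches but whose body has become ciphertext is flagged. The 64-byte header length, the 7.5 bits/byte threshold and the sample files are assumptions constructed for the example; already-compressed formats are reported as inconclusive because compression and encryption both look random.

```python
"""Header-vs-body ransomware encryption check (added example, not Acronis code)."""
import math
import random

HEADER_LEN = 64          # bytes inspected for the declared-type check (assumption)
HIGH_ENTROPY = 7.5       # bits/byte; ciphertext approaches 8.0 (threshold is an assumption)
MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "zip": b"PK\x03\x04",
         "docx": b"PK\x03\x04"}
TEXT_TYPES = {"txt", "csv", "sql", "log"}
COMPRESSED_TYPES = {"png", "zip", "docx", "pdf"}   # already near-random when clean


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant file, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def header_matches(data, ext):
    """True/False when the declared type can be checked, None when it cannot."""
    head = data[:HEADER_LEN]
    if ext in MAGIC:
        return head.startswith(MAGIC[ext])
    if ext in TEXT_TYPES:
        return all(32 <= b < 127 or b in b"\r\n\t" for b in head)
    return None


def assess(data, ext):
    """Classify a file as clean, header-changed, body-encrypted or inconclusive.
    A large file would be sampled in fixed windows rather than read whole."""
    header_ok = header_matches(data, ext)
    body_entropy = shannon_entropy(data[HEADER_LEN:])
    if header_ok is False:
        verdict = "header-changed"      # whole-file encryption: type check alone catches it
    elif ext in COMPRESSED_TYPES:
        verdict = "inconclusive"        # compression and encryption look alike here
    elif body_entropy >= HIGH_ENTROPY:
        verdict = "body-encrypted"      # header intact, body replaced by ciphertext
    else:
        verdict = "clean"
    return {"verdict": verdict, "header_ok": header_ok,
            "body_entropy": round(body_entropy, 2)}


# Constructed samples (no real files are read).
CLEAN_CSV = b"id,name,email\n" + b"".join(
    f"{i},user{i},user{i}@example.com\n".encode() for i in range(200))
_rng = random.Random(7)                        # seeded so results are reproducible
RANDOM = bytes(_rng.getrandbits(8) for _ in range(4096))
WHOLE_ENCRYPTED = RANDOM                       # whole file replaced by ciphertext
BODY_ENCRYPTED = CLEAN_CSV[:HEADER_LEN] + RANDOM   # header kept, body encrypted
PNG_LIKE = MAGIC["png"] + RANDOM               # stand-in for a clean compressed file
```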
81. Acronis Notary powered by Blockchain
Ensuring that data is authentic and unchanged
“Acronis Notary assures that files are unchanged since they were backed up.”
Have confidence of data authenticity:
• A public, secure Blockchain ledger verifies the authenticity of files
• Backup enables the recovery of the original document
• Acronis Notary provides mathematical assurance that the contents of a file perfectly match the original contents that were backed up
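As an added illustration of the idea behind this slide (my code, not Acronis Notary’s implementation): each backed-up file is hashed, the hashes are combined into a Merkle tree, and only the root is published to a ledger; a file’s certificate is its inclusion proof, so anyone holding the file, the proof and the public root can check that the file is byte-for-byte what was backed up. The file contents and the in-memory ledger list are constructed stand-ins.

```python
"""Merkle-tree notarisation with a simulated public ledger (added example; it
illustrates the concept, not Acronis Notary's implementation)."""
import hashlib


def sha256(data):
    return hashlib.sha256(data).digest()


def build_levels(leaves):
    """Bottom-up hash tree; an odd level duplicates its last node to pair up."""
    levels, cur = [], list(leaves)
    while True:
        if len(cur) > 1 and len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append(cur)
        if len(cur) == 1:
            return levels
        cur = [sha256(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)]


def proof_for(levels, index):
    """Sibling hashes from leaf to root, each tagged with whether it sits left."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_proof(leaf, proof, root):
    """Recompute the root from the leaf and its proof; no other file is needed."""
    h = leaf
    for sibling, sibling_is_left in proof:
        h = sha256(sibling + h) if sibling_is_left else sha256(h + sibling)
    return h == root


def notarise(files, ledger):
    """Hash every file, publish only the Merkle root to the ledger and hand each
    file a certificate (its proof plus the ledger entry it anchors to)."""
    names = sorted(files)
    levels = build_levels([sha256(files[n]) for n in names])
    ledger.append(levels[-1][0].hex())          # the only thing made public
    entry = len(ledger) - 1
    return {n: {"ledger_index": entry,
                "proof": [(s.hex(), left) for s, left in proof_for(levels, i)]}
            for i, n in enumerate(names)}


def verify_file(content, cert, ledger):
    """True only if this exact content was in the batch behind the ledger entry."""
    root = bytes.fromhex(ledger[cert["ledger_index"]])
    proof = [(bytes.fromhex(h), left) for h, left in cert["proof"]]
    return verify_proof(sha256(content), proof, root)


# Constructed sample backup set and an in-memory stand-in for a public ledger.
FILES = {"contract.pdf": b"%PDF-1.4 constructed contract body",
         "payroll.csv": b"id,name,salary\n1,A. Example,1000\n",
         "notes.txt": b"meeting notes, constructed sample"}
LEDGER = []
CERTS = notarise(FILES, LEDGER)
```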
82. Thank you
Speak to a member of the Cobweb team
if you’d like to know more!
101. Who are QGate
• A Dynamics 365 implementation partner (UK HQ), est. 1997
• Working with Dynamics CRM since V4 (2007)
• ISV solutions are a key part of our company strategy
• Partner friendly established reseller program
102. The Problem
Duplicate Data
• A primary element of poor data quality
• However, in regard to GDPR specifically: how do you manage personal data when you have multiple instances of the same person?
o Rob Dixon
o Bob Dickson
o Robert Dicksen
o Dixon R
A recent QGate audit showed an average of 7.2% duplication in CRM
104. The Paribus Match Engine
Phonetic Data Matching
• Foto Centre, Photo Center
• Kris Dixon, Chris Dickson, Criss Dicksen
• Cheryl Wiatt, Sheryl Wyiatt, Sherril Wyatt
Synonyms & Abbreviations & Acronym Matching
• Robert, Bob, Bobbie, Rob, Robbie, Roberto
• William, Will, Willy, Bill, Billy
• Richard, Rich, Ric, Dick, Ricky
• International Business Machines, IBM, I.B.M
Data Sequence Variation
• Florida University, University of Florida
• Arizona 1st National Bank, First National Bank of Arizona
• 123 (Flat A) Acacia Avenue, Flat A – 123 Acacia Avenue
Data Segmentation
• QGate Software, Q Gate Software, Q-Gate Software
• GuideMark, Guide Mark, Guide-Mark
• 3Com, 3 Com, 3-Com
Gender Analysis
• Paul v Paula
• Daniel v Danielle
• Jo v Joe
• Andy v Andie
105. The Paribus Match Engine – three CRM contact records
CRM Contact 1: Bill Dixon, Marketing Manager, 1st National Bank of Arizona, 123 Flat A, Acacia Avenue, Phoenix, Arizona
CRM Contact 2: William Dickson, Manager of Marketing, First Bank of Arizona, (Flat A) 123 Acacia Avenue, Phoenix, AZ
CRM Contact 3: Billy Dicksen, Marketing Director, 1st Bank of National Arizona, 123 Acacia Avenue (Flat A), Phoenix, Arizona
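To make the matching techniques of slides 104 and 105 concrete, here is an added Python example (my code, not QGate’s Paribus engine) that applies a Soundex-style phonetic key, a nickname table, gender analysis, segmentation-insensitive comparison and token-set overlap to the three CRM contacts above and reports them as one person. The lookup tables, the 0.75 similarity threshold and the first-letter treatment in the phonetic key are assumptions made for this example.

```python
"""Illustrative fuzzy contact matcher (added example; not QGate's Paribus code)."""
import re
from itertools import combinations

# Constructed sample: the three CRM contacts from the slide, all one real person.
CONTACTS = [
    {"name": "Bill Dixon", "org": "1st National Bank of Arizona",
     "addr": "123 Flat A Acacia Avenue Phoenix Arizona"},
    {"name": "William Dickson", "org": "First Bank of Arizona",
     "addr": "(Flat A) 123 Acacia Avenue Phoenix AZ"},
    {"name": "Billy Dicksen", "org": "1st Bank of National Arizona",
     "addr": "123 Acacia Avenue (Flat A) Phoenix Arizona"},
]
# Hypothetical lookup tables; a real engine carries far larger ones.
NICKNAMES = {"robert": ["bob", "bobbie", "rob", "robbie", "roberto"],
             "william": ["will", "willy", "bill", "billy"],
             "richard": ["rich", "ric", "dick", "ricky"]}
CANONICAL = {n: full for full, nicks in NICKNAMES.items() for n in nicks}
GENDER = {"paul": "m", "paula": "f", "daniel": "m", "danielle": "f",
          "jo": "f", "joe": "m", "andy": "m", "andie": "f"}
ABBREV = {"1st": "first", "az": "arizona"}
STOP = {"of", "the"}
GROUPS = {c: d for letters, d in (("bfpv", "1"), ("cgjkqsxz", "2"), ("dt", "3"),
                                  ("l", "4"), ("mn", "5"), ("r", "6")) for c in letters}


def phonetic_key(word):
    """Soundex-style 4-character key. Unlike classic Soundex the first letter is
    also reduced to its group digit, so Kris/Chris and Foto/Photo share a key."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return ""
    key = last = GROUPS.get(word[0], word[0])
    for ch in word[1:]:
        if ch in "hw":            # h/w carry no code and do not separate duplicates
            continue
        code = GROUPS.get(ch, "")
        if code and code != last:
            key += code
        last = code
    return (key + "000")[:4]


def tokens(text):
    """Lowercase words; punctuation and hyphens split, abbreviations expanded,
    stop words dropped."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return [ABBREV.get(w, w) for w in words if w not in STOP]


def same_person_name(a, b):
    """First names via nickname table + phonetic key; surnames phonetically."""
    fa, *ra = tokens(a)
    fb, *rb = tokens(b)
    if fa in GENDER and fb in GENDER and GENDER[fa] != GENDER[fb]:
        return False                      # gender analysis: Paul is not Paula
    if phonetic_key(CANONICAL.get(fa, fa)) != phonetic_key(CANONICAL.get(fb, fb)):
        return False
    return [phonetic_key(w) for w in ra] == [phonetic_key(w) for w in rb]


def field_similarity(a, b):
    """1.0 when the segmentation-insensitive strings agree (QGate / Q-Gate), else
    the Jaccard overlap of token sets, which ignores sequence variation."""
    ta, tb = tokens(a), tokens(b)
    if "".join(ta) == "".join(tb):
        return 1.0
    sa, sb = set(ta), set(tb)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


def is_duplicate(c1, c2, threshold=0.75):
    """Duplicate if the person's name matches and organisation or address agrees.
    The 0.75 threshold is an assumption chosen for this example."""
    if not same_person_name(c1["name"], c2["name"]):
        return False
    return max(field_similarity(c1["org"], c2["org"]),
               field_similarity(c1["addr"], c2["addr"])) >= threshold


def find_duplicates(contacts):
    return [(i, j) for (i, a), (j, b) in combinations(enumerate(contacts), 2)
            if is_duplicate(a, b)]
```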
106. Paribus Discovery – Identify
A business user can then:
• Review & confirm the matches
• Review & confirm the primary/master record
107. Paribus Discovery – Resolve
The CRM admin user then:
• Uses the plugin to execute the merge/purge process
Paribus CRM Plugin: dedicated Paribus for Microsoft Dynamics CRM plugin responsible for the data cleansing (data merging, purging and consolidation) of CRM data.
109. Paribus Interactive
The user does what they do today: just enter data. As they do, Paribus Interactive searches for potential duplicates and highlights the possibility. The more information is entered, the more the search is refined.
110. Paribus Interactive
Note the results are from multiple entities. Click to see the results; you can navigate direct to the record.
111. Summary
Paribus Discovery IDENTIFIES duplicate data
Within Dynamics 365 able to REMOVE (merge/purge)
Open API to build your own removal process plugin
Export results to feed into an external process
Paribus Interactive for Dynamics 365
A hosted SaaS-based service providing fuzzy SEARCH and LOOKUP functions.
www.paribuscloud.com
info@paribuscloud.com
Rowland.dexter@qgate.co.uk
112. Thank you
Speak to a member of the Cobweb team
if you’d like to know more!
113. Panel Interview
Host – Caroline Wigley (Cobweb),
Sean Huggett (Cybercrowd), Jonathan Burnett (Microsoft), Michael Olpin
(Cobweb Finance Director)
GDPR: Your Journey to Compliance