Getting ready for GDPR
Philipp Hobler
EMEA Field CTO, Global Technology Office
Dell EMC Data Protection Solutions
GDPR Background
- Single EU-wide Regulation
- Harmonizes Global User Data Protection across all EU member states
- Regulation = Directly Applicable
- Extra-territorial applicability
- All companies processing user data in EU
WHAT IS GDPR?
- On 25th May 2018 an evolution of the EU Data Protection Directive, the General Data Protection Regulation (GDPR), will come into force
- Applies to all companies worldwide that collect, process and deal with personal data for citizens of 28 European Union (EU) Countries
- "You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have." Source: UK Data Regulator, Information Commissioner's Office (ICO), March 2016
- Any non-EU company working with personal data relating to EU Citizens will have to comply with GDPR, including Great Britain even after it leaves the EU
- Significant monetary fines for non-compliance of up to Euro 20 Million or 4% of annual global turnover
GDPR Scope
- Broad Scope
- Applies to personal data of EU Citizens
- Applies to any processing
- Personal Data: Information relating to an identified or identifiable natural person (data subject): name, identification number, location data, online identifier or factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- Processing: Any (set of) operation(s) which is performed on (sets of) personal data: collection, recording, organization, structuring, storage, adaption,
Regulation Highlights & Stats
Reach
- Applies to all EEA Member States
- Applies to both Data Controllers and Data Processors (such as cloud providers)
- Non-EU based companies are also impacted
Rights
- Centred around Privacy as a Human Right and the Subject
- Extended Right to be forgotten
- A New Right to Data Portability
- Enhanced Data Subject Access Right (DSAR)
Data Protection Impact Assessment
- Must be undertaken for certain data processing activities
- Creates increased flow down obligations from data controller to data processor
- Sound DPIA execution will improve overall compliance
Privacy by Design
- Enhanced to minimise data collection
- Stricter rules on retention
- Increased consent from consumers
- A "less is more" mentality for data collection and usage
Breach Reporting
- Notification of Data Loss within 72 hours of awareness
- Both local authorities and consumer must be notified
ROLE OF DPO
The GDPR Enforcement Regime
- European Data Protection Board
- Supervisory Authority (National Level)
- Data Protection Officer (DPO)
  - Obligation to appoint
  - Processing carried out by a public authority
  - Conducts large scale of systematic monitoring
  - Auditing on a regular basis
- Data Protection Officer (Company Level)
Data Focused View
- End-User Data
- Public Cloud
- Remote Offices
- Data Center
GDPR Compliance
- Data Use/Consent
- Right of Access
- Right to Be Forgotten
- Cross-Border Transfers
- Cybersecurity
Search / Access, Data Deletion & Migration, Audited Retention, Choice of Cloud Locations, Private Clouds, Data Security, Consulting Services
How can Dell help with its Data Protection Solutions?
GDPR Focus Areas
1. Data Search / Indexing
2. Data Extraction (Right of Access)
3. Data Erasure (Right to be forgotten)
4. Data Minimization / Retention
5. Cross-border transfer limitations
Potential Solutions: Search Enhancements
- Description: Index content and backups; develop searches to reasonably identify content specific to individuals making requests
- GDPR Focus: Right of Access, Right to be forgotten
- DPS Offerings: DP Search, SourceOne, Mozy, Isilon Search
Data Search: DP Search
- Search capability for backup data
- Included as part of Data Protection Suite
- Process content from multiple input sources
  - Avamar and NetWorker Servers in Data Protection Suite
- Support cross-server and cross-platform searches
- Supported actions on search hits
  - Preview, Download, Restore
Data Search: DP Search (Continued)
- Narrow down search scope
- Unified Search
- Yield search results fast
- Visualize search results
- Google-like interface
Use Case: Recover to File Share
- Alex unable to locate his files
- IT comes to rescue
- IT finds the file within minutes with Data Protection Search
- IT extracts the files and sends over to Alex
Data Archiving and Indexing
Dell EMC SourceOne Information Governance Platform
Archiving
- Email Management: Archiving for governance and operational improvements
- Microsoft SharePoint: Information governance readiness and storage management
- File Management: Information governance readiness and storage management
Discovery Manager
- eDiscovery and legal hold tools for managed and archived content
Data Search and Extraction: SourceOne Discovery Manager - Workflow
- Prepare Discovery Manager
- Create a Matter
- Search and Hold Content
- Review & Tag Content Assigned to Matter
- Export Content from Matter

- Application Admin
- User Admin
- Matter Owner
  - Assigns matter managers
- Matter Manager
  - Assigns/un-assigns investigators
  - Provides information to investigators through matter properties
  - Manages matter-specific tags
- Identity Admin
- Tag Admin
- Investigator Collect & Assign
- Investigator Review
- Investigator Export
Potential Solutions: Managed Retention
- Description: Establish and enforce retention of email and unstructured data on an organizational basis
- GDPR Focus: Right of Access, Right to be forgotten, Data Minimization
- DPS Offerings: SourceOne, Data Domain
Data Minimization/Retention: Dell EMC Data Domain
Efficient
- Protect more data faster with industry leading speed and scale
- Reduce storage required by 10-30x
Reliable
- End-to-end data verification, fault detection, and self healing
Flexible
- Integrates with leading backup, archiving, and enterprise applications or directly with primary storage
- Deploy protection storage however you want it
Cloud-enabled
- Natively tier deduped data to the cloud for modern long-term retention
- Deliver data protection as a service with logical data isolation
Potential Solutions: Legacy Tape Remediation
- Description: If legacy tapes are in scope, index to enable search; then dispose or land data on accessible disk or local cloud for ongoing use
- GDPR Focus: Right of Access, Right to be forgotten, Data Minimization
- DPS Offerings: Tape remediation, ECS, Virtustream
Cross-Border Transfer Limitations: Dell EMC Data Domain Cloud Tier
- Ultimate Flexibility and Control
- Elastic Cloud Storage
- 3rd Party Clouds
- Long-term Retention
Potential Solutions: Private and/or Local Clouds
- Description: Cross-border (outside EU) transfers can be limited and potentially subject to ongoing changes in the law (e.g. Privacy Shield)
- GDPR Focus: Cross-border data transfers
- DPS Solutions: Virtustream, Mozy, ECS (local private cloud), Data Domain (local infrastructure)
Elastic Cloud Storage
A modern storage platform to bridge traditional and modern workloads.
- Lower TCO than public cloud
- Higher Storage Density
SCALABLE
- Shared global storage that scales into Exabyte
- Globally distributed infrastructure
INTELLIGENT
- Support for real-time data ingestion and analytics
FLEXIBLE
- ECS Appliance
- Software only
- ECS Dedicated Cloud (ECS DC)
ENTERPRISE-READY
- Enhanced enterprise capabilities (litigation hold support, Swift multi-part upload, etc.)
- #1 Scale-Out Object Market Leader
COST EFFECTIVE
- 48% lower TCO than public cloud storage
- Lower TCO than tape
Potential Solutions: Security of Data
- Description: Controllers must implement an appropriate level of security for data that is being processed
- GDPR Focus: Cybersecurity
- DPS Solutions: Data Domain (Encryption), RSA & SecureWorks
Summary
GDPR cannot be resolved through technology alone. You require a structured plan including:
A. Governance and preparation:
- Assess and audit information assets Privacy Document and identify location of personal data
- Gap analysis and remediation against GDPR by
B. Implement processes for handling of personal data
- Design DPIA process
- Process of User consent / Data Extraction / Employees leaving organization
- Update procedures and policies
C. Decide on use of technologies (search, extraction, deletion, retention, ...)
Once in place you can better understand how your existing or new technology should be applied to ensure current and future compliance with GDPR
Questions?