SlideShare a Scribd company logo

GDPR READY SOLUTION FOR UNSTRUCTURED DATA

XeniT Solutions nv
XeniT Solutions nv

Several companies may be well on the way to define how to handle GDPR compliance for structured data. But many companies still haven't come up with a good way to handle GDPR compliance for unstructured data.. This whitepaper provides the main information about unstructured data and the Xenit solution to manage documents under the regulation.

Business
1 of 34
Download to read offline
GDPR FOR UNSTRUCTURED DATA 7 CHALLENGES FOR SECURING YOUR DOCUMENTS  In collaboration with
G D P R F O R U N S T R U C T U R E D D A T A D I S C L A I M E R This white paper is a commentary on the GDPR, as Xenit interprets it, as of the date of publication. We’ve spent a lot of time with GDPR and like to think we’ve been thoughtful about its intent and meaning. But the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled. As a result, this white paper is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance. P A G E 0 2   |   W W W . X E N I T . E U Published March, 2018 Version 1.0 Copyright 2018  by XeniT Solutions. In collaboration with CDI-PARTNERS
G D P R F O R U N S T R U C T U R E D D A T A I N T R O D U C T I O N Beginning on May 25, 2018, the General Data Protection Regulation (GDPR) will implement a new legal framework in the European Union (EU) for the protection and distribution of personal data. GDPR is becoming the most crucial regulation through EU’s data privacy legislations, the due date is right around the corner and the penalties for non-compliance are severe (€ 20m or 4% of global annual turnover). As the attention to the regulation is at the top, there is now a growing concern about GDPR compliancy by all organizations that are affected by it. GDPR will increase privacy for individuals and organizations must implement capabilities to ensure appropriate rights and adequate protection to safeguard the privacy of those individuals whose data they control. Companies have a general obligation to implement technical and organizational measures to show that they have considered and integrated data protection into their processing activities (ICO). P A G E 0 3   |   W W W . X E N I T . E U MISSION Several companies may be well on the way to define how to handle GDPR compliance for structured data. But many companies still haven't come up with a good way to handle GDPR compliance for unstructured data.. This whitepaper provides the main information about unstructured data and the Xenit solution to manage documents under the regulation. "Did you know that most of the data breaches reported are related to unstructured data?"
G D P R F O R U N S T R U C T U R E D D A T A I N A N U T S H E L L The solution summary explains the high-level GDPR area that Xenit can solve, these can be further broken down to show what Xenit products can help in which area. In a nutshell, Xenit, together with Alfresco, the leading Content Services platform, can help you in: 1. Discovering Personal Identifiable Information in documents 2. Tagging documents containing different types of Personal Data 3. Security rules based upon PII-type (No PII, PII, Sensitive, Medical, Criminal) 4. Monitoring and controlling  P A G E 0 4   |   W W W . X E N I T . E U Detection 25% Protection 25% Respect 25% Monitoring 25% Basic and most advanced algorithm to identify documents that contain persona; data Alfred Archive to store documents, encrypt them  Alfred Desktop and Alfred Finder make it really easy to send links to documents and sharing them with a restricted audience DETECT PROTECTRESPECT MONITOR Within the Alfred Architecture, Alfred Edge to log every consultation
G D P R F O R U N S T R U C T U R E D D A T A As there are no real examples of data breaches or other GDPR infringements, we have to look elsewhere if we want more insights in the effects of the GDPR. A good place to look for information is the United Kingdom. Although data breach notification is not mandatory, it is considered to be a best practice and close to 3000 breaches are reported each year. Did you know that most of them are related to unstructured or semi- structured data? Documents, spreadsheets, mails and even paper files? One reason could be that it is far easier to properly protect data that are stored in databases, accessed through applications, than it is to have control over what happens to unstructured data. Unstructured data are found everywhere, in emails and documents, stored on local or network drives, in the Cloud or on USB Keys. And they are easily copied and distributed. Unstructured doesn't mean chaotic. There can be a structure in the way the documents are stored, easy linking these documents to contracts, offers or individuals. And they are vulnerable. The most common type of data breach is sending these documents containing personal data to the wrong recipient by post, fax or email. Once an email has been sent it is impossible to control it, or is it? Here a document management system comes in. You no longer send an email, you send a secure link and only users, with appropriate rights, have access. But this is not the only advantage. Audit trail, usage tracking, retention policies, and legal archiving are just a few advantages that can easily be implemented with a document management system such as Alfresco. P A G E 0 5   |   W W W . X E N I T . E U
P A G E 0 6   |   STRUCTURED DATA  Structured data refers to information with a high degree of organization, such that inclusion in a relational database is seamless and readily searchable by simple, straightforward search engine algorithms or other search operations. Structured data is relatively simple to enter, store (in database), query, and analyze.  20% UNSTRUCTURED DATA Unstructured data is more like human language. It is not stored into a relational database and the information does not have a pre-defined data model or is not organized in a pre-defined manner. Typical example of unstructured data is text. 80%
G D P R F O R U N S T R U C T U R E D D A T A G D P R 7 C H A L L E N G E S To make this very tangible, here are 7 challenges for securing your company’s documents. 1. First, how do you know what documents to protect? How do you know they contain personal data? 2. Secondly, you have to adequately protect these documents. 3. Then, there is the aspect of responsibility: organisations must prove that they process personal data in a responsible way. And they need prove of having a legitimate purpose or consent to hold the document. 4. If data are on a portable device and it is important to work offline, how can this be protected? 5. And if something has gone wrong? How to know what data have been lost or stolen? 6. Personal data cannot be kept longer than necessary, or must be removed after a legitimate demand to be forgotten. 7. Sometimes it is needed to share documents with another party. How will you know who you have shared the document with and for what legitimate reason? And how to inform the 3rd party of a request to be forgotten?  P A G E 0 7   |   W W W . X E N I T . E U "GDPR will touch every department, every function and every operation inside your organization. It will not only change the way you manage information, it will change the way people behave.”
GDPR CHALLENGES for securing your company documents Identify documents containing personal data and label them appropriately. State of the art security of the documents and the metadata Monitor and control access to the documents and store the right metadata to proof legitimate purpose. Make documents available offline in a secure way. Detect breaches and take appropriate action. Keep track of the right time to delete documents and to permanently delete the documents so no backup copies exist. Control the usage of documents by external parties.
G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E 1   - I D E N T I F Y D O C U M E N T S C O N T A I N I N G P E R S O N A L D A T A A N D L A B E L T H E M A P P R O P R I A T E L Y . As we have seen, unstructured data are found everywhere, in emails and documents, stored on local or network drives, in the Cloud or on USB Keys. If we want to adequately protect personal data stored in these documents, the first hurdle to take is to know what kind of personal data is in which document. As documents are created or modified all the time, this classification has to be a recurring process. The results of the classification process must be stored in a such a way, security tools are able to use this information. If we look at Alfresco, every change in a document – e.g. creation or modification – can trigger a policy that calls for the classification process. Then, the results of the process can be stored as metadata of the document. How this metadata has to be used will be described in Challenge 3 on page 14. P A G E 0 9   |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A This process scans every individual file for personal data, regardless of the file type. The most basic algorithm will search for structured data-types: National Number, Bank Account Numbers, Credit Card Numbers. This algorithm can be enhanced with company-specific structured data-types. For instance, Client Numbers that contain a check-digit. A more advanced algorithm takes company-specific data as input and scans documents and files for this data. For instance, the names and addresses from the client database are used as input and documents that contain this information are flagged. The most advanced algorithms use artificial intelligence such as natural language processing to search for certain data-types in plain text. This type of algorithm will return a probability. A threshold will have to be defined and tested on a representative random sample of documents. Next to searching the content of the document, the type of document and the place it is stored can also be used: for instance, all documents in the folder ‘employment contracts’. The second part of the challenge was ‘label the documents appropriately’. We have already mentioned that this information can be stored as metadata in Alfresco. We will keep whether the document contains personal data, if so, which type of personal data, the content found and, if possible, the link to the individual person. As you can see, by using the classification algorithm we transform unstructured personal data into semi-structured personal data. The advantage is that we can implement more strict security on the documents and control how and by whom these documents are used. The disadvantage is that we have created more data that has to be protected. P A G E   1 0 |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E 2   - S T A T E O F T H E A R T S E C U R I T Y O F D O C U M E N T S A N D M E T A D A T A When we store documents and other files, we not only store files that might contain personal data, we also create personal data by doing this. When we run a classification algorithm, as discussed in the previous paragraph, we extract personal data from a document and store it in metadata. As a result, databases and indexes are filled with personal data in a semi-structured way. This makes finding and retrieving documents far easier, but it also increases the risk related with keeping personal data. But there is more. Personal data is information related to an identified or identifiable natural person. For compliance reasons we will keep records of persons accessing, copying, and printing documents containing personal data. This audit trail links natural persons, for instance employees, to the documents they use. By definition, this information is also personal data. And usage history is not harmless, it can lead to criminal convictions. In the UK there are some examples of hospital staff convicted for accessing medical files for non-professional reasons. This is in fact the very reason of keeping an audit trail, but unauthorized access to this information is a data breach in its own right. P A G E   1 1   |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A Security of processing is covered in article 32 of the GDPR. We need to have appropriate security related to the risk to the rights and freedoms of natural persons. This is a very broad description that will lead to a lot of interpretation and discussion. Typically, documents are stored on local or network drives or in the Cloud and distributed by email or by copying them on USB keys. Protecting documents in this way is not easy and options are limited to granting read or write access. When we store documents in Alfresco, we gain a lot of options. Next to the original document, we can generate and store previews. These can even be personalized with a watermark. It is far easier to address people leaving documents on the printer (a possible personal data breach!) when their name is on every page. P A G E   1 2   |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A Instead of sending documents by email, we will send links to documents or links to PDF previews. For very sensitive documents a separate login process can be enforced. This reduces the risk of sending documents to the wrong person (the number one type of data breach). And when a person asks to be forgotten, we can automatically inform the receiving third party of this request. We will need to protect the documents, the database, the indexes, and the log files. For sensitive metadata, for instance the national number, we will use one-way encryption or cryptographic hashing. Only a user that knows the correct key can retrieve the documents related to the key, but the indexes can’t be used to retrieve all the existing keys. Documents stored in Alfred Archive are always protected and set up according best object storage practices. There is no direct access on a file system basis, which neutralizes 99% of known malware & intrusion risks. Furthermore, documents in the store are encrypted, with proper handling of the private and public key. Access to the document store is under detailed auditing. Life points can set the document to be 'immutable'. Moreover, a health processor continuously checks the binary integrity of all content - which can include the validity of a digital signature. As for metadata, the database that contains the metadata can be encrypted on database level. Specific metadata fields with personal data can be encrypted and will not be exploitable by any direct access to the database. Index information is protected with encryption as well. No system can directly access the indexes in our reference architecture, as we have a safety gateway in front of the archive, and we have the Alfresco content services in front of the document store. P A G E   1 3   |   W W W . X E N I T . E U
"Storing files and documents in Alfresco with Alfred Archive ensures adequate and appropriate security to your company’s most vulnerable digital assets."
G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E 3   - M O N I T O R A N D C O N T R O L A C C E S S T O T H E D O C U M E N T S A N D S T O R E T H E R I G H T M E T A D A T A Organizations must prove that they process personal data in a responsible way. And they need proof of having a legitimate purpose or consent to hold documents containing personal data. Organizations need to ensure that their data processing activities are carried out in accordance with the regulation. In particular, organizations should pay close attention to the principles of transparency and data minimization while implementing new data processing activities. Article 24 states "...the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”. Good security is just a first layer, preventing unauthorized access to the data. On top of that, companies must also have internal rules, written down in policies, how personal data is treated. And they must be able to demonstrate that these rules are followed. P A G E   1 5 |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A When we store documents in Alfresco, we can use the metadata to control who has access to which document. And this can be far more granular than with traditional access rights. Not only the place the document is stored (e.g. the HR-network drive) or the type of document (e.g. a medical questionnaire), but also the content of the document can be used. A rule could be “Exclude all documents where the person requesting access is mentioned”. These kinds of rules are of course highly dependent on the context of a company or even a specific process within that company. They can control access to specific documents or flag this type of behavior in the audit module. For instance, a local hospital lists all employees accessing medical files of famous patients. This list is reviewed by the management on a weekly basis. Excluding access would interfere with providing care in an emergency situation, but the staff knows that, without a legitimate reason, they face dismissal when accessing these files. For documents, as for structured data (fields stored in databases), organizations must determine and communicate the lawful basis and the purpose for processing. When storing documents containing personal data in Alfresco, it is possible – and recommended – to store the lawful basis and a reference to the consent application as meta-data. When an opt-out is recorded, all documents that where dependent on the consent of a data- subject can be deleted with one simple instruction. These functionalities are supported by Alfred GDPR. Alfred GDPR applies a double filtering for GDPR access control. First of all, classical Access Control Lists are used. They assign the right to view or modify documents to groups of users. Access control lists are the base permission management mechanism in Alfresco. Extending this to cope with GDPR would complicate matters a lot. Therefore, we have a filtering mechanism in Alfred GDPR that is based upon meta-data and GDPR roles. As an example, your organization can create a “GDPR sensitive” role, assigned to a limited number of people, and only they will be able to perform operations (consult or share) on “GDPR sensitive” documents. P A G E   1 6   |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E 4   - M A K E D O C U M E N T S A V A I L A B L E O F F L I N E I N A S E C U R E W A Y People use different devices for different purposes and in different circumstances. Think about your habits: when you work at the office or at home, writing documents and creating content, you will use a computer. But to consult these documents, for instance while you are traveling, you will use a tablet or a laptop. Although increasingly more people are always connected, storing documents locally on a device is still a common practice. This implies that the protection of these precious documents depends on the security of the portable device. When an unencrypted portable device – a smartphone or a laptop - is lost or stolen and when there is the possibility that this device contains files with personal data, you will have to report this loss as a personal data breach! The notification to the supervisory authority must contain a description of the likely consequences of the personal data breach. But, how many companies know which files are on which device? My guess, not so many. P A G E   1 8 |   W W W . X E N I T . E U So, the challenge has two aspects: how to store the documents in a secure way and how to keep control over these files once they are stored on a portable device.
G D P R F O R U N S T R U C T U R E D D A T A Securing the storage is not so hard if you can secure the device they are on. You can encrypt hard-disks and memory cards and protect access to the device by password policies. But what if you don’t have control over the device? And how can you know which files are on the device? And can you limit the possibilities to copy the files to another device like an USB-key or block sending these files by e-mail? To face this challenge, Xenit is working on securing the content, through the Alfred GDPR Architecture and some features of the two products, Alfred Desktop and Alfred Finder, built on top of the Alfresco functionalities. Alfred Desktop, a desktop application for Alfresco, keeps track of local content and removes it as soon as the user is done with it. For off-line editing and modification, working copies are created in a download directory. This working copy is under control of Alfred Desktop and it will only exist locally as long as it is needed. However, the corporate desktop policies remain important: local drives that can contain sensitive information should be encrypted at any time. With Alfred Desktop and Alfred Finder, a web application for finding documents on an Alfresco back end, organizations can set a “GDPR download policy”. In this policy, customers can enforce whether the original document format (Microsoft Office) or PDF should be downloaded. P A G E   1 9 |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A Additionally, a watermark can be added to a downloaded file. Via the watermark, identification information is attached according to customer requirements. Typically, that covers “who” downloaded, a unique document ID, the GDPR categorization and it might contain consent information whether the document can be distributed outside of the organization. Alfred Edge allows to handle different types of access control to Alfresco: mobile users can have other policies than desktop users. We can disable downloading documents from a mobile device, but allow the previewing of such documents, while desktop users are allowed to download a document. Note that 'previewing' in many cases does an implicit browser download: customers that want to fully block such risk should explore pure 'streaming' solutions on top of our Alfred  GDPR Architecture. P A G E   2 0 |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E 5   - D E T E C T B R E A C H E S A N D T A K E A P P R O P R I A T E A C T I O N S Article 4 defines a Personal Data Breach as follows: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” A little quiz: What is not a personal data breach? 1. Someone accidentally deletes a document and there is no backup 2. Someone alters a document filled in by a client 3. A person sitting next to me on the train can see the screen of my laptop when I’m reviewing an employee file. As you might have guested, all these could be Personal Data Breaches. And not all data breaches can be detected automatically. How would a system know a file is accidentally deleted or that you have left your laptop unattended without locking the screen? To minimize these types of risks, you need to set up internal policies and create awareness, by training and a lot of communication. P A G E   2 1   |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A A lot of breaches can be detected. And you will have to take measures to detect these. The higher the likelihood of breaches happening and the higher the impact of a possible data breach, the more sophisticated breach- detection must be. Modern security systems search for uncommon behavior: signing in from Belgium and 10 minutes later from Singapore, downloading files in large quantities, using an unknown device. These are just simple examples; more sophisticated statistical analysis will search for patterns. Behavior that doesn’t match these patterns is seen as suspicious. Another technique is to use honeypot files: Files that only exist to be hacked. When such a file is touched, you know someone is in poking around in your system. As mentioned before documents or more general files on network servers or local disks are difficult to control. If they can be copied onto a USB Keys or sent by mail, there totally out of control. To mitigate the risk of local and email copies of privacy related documents, Alfred GDPR promotes and facilitates collaboration by sending links. No need to make or send copies of documents, but share by link. P A G E 2 3   |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A Alfred Edge, an intelligent gateway, is the core of the Alfred GDPR architecture. All access to Alfresco is centralized in the gateway. The gateway defines a very narrow and business driven interfaces, with strict rules about what data and what queries different (GDPR) user profiles are allowed to access. All other other access to Alfresco is blocked. All requests are logged and retained (with proper protection of private information!). Customers can then define breach patterns and have the gateway in real time filter and monitor for such behavior.  Alfred Edge supports different interaction channels: intranet users, internet users, 3rd party systems. Using strong and positive identification, we then apply rules of expected behavior as defined by the customer. Frequent access to private or sensitive documents can be detected and escalated. Searches on GDPR related meta-data (name, national id numbers) can be filtered, detected and blocked. If user x tries to access data about user y,  e.g. via a broad query on the repository, we log and escalate such requests. Obviously, standard access control and GDPR roles will hide any information users are not entitled to access, but breach detection will bring such attempts to the attention of GDPR officers and DPO. When the system becomes aware of a breach, different actions can be taken. The access to the system can be blocked, an alert will be shown on a console, an entry will be written in a log file. Which actions are appropriate depends on the sensitivity of the information in the system. In all cases, the breach has to be reviewed by the Data Protection Officer if there is one, or someone with a comparable responsibility, if not. Depending on their assessment, the authorities must be notified. P A G E   2 4 |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E   6 - K E E P T R A C K O N T H E R I G H T T I M E T O D E L E T E D O C U M E N T S   At this point is quite evident how GDPR is an on-going process and companies have to put in place a long term plan to demonstrate their compliance. Another important change introduced by the GDPR is data minimization. This means, not only structured data (data in databases) must be deleted after a certain time, but also unstructured data has to be removed. Data and documents that are being kept on basis of consent must be deleted as soon as the consent is withdrawn. As for the other challenges, implementing these functionalities on documents and files is more difficult than it is for structured data. Not only do you need to establish the right retention period, you need to keep this information with the document, and find a way to delete the document after the retention period has passed. We already talked about the need to keep a link to the consent that has been given in a previous paragraph. P A G E   2 5 |   W W W . X E N I T . E U "Keep only the information you need for as long as you need it."
G D P R F O R U N S T R U C T U R E D D A T A In the simplest form, retention periods are fixed; you need to keep a document for x years. But it can become more complicated very fast. Keep the dossier (all the documents related to a certain contract) y years after the contract ends. In this case you could be obliged to keep certain documents for decades. The retention period is not fixed, but a rule. By consequence, you can't set the date of deletion the moment you store the file on your environment. And deletion actually means removing all copies of the document from your system (and shredding the paper versions). For years companies are investing in backup solutions, so they can retrieve information that has been deleted. And now we need to find a way to selectively delete or at least block access to certain files on backups. How simple would this be if we didn’t store multiple copies of the same document on file servers and if we didn’t keep back-ups. P A G E   2 6 |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A Alfred GDPR helps to manage document retention, including GDPR related information. This means that the all GDPR aspect of your documents, including a clear view on PII (personally identifiable information) are under your control. Records management is the ‘art of throwing away’, so governance to remove sensitive information is as important as to retain information. Building upon Alfresco Content Services, our powerful meta-data scheme allows to encode various GDPR retention and protection policies. Retention is ensured as long as consent is given. Once consent is withdrawn, a simple query allows to collect information to be removed. Needless to say that audit and protection mechanisms are provided to protect against any unintended operation. Optionally, Alfred GDPR enables object storage for all your (GDPR) documents. By applying the proper versioning policy, and protecting against loss of documents via built-in (Geo) replication, there is no need for two or three tier back-up strategies. As a consequence, you have direct control over all documents and their history within one management layer. With smart versioning policies and object storage you simply eliminate the need to keep or clean back-ups. P A G E   2 7 |   W W W . X E N I T . E U Request a free day assessment
G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E   7 - C O N T R O L T H E   U S A G E O F D O C U M E N T S B Y E X T E R N A L P A R T I E S As we have seen documents, spreadsheets and other files are easily copied and shared across devices. This can be unwanted behavior, an employee copying customer data on a USB key before leaving the company, but mostly this is wanted behavior, working on a document with colleagues, sharing information within a department, sending out a work order to an external partner. And our seventh challenge is about the last example. How do you control information you shared with an external party? Why would this be necessary? The most important article covering this situation is Article 19 “Notification obligation regarding rectification or erasure of personal data or restriction of processing. The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.” When you share personal data with third parties, you should be able to notify them after a request for deletion or rectification. When you share structured data, this will almost always be done under a formal contract, transferring files or granting access to your databases through web services. Contracts should address the procedure to comply with Article 19. P A G E   2 8 |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A Sharing word or PDF documents and spreadsheets, will often be done in an informal way: by sending out emails or using file sharing utilities like Dropbox . Once again, the solution lies in using a content management system. You stop sending out emails with documents, you share links to documents in your system. And not only can you keep track of who you shared the information with, you know if and when this party has read the document and if and when the information was downloaded. With this knowledge, you could even automate notifications after a request for deletion. If someone asks to be forgotten and the information was not downloaded, just revoke access rights. When the information was downloaded, send out a mail with the notification. With Alfred GDPR we try, first, to minimize copies of documents, creating a single source of (document) truth which is easier to protect. Instead of email attachments to third parties, linking and sharing of documents are promoted and facilitated. With linking and sharing, full audit and access control are at your disposal. Tooling-wise, Alfred Desktop and Alfred Finder make it really easy to send links to documents and sharing them with a restricted audience. Downloads can be disabled, such that we only offer a service to consult the document, not to download a copy. P A G E   2 9 |   W W W . X E N I T . E U So, when a data subject asks to be forgotten, can you inform all parties that have received information?
GDPR CHALLENGES FOR UNSTRUCTURED DATA
G D P R F O R U N S T R U C T U R E D D A T A Alfresco allows to share a folder or a document with partners and people you assign. Using Alfred Edge’s cloud authentication, these documents can even be shared outside your company walls with strong authentication for your external partners and customers. Links can entail strong authentication of the person accessing your document; we can make them secure, valid for a limited time and inside a specific geographic zone. When employees, for good reasons, download a document for internal purposes, full audit information is available. Every consultation is logged. Even sending a document attached in an email can be added to the audit log if the operations is executed out of the safe harbor of Alfred GDPR. Some previewers operate by downloading a document locally before displaying it. With streaming technology, a document never has to be downloaded, you can consult the content without a local copy. Alfred GDPR optionally offers such a streaming viewer if you need the additional protection. Last but not least, it is possible to watermark (PDF) documents such that there private or sensitive character is explicit and awareness about their private nature is increased. Water-marking is possible in preview and in the creation of a “GDPR protected PDF copy”.  . P A G E   3 1 |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A C O N L U S I O N Through the seven challenges, we have listed what you need to comply with the GDPR. Combined with unique GDPR functionalities of Alfred GDPR, Alfresco is the most appropriate environment to store, modify, archive, and delete your files. Alfresco is your chance to manage unstructured data under the regulation. P A G E 3 2   |   W W W . X E N I T . E U
G D P R F O R U N S T R U C T U R E D D A T A C O N T A C T P A G E 0 2   | C O N T A C T Peter Morel CONTACTS Sales Director and Co-Founder @Xenit peter.morel@xenit.eu Bart Van Bouwel Managing Partner @ CDI-PARTNERS bart.van.bouwel@cdi-partners.be
THANK YOU

Recommended

Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Steven Meister
 
Data Sovereignty and the Cloud
Data Sovereignty and the CloudData Sovereignty and the Cloud
Data Sovereignty and the Cloud
IESL - The Institution of Engineers, Sri Lanka
 
Frukostseminarium om molntjänster
Frukostseminarium om molntjänsterFrukostseminarium om molntjänster
Frukostseminarium om molntjänster
Transcendent Group
 
How to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarHow to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jar
JudgeEagle
 
The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)
Craig Mullins
 
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year On
Symantec
 
Protecting Data Privacy Beyond the Trusted System of Record
Protecting Data Privacy Beyond the Trusted System of RecordProtecting Data Privacy Beyond the Trusted System of Record
Protecting Data Privacy Beyond the Trusted System of Record
Cor Ranzijn
 
Sovereignty: the state of data
Sovereignty: the state of dataSovereignty: the state of data
Sovereignty: the state of data
dan hyde
 

Recommended

Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Are you prepared for eu gdpr indirect identifiers? what are indirect identifi...
Steven Meister
 
Data Sovereignty and the Cloud
Data Sovereignty and the CloudData Sovereignty and the Cloud
Data Sovereignty and the Cloud
IESL - The Institution of Engineers, Sri Lanka
 
Frukostseminarium om molntjänster
Frukostseminarium om molntjänsterFrukostseminarium om molntjänster
Frukostseminarium om molntjänster
Transcendent Group
 
How to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarHow to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jar
JudgeEagle
 
The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)
Craig Mullins
 
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year On
Symantec
 
Protecting Data Privacy Beyond the Trusted System of Record
Protecting Data Privacy Beyond the Trusted System of RecordProtecting Data Privacy Beyond the Trusted System of Record
Protecting Data Privacy Beyond the Trusted System of Record
Cor Ranzijn
 
Sovereignty: the state of data
Sovereignty: the state of dataSovereignty: the state of data
Sovereignty: the state of data
dan hyde
 
How to get your business GDPR ready
How to get your business GDPR readyHow to get your business GDPR ready
How to get your business GDPR ready
Premier EPOS
 
GDPR webinar for business leaders
GDPR webinar for business leadersGDPR webinar for business leaders
GDPR webinar for business leaders
Deeson
 
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
Beginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) JourneyBeginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) Journey
Microsoft Österreich
 
Privacy by design
Privacy by designPrivacy by design
Privacy by design
Michelangelo van Dam
 
Do You Have a Roadmap for EU GDPR Compliance? Article
Do You Have a Roadmap for EU GDPR Compliance? ArticleDo You Have a Roadmap for EU GDPR Compliance? Article
Do You Have a Roadmap for EU GDPR Compliance? Article
Ulf Mattsson
 
How to implement gdpr in your document repository
How to implement gdpr in your document repository How to implement gdpr in your document repository
How to implement gdpr in your document repository
XeniT Solutions nv
 
Keep Calm and GDPR
Keep Calm and GDPRKeep Calm and GDPR
Keep Calm and GDPR
MissMarvel70
 
Gdpr action plan
Gdpr action plan Gdpr action plan
Gdpr action plan
Ulf Mattsson
 
The REAL Impact of Big Data on Privacy
The REAL Impact of Big Data on PrivacyThe REAL Impact of Big Data on Privacy
The REAL Impact of Big Data on Privacy
Claudiu Popa
 
Getting Started with GDPR Compliance
Getting Started with GDPR ComplianceGetting Started with GDPR Compliance
Getting Started with GDPR Compliance
DATAVERSITY
 
Beyond GDPR Compliance - Role of Internal Audit
Beyond GDPR Compliance - Role of Internal AuditBeyond GDPR Compliance - Role of Internal Audit
Beyond GDPR Compliance - Role of Internal Audit
Omo Osagiede
 
Building a register of data processing
Building a register of data processingBuilding a register of data processing
Building a register of data processing
Tim Gough
 
ISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniquesISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniques
Ulf Mattsson
 
May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
Ulf Mattsson
 
Supporting GDPR Compliance through Data Classification
Supporting GDPR Compliance through Data ClassificationSupporting GDPR Compliance through Data Classification
Supporting GDPR Compliance through Data Classification
Index Engines Inc.
 
Getting a clue: uncovering the truth about your data with mobile forensics
Getting a clue: uncovering the truth about your data with mobile forensicsGetting a clue: uncovering the truth about your data with mobile forensics
Getting a clue: uncovering the truth about your data with mobile forensics
Druva
 
Privacy issues in data analytics
Privacy issues in data analyticsPrivacy issues in data analytics
Privacy issues in data analytics
shekharkanodia
 
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By DesignGDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
John Eckman
 
The GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
The GDPR Most Wanted: The Marketer and Analyst's Role in ComplianceThe GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
The GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
ObservePoint
 
Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
Sirius
 
Second Step to Forensic Readiness_ Types and Sources of Digital Evidence.pdf
Second Step to Forensic Readiness_ Types and Sources of Digital Evidence.pdfSecond Step to Forensic Readiness_ Types and Sources of Digital Evidence.pdf
Second Step to Forensic Readiness_ Types and Sources of Digital Evidence.pdf
ELIJAH
 

More Related Content

What's hot

Privacy by design
Privacy by designPrivacy by design
Privacy by design
Michelangelo van Dam
 
How to implement gdpr in your document repository
How to implement gdpr in your document repository How to implement gdpr in your document repository
How to implement gdpr in your document repository
XeniT Solutions nv
 
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By DesignGDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
John Eckman
 

What's hot (20)

How to get your business GDPR ready
How to get your business GDPR readyHow to get your business GDPR ready
How to get your business GDPR ready
 
GDPR webinar for business leaders
GDPR webinar for business leadersGDPR webinar for business leaders
GDPR webinar for business leaders
 
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
 
Beginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) JourneyBeginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) Journey
 
Privacy by design
Privacy by designPrivacy by design
Privacy by design
 
Do You Have a Roadmap for EU GDPR Compliance? Article
Do You Have a Roadmap for EU GDPR Compliance? ArticleDo You Have a Roadmap for EU GDPR Compliance? Article
Do You Have a Roadmap for EU GDPR Compliance? Article
 
How to implement gdpr in your document repository
How to implement gdpr in your document repository How to implement gdpr in your document repository
How to implement gdpr in your document repository
 
Keep Calm and GDPR
Keep Calm and GDPRKeep Calm and GDPR
Keep Calm and GDPR
 
Gdpr action plan
Gdpr action plan Gdpr action plan
Gdpr action plan
 
The REAL Impact of Big Data on Privacy
The REAL Impact of Big Data on PrivacyThe REAL Impact of Big Data on Privacy
The REAL Impact of Big Data on Privacy
 
Getting Started with GDPR Compliance
Getting Started with GDPR ComplianceGetting Started with GDPR Compliance
Getting Started with GDPR Compliance
 
Beyond GDPR Compliance - Role of Internal Audit
Beyond GDPR Compliance - Role of Internal AuditBeyond GDPR Compliance - Role of Internal Audit
Beyond GDPR Compliance - Role of Internal Audit
 
Building a register of data processing
Building a register of data processingBuilding a register of data processing
Building a register of data processing
 
ISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniquesISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniques
 
May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...May 6 evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...
 
Supporting GDPR Compliance through Data Classification
Supporting GDPR Compliance through Data ClassificationSupporting GDPR Compliance through Data Classification
Supporting GDPR Compliance through Data Classification
 
Getting a clue: uncovering the truth about your data with mobile forensics
Getting a clue: uncovering the truth about your data with mobile forensicsGetting a clue: uncovering the truth about your data with mobile forensics
Getting a clue: uncovering the truth about your data with mobile forensics
 
Privacy issues in data analytics
Privacy issues in data analyticsPrivacy issues in data analytics
Privacy issues in data analytics
 
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By DesignGDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
GDPR FTW, or, How I Learned to Stop Worrying and Love Privacy By Design
 
The GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
The GDPR Most Wanted: The Marketer and Analyst's Role in ComplianceThe GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
The GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
 

Similar to GDPR READY SOLUTION FOR UNSTRUCTURED DATA

Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
Sirius
 
Potential Advantages Of An Insider Attack
Potential Advantages Of An Insider AttackPotential Advantages Of An Insider Attack
Potential Advantages Of An Insider Attack
Susan Kennedy
 
CORMA-FW REPRINT-APR2015
CORMA-FW REPRINT-APR2015CORMA-FW REPRINT-APR2015
CORMA-FW REPRINT-APR2015
Jörn Weber
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Sirius
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancem
IlonaThornburg83
 
Privacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishPrivacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or Perish
RSIS International
 
The Sherpa Approach: Meeting the Demands of the Digital Age
The Sherpa Approach: Meeting the Demands of the Digital AgeThe Sherpa Approach: Meeting the Demands of the Digital Age
The Sherpa Approach: Meeting the Demands of the Digital Age
Sherpa Software
 

Similar to GDPR READY SOLUTION FOR UNSTRUCTURED DATA (20)

Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
 
Second Step to Forensic Readiness_ Types and Sources of Digital Evidence.pdf
Second Step to Forensic Readiness_ Types and Sources of Digital Evidence.pdfSecond Step to Forensic Readiness_ Types and Sources of Digital Evidence.pdf
Second Step to Forensic Readiness_ Types and Sources of Digital Evidence.pdf
 
Governing the Chaos
Governing the ChaosGoverning the Chaos
Governing the Chaos
 
What is GDPR Data Flow Mapping
What is GDPR Data Flow MappingWhat is GDPR Data Flow Mapping
What is GDPR Data Flow Mapping
 
A Survey On Data Leakage Detection
A Survey On Data Leakage DetectionA Survey On Data Leakage Detection
A Survey On Data Leakage Detection
 
Potential Advantages Of An Insider Attack
Potential Advantages Of An Insider AttackPotential Advantages Of An Insider Attack
Potential Advantages Of An Insider Attack
 
INFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securityINFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL security
 
ZyLAB ACEDS Webinar- GDPR
ZyLAB ACEDS Webinar- GDPR ZyLAB ACEDS Webinar- GDPR
ZyLAB ACEDS Webinar- GDPR
 
Smart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislationSmart Data Module 5 d drive_legislation
Smart Data Module 5 d drive_legislation
 
Come cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeoCome cambia la cybersecurity con il regolamento privacy europeo
Come cambia la cybersecurity con il regolamento privacy europeo
 
Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?
 
Setting the right GDPR priorities
Setting the right GDPR prioritiesSetting the right GDPR priorities
Setting the right GDPR priorities
 
CORMA-FW REPRINT-APR2015
CORMA-FW REPRINT-APR2015CORMA-FW REPRINT-APR2015
CORMA-FW REPRINT-APR2015
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancem
 
Privacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishPrivacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or Perish
 
BRG_TAP_IG_20150826_WEB
BRG_TAP_IG_20150826_WEBBRG_TAP_IG_20150826_WEB
BRG_TAP_IG_20150826_WEB
 
The Sherpa Approach: Meeting the Demands of the Digital Age
The Sherpa Approach: Meeting the Demands of the Digital AgeThe Sherpa Approach: Meeting the Demands of the Digital Age
The Sherpa Approach: Meeting the Demands of the Digital Age
 
Data security and privacy
Data security and privacyData security and privacy
Data security and privacy
 

More from XeniT Solutions nv

Data Security in the Insurance Industry: what you need to know about data pro...
Data Security in the Insurance Industry: what you need to know about data pro...Data Security in the Insurance Industry: what you need to know about data pro...
Data Security in the Insurance Industry: what you need to know about data pro...
XeniT Solutions nv
 
Driving full-scale productivity and collaboration with the Alfresco connector...
Driving full-scale productivity and collaboration with the Alfresco connector...Driving full-scale productivity and collaboration with the Alfresco connector...
Driving full-scale productivity and collaboration with the Alfresco connector...
XeniT Solutions nv
 
How do you secure an electronic signature?
How do you secure an electronic signature?How do you secure an electronic signature?
How do you secure an electronic signature?
XeniT Solutions nv
 
How to increase user's productivity with Alfred Desktop and Alfred Finder
How to increase user's productivity with Alfred Desktop and Alfred FinderHow to increase user's productivity with Alfred Desktop and Alfred Finder
How to increase user's productivity with Alfred Desktop and Alfred Finder
XeniT Solutions nv
 
How to Scale Information Dissemination to the Virtual Digital Workspace
How to Scale Information Dissemination to the Virtual Digital WorkspaceHow to Scale Information Dissemination to the Virtual Digital Workspace
How to Scale Information Dissemination to the Virtual Digital Workspace
XeniT Solutions nv
 
Key points quality leaders should know about intelligent information manageme...
Key points quality leaders should know about intelligent information manageme...Key points quality leaders should know about intelligent information manageme...
Key points quality leaders should know about intelligent information manageme...
XeniT Solutions nv
 
Decouple and simplify access to Alfresco with Alfred Edge - Webinar September...
Decouple and simplify access to Alfresco with Alfred Edge - Webinar September...Decouple and simplify access to Alfresco with Alfred Edge - Webinar September...
Decouple and simplify access to Alfresco with Alfred Edge - Webinar September...
XeniT Solutions nv
 

More from XeniT Solutions nv (20)

Data Security in the Insurance Industry: what you need to know about data pro...
Data Security in the Insurance Industry: what you need to know about data pro...Data Security in the Insurance Industry: what you need to know about data pro...
Data Security in the Insurance Industry: what you need to know about data pro...
 
Driving full-scale productivity and collaboration with the Alfresco connector...
Driving full-scale productivity and collaboration with the Alfresco connector...Driving full-scale productivity and collaboration with the Alfresco connector...
Driving full-scale productivity and collaboration with the Alfresco connector...
 
How to solve your toughest performance issues in Alfresco
How to solve your toughest performance issues in AlfrescoHow to solve your toughest performance issues in Alfresco
How to solve your toughest performance issues in Alfresco
 
How do you secure an electronic signature?
How do you secure an electronic signature?How do you secure an electronic signature?
How do you secure an electronic signature?
 
How to increase user's productivity with Alfred Desktop and Alfred Finder
How to increase user's productivity with Alfred Desktop and Alfred FinderHow to increase user's productivity with Alfred Desktop and Alfred Finder
How to increase user's productivity with Alfred Desktop and Alfred Finder
 
How to Scale Information Dissemination to the Virtual Digital Workspace
How to Scale Information Dissemination to the Virtual Digital WorkspaceHow to Scale Information Dissemination to the Virtual Digital Workspace
How to Scale Information Dissemination to the Virtual Digital Workspace
 
THE ALFRESCO FOUNDATION ARCHITECTURE FOR INTEGRATED FULL DIGITAL INSURANCE PR...
THE ALFRESCO FOUNDATION ARCHITECTURE FOR INTEGRATED FULL DIGITAL INSURANCE PR...THE ALFRESCO FOUNDATION ARCHITECTURE FOR INTEGRATED FULL DIGITAL INSURANCE PR...
THE ALFRESCO FOUNDATION ARCHITECTURE FOR INTEGRATED FULL DIGITAL INSURANCE PR...
 
Webinar | New release Alfred Desktop 3.7
Webinar | New release Alfred Desktop 3.7Webinar | New release Alfred Desktop 3.7
Webinar | New release Alfred Desktop 3.7
 
Webinar: How to turn Alfresco Digital Business Platform into a Managed Service
Webinar: How to turn Alfresco Digital Business Platform into a Managed ServiceWebinar: How to turn Alfresco Digital Business Platform into a Managed Service
Webinar: How to turn Alfresco Digital Business Platform into a Managed Service
 
Key points quality leaders should know about intelligent information manageme...
Key points quality leaders should know about intelligent information manageme...Key points quality leaders should know about intelligent information manageme...
Key points quality leaders should know about intelligent information manageme...
 
Decouple and simplify access to Alfresco with Alfred Edge - Webinar September...
Decouple and simplify access to Alfresco with Alfred Edge - Webinar September...Decouple and simplify access to Alfresco with Alfred Edge - Webinar September...
Decouple and simplify access to Alfresco with Alfred Edge - Webinar September...
 
Leuven European actuarial journal conference 20180911
Leuven European actuarial journal conference 20180911Leuven European actuarial journal conference 20180911
Leuven European actuarial journal conference 20180911
 
How to configure alfred desktop in your alfresco project in two days
How to configure alfred desktop in your alfresco project in two daysHow to configure alfred desktop in your alfresco project in two days
How to configure alfred desktop in your alfresco project in two days
 
Xenit diary dev con 2018
Xenit diary dev con 2018Xenit diary dev con 2018
Xenit diary dev con 2018
 
REDUCING TOTAL COST OF OWNERSHIP AND INCREASING SCALABILITY WITH XENIT SOLUTI...
REDUCING TOTAL COST OF OWNERSHIP AND INCREASING SCALABILITY WITH XENIT SOLUTI...REDUCING TOTAL COST OF OWNERSHIP AND INCREASING SCALABILITY WITH XENIT SOLUTI...
REDUCING TOTAL COST OF OWNERSHIP AND INCREASING SCALABILITY WITH XENIT SOLUTI...
 
Introducing Alfred Desktop 3.6
Introducing Alfred Desktop 3.6 Introducing Alfred Desktop 3.6
Introducing Alfred Desktop 3.6
 
Introducing Alfred Finder 2.0
Introducing Alfred Finder 2.0 Introducing Alfred Finder 2.0
Introducing Alfred Finder 2.0
 
20151201 swm elba_alfresco_user_day_wien
20151201 swm elba_alfresco_user_day_wien20151201 swm elba_alfresco_user_day_wien
20151201 swm elba_alfresco_user_day_wien
 
Usg people netherlands Alfresco User Day Amsterdam 3 dec 2015
Usg people netherlands Alfresco User Day Amsterdam 3 dec 2015Usg people netherlands Alfresco User Day Amsterdam 3 dec 2015
Usg people netherlands Alfresco User Day Amsterdam 3 dec 2015
 
Fred frankfurt alfresco user day de 2015
Fred frankfurt alfresco user day de 2015Fred frankfurt alfresco user day de 2015
Fred frankfurt alfresco user day de 2015
 

Recently uploaded

Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
allensay1
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
ZurliaSoop
 
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
pujan9679
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxPre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
Roofing Contractor
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
pr788182
 

Recently uploaded (20)

Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
New 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateNew 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck Template
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
 
WheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond InsightsWheelTug Short Pitch Deck 2024 | Byond Insights
WheelTug Short Pitch Deck 2024 | Byond Insights
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
 
Kalyan Call Girl 98350*37198 Call Girls in Escort service book now
Kalyan Call Girl 98350*37198 Call Girls in Escort service book nowKalyan Call Girl 98350*37198 Call Girls in Escort service book now
Kalyan Call Girl 98350*37198 Call Girls in Escort service book now
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxPre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 
Berhampur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Berhampur Call Girl Just Call 8084732287 Top Class Call Girl Service AvailableBerhampur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Berhampur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
 
JAJPUR CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN JAJPUR ESCORTS
JAJPUR CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN JAJPUR ESCORTSJAJPUR CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN JAJPUR ESCORTS
JAJPUR CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN JAJPUR ESCORTS
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
 
Cannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 UpdatedCannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 Updated
 
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGBerhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Berhampur 70918*19311 CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 

GDPR READY SOLUTION FOR UNSTRUCTURED DATA

  • 1. GDPR FOR UNSTRUCTURED DATA 7 CHALLENGES FOR SECURING YOUR DOCUMENTS  In collaboration with
  • 2. G D P R F O R U N S T R U C T U R E D D A T A D I S C L A I M E R This white paper is a commentary on the GDPR, as Xenit interprets it, as of the date of publication. We’ve spent a lot of time with GDPR and like to think we’ve been thoughtful about its intent and meaning. But the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled. As a result, this white paper is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance. P A G E 0 2   |   W W W . X E N I T . E U Published March, 2018 Version 1.0 Copyright 2018  by XeniT Solutions. In collaboration with CDI-PARTNERS
  • 3. G D P R F O R U N S T R U C T U R E D D A T A I N T R O D U C T I O N Beginning on May 25, 2018, the General Data Protection Regulation (GDPR) will implement a new legal framework in the European Union (EU) for the protection and distribution of personal data. GDPR is becoming the most crucial regulation through EU’s data privacy legislations, the due date is right around the corner and the penalties for non-compliance are severe (€ 20m or 4% of global annual turnover). As the attention to the regulation is at the top, there is now a growing concern about GDPR compliancy by all organizations that are affected by it. GDPR will increase privacy for individuals and organizations must implement capabilities to ensure appropriate rights and adequate protection to safeguard the privacy of those individuals whose data they control. Companies have a general obligation to implement technical and organizational measures to show that they have considered and integrated data protection into their processing activities (ICO). P A G E 0 3   |   W W W . X E N I T . E U MISSION Several companies may be well on the way to define how to handle GDPR compliance for structured data. But many companies still haven't come up with a good way to handle GDPR compliance for unstructured data.. This whitepaper provides the main information about unstructured data and the Xenit solution to manage documents under the regulation. "Did you know that most of the data breaches reported are related to unstructured data?"
  • 4. G D P R F O R U N S T R U C T U R E D D A T A I N A N U T S H E L L The solution summary explains the high-level GDPR area that Xenit can solve, these can be further broken down to show what Xenit products can help in which area. In a nutshell, Xenit, together with Alfresco, the leading Content Services platform, can help you in: 1. Discovering Personal Identifiable Information in documents 2. Tagging documents containing different types of Personal Data 3. Security rules based upon PII-type (No PII, PII, Sensitive, Medical, Criminal) 4. Monitoring and controlling  P A G E 0 4   |   W W W . X E N I T . E U Detection 25% Protection 25% Respect 25% Monitoring 25% Basic and most advanced algorithm to identify documents that contain persona; data Alfred Archive to store documents, encrypt them  Alfred Desktop and Alfred Finder make it really easy to send links to documents and sharing them with a restricted audience DETECT PROTECTRESPECT MONITOR Within the Alfred Architecture, Alfred Edge to log every consultation
  • 5. G D P R F O R U N S T R U C T U R E D D A T A As there are no real examples of data breaches or other GDPR infringements, we have to look elsewhere if we want more insights in the effects of the GDPR. A good place to look for information is the United Kingdom. Although data breach notification is not mandatory, it is considered to be a best practice and close to 3000 breaches are reported each year. Did you know that most of them are related to unstructured or semi- structured data? Documents, spreadsheets, mails and even paper files? One reason could be that it is far easier to properly protect data that are stored in databases, accessed through applications, than it is to have control over what happens to unstructured data. Unstructured data are found everywhere, in emails and documents, stored on local or network drives, in the Cloud or on USB Keys. And they are easily copied and distributed. Unstructured doesn't mean chaotic. There can be a structure in the way the documents are stored, easy linking these documents to contracts, offers or individuals. And they are vulnerable. The most common type of data breach is sending these documents containing personal data to the wrong recipient by post, fax or email. Once an email has been sent it is impossible to control it, or is it? Here a document management system comes in. You no longer send an email, you send a secure link and only users, with appropriate rights, have access. But this is not the only advantage. Audit trail, usage tracking, retention policies, and legal archiving are just a few advantages that can easily be implemented with a document management system such as Alfresco. P A G E 0 5   |   W W W . X E N I T . E U
  • 6. P A G E 0 6   |   STRUCTURED DATA  Structured data refers to information with a high degree of organization, such that inclusion in a relational database is seamless and readily searchable by simple, straightforward search engine algorithms or other search operations. Structured data is relatively simple to enter, store (in database), query, and analyze.  20% UNSTRUCTURED DATA Unstructured data is more like human language. It is not stored into a relational database and the information does not have a pre-defined data model or is not organized in a pre-defined manner. Typical example of unstructured data is text. 80%
  • 7. G D P R F O R U N S T R U C T U R E D D A T A G D P R 7 C H A L L E N G E S To make this very tangible, here are 7 challenges for securing your company’s documents. 1. First, how do you know what documents to protect? How do you know they contain personal data? 2. Secondly, you have to adequately protect these documents. 3. Then, there is the aspect of responsibility: organisations must prove that they process personal data in a responsible way. And they need prove of having a legitimate purpose or consent to hold the document. 4. If data are on a portable device and it is important to work offline, how can this be protected? 5. And if something has gone wrong? How to know what data have been lost or stolen? 6. Personal data cannot be kept longer than necessary, or must be removed after a legitimate demand to be forgotten. 7. Sometimes it is needed to share documents with another party. How will you know who you have shared the document with and for what legitimate reason? And how to inform the 3rd party of a request to be forgotten?  P A G E 0 7   |   W W W . X E N I T . E U "GDPR will touch every department, every function and every operation inside your organization. It will not only change the way you manage information, it will change the way people behave.”
  • 8. GDPR CHALLENGES for securing your company documents Identify documents containing personal data and label them appropriately. State of the art security of the documents and the metadata Monitor and control access to the documents and store the right metadata to proof legitimate purpose. Make documents available offline in a secure way. Detect breaches and take appropriate action. Keep track of the right time to delete documents and to permanently delete the documents so no backup copies exist. Control the usage of documents by external parties.
  • 9. G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E 1   - I D E N T I F Y D O C U M E N T S C O N T A I N I N G P E R S O N A L D A T A A N D L A B E L T H E M A P P R O P R I A T E L Y . As we have seen, unstructured data are found everywhere, in emails and documents, stored on local or network drives, in the Cloud or on USB Keys. If we want to adequately protect personal data stored in these documents, the first hurdle to take is to know what kind of personal data is in which document. As documents are created or modified all the time, this classification has to be a recurring process. The results of the classification process must be stored in a such a way, security tools are able to use this information. If we look at Alfresco, every change in a document – e.g. creation or modification – can trigger a policy that calls for the classification process. Then, the results of the process can be stored as metadata of the document. How this metadata has to be used will be described in Challenge 3 on page 14. P A G E 0 9   |   W W W . X E N I T . E U
  • 10. G D P R F O R U N S T R U C T U R E D D A T A This process scans every individual file for personal data, regardless of the file type. The most basic algorithm will search for structured data-types: National Number, Bank Account Numbers, Credit Card Numbers. This algorithm can be enhanced with company-specific structured data-types. For instance, Client Numbers that contain a check-digit. A more advanced algorithm takes company-specific data as input and scans documents and files for this data. For instance, the names and addresses from the client database are used as input and documents that contain this information are flagged. The most advanced algorithms use artificial intelligence such as natural language processing to search for certain data-types in plain text. This type of algorithm will return a probability. A threshold will have to be defined and tested on a representative random sample of documents. Next to searching the content of the document, the type of document and the place it is stored can also be used: for instance, all documents in the folder ‘employment contracts’. The second part of the challenge was ‘label the documents appropriately’. We have already mentioned that this information can be stored as metadata in Alfresco. We will keep whether the document contains personal data, if so, which type of personal data, the content found and, if possible, the link to the individual person. As you can see, by using the classification algorithm we transform unstructured personal data into semi-structured personal data. The advantage is that we can implement more strict security on the documents and control how and by whom these documents are used. The disadvantage is that we have created more data that has to be protected. P A G E   1 0 |   W W W . X E N I T . E U
  • 11. G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E 2   - S T A T E O F T H E A R T S E C U R I T Y O F D O C U M E N T S A N D M E T A D A T A When we store documents and other files, we not only store files that might contain personal data, we also create personal data by doing this. When we run a classification algorithm, as discussed in the previous paragraph, we extract personal data from a document and store it in metadata. As a result, databases and indexes are filled with personal data in a semi-structured way. This makes finding and retrieving documents far easier, but it also increases the risk related with keeping personal data. But there is more. Personal data is information related to an identified or identifiable natural person. For compliance reasons we will keep records of persons accessing, copying, and printing documents containing personal data. This audit trail links natural persons, for instance employees, to the documents they use. By definition, this information is also personal data. And usage history is not harmless, it can lead to criminal convictions. In the UK there are some examples of hospital staff convicted for accessing medical files for non-professional reasons. This is in fact the very reason of keeping an audit trail, but unauthorized access to this information is a data breach in its own right. P A G E   1 1   |   W W W . X E N I T . E U
  • 12. G D P R F O R U N S T R U C T U R E D D A T A Security of processing is covered in article 32 of the GDPR. We need to have appropriate security related to the risk to the rights and freedoms of natural persons. This is a very broad description that will lead to a lot of interpretation and discussion. Typically, documents are stored on local or network drives or in the Cloud and distributed by email or by copying them on USB keys. Protecting documents in this way is not easy and options are limited to granting read or write access. When we store documents in Alfresco, we gain a lot of options. Next to the original document, we can generate and store previews. These can even be personalized with a watermark. It is far easier to address people leaving documents on the printer (a possible personal data breach!) when their name is on every page. P A G E   1 2   |   W W W . X E N I T . E U
  • 13. G D P R F O R U N S T R U C T U R E D D A T A Instead of sending documents by email, we will send links to documents or links to PDF previews. For very sensitive documents a separate login process can be enforced. This reduces the risk of sending documents to the wrong person (the number one type of data breach). And when a person asks to be forgotten, we can automatically inform the receiving third party of this request. We will need to protect the documents, the database, the indexes, and the log files. For sensitive metadata, for instance the national number, we will use one-way encryption or cryptographic hashing. Only a user that knows the correct key can retrieve the documents related to the key, but the indexes can’t be used to retrieve all the existing keys. Documents stored in Alfred Archive are always protected and set up according best object storage practices. There is no direct access on a file system basis, which neutralizes 99% of known malware & intrusion risks. Furthermore, documents in the store are encrypted, with proper handling of the private and public key. Access to the document store is under detailed auditing. Life points can set the document to be 'immutable'. Moreover, a health processor continuously checks the binary integrity of all content - which can include the validity of a digital signature. As for metadata, the database that contains the metadata can be encrypted on database level. Specific metadata fields with personal data can be encrypted and will not be exploitable by any direct access to the database. Index information is protected with encryption as well. No system can directly access the indexes in our reference architecture, as we have a safety gateway in front of the archive, and we have the Alfresco content services in front of the document store. P A G E   1 3   |   W W W . X E N I T . E U
  • 14. "Storing files and documents in Alfresco with Alfred Archive ensures adequate and appropriate security to your company’s most vulnerable digital assets."
  • 15. G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E 3   - M O N I T O R A N D C O N T R O L A C C E S S T O T H E D O C U M E N T S A N D S T O R E T H E R I G H T M E T A D A T A Organizations must prove that they process personal data in a responsible way. And they need proof of having a legitimate purpose or consent to hold documents containing personal data. Organizations need to ensure that their data processing activities are carried out in accordance with the regulation. In particular, organizations should pay close attention to the principles of transparency and data minimization while implementing new data processing activities. Article 24 states "...the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”. Good security is just a first layer, preventing unauthorized access to the data. On top of that, companies must also have internal rules, written down in policies, how personal data is treated. And they must be able to demonstrate that these rules are followed. P A G E   1 5 |   W W W . X E N I T . E U
  • 16. G D P R F O R U N S T R U C T U R E D D A T A When we store documents in Alfresco, we can use the metadata to control who has access to which document. And this can be far more granular than with traditional access rights. Not only the place the document is stored (e.g. the HR-network drive) or the type of document (e.g. a medical questionnaire), but also the content of the document can be used. A rule could be “Exclude all documents where the person requesting access is mentioned”. These kinds of rules are of course highly dependent on the context of a company or even a specific process within that company. They can control access to specific documents or flag this type of behavior in the audit module. For instance, a local hospital lists all employees accessing medical files of famous patients. This list is reviewed by the management on a weekly basis. Excluding access would interfere with providing care in an emergency situation, but the staff knows that, without a legitimate reason, they face dismissal when accessing these files. For documents, as for structured data (fields stored in databases), organizations must determine and communicate the lawful basis and the purpose for processing. When storing documents containing personal data in Alfresco, it is possible – and recommended – to store the lawful basis and a reference to the consent application as meta-data. When an opt-out is recorded, all documents that where dependent on the consent of a data- subject can be deleted with one simple instruction. These functionalities are supported by Alfred GDPR. Alfred GDPR applies a double filtering for GDPR access control. First of all, classical Access Control Lists are used. They assign the right to view or modify documents to groups of users. Access control lists are the base permission management mechanism in Alfresco. Extending this to cope with GDPR would complicate matters a lot. Therefore, we have a filtering mechanism in Alfred GDPR that is based upon meta-data and GDPR roles. As an example, your organization can create a “GDPR sensitive” role, assigned to a limited number of people, and only they will be able to perform operations (consult or share) on “GDPR sensitive” documents. P A G E   1 6   |   W W W . X E N I T . E U
  • 17.
  • 18. G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E 4   - M A K E D O C U M E N T S A V A I L A B L E O F F L I N E I N A S E C U R E W A Y People use different devices for different purposes and in different circumstances. Think about your habits: when you work at the office or at home, writing documents and creating content, you will use a computer. But to consult these documents, for instance while you are traveling, you will use a tablet or a laptop. Although increasingly more people are always connected, storing documents locally on a device is still a common practice. This implies that the protection of these precious documents depends on the security of the portable device. When an unencrypted portable device – a smartphone or a laptop - is lost or stolen and when there is the possibility that this device contains files with personal data, you will have to report this loss as a personal data breach! The notification to the supervisory authority must contain a description of the likely consequences of the personal data breach. But, how many companies know which files are on which device? My guess, not so many. P A G E   1 8 |   W W W . X E N I T . E U So, the challenge has two aspects: how to store the documents in a secure way and how to keep control over these files once they are stored on a portable device.
  • 19. G D P R F O R U N S T R U C T U R E D D A T A Securing the storage is not so hard if you can secure the device they are on. You can encrypt hard-disks and memory cards and protect access to the device by password policies. But what if you don’t have control over the device? And how can you know which files are on the device? And can you limit the possibilities to copy the files to another device like an USB-key or block sending these files by e-mail? To face this challenge, Xenit is working on securing the content, through the Alfred GDPR Architecture and some features of the two products, Alfred Desktop and Alfred Finder, built on top of the Alfresco functionalities. Alfred Desktop, a desktop application for Alfresco, keeps track of local content and removes it as soon as the user is done with it. For off-line editing and modification, working copies are created in a download directory. This working copy is under control of Alfred Desktop and it will only exist locally as long as it is needed. However, the corporate desktop policies remain important: local drives that can contain sensitive information should be encrypted at any time. With Alfred Desktop and Alfred Finder, a web application for finding documents on an Alfresco back end, organizations can set a “GDPR download policy”. In this policy, customers can enforce whether the original document format (Microsoft Office) or PDF should be downloaded. P A G E   1 9 |   W W W . X E N I T . E U
  • 20. G D P R F O R U N S T R U C T U R E D D A T A Additionally, a watermark can be added to a downloaded file. Via the watermark, identification information is attached according to customer requirements. Typically, that covers “who” downloaded, a unique document ID, the GDPR categorization and it might contain consent information whether the document can be distributed outside of the organization. Alfred Edge allows to handle different types of access control to Alfresco: mobile users can have other policies than desktop users. We can disable downloading documents from a mobile device, but allow the previewing of such documents, while desktop users are allowed to download a document. Note that 'previewing' in many cases does an implicit browser download: customers that want to fully block such risk should explore pure 'streaming' solutions on top of our Alfred  GDPR Architecture. P A G E   2 0 |   W W W . X E N I T . E U
  • 21. G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E 5   - D E T E C T B R E A C H E S A N D T A K E A P P R O P R I A T E A C T I O N S Article 4 defines a Personal Data Breach as follows: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” A little quiz: What is not a personal data breach? 1. Someone accidentally deletes a document and there is no backup 2. Someone alters a document filled in by a client 3. A person sitting next to me on the train can see the screen of my laptop when I’m reviewing an employee file. As you might have guested, all these could be Personal Data Breaches. And not all data breaches can be detected automatically. How would a system know a file is accidentally deleted or that you have left your laptop unattended without locking the screen? To minimize these types of risks, you need to set up internal policies and create awareness, by training and a lot of communication. P A G E   2 1   |   W W W . X E N I T . E U
  • 22.
  • 23. G D P R F O R U N S T R U C T U R E D D A T A A lot of breaches can be detected. And you will have to take measures to detect these. The higher the likelihood of breaches happening and the higher the impact of a possible data breach, the more sophisticated breach- detection must be. Modern security systems search for uncommon behavior: signing in from Belgium and 10 minutes later from Singapore, downloading files in large quantities, using an unknown device. These are just simple examples; more sophisticated statistical analysis will search for patterns. Behavior that doesn’t match these patterns is seen as suspicious. Another technique is to use honeypot files: Files that only exist to be hacked. When such a file is touched, you know someone is in poking around in your system. As mentioned before documents or more general files on network servers or local disks are difficult to control. If they can be copied onto a USB Keys or sent by mail, there totally out of control. To mitigate the risk of local and email copies of privacy related documents, Alfred GDPR promotes and facilitates collaboration by sending links. No need to make or send copies of documents, but share by link. P A G E 2 3   |   W W W . X E N I T . E U
  • 24. G D P R F O R U N S T R U C T U R E D D A T A Alfred Edge, an intelligent gateway, is the core of the Alfred GDPR architecture. All access to Alfresco is centralized in the gateway. The gateway defines a very narrow and business driven interfaces, with strict rules about what data and what queries different (GDPR) user profiles are allowed to access. All other other access to Alfresco is blocked. All requests are logged and retained (with proper protection of private information!). Customers can then define breach patterns and have the gateway in real time filter and monitor for such behavior.  Alfred Edge supports different interaction channels: intranet users, internet users, 3rd party systems. Using strong and positive identification, we then apply rules of expected behavior as defined by the customer. Frequent access to private or sensitive documents can be detected and escalated. Searches on GDPR related meta-data (name, national id numbers) can be filtered, detected and blocked. If user x tries to access data about user y,  e.g. via a broad query on the repository, we log and escalate such requests. Obviously, standard access control and GDPR roles will hide any information users are not entitled to access, but breach detection will bring such attempts to the attention of GDPR officers and DPO. When the system becomes aware of a breach, different actions can be taken. The access to the system can be blocked, an alert will be shown on a console, an entry will be written in a log file. Which actions are appropriate depends on the sensitivity of the information in the system. In all cases, the breach has to be reviewed by the Data Protection Officer if there is one, or someone with a comparable responsibility, if not. Depending on their assessment, the authorities must be notified. P A G E   2 4 |   W W W . X E N I T . E U
  • 25. G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E   6 - K E E P T R A C K O N T H E R I G H T T I M E T O D E L E T E D O C U M E N T S   At this point is quite evident how GDPR is an on-going process and companies have to put in place a long term plan to demonstrate their compliance. Another important change introduced by the GDPR is data minimization. This means, not only structured data (data in databases) must be deleted after a certain time, but also unstructured data has to be removed. Data and documents that are being kept on basis of consent must be deleted as soon as the consent is withdrawn. As for the other challenges, implementing these functionalities on documents and files is more difficult than it is for structured data. Not only do you need to establish the right retention period, you need to keep this information with the document, and find a way to delete the document after the retention period has passed. We already talked about the need to keep a link to the consent that has been given in a previous paragraph. P A G E   2 5 |   W W W . X E N I T . E U "Keep only the information you need for as long as you need it."
  • 26. G D P R F O R U N S T R U C T U R E D D A T A In the simplest form, retention periods are fixed; you need to keep a document for x years. But it can become more complicated very fast. Keep the dossier (all the documents related to a certain contract) y years after the contract ends. In this case you could be obliged to keep certain documents for decades. The retention period is not fixed, but a rule. By consequence, you can't set the date of deletion the moment you store the file on your environment. And deletion actually means removing all copies of the document from your system (and shredding the paper versions). For years companies are investing in backup solutions, so they can retrieve information that has been deleted. And now we need to find a way to selectively delete or at least block access to certain files on backups. How simple would this be if we didn’t store multiple copies of the same document on file servers and if we didn’t keep back-ups. P A G E   2 6 |   W W W . X E N I T . E U
  • 27. G D P R F O R U N S T R U C T U R E D D A T A Alfred GDPR helps to manage document retention, including GDPR related information. This means that the all GDPR aspect of your documents, including a clear view on PII (personally identifiable information) are under your control. Records management is the ‘art of throwing away’, so governance to remove sensitive information is as important as to retain information. Building upon Alfresco Content Services, our powerful meta-data scheme allows to encode various GDPR retention and protection policies. Retention is ensured as long as consent is given. Once consent is withdrawn, a simple query allows to collect information to be removed. Needless to say that audit and protection mechanisms are provided to protect against any unintended operation. Optionally, Alfred GDPR enables object storage for all your (GDPR) documents. By applying the proper versioning policy, and protecting against loss of documents via built-in (Geo) replication, there is no need for two or three tier back-up strategies. As a consequence, you have direct control over all documents and their history within one management layer. With smart versioning policies and object storage you simply eliminate the need to keep or clean back-ups. P A G E   2 7 |   W W W . X E N I T . E U Request a free day assessment
  • 28. G D P R F O R U N S T R U C T U R E D D A T A C H A L L E N G E   7 - C O N T R O L T H E   U S A G E O F D O C U M E N T S B Y E X T E R N A L P A R T I E S As we have seen documents, spreadsheets and other files are easily copied and shared across devices. This can be unwanted behavior, an employee copying customer data on a USB key before leaving the company, but mostly this is wanted behavior, working on a document with colleagues, sharing information within a department, sending out a work order to an external partner. And our seventh challenge is about the last example. How do you control information you shared with an external party? Why would this be necessary? The most important article covering this situation is Article 19 “Notification obligation regarding rectification or erasure of personal data or restriction of processing. The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.” When you share personal data with third parties, you should be able to notify them after a request for deletion or rectification. When you share structured data, this will almost always be done under a formal contract, transferring files or granting access to your databases through web services. Contracts should address the procedure to comply with Article 19. P A G E   2 8 |   W W W . X E N I T . E U
  • 29. G D P R F O R U N S T R U C T U R E D D A T A Sharing word or PDF documents and spreadsheets, will often be done in an informal way: by sending out emails or using file sharing utilities like Dropbox . Once again, the solution lies in using a content management system. You stop sending out emails with documents, you share links to documents in your system. And not only can you keep track of who you shared the information with, you know if and when this party has read the document and if and when the information was downloaded. With this knowledge, you could even automate notifications after a request for deletion. If someone asks to be forgotten and the information was not downloaded, just revoke access rights. When the information was downloaded, send out a mail with the notification. With Alfred GDPR we try, first, to minimize copies of documents, creating a single source of (document) truth which is easier to protect. Instead of email attachments to third parties, linking and sharing of documents are promoted and facilitated. With linking and sharing, full audit and access control are at your disposal. Tooling-wise, Alfred Desktop and Alfred Finder make it really easy to send links to documents and sharing them with a restricted audience. Downloads can be disabled, such that we only offer a service to consult the document, not to download a copy. P A G E   2 9 |   W W W . X E N I T . E U So, when a data subject asks to be forgotten, can you inform all parties that have received information?
  • 31. G D P R F O R U N S T R U C T U R E D D A T A Alfresco allows to share a folder or a document with partners and people you assign. Using Alfred Edge’s cloud authentication, these documents can even be shared outside your company walls with strong authentication for your external partners and customers. Links can entail strong authentication of the person accessing your document; we can make them secure, valid for a limited time and inside a specific geographic zone. When employees, for good reasons, download a document for internal purposes, full audit information is available. Every consultation is logged. Even sending a document attached in an email can be added to the audit log if the operations is executed out of the safe harbor of Alfred GDPR. Some previewers operate by downloading a document locally before displaying it. With streaming technology, a document never has to be downloaded, you can consult the content without a local copy. Alfred GDPR optionally offers such a streaming viewer if you need the additional protection. Last but not least, it is possible to watermark (PDF) documents such that there private or sensitive character is explicit and awareness about their private nature is increased. Water-marking is possible in preview and in the creation of a “GDPR protected PDF copy”.  . P A G E   3 1 |   W W W . X E N I T . E U
  • 32. G D P R F O R U N S T R U C T U R E D D A T A C O N L U S I O N Through the seven challenges, we have listed what you need to comply with the GDPR. Combined with unique GDPR functionalities of Alfred GDPR, Alfresco is the most appropriate environment to store, modify, archive, and delete your files. Alfresco is your chance to manage unstructured data under the regulation. P A G E 3 2   |   W W W . X E N I T . E U
  • 33. G D P R F O R U N S T R U C T U R E D D A T A C O N T A C T P A G E 0 2   | C O N T A C T Peter Morel CONTACTS Sales Director and Co-Founder @Xenit peter.morel@xenit.eu Bart Van Bouwel Managing Partner @ CDI-PARTNERS bart.van.bouwel@cdi-partners.be