Welcome to GDPR: Your Journey to Compliance
Thursday 2 November 2017, 14:00-17:15
Microsoft UK, Paddington, London
What to look for in GDPR-compliant backup and storage
• Flexible setting of retention time of data, archival rules, etc.
• Extensive logging
• Multilayered and highly customiza...

How Acronis helps your company achieve GDPR compliance
• Active Protection against ransomware
• Proactively preventing bre...

With an economic incentive to it, new Ransomware families appeared fast… (Source: F-Secure)

Ransomware Big Trends
• Advancing into new operating systems
• Advancing into new platforms and devices
• Ransomware-as-a-Servic...

Trend 4: Advanced attack techniques
• 2010 – Detection of non-signed files
• 2014 – Protection for Windows only
• 2016 – Detection by ...

Ransomware evolves… … Data Protection evolves too
Acronis Customers / Acronis Labs – infected and clean processes farms – provides processes behavior...

Complete protection against modern techniques
• 2016 – Detection by checking file type/header
• Only body of the file is encrypt...

Acronis Notary powered by Blockchain – Ensuring that data is authentic and unchanged
“Acronis Notary assures that files are ...

Thank you – Speak to a member of the Cobweb team if you’d like to know more!
Mimecast and GDPR – Data Protection and Data Management
David Tweedale – Team Leader
GDPR: Your Journey to Compliance
© 2017 Mimecast.com All rights reserved.

Data Protection – Securing personal and sensitive information (Data Management / Data...)

Spear-phishing credentials to exploit point-of-sale systems – used as stepping st...

Type of attacks:
• Weaponised attachments
• Malicious URLs
• Malware-less attac...

Data leaked by disgruntled employee – employee emails copy of client database to ...

Data Leak Prevention (DLP) – Technology capabilities: Data protection – How is data...

Encryption – Technology capabilities: Data protection – Where is data encrypted? • ...

Breach Notifications – Technology capabilities: Data protection – Key Information r...

Data Management – Supporting access rights of individuals (Data Management / Data Pro...)

GDPR – Subject Access Request and Data Portability – IT Administrator searches ac...

Subject Access Requests (SAR) – Technology capabilities: Data management – What is ...

Data Portability – Technology capabilities: Data management – What is the impact? •...

GDPR – Right To Be Forgotten – IT Administrator searches across data repositories...

Right To Be Forgotten – Technology capabilities: Data management – What is the impa...

Mimecast Solution – Simplifying GDPR Compliance for Email – Data Management – Search ...

You need technology that provides the best possible multi-layered protection – P...

Thank you – Speak to a member of the Cobweb team if you’d like to know more!
QGate and GDPR – Paribus Discovery - One Small Step…
Rowland Dexter, Managing Director
GDPR: Your Journey to Compliance

Who are QGate
• A Dynamics 365 implementation partner (UK HQ), est. 1997
• Working with Dynamics CRM since V4 (2007)
• ISV...

The Problem – Duplicate Data
• A primary element of poor data quality
• However, in regards to GDPR specifically
• How do yo...

The Solution – Paribus Discovery: a batch tool which IDENTIFIES duplicate data within any SQL based data source

The Paribus Match Engine – Phonetic Data Matching
• Foto Centre, Photo Center
• Kris Dixon, Chris Dickson, Criss Dicksen
• C...

The Paribus Match Engine
• Bill Dixon
• Marketing Manager
• 1st National Bank of Arizona
• 123 Flat A, Acacia Avenue, Phoeni...
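A simplified phonetic key that brings the slide's own spelling variants together, as an added example and not the Paribus Match Engine's algorithm (the slides show its results, not how it works): a Metaphone-style normaliser plus a grouping step that turns records with matching keys into candidate-duplicate clusters for a user to review and confirm. The CRM rows and the choice of fields are constructed.

```python
"""Phonetic duplicate detection over CRM records.

Added example, not the Paribus Match Engine. A simplified Metaphone-style
key maps spellings that sound alike to one string; records whose keys
agree are grouped into candidate-duplicate clusters for review.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List


def phonetic_key(word: str) -> str:
    """Reduce a word to a rough sound key: Foto/Photo -> FT, Dixon/Dickson -> DKSN."""
    w = re.sub(r"[^A-Z]", "", word.upper())
    if not w:
        return ""
    w = w.replace("PH", "F")            # Photo -> Foto
    w = w.replace("CK", "K")            # Dickson -> Dikson
    w = w.replace("CH", "K")            # hard ch as in Chris; simplification: also hits 'Charles'
    w = w.replace("X", "KS")            # Dixon -> Dikson
    w = re.sub(r"C(?=[EIY])", "S", w)   # soft c: Centre -> Sentre
    w = w.replace("C", "K")             # remaining c is hard: Criss -> Kriss
    first, rest = w[0], w[1:]
    rest = re.sub(r"[AEIOUHWY]", "", rest)         # vowels after the first letter carry little
    return re.sub(r"(.)\1+", r"\1", first + rest)  # collapse doubled letters: KRSS -> KRS


def record_key(record: Dict[str, str], fields: Iterable[str]) -> str:
    """Key for a record: the phonetic keys of every word in the chosen fields, in order."""
    parts = [phonetic_key(tok) for f in fields for tok in record[f].split()]
    return " ".join(p for p in parts if p)


def find_duplicates(records: List[Dict], fields=("name", "company")) -> List[List[int]]:
    """Group record ids whose keys agree; returns only groups of two or more."""
    groups: Dict[str, List[int]] = defaultdict(list)
    for rec in records:
        groups[record_key(rec, fields)].append(rec["id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


# Constructed CRM rows using the slide's own spelling variants.
RECORDS = [
    {"id": 1, "name": "Kris Dixon", "company": "Foto Centre"},
    {"id": 2, "name": "Chris Dickson", "company": "Photo Center"},
    {"id": 3, "name": "Criss Dicksen", "company": "Photo Centre"},
    {"id": 4, "name": "Bill Dixon", "company": "1st National Bank of Arizona"},
    {"id": 5, "name": "Jane Doe", "company": "Foto Centre"},
]

if __name__ == "__main__":
    for group in find_duplicates(RECORDS):
        print("review:", [r for r in RECORDS if r["id"] in group])
```

Matching on the company field alone pulls record 5 into the cluster as well, which is why the slides leave the final merge decision to a business user rather than to the engine.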
Paribus Discovery - Identify – A business user can then:
• Review & confirm the matches
• Review & confirm the primary/maste...

Paribus Discovery - Resolve – The CRM admin user then:
• Uses the plugin to execute the merge/purge process
Dedicated Paribu...

Paribus Interactive – The user does what they do today, just enter data. As they do, Paribus Interactive searches for potenti...

Paribus Interactive – Note the results are from multiple entities. To see the results click here. Can navigate direct to the r...

Summary
• Paribus Discovery IDENTIFIES duplicate data
• Within Dynamics 365 able to REMOVE (merge/purge)
• Open API to build yo...

Thank you – Speak to a member of the Cobweb team if you’d like to know more!
Panel Interview – Host: Caroline Wigley (Cobweb); Sean Huggett (Cybercrowd), Jonathan Burnett (Microsoft), Michael Olpin (C...

Closing Thoughts
GDPR: Your Journey to Compliance

Helping You Achieve Compliance – Process track / Technical track: Define the requirement, Create the plan – GDPR Webinar...

1-day free GDPR health check (worth £1,200) …

…the result

Thank you to our presenters

Thank you for attending – Speak to a member of the Cobweb team if you’d like to know more a...
GDPR: Your Journey to Compliance
Published on 2 November 2017 | Microsoft, London, Paddington
Published in: Technology
1. Welcome to GDPR: Your Journey to Compliance
   Thursday 2 November 2017, 14:00-17:15
   Microsoft UK, Paddington, London
2. Welcome & Introduction – Michael Frisby, Cobweb MD
3. Achieving GDPR Compliance
   • Location – identifying existing personal data held across the business
   • Governance – managing data subject access rights, data storage and use
   • Security – protecting against vulnerabilities and breach
   • Reporting – for data requests, breaches, and accountability
4. Helping You Achieve Compliance
   Process track / Technical track: Define the requirement, then Create the plan
   GDPR Webinars, GDPR Workshops, GDPR Healthcheck, GDPR Assessments, Implementation Clinics, Virtual Services
5. Agenda
   13:45-14:00 Registration
   14:00-14:15 Welcome & Introduction – Michael Frisby, Cobweb MD
   14:15-14:45 Introduction to GDPR – Sean Huggett, Cybercrowd, CEO & Consultant
   14:45-15:00 DocuSign and GDPR – Jacqueline de Gernier, AVP Commercial Sales
   15:00-15:30 Microsoft and GDPR – Jonathan Burnett and Samantha Garrett, Partner Technology Strategists
   15:30-15:45 Tea and Pastries
   15:45-16:00 TermSet and GDPR – Stewart Connors, Head of Customer & Partner Success
   16:00-16:15 Acronis and GDPR – Ronan McCurtin, Senior Sales Director Northern Europe
   16:15-16:30 Mimecast and GDPR – David Tweedale, Team Leader
   16:30-16:45 QGate and GDPR – Rowland Dexter, Managing Director
   16:45-17:15 Panel Interview – Sean Huggett (Cybercrowd), Jonathan Burnett (Microsoft), Michael Olpin (Cobweb); Cobweb GDPR Support Package; GDPR Health Check ‘Raffle’; Closing Thoughts
6. Introduction to GDPR – Sean Huggett, Cybercrowd, CEO and Consultant
7. Introduction to GDPR
   • Came into force on 24th May 2016 – enforceable from 25th May 2018
   • EU Regulation – has direct effect – no local legislation required
   • Replaces the Data Protection Act 1998 – transposed into law from Data Protection Directive 1995
   • Aims to support the digital single market and give data subjects control over their personal data
   • Wide scope & coverage
   • Guidance on interpretation and compliance still being developed
   • UK Government has confirmed applicability in UK notwithstanding Brexit
8. Key Definitions
   • Data Controller – “the natural or legal person… which … determines the purpose and means of the processing of personal data”
   • Data Processor – “a natural or legal person… which processes personal data on behalf of the controller”
   • Data Subject – “an identified or identifiable natural person”
   • Personal Data – “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data….”
   • Processing – “any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage…”
9. Six Data Protection Principles & Accountability
   • Six data protection principles – overview of your most important duties in complying with GDPR
   • Introduces ‘accountability principle’ – Data Controllers responsible for being able to demonstrate compliance with the six principles
   Personal Data shall be:
   1. processed lawfully, fairly and transparently
   2. collected for specified, explicit & legitimate purposes
   3. adequate, relevant & limited to what is necessary for processing
   4. accurate and kept up to date
   5. kept only for as long as is necessary for processing
   6. processed in a manner that ensures its security
   ACCOUNTABILITY
10. Data Subject Rights – rights to:
   • Information – think about Privacy Notices
   • Access – think about Subject Access Requests
   • Object to Processing
   • Rectification
   • Erasure – ‘right to be forgotten’
   • Restrict Processing
   • Data Portability
11. Obligations & International Transfers
   Obligations
   • Data Protection Officers (DPO)
   • Data Protection Impact Assessments (DPIA)
   • Data Protection by Design and by Default
   • Controller & Processor Records
   • Security of Processing
   • Breach Notification
   • Processor contracts with guarantees that processing will meet the requirements of GDPR
   International Transfers – Restricted & Regulated – Conditions to be Met
   • Basis of Adequacy
   • Appropriate Safeguards
   • Binding Corporate Rules (BCRs)
   • International Cooperation Mechanisms: EU-US Privacy Shield
12. Remedies & Liabilities
   Liabilities
   • Administrative Fines – ‘Effective, Proportionate & Dissuasive’
     o Higher of 4% of global turnover or €20m for top tier infringements
     o Higher of 2% of global turnover or €10m for lower tier infringements
   • Warning of likely infringement
   • Reprimand for infringement
   • Others, including: order data breach communication, order limitations on processing, order rectification/restriction/erasure
   Data Subject Remedies
   • Right to judicial remedy where their rights have been infringed as a result of the processing of personal data
   • Right to compensation – data subjects who have suffered material or non-material damage
   • Controller & Processor joint and several liability
   • Collective claims / class-action type litigation possible – higher litigation risks
13. Some Practical Steps
   1. Understand Personal Data You Hold:
   • Data mapping – identify Personal Data held, how it was/is collected, data flows, who has access, where it is stored etc.
   • Apply the 6 Principles to the Personal Data you hold.
   • Assess the risks to rights and freedoms of data subjects associated with your processing / the personal data you hold.
   • Identify transfers to 3rd countries.
   2. Review 3rd Party Relationships:
   • Identify your 3rd party processors.
   • Review the contracts, bring them into compliance – including cloud service providers.
14. Some Practical Steps (continued)
   3. Document Your Processing Activities:
   • Put the required documentation in place – records of processing activities, records of consent etc.
   • Document how you comply with GDPR – demonstrate you are consistently applying best practice.
   4. Apply Technical and Organisational Measures:
   • Implement strong information governance measures, including policies and procedures covering:
     o Data protection
     o Information security
     o Breach response and notification
   • Adopt a ‘Cyber Resilience’ approach covering People, Process & Technology in line with best practice.
   • Implement an ISMS / PIMS / Compliance Framework – apply best practice and certify where appropriate
15. Thank you – Speak to a member of the Cobweb team if you’d like to know more!
16. DocuSign and GDPR – Jacqueline de Gernier, AVP Commercial Sales
17. Getting to Grips with the GDPR: How to Fast-Track Your Compliance
18. Introduction to DocuSign
19. 14+ years innovation; highest level certifications; 188 countries; 43 languages; 13 offices; 5 continents; 300k+ corporate customers; 200 million total users; #1 analyst rated
20. The DocuSign Difference – why customers choose DocuSign: Trust; Legal & Compliance; Bank-Grade Security & Encryption; Platform & Scalability; Capabilities & Usability; Mobile; Customer Success Programmes; Experience; Partners & Integrations; Global #1; APIs; Choice
21. Financial Services, Insurance, High Tech, Communications/Media, Pharmaceutical, Real Estate, Consumer – Everywhere
22. Use cases
   • Sales – experience significantly improved
   • Procurement – contract signing 50x faster: “It speeds up the process and makes it more compliant”
   • HR – fastest contract returned in 10 minutes: “DocuSign has revolutionised how we send out HR contracts at E.ON”
   • Customer Success – “Steps that previously took days through post now take minutes”
23. GDPR - Changes to Consent
24. Demanding requirements for consent – under the GDPR, consent must be:
   • Freely given
   • Specific
   • Informed
   • Unambiguous
   “Consent should be given by a clear affirmative act … such as by a written statement, including by electronic means, or an oral statement… Silence, pre-ticked boxes or inactivity should not therefore constitute consent.” (Recital 32)
25. Consent will often be required when collecting an individual’s personal information relating to:
   • Using an individual’s sensitive personal information
   • Sending an individual e-marketing
   • Sharing an individual’s personal information with independent third parties
26. Consent must be verifiable
   Businesses must be able to prove that they obtained the individual’s consent, requiring businesses to maintain consent records that can be checked to verify:
   1. That the individual has consented;
   2. What they consented to; and
   3. When they consented.
   Individuals “shall have the right to withdraw his or her consent at any time… It shall be as easy to withdraw consent as to give consent.” (Art 7(4))
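The three checks above (that, what and when) and the withdrawal rule map naturally onto an append-only consent log. The following is an added illustration, not DocuSign's or the seminar's code: a hash-chained ledger where each record carries subject, purpose, evidence, notice version and timestamp, and where the question "was consent in force at time T?" is answered from the record itself. Field names, the UTC ISO-8601 timestamp convention and the evidence strings are assumptions.

```python
"""Verifiable consent records: who consented, to what, when, and withdrawal.

Added illustration, not DocuSign's or the seminar's code. Consent events go
into an append-only, hash-chained log so an auditor can check (1) that the
individual consented, (2) what they consented to and (3) when. Field names
and the timestamp convention are assumptions.
"""
import hashlib
import json
from typing import Dict, List, Optional


class ConsentLedger:
    """Append-only log; each event's hash covers its fields and the previous hash."""

    def __init__(self) -> None:
        self._events: List[Dict] = []

    def _append(self, event: Dict) -> Dict:
        prev = self._events[-1]["hash"] if self._events else "0" * 64
        event = dict(event, prev=prev)
        # Editing or deleting any earlier record changes every later hash.
        event["hash"] = hashlib.sha256(
            json.dumps(event, sort_keys=True).encode()).hexdigest()
        self._events.append(event)
        return event

    def grant(self, subject: str, purpose: str, at: str, evidence: str,
              notice_version: str) -> Dict:
        """Record consent. `at` is a UTC ISO-8601 timestamp such as 2018-05-25T09:00:00Z,
        so the lexical order of timestamps is their chronological order."""
        return self._append({"action": "grant", "subject": subject, "purpose": purpose,
                             "at": at, "evidence": evidence,
                             "notice_version": notice_version})

    def withdraw(self, subject: str, purpose: str, at: str, evidence: str) -> Dict:
        """Withdrawal is one call with no extra conditions: as easy as granting."""
        return self._append({"action": "withdraw", "subject": subject, "purpose": purpose,
                             "at": at, "evidence": evidence, "notice_version": None})

    def consented_at(self, subject: str, purpose: str, at: str) -> Optional[Dict]:
        """Return the grant event in force for (subject, purpose) at `at`, else None."""
        in_force = None
        for ev in self._events:          # events were appended in time order
            if ev["subject"] != subject or ev["purpose"] != purpose or ev["at"] > at:
                continue
            in_force = ev if ev["action"] == "grant" else None
        return in_force

    def verify(self) -> bool:
        """Recompute the chain; False if any stored record was altered or removed."""
        prev = "0" * 64
        for ev in self._events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != ev["hash"]:
                return False
            prev = ev["hash"]
        return True


if __name__ == "__main__":
    ledger = ConsentLedger()   # constructed walkthrough
    ledger.grant("subject-001", "e-marketing", "2018-05-25T09:00:00Z",
                 evidence="web form: opt-in box ticked by the user",
                 notice_version="privacy-notice-v3")
    ledger.withdraw("subject-001", "e-marketing", "2018-06-01T12:00:00Z",
                    evidence="unsubscribe link")
    print(ledger.consented_at("subject-001", "e-marketing", "2018-05-30T00:00:00Z"))
    print(ledger.consented_at("subject-001", "e-marketing", "2018-06-02T00:00:00Z"))
    print(ledger.verify())
```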
27. Common consent challenges
   • Marketing / Sales – personal information for e-marketing purposes
   • HR – personal information for a job application or for the provision of employee benefits
   • Healthcare – personal information for the purpose of medical studies and clinical trials
   • Online – consenting to the use of cookies and similar tracking technologies
28. Re-contracting with Suppliers – business must ensure:
   • Legacy vendors move to new, GDPR-compliant, data protection terms
   • Future vendors are also signed up to GDPR-compliant terms
29. How DocuSign can be part of a GDPR Consent solution
30–33. Diagram build: Business; Consumers, Customers, Partners, Suppliers, Employees; Disconnected Systems, Manual Processes, Fragmented Policies; Digital consent
34. Bespoke reports for GDPR and the data can be extracted
35. Case Study: Filestream
   About – Company: Filestream; Headquarters: Berkshire, UK; Founded: 2003; Industry: Software; Website: www.filestreamsystems.co.uk; Partners: DocuSign; Use Case: Sales
   Executive Overview
   Company’s Top Challenges
   • Manual processes – contracts require manual chasing to fulfill terms and conditions
   • Not GDPR-ready – holding of personal data is not currently compliant with legislation
   • Inadequate security – information sent over email is not as secure as it could be
   Reasons for Choosing DocuSign
   • Security standards – DocuSign meets and exceeds some of the most stringent US, EU, and global security standards
   • Commitment to compliance – DocuSign is actively monitoring regulator guidance and interpretations of key GDPR requirements
   • Digitising process – digital signatures remove need to print and scan paper documents
   The Key Benefits
   • Quicker signing process – turnaround time is now 40 times faster
   • Customer consent – DocuSign’s tools are being utilised to be ready for new legislation coming into force in May 2018
   • Data protection – personal data is protected whenever a third-party comes in contact with it
   Top Benefits Achieved: 45 minutes contract turnaround time; 40x faster, quicker signing experience; GDPR-ready, DocuSign tools being used for compliance
   “I wouldn’t choose any other partner but DocuSign for ease and security” – Paul Day, Technical Director, Filestream
36. Thank you – Email: Jacqueline.degernier@docusign.com
   GDPR Seminar – 9th Nov, 5pm – 7pm, ETC Venues, Fenchurch Street
   discover.docusign.co.uk/best-practices-for-gdpr
37. Microsoft and GDPR – General Data Protection Regulation
   Jonathan Burnett, Partner Technology Strategist; Samantha Garrett, Partner Technology Strategist
38. What are the key changes to address the GDPR?
   Personal privacy – individuals have the right to:
   • Access their personal data
   • Correct errors in their personal data
   • Erase their personal data
   • Object to processing of their personal data
   • Export personal data
   Controls and notifications – organizations will need to:
   • Protect personal data using appropriate security
   • Notify authorities of personal data breaches
   • Obtain appropriate consents for processing data
   • Keep records detailing data processing
   Transparent policies – organizations are required to:
   • Provide clear notice of data collection
   • Outline processing purposes and use cases
   • Define data retention and deletion policies
   IT and training – organizations will need to:
   • Train privacy personnel & employees
   • Audit and update data policies
   • Employ a Data Protection Officer (if required)
   • Create & manage compliant vendor contracts
39. How do I get started?
   1. Discover – Identify what personal data you have and where it resides
   2. Manage – Govern how personal data is used and accessed
   3. Protect – Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
   4. Report – Keep required documentation, manage data requests and breach notifications
40. Discover: Identify what personal data you have and where it resides
   In-scope / Inventory (bullet text not captured in the transcript)
   Example solutions:
   • Microsoft Azure – Azure Data Catalog
   • Enterprise Mobility + Security (EMS) – Microsoft Cloud App Security
   • Dynamics 365 – Audit Data & User Activity; Reporting & Analytics
   • Office & Office 365 – Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
   • SQL Server and Azure SQL Database – SQL Query Language
   • Windows & Windows Server – Windows Search
41. Manage: Data governance / Data classification (bullet text not captured in the transcript)
   Example solutions:
   • Microsoft Azure – Azure Active Directory; Azure Information Protection; Azure Role-Based Access Control (RBAC)
   • Enterprise Mobility + Security (EMS) – Azure Information Protection
   • Dynamics 365 – Security Concepts
   • Office & Office 365 – Advanced Data Governance; Journaling (Exchange Online)
   • Windows & Windows Server – Microsoft Data Classification Toolkit
42. Protect: Preventing data attacks / Detecting & responding to breaches (bullet text not captured in the transcript)
   Example solutions:
   • Microsoft Azure – Azure Key Vault; Azure Security Center; Azure Storage Services Encryption
   • Enterprise Mobility + Security (EMS) – Azure Active Directory Premium; Microsoft Intune
   • Office & Office 365 – Advanced Threat Protection; Threat Intelligence
   • SQL Server and Azure SQL Database – Transparent data encryption; Always Encrypted
   • Windows & Windows Server – Windows Defender Advanced Threat Protection; Windows Hello; Device Guard
43. Report: Record-keeping / Reporting tools (bullet text not captured in the transcript)
   Example solutions:
   • Microsoft Trust Center – Service Trust Portal
   • Microsoft Azure – Azure Auditing & Logging; Azure Data Lake; Azure Monitor
   • Enterprise Mobility + Security (EMS) – Azure Information Protection
   • Dynamics 365 – Reporting & Analytics
   • Office & Office 365 – Service Assurance; Office 365 Audit Logs; Customer Lockbox
   • Windows & Windows Server – Windows Defender Advanced Threat Protection
44. GDPR Resources
   • Microsoft Whitepaper on "Beginning your GDPR Journey"
   • Microsoft.com/GDPR
   • servicetrust.microsoft.com
   • aka.ms/GDPRblogpost
45. Risk Mitigation Suggestions
   1. Data Breach Management
   2. Data Encryption
   3. Phishing Protection
   4. 2 Factor Authentication
   5. Cloud Application Security
   6. Mobile Security
46. 15:30-15:45 Tea & Pastries
47. TermSet and GDPR – Stewart Connors, Head of Customer & Partner Success
48. GDPR – Automate the process for discovering Personal Identifiable Information (PII)
49. The Challenge
   External
   • GDPR will require all EU organisations to focus on discovering PII on behalf of customers & former employees
   • “Subject Access Request” is not new and will continue
   • “Right to be Forgotten” is new & will force organisations to collect all the digital information they hold
   Internal
   • Organisations’ information is held in multiple IT systems
   • Also non-approved IT systems (shadow IT/BYOD)
   • Information is typically held in documents that are structured and unstructured
   • Discovering PII is currently a manual process
   • This will cost organisations time and money
   • “Subject Access Request”
   Ongoing breaches & fines
   • 49% of organisations had a document breach in the past 2 years*
   • 73% of employees are accidentally exposing information stored within documents*
   • 63% of organisations claim they are unable to locate sensitive data stored in documents*
   *Information taken from the Ponemon Institute Research report May 2017.
50. The Solution – ScanR: identify and retrieve GDPR Personal Identifiable Information within documents stored in multiple systems.
   • Multiple systems
   • Discover PII in Office docs, PDF, OCR on the fly
   • Generate reports
51. Product overview – ScanR
52. Connect to SharePoint, a File Share or other systems: documents where we wish to determine if they contain sensitive data
53. Choose the types of information you would like to discover
   • Over 100 pre-defined rules or you can make your own
   • Artificial Intelligence for Pattern Matching
54. Documents marked in place or reports produced
55. Overview Dashboard
   • Three data sources read
   • ~19k documents read, with 79% containing PII data
   • Breakdown of what PII data is contained where
   • Locations of the sensitive data
   • Which systems contain the most sensitive data
56. Query engine
   • Search for information across your data sources
   • Immediately see the records that match
   • Understand the types of data that contain the information
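As an added example that is not TermSet's ScanR code, the following Python sketch shows the workflow slides 52 to 56 describe: a few pre-defined detection rules plus one custom rule, run over constructed documents from three sources, marking the documents that hit and producing the dashboard figures (documents read, share containing PII, breakdown by type and by source). The rule set, source names and documents are assumptions; the validators show why a bare regex is not enough.

```python
"""Rule-based PII discovery across several document sources.

Added example, not TermSet's ScanR: pre-defined rules (email, UK National
Insurance number, payment card), one custom rule, a scan over constructed
documents from three sources, and the dashboard figures the slides show
(documents read, share containing PII, breakdown by type and by source).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """A detection rule: a regex plus an optional validator that rejects false positives."""
    name: str
    regex: re.Pattern
    validate: Optional[Callable[[str], bool]] = None


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum keeps order numbers and phone numbers out of the card-number rule."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ni_ok(candidate: str) -> bool:
    """UK NI number format rules: some letters never occur in the first two positions."""
    s = re.sub(r"\s", "", candidate).upper()
    if s[0] in "DFIQUV" or s[1] in "DFIOQUV":
        return False
    return s[:2] not in {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}


PREDEFINED_RULES = [
    Rule("email", re.compile(r"\b[A-Za-z0-9][\w.+-]*@[\w-]+(?:\.[\w-]+)+\b")),
    Rule("uk_ni_number", re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"), ni_ok),
    Rule("payment_card", re.compile(r"\b(?:\d[ -]?){13,19}\b"), luhn_ok),
]
# "make your own": a site-specific identifier format (constructed for this example)
CUSTOM_RULES = [Rule("employee_id", re.compile(r"\bEMP-\d{5}\b"))]


def scan_sources(sources: Dict[str, Dict[str, str]], rules: List[Rule]) -> dict:
    """Scan every document of every source; mark hits and compute dashboard figures."""
    marked: Dict[str, Dict[str, int]] = {}
    by_type: Counter = Counter()
    by_source: Dict[str, dict] = {}
    for source, docs in sources.items():
        stats = by_source.setdefault(source, {"documents": 0, "with_pii": 0, "types": Counter()})
        for doc_name, text in docs.items():
            stats["documents"] += 1
            hits: Counter = Counter()
            for rule in rules:
                for match in rule.regex.finditer(text):
                    if rule.validate is None or rule.validate(match.group(0)):
                        hits[rule.name] += 1
            if hits:                      # "marked in place": remember which document and why
                marked[f"{source}:{doc_name}"] = dict(hits)
                stats["with_pii"] += 1
                stats["types"].update(hits)
                by_type.update(hits)
    total = sum(s["documents"] for s in by_source.values())
    return {
        "documents_read": total,
        "documents_with_pii": len(marked),
        "pct_with_pii": round(100 * len(marked) / total) if total else 0,
        "by_type": dict(by_type),
        "by_source": {s: {**v, "types": dict(v["types"])} for s, v in by_source.items()},
        "marked": marked,
    }


# Constructed sample corpus: three "systems", five documents.
SAMPLE_SOURCES = {
    "SharePoint": {
        "HR/new-starter.docx": "Starter J. Smith (EMP-00421), NI number AB 12 34 56 C, email j.smith@example.co.uk",
        "Marketing/brochure.pdf": "Our offices are open Monday to Friday, 9am to 5pm.",
    },
    "FileShare": {
        "finance/refund-log.txt": "Refund to card 4111 1111 1111 1111 approved; ref 4111 1111 1111 1112 rejected",
        "legacy/payroll-2009.csv": "name,ni\nA Person,BG 12 34 56 C",  # BG is not a valid NI prefix
    },
    "Mailbox": {
        "inbox/msg-0001.eml": "From: supplier@example.org\nSubject: Invoice attached",
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(scan_sources(SAMPLE_SOURCES, PREDEFINED_RULES + CUSTOM_RULES), indent=2))
```

On the sample corpus three of five documents are marked (60%), with the second card number and the malformed NI number rejected by their validators rather than counted.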
57. Articles Contained in the GDPR – 11 Chapters with 99 Articles (http://www.eugdpr.org/article-summaries.html)
   ScanR will help you comply with Articles: 5, 15, 16, 17, 18, 20, 24, 30, 32, 35, 42, 44, 45.
   • Gain an understanding of where the PII data is located
   • Gain an understanding of who has access to it
   • Gain an understanding of how long it’s being retained
   • Retain personal data for a period of time directly related to the original intended purpose
   • Find risky files and take action
   • Manage a Subject Access Request
   • Request a port of the data
   • Request a correction to the data
   • Request deletion of the data
58. Summary – ScanR
   • Automate the process for discovering PII
   • Quickly respond to “Subject Access Request” & “Right to be Forgotten”
   • Comply with over 10 of the 99 Articles
   Next Step
   • Free trial up to 1,000 documents
59. www.termset.com – stewart@termset.com
60. Thank you – Speak to a member of the Cobweb team if you’d like to know more!
  61. 61. Acronis and GDPR Ronan McCurtin, Senior Sales Director Northern Europe GDPR: Your Journey to Compliance
  62. 62. Where Acronis supports GDPR compliance • Key activities • Privacy impact assessment • Data access governance • Data breach notification / resolution • Secure storage of active data • Archiving and deleting Acronis Backup Acronis Storage Acronis Backup Cloud Acronis Disaster Recovery Service
  63. 63. Requirements for GDPR-compliant backup and storage 1 Requirement Desirable features GDPR recitals supported Control data storage location • Reporting for compliance • 101: General principles for international data transfers Encrypt data securely • Encryption on the device, in transit, and at rest • 78: Appropriate technical and organizational measures • 83: Security of processing Browse backups • Drill-down to easily find required data • 63: Right of access • 65: Right of rectification and erasure Modify personal data • Easy modification if requested by data subject • 59 Procedures for the exercise of the rights of the data subjects • 63: Right of access • 64: Identity verification • 65: Right of rectification and erasure Export data in a common format for easy data portability • ZIP archive for easy portability • 68: Right of data portability Recover data quickly • Acronis Instant Restore to deliver 15-second recover time objectives (RTOs) • 78: Appropriate technical and organizational measures
64. Requirements for GDPR-compliant backup and storage (2)
Requirement | Desirable features | GDPR recitals supported
Minimize compulsory data breach reporting | Proactive prevention of malware damage to files; specific protection of the Acronis Backup agent to prevent data breach of backups | 85: Notification obligation of breaches to supervisory authority; 86: Notification of data subjects in the case of data breaches; 87: Promptness of reporting / notification; 88: Format and procedures of the notification
Blockchain-based data certification | Acronis Notary validation of the authenticity and integrity of backups | 78: Appropriate technical and organizational measures
Backup retention, deletion | Flexible setting of retention time of data, archival rules, etc.; ability to delete backup at any moment | 66: Right to be forgotten
Logs availability | Logging of operations with data | 82: Record of processing activities [correct?]
Role-based access | Multilayered and highly customizable data access rights | 63: Right of access [correct?]
Risk management control | Very flexible backup and Active Protection | 84: Risk evaluation and impact assessment [correct?]
65. What to look for in GDPR-compliant backup and storage • Data subject control of data storage location • Individual must have final say as to where personal data is stored: on-premises or in a specific EU-based data center • Data encryption • Strong data encryption on-device, in transit and in the cloud • An entirely automated encryption process, with the data subject as the sole holder of the decryption key, meeting GDPR data security requirements
66. What to look for in GDPR-compliant backup and storage • Ability to search data inside backups • Ability to drill down through backups, making it easy to find required information on behalf of data subjects • Ability to modify personal data • Easy way to modify personal data if and when requested by data subjects
67. What to look for in GDPR-compliant backup and storage • Data export in a common format • Ability to export personal data in a common and easily usable format (e.g., ZIP archives) to meet the GDPR data portability requirements • Quick data recovery
68. How Acronis helps your company achieve GDPR compliance • Flexible setting of retention time of data, archival rules, etc. • Extensive logging • Multilayered and highly customizable data access rights
69. How Acronis helps your company achieve GDPR compliance • Active Protection against ransomware • Proactively preventing breaches is easier and more cost-effective than suffering breaches and doing the mandatory incident reporting • Acronis Active Protection™ detects and blocks ransomware attacks and instantly restores any affected data • Blockchain-based data certification • Acronis Notary™ provides immutable proof of the integrity of protected data using Blockchain technology
70. With an economic incentive behind it, new Ransomware families appeared fast… (chart; Source: F-Secure)
71. Ransomware Big Trends • Advancing into new operating systems • Advancing into new platforms and devices • Ransomware-as-a-Service • Advanced attack techniques
72. Trend 4: Advanced attack techniques (detection technique by year → the evasion that answered it)
• 2010: Detection of non-signed files → Malware signed by stolen certificate
• 2014: Protection for Windows only → Attacks Mac OS X and Linux
• 2014: Exclude known legitimate system files → Injects into system processes and acts on their behalf
• 2016: Detection by checking file type/header → Only body of the file is encrypted
• 2016: Detection of executable files → Uses scripts and non-malicious executables
• 2016: Detection in running Windows system → Infects before Windows starts
• 2017: Use of Backup to protect against Ransomware → Attacks & Encrypts different backup files (Next Generation Ransomware families targeting Backup software)
73. Ransomware evolves…
74. … Data Protection evolves too. Acronis Active Protection 2.0: Learning Infrastructure • Acronis Customers and Acronis Labs (infected and clean process farms) provide process behaviour data • Acronis Cloud Brain: model training, parameter optimization • Acronis Learning Service: updated knowledge base • Acronis Local Knowledge Base: you are protected even without Internet
75. Complete protection against modern techniques (detection technique → evasion → Acronis Active Protection™ response)
• 2010: Detection of non-signed files → Malware signed by stolen certificate → Compromised signatures check
• 2014: Protection for Windows only → Attacks Mac OS X and Linux → Protection for Windows, Mac and Linux
• 2014: Exclude known legitimate system files → Injects into system processes and acts on their behalf → Checks for injections in system processes (with Machine Learning)
• 2016: Detection by checking file type/header → Only body of the file is encrypted → Entropy measurement
• 2016: Detection of executable files → Uses scripts and non-malicious executables → Both executable and scripts detection
• 2016: Detection in running Windows system → Infects before Windows starts → Pre-Boot anti-ransomware protection
• 2017: Use of Backup to protect against Ransomware → Attacks & Encrypts different backup files
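The row "detection by checking file type/header → only body of the file is encrypted → entropy measurement" is the one a defender can reproduce in a few lines. The following is an added example, not Acronis code: it keeps the header check, but also measures the Shannon entropy of the bytes after the header, so a file whose magic bytes still say PDF while its body sits near 8 bits/byte is flagged. Compressed formats are high-entropy by design, so ZIP/PNG/JPEG are excluded to avoid false positives. The magic table, the 16-byte header length, the 7.5-bit threshold and all sample files are this example's own constructions.

```python
"""Added example (not Acronis code): header-aware entropy check for body-encrypted files.

A file whose magic bytes still identify a known type but whose body is near
8 bits/byte is a strong signal that something rewrote the contents. Compressed
formats (ZIP, PNG, JPEG) are high-entropy by design, so the check is skipped
for them. All sample files below are constructed in this script; thresholds
are assumptions, not vendor values.
"""
import hashlib
import math
from collections import Counter

# Magic-byte prefixes for a few common types (constructed, not exhaustive).
MAGIC = {
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",      # legacy Office formats
    b"PK\x03\x04": "zip",            # also docx/xlsx containers
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}
COMPRESSED = {"zip", "png", "jpeg"}  # entropy is uninformative for these
HEADER_LEN = 16                      # bytes treated as 'header' (assumption)
ENTROPY_THRESHOLD = 7.5              # bits per byte; assumption, tune per estate


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-symbol data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_type(data: bytes):
    """Return the type name whose magic prefix matches, or None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes) -> str:
    """Combine the header check with an entropy check on the body."""
    ftype = detect_type(data)
    if ftype in COMPRESSED:
        return "compressed-format-skipped"
    body = data[HEADER_LEN:]
    if ftype is not None and shannon_entropy(body) > ENTROPY_THRESHOLD:
        return "header-intact-body-encrypted"   # recognised type, scrambled body
    if ftype is None and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "high-entropy-unknown-type"      # whole file looks random
    return "clean"


def pseudo_random_bytes(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for an encrypted body."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: a plain-text 'PDF', the same header over a scrambled
# body, an unknown-type random blob, and a ZIP-like archive.
TEXT_BODY = (b"Quarterly report: revenue grew, costs fell, headcount stable.\n" * 80)[:4080]
CLEAN_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n" + TEXT_BODY
BODY_ENCRYPTED_PDF = CLEAN_PDF[:HEADER_LEN] + pseudo_random_bytes(4080)
RANDOM_BLOB = pseudo_random_bytes(4096, b"blob")
ZIP_LIKE = b"PK\x03\x04" + pseudo_random_bytes(4092, b"zip")


def run_samples() -> dict:
    """Classify each constructed sample; returns {name: verdict}."""
    return {
        "clean_pdf": classify(CLEAN_PDF),
        "body_encrypted_pdf": classify(BODY_ENCRYPTED_PDF),
        "random_blob": classify(RANDOM_BLOB),
        "zip_like": classify(ZIP_LIKE),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} {verdict}")
```

In production this check runs on write events rather than on stored files, and the verdict feeds the rollback step the slide describes (restore the pre-write copy from backup); a single threshold is deliberately crude, and real deployments combine it with the process-behaviour signals listed on the same slide.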
76. Acronis Notary powered by Blockchain: Ensuring that data is authentic and unchanged. “Acronis Notary assures that files are unchanged since they were backed up.” Have confidence in data authenticity • A public, secure Blockchain ledger verifies the authenticity of files • Backup enables the recovery of the original document • Acronis Notary provides mathematical assurance that the contents of a file perfectly match the original contents that were backed up
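The "mathematical assurance" on this slide rests on a standard pattern: hash every file at backup time, combine the hashes into a Merkle tree, publish only the root (the anchor written to the ledger), and give each file a short inclusion proof. Verifying later needs the file, its proof and the published root, and nothing from the backup vendor. The block below is an added example of that pattern, not Acronis Notary's own code; the leaf/node encoding and the sample backup set are this example's choices, and the page says nothing about Acronis's on-ledger format.

```python
"""Added example (not Acronis Notary's own code): hash-and-anchor integrity proof.

Hash every file, build a Merkle tree over the hashes, anchor the root on a
public ledger, and keep one inclusion proof per file. Later, anyone holding
the file, its proof and the anchored root can check the file is unchanged.
Leaf/node encoding below is this example's own choice.
"""
import hashlib
from typing import Dict, List, Tuple

Proof = List[Tuple[bytes, bool]]  # (sibling_hash, sibling_is_on_the_right)


def leaf_hash(data: bytes) -> bytes:
    # Domain-separate leaves from inner nodes so a node can't be passed off as a leaf.
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _pad(level: List[bytes]) -> List[bytes]:
    # Odd levels duplicate the last hash so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Bottom-up list of tree levels; levels[-1] holds the single root."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = _pad(levels[-1])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels: List[List[bytes]], index: int) -> Proof:
    """Sibling hashes from leaf to root for the leaf at `index`."""
    proof: Proof = []
    for level in levels[:-1]:
        level = _pad(level)
        sibling = index ^ 1
        proof.append((level[sibling], index % 2 == 0))
        index //= 2
    return proof


def notarize(files: Dict[str, bytes]) -> Tuple[str, Dict[str, Proof]]:
    """Return (root_hex, {name: proof}); root_hex is what you would anchor on a ledger."""
    names = sorted(files)                       # fixed order makes the root reproducible
    levels = build_levels([leaf_hash(files[n]) for n in names])
    proofs = {n: inclusion_proof(levels, i) for i, n in enumerate(names)}
    return levels[-1][0].hex(), proofs


def verify(data: bytes, proof: Proof, root_hex: str) -> bool:
    """Recompute the path from this file's hash to the root and compare."""
    h = leaf_hash(data)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h.hex() == root_hex


# Constructed backup set (sample contents, not real documents).
BACKUP = {
    "contracts/supplier.pdf": b"%PDF-1.4 supplier agreement v3",
    "hr/payroll-2017-10.csv": b"id,name,salary\n1,A. Example,30000\n",
    "crm/export.json": b'{"contacts": 1204}',
}


def demo() -> Tuple[bool, bool]:
    """Verify an untouched file, then the same file with one field changed."""
    root, proofs = notarize(BACKUP)
    ok = verify(BACKUP["hr/payroll-2017-10.csv"], proofs["hr/payroll-2017-10.csv"], root)
    tampered = BACKUP["hr/payroll-2017-10.csv"].replace(b"30000", b"90000")
    bad = verify(tampered, proofs["hr/payroll-2017-10.csv"], root)
    return ok, bad


if __name__ == "__main__":
    root, _ = notarize(BACKUP)
    print("anchored root:", root)
    print("untouched verifies / tampered verifies:", demo())
```

The point of anchoring only the root is that the ledger entry is small and public while the file contents stay private; the guarantee is integrity since the anchor time, not authorship or correctness of what was backed up.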
77. Thank you Speak to a member of the Cobweb team if you’d like to know more!
78. Mimecast and GDPR Data Protection and Data Management David Tweedale – Team Leader GDPR: Your Journey to Compliance
79. © 2017 Mimecast.com All rights reserved. Data Protection: Securing personal and sensitive information. Data Protection | Data Management. Data Protection: Anti Malware • Data Leak Prevention • Encryption • Breach Notifications
80. Access gained via spear-phishing attack on a sub-contractor: • Spear-phishing credentials to exploit point-of-sale systems • Used as stepping stone onto victim’s network • Compromised point of sale systems • Customer data stolen, including credit card details • Large GDPR fine and costs to investigate and remediate
81. Anti Malware (Technology capabilities: Data protection). Malware can have a devastating impact on organizations, contributing to significant GDPR fines related to data loss. Type of attacks: • Weaponised attachments • Malicious URLs • Malware-less attacks • Ransomware • Phishing • Insiders Key Strategies • Multi Layered Approach • User Awareness • Advanced Threat Protection • Logging and monitoring of internal user activities • Protected, plan B email route and access
82. Disgruntled employee wants to leave and cause damage to the business: • Data leaked by disgruntled employee • Employee emails copy of client database to personal mail account • Data collected by the company is now compromised • Customer sensitive data leaked • GDPR fine imposed
83. Data Leak Prevention (DLP) (Technology capabilities: Data protection). Data Loss Protection (DLP) tools prevent inadvertent data breaches by blocking emails containing personal data. How is data leaving the organization? • Internal department leakage • Email attachments • Shadow IT Key Strategies • Internal communications DLP • Outbound mail inspection • Corporate data sharing • Secure messaging channel
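"Outbound mail inspection" and "internal communications DLP" on this slide come down to a content scan plus a routing decision. As an added example, not Mimecast's engine, the block below scans a message for two identifier classes: payment card numbers (format match plus the Luhn checksum, which removes most random 16-digit reference numbers) and UK National Insurance numbers (format check only; the official prefix rules are stricter than this regex). It then blocks external delivery, flags internal delivery for review, and allows everything else. The patterns, the fictional domains and the three sample messages are constructed for this example.

```python
"""Added example (not Mimecast's engine): outbound mail inspection for personal data.

Scan a message for payment card numbers (format + Luhn checksum) and UK
National Insurance numbers (format only), then decide block / flag / allow
from whether the recipient is outside the organisation. Patterns, domains
and messages are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# 13 to 19 digits, optional single space/hyphen separators between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Two letters, six digits, suffix A-D (format only; constructed samples below).
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_personal_data(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) for every hit; card candidates must pass Luhn."""
    hits: List[Tuple[str, str]] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(("payment_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in NINO_RE.finditer(text):
        hits.append(("uk_nino", m.group()[:2] + "******" + m.group()[-1]))
    return hits


def inspect_message(msg: Dict[str, str], internal_domain: str) -> Dict[str, object]:
    """Decide block / flag / allow from the findings and the recipient's domain."""
    findings = find_personal_data(msg["subject"] + "\n" + msg["body"])
    external = not msg["to"].lower().endswith("@" + internal_domain)
    if findings and external:
        action = "block"        # personal data leaving the organisation
    elif findings:
        action = "flag"         # internal traffic: log and review rather than stop
    else:
        action = "allow"
    return {"to": msg["to"], "action": action, "findings": findings}


# Constructed messages (example.com is the fictional internal domain).
MESSAGES = [
    {"to": "me@webmail.example.net", "subject": "backup of client list",
     "body": "Card on file 4111 1111 1111 1111 exp 12/19, NI AB123456C."},
    {"to": "finance@example.com", "subject": "expense claim",
     "body": "Reimburse to card 4111-1111-1111-1111 please."},
    {"to": "supplier@partner.example.org", "subject": "order confirmation",
     "body": "Your order reference is 1234 5678 9012 3456."},
]


def run_policy(messages=MESSAGES, internal_domain: str = "example.com") -> List[str]:
    """Actions for each message, in order."""
    return [inspect_message(m, internal_domain)["action"] for m in messages]


if __name__ == "__main__":
    for m in MESSAGES:
        print(inspect_message(m, "example.com"))
```

Regex-only card detection is what produces the false positives that make staff route around DLP; the Luhn step is cheap and is why the 16-digit order reference in the third message is allowed through. Attachments would be handled the same way after text extraction, which this example omits.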
84. Encryption (Technology capabilities: Data protection). Encryption of data in systems and applications reduces the potential impacts of a data breach. Where is data encrypted? • Data stored in applications • Laptops/Mobile Devices? • Email archives Key Strategies • Secure storage of data • Secure transfer of data • Secure data in transit • Limit data on portable devices
85. Breach Notifications (Technology capabilities: Data protection). Organizations have 72 hours to notify relevant authorities once a data breach is discovered. Key Information required? • Analysis of breach • Mitigate negative consequences • Alert data protection officer Key Strategies • Gather data from Security Information and Event Management (SIEM) system • Identify location of data breach • Identify if personal data was leaked • Mitigate negative effects
86. Data Management: Supporting access rights of individuals. Data Protection: Anti Malware • Data Leak Prevention • Encryption • Breach Notifications. Data Management: Search and Discovery • Secure Repository • Chain of Custody • Access Control
87. GDPR – Subject Access Request and Data Portability: Data Subject requests access to data stored on them → IT Administrator searches across data repositories → Results validated/reviewed → Secure transmission of data to data subject
88. Subject Access Requests (SAR) (Technology capabilities: Data management). Individuals have the right to obtain confirmation that their personal data is being processed. What is the impact? • Requests need to be handled quickly • Accurate personal data and additional information • Availability in electronic format Key Strategies • Locate requested personal information quickly • Prepared response templates • Employee training to handle SARs • Self-service portal for SARs
89. Data Portability (Technology capabilities: Data management). Individuals have the right to request an export of their data in a format that can be given to another vendor or service. What is the impact? • Exports need to be timely • Useable format • Safe delivery of that export? Key Strategies • Data must be structured, searchable • Exports to common formats • Ensure the safe delivery of exported data • Subject review and confirm data required
90. GDPR – Right To Be Forgotten: Data Subject requests all personal data to be erased → IT Administrator searches across data repositories (time consuming) → Confirmation given that data is erased
91. Right To Be Forgotten (Technology capabilities: Data management). Individuals have the right to request erasure of their personal data held by a data controller (subject to conditions). What is the impact? • Complete erasure • Across all systems • Unless overriding policy is in place Key Strategies • Data must be structured, searchable • Dynamic data adjustments • Retention management • Auditable deletion • Ability to review prior to deletion
92. Mimecast Solution: Simplifying GDPR Compliance for Email. Data Management: Search and Discovery • Secure Repository • Chain of Custody • Access Control. Data Protection: Anti Malware • Data Leak Prevention • Encryption • Incident Management. Products: Secure Messaging • Advanced Threat Security • Mimecast Cloud Archive • DLP & Content Security • API • RBAC & Data Guardian • Large File Send • Mailbox Continuity • Archive Power Tools • Search and Review • Mime|OS
93. Email Cyber Resilience for GDPR • PREVENT: You need technology that provides the best possible multi-layered protection • MANAGE: You need to control, protect, find and access data effectively • MAINTAIN: You need to sustain compliance support at all times
94. Thank you Speak to a member of the Cobweb team if you’d like to know more!
95. QGate and GDPR Paribus Discovery - One Small Step… Rowland Dexter, Managing Director GDPR: Your Journey to Compliance
96. Who are QGate • A Dynamics 365 implementation partner (UK HQ), est. 1997 • Working with Dynamics CRM since V4 (2007) • ISV solutions are a key part of our company strategy • Partner friendly established reseller program
97. The Problem: Duplicate Data • A primary element of poor data quality • However, in regard to GDPR specifically: how do you manage personal data when you have multiple instances of the same person? • Rob Dixon • Bob Dickson • Robert Dicksen • Dixon R A recent QGate audit showed an average of 7.2% duplication in CRM
98. The Solution: Paribus Discovery, a batch tool which IDENTIFIES duplicate data within any SQL-based data source
99. The Paribus Match Engine Phonetic Data Matching • Foto Centre, Photo Center • Kris Dixon, Chris Dickson, Criss Dicksen • Cheryl Wiatt, Sheryl Wyiatt, Sherril Wyatt Synonyms & Abbreviations & Acronym Matching • Robert, Bob, Bobbie, Rob, Robbie, Roberto • William, Will, Willy, Bill, Billy • Richard, Rich, Ric, Dick, Ricky • International Business Machines, IBM, I.B.M Data Sequence Variation • Florida University, University of Florida • Arizona 1st National Bank, First National Bank of Arizona • 123 (Flat A) Acacia Avenue, Flat A – 123 Acacia Avenue Data Segmentation • QGate Software, Q Gate Software, Q-Gate Software • GuideMark, Guide Mark, Guide-Mark • 3Com, 3 Com, 3-Com Gender Analysis • Paul v Paula • Daniel v Danielle • Jo v Joe • Andy v Andie
100. The Paribus Match Engine: three CRM Contact records
• CRM Contact: Bill Dixon • Marketing Manager • 1st National Bank of Arizona • 123 Flat A Acacia Avenue Phoenix Arizona
• CRM Contact: William Dickson • Manager of Marketing • First Bank of Arizona • (Flat A) 123 Acacia Avenue Phoenix AZ
• CRM Contact: Billy Dicksen • Marketing Director • 1st Bank of National Arizona • 123 Acacia Avenue (Flat A) Phoenix Arizona
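The match engine slide lists the techniques and the three-contact slide shows the data they have to reconcile; the block below is an added example, not QGate's Paribus engine, that puts the two together in code. Surnames get a phonetic key (classic Soundex here; the page does not describe Paribus's own algorithm), first names are reduced through a nickname table, organisation and address strings are tokenised with ordinals and abbreviations expanded so word order no longer matters, and spacing/hyphenation differences are collapsed for the segmentation cases. First names are compared by canonical form rather than phonetically, which is what keeps Paul and Paula apart, as the "Gender Analysis" bullet requires. Soundex keys on the first letter, so Kris/Chris is one slide example it does not catch. The nickname and expansion tables, the 0.6 threshold and the contact records are constructed from the slide's own examples.

```python
"""Added example (not QGate's Paribus engine): the slide's matching ideas in code.

Phonetic surname keys (Soundex), a nickname table for synonyms, ordinal and
abbreviation expansion plus token-set comparison for sequence variation,
collapsed spacing for segmentation, and a Jaccard score to rank the rest.
Tables, threshold and contacts are constructed from the slide's examples.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

NICKNAMES = {
    "bob": "robert", "bobbie": "robert", "rob": "robert", "robbie": "robert", "roberto": "robert",
    "will": "william", "willy": "william", "bill": "william", "billy": "william",
    "rich": "richard", "ric": "richard", "dick": "richard", "ricky": "richard",
}
# Expansions applied token by token before comparison (constructed table).
EXPANSIONS = {"1st": "first", "2nd": "second", "3rd": "third", "az": "arizona",
              "ave": "avenue", "intl": "international"}
STOPWORDS = {"of", "the", "and"}

_SOUNDEX: Dict[str, str] = {}
for _letters, _code in (("bfpv", "1"), ("cgjkqsxz", "2"), ("dt", "3"),
                        ("l", "4"), ("mn", "5"), ("r", "6")):
    for _ch in _letters:
        _SOUNDEX[_ch] = _code


def soundex(word: str) -> str:
    """Classic 4-character Soundex: first letter plus up to three consonant codes."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return ""
    out, last = [], _SOUNDEX.get(word[0], "")
    for ch in word[1:]:
        if ch in "hw":                      # h and w neither code nor separate a run
            continue
        code = _SOUNDEX.get(ch)
        if code is None:                    # vowel (or y): resets the run
            last = ""
            continue
        if code != last:
            out.append(code)
        last = code
    return (word[0].upper() + "".join(out) + "000")[:4]


def normalize_tokens(text: str) -> FrozenSet[str]:
    """Lower-case, strip punctuation, expand abbreviations, drop stopwords; order is lost on purpose."""
    tokens = [EXPANSIONS.get(t, t) for t in re.findall(r"[a-z0-9]+", text.lower())]
    return frozenset(t for t in tokens if t not in STOPWORDS)


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 1.0


def segmentation_key(text: str) -> str:
    """Collapse spacing and hyphenation so 'Q Gate', 'Q-Gate' and 'QGate' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def similarity(text_a: str, text_b: str) -> float:
    """1.0 if the texts differ only in segmentation, else Jaccard over normalized tokens."""
    if segmentation_key(text_a) == segmentation_key(text_b):
        return 1.0
    return jaccard(normalize_tokens(text_a), normalize_tokens(text_b))


def same_person(name_a: str, name_b: str) -> bool:
    """Canonical first name must agree exactly; surname compared by Soundex key."""
    first_a, last_a = name_a.lower().split()[0], name_a.split()[-1]
    first_b, last_b = name_b.lower().split()[0], name_b.split()[-1]
    return (NICKNAMES.get(first_a, first_a) == NICKNAMES.get(first_b, first_b)
            and soundex(last_a) == soundex(last_b))


# The three records from the slide plus one deliberate near-miss (constructed).
CONTACTS = [
    {"name": "Bill Dixon", "title": "Marketing Manager",
     "org": "1st National Bank of Arizona", "address": "123 Flat A Acacia Avenue Phoenix Arizona"},
    {"name": "William Dickson", "title": "Manager of Marketing",
     "org": "First Bank of Arizona", "address": "(Flat A) 123 Acacia Avenue Phoenix AZ"},
    {"name": "Billy Dicksen", "title": "Marketing Director",
     "org": "1st Bank of National Arizona", "address": "123 Acacia Avenue (Flat A) Phoenix Arizona"},
    {"name": "Paula Dixon", "title": "Marketing Manager",
     "org": "First National Bank of Arizona", "address": "123 Flat A Acacia Avenue Phoenix Arizona"},
]


def find_duplicates(contacts: List[Dict[str, str]], threshold: float = 0.6) -> List[Tuple[int, int]]:
    """Index pairs judged to be the same person at the same organisation or address."""
    pairs = []
    for i in range(len(contacts)):
        for j in range(i + 1, len(contacts)):
            a, b = contacts[i], contacts[j]
            if not same_person(a["name"], b["name"]):
                continue
            score = max(similarity(a["org"], b["org"]), similarity(a["address"], b["address"]))
            if score >= threshold:
                pairs.append((i, j))
    return pairs


if __name__ == "__main__":
    for i, j in find_duplicates(CONTACTS):
        print(CONTACTS[i]["name"], "<->", CONTACTS[j]["name"])
```

The output is a candidate list, not a merge: as the following slides say, a business user confirms the matches and picks the master record before anything is purged, because a false merge of two real people is itself a data-accuracy problem under the regulation.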
101. Paribus Discovery - Identify A business user can then: • Review & confirm the matches • Review & confirm the primary/master record
102. Paribus Discovery - Resolve The CRM admin user then: • Uses the plugin to execute the merge/purge process Paribus CRM Plugin: dedicated Paribus for Microsoft Dynamics CRM plugin responsible for the data cleansing (data merging, purging and consolidation) of CRM data.
103. Paribus Interactive The user does what they do today, just enter data. As they do, Paribus Interactive searches for potential duplicates and highlights the possibility. The more information is entered, the more the search is refined.
104. Paribus Interactive Note the results are from multiple entities. Results can be opened from the list, and the user can navigate direct to the record.
105. Summary • Paribus Discovery IDENTIFIES duplicate data • Within Dynamics 365, able to REMOVE (merge/purge) via the Plugin • Open API to build your own removal process • Export results to feed into an external process • Paribus Interactive for Dynamics 365: a hosted SaaS-based service providing fuzzy SEARCH and LOOKUP functions www.paribuscloud.com info@paribuscloud.com Rowland.dexter@qgate.co.uk
106. Thank you Speak to a member of the Cobweb team if you’d like to know more!
107. Panel Interview Host – Caroline Wigley (Cobweb), Sean Huggett (Cybercrowd), Jonathan Burnett (Microsoft), Michael Olpin (Cobweb Finance Director) GDPR: Your Journey to Compliance
108. Closing Thoughts GDPR: Your Journey to Compliance
109. Helping You Achieve Compliance: Process track / Technical track: Define the requirement → Create the plan. GDPR Webinars • GDPR Workshops • GDPR Healthcheck • GDPR Assessments • Implementation Clinics • Virtual Services
110. 1-day free GDPR health check (worth £1,200) … GDPR: Your Journey to Compliance …the result
111. Thank you to our presenters GDPR: Your Journey to Compliance
112. Thank you for attending GDPR: Your Journey to Compliance Speak to a member of the Cobweb team if you’d like to know more about GDPR!
