In this session Rui will explain what the General Data Protection Regulation (GDPR) is and what the implications are for the mainframe. Get your mainframe ready and compliant with the GDPR before it comes into effect on May 25th, 2018.
(2017) GDPR – What Does It Mean For The Mainframe v0.2
Delivering the best in z services, software, hardware and training.
Delivering the best in z services, skills, security and software.
GDPR – What Does It Mean For The Mainframe
Who am I? A quick introduction…
RUI MIGUEL FEIO
• Senior Technical Lead at RSM Partners
• Based in the UK but travels all over the world
• 18 years' experience working with mainframes
• Started with IBM as an MVS Sys Programmer
• Specialist in mainframe security
• Experience in other platforms
The Data Protection Act controls how your
personal information is used by organisations,
businesses or the government.
Everyone responsible for using data has to follow
strict rules called ‘data protection principles’.
The UK Data Protection Act
• GDPR is composed of 11 chapters and 99 articles:
– Chapter 1 – General provisions
– Chapter 2 – Principles
– Chapter 3 – Rights of the data subject
– Chapter 4 – Controller and processor
– Chapter 5 – Transfers of personal data to third countries or international
– Chapter 6 – Independent supervisory authorities
– Chapter 7 – Cooperation and consistency
– Chapter 8 – Remedies, liability and penalties
– Chapter 9 – Provisions relating to specific processing situations
– Chapter 10 – Delegated acts and implementing acts
– Chapter 11 – Final provisions
• General Data Protection Regulation to be enforced on 25 May 2018
• This regulation will impact any business, whether based in the EU
or not, that holds the personal data of EU citizens.
• GDPR is driven by two serious threats:
– Reputational damage
– Monetary fines (up to €20m max or 4% of total worldwide
annual turnover, whichever is higher)
• Mandatory for businesses of over 250 employees to appoint
a Data Protection Officer (DPO).
• GDPR has several rules such as ‘the right to be forgotten’
• 1 in 4 companies in the UK have stopped preparing for GDPR
• “If you process data about individuals in the context of selling goods
or services to citizens in other EU countries then you will need to
comply with the GDPR, irrespective as to whether or not the
UK retains the GDPR post-Brexit.” *
• 84% of financial services firms are not prepared for GDPR**
The Brexit and GDPR
** 2016 Egress article
• Most mainframe sites have not started to prepare for GDPR!
• Main reasons are:
– Belief that it only applies to countries of the European Union
– Mainframe is unhackable so there’s nothing to be done
– Mainframe meets all the GDPR requirements by default
• Funnily enough, in some cases the GDPR compliance box has been
ticked without the mainframe technical teams being even
• How much customer data do you store on the mainframe?
• What type of data are you collecting?
• How much of that data relates to EU citizens or companies?
• How is the data processed, managed, stored and protected?
• Which applications and processes use the data?
• Who has got access to it?
• Is the data properly classified?
Do You Know?
You need to know your data, your processes, your
applications; in summary you need to know your
• 7 Steps to meet the GDPR technical requirements:
– # 1 - Data Discovery & Detection:
• Identify, document and classify the data
• Where is it used, processed and stored?
– # 2 - Access Control & Restriction:
• Access to Data must be restricted
• Access control of applications, processes and databases
needs to be reviewed
Mainframe Technical Perspective (1)
– # 3 - End-point protection:
• Tapes and other end-point devices need to be controlled
• Consider this:
– Can the data be accessed by mobile devices?
– Can the data be downloaded to the local terminal and
transferred into a USB memory stick?
– # 4 - Pseudonymisation and Encryption:
• Data should be encrypted and anonymised both “at rest”
and “in transit”
Mainframe Technical Perspective (2)
– # 5 - Backup and Recovery:
• Think of CIA: Confidentiality, Integrity and Availability
– # 6 - Anti-virus & Malware detection:
• Does not apply to the mainframe (until it does)
• Think of alerting and monitoring
– # 7 - Vulnerability scanning and Penetration testing:
• Consider undertaking these tests at a reasonable frequency
to keep measuring your security effectiveness
Mainframe Technical Perspective (3)
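The slides list the seven steps but show no code. The following is an added example, not part of the original deck or of RSM Partners' software, illustrating steps #1 (data discovery and classification) and #4 (pseudonymisation) on fixed-width records of the kind a COBOL copybook describes. It is written in Python so it runs anywhere; the record layout, the field names (`cust_name`, `fld02`, `fld03`, `balance`), the detection patterns and the sample values are all constructed for this example. Pseudonymisation uses a keyed HMAC rather than a plain hash: a plain hash of a short, structured value such as a national ID can be matched back to the original by anyone who can enumerate candidate values, whereas the HMAC key is the "additional information" that GDPR expects to be kept separately from the pseudonymised data.

```python
import hashlib
import hmac
import re

# Assumed fixed-width layout: field name -> (start column, end column).
# Two field names are deliberately opaque (fld02, fld03) to show that
# discovery must look at content, not just at copybook names.
LAYOUT = {
    "cust_name": (0, 20),
    "fld02": (20, 30),
    "fld03": (30, 60),
    "balance": (60, 70),
}

# Field names known (from documentation or interviews) to hold personal data.
DIRECT_IDENTIFIER_FIELDS = {"cust_name"}

# Content patterns that flag a value as personal data whatever the field is called.
PERSONAL_DATA_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "national_id": re.compile(r"^[A-Z]{2}\d{8}$"),  # constructed format
}


def make_record(name, national_id, email, balance):
    """Build one 70-column record (constructed sample data, no real people)."""
    return f"{name:<20}{national_id:<10}{email:<30}{balance:>10}"


SAMPLE_RECORDS = [
    make_record("ANNA SCHMIDT", "DE12345678", "anna.schmidt@example.com", "0000012345"),
    make_record("JOAO SILVA", "PT98765432", "joao.silva@example.com", "0000000999"),
]


def parse_record(line):
    """Split a fixed-width line into fields according to LAYOUT."""
    return {field: line[start:end].strip() for field, (start, end) in LAYOUT.items()}


def classify_fields(record):
    """Step #1: label each field 'personal' or 'non_personal'.

    A field is personal if its name is a known identifier or if its
    content matches one of the personal-data patterns.
    """
    classification = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            classification[field] = "personal"
        elif any(pattern.match(value) for pattern in PERSONAL_DATA_PATTERNS.values()):
            classification[field] = "personal"
        else:
            classification[field] = "non_personal"
    return classification


def discover(lines):
    """Step #1 summary: how many records hold personal data, and in which fields."""
    personal_fields = set()
    for line in lines:
        record = parse_record(line)
        for field, label in classify_fields(record).items():
            if label == "personal":
                personal_fields.add(field)
    return {"records": len(lines), "personal_fields": sorted(personal_fields)}


def pseudonymise(record, classification, key):
    """Step #4: replace each personal field with a keyed token.

    HMAC-SHA256 with a secret key: the same input always yields the same
    token (so joins and batch processing keep working), but the original
    value cannot be recovered or matched without the key, which must be
    stored separately from the pseudonymised data set.
    """
    out = {}
    for field, value in record.items():
        if classification[field] == "personal":
            digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
            out[field] = digest[:16]  # truncated token; fits a 16-byte field
        else:
            out[field] = value
    return out


def pseudonymise_file(lines, key):
    """Run discovery and pseudonymisation over a whole constructed file."""
    result = []
    for line in lines:
        record = parse_record(line)
        result.append(pseudonymise(record, classify_fields(record), key))
    return result


if __name__ == "__main__":
    print(discover(SAMPLE_RECORDS))
    for row in pseudonymise_file(SAMPLE_RECORDS, b"constructed-demo-key"):
        print(row)
```

In a real estate the layout would come from the copybooks and the key from a key manager (on z/OS, ICSF-protected keys rather than a byte string in the program), and the classification rules would be tuned to the formats actually in use; the structure of the two steps is the same.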
• Although not a direct GDPR requirement (at least not at the
moment), consider Security Certifications.
• It is extremely likely that approved certifications or codes of conduct
specifically for GDPR will arrive, and it's also highly possible
that these will look for security certifications as pre-requisites (e.g.
Consider Security Certifications
• Some examples of products that may help with GDPR:
– IBM zSecure (or Vanguard’s equivalent)
– IBM Multi-Factor Authentication for z/OS
– IBM Security Identity Governance and Intelligence
– RSM Exception Reporter
– RSM Enterprise Connector
– RSM zDetect
– CA Privileged Access Manager
– CA Test Data Manager
– CA Data Content Discovery
Mainframe Technical Software