How to implement gdpr in your document repository

How to implement GDPR in the document repository
Xenit - December, 11 2017
December, 5 2017
4 pm - 5 pm CET

Agenda
• CDI-Partners Testimonial: GDPR Principles [15 min]
• Alfresco Testimonial: How Alfresco can help your
organization comply with the GDPR [15 min]
• Xenit Testimonial: A managed shared drive [15 min]
• Top tips to start preparing for the GDPR [5 min]
• Xenit Use Case [5 min]
• Q&A session [5 min]
How to implement GDPR in the
document repository

CDI-Partners
GDPR Principles
www.xenit.eu
Bart Van Bouwel – Managing Partner
CDI-Partners
GDPR Principles

CDI-Partners Testimonial
Bart Van Bouwel – Managing Partner - CDI-Partners
“Did you know that most data breaches reported are related to
unstructured data? Documents, spreadsheets, mails and even
paper files? Without a clear focus on documents, companies
can’t claim adequate protection of personal data.”

How to implement GDPR in the document repository
Bart Van Bouwel
bart.van.bouwel@cdi-partners.be

General Data Protecting Regulation
Purpose
Give individuals control over their personal data
Applies to
All companies that process personal data of EU citizens
European Regulation
One law across the EU, enforced as of May 25th, 2018

Some Principles
Lawfully, fairly and transparent
Collected for specified, explicit and legitimate purposes
Adequate, relevant and limited  Data Minimization
Processing must be
Consult, correct, request deletion, portability of their personal data
Rights of Data Subjects
Privacy by design – Privacy by default
Data Breach notification is mandatory

Fines
Up to € 20.000.000 or 4 % of total worldwide annual turnover
Proportional to the scale of the infringements
Other measures possible
Issue warnings and reprimands
Order to comply with the data subject's requests
Order to bring processing operations into compliance
Order to communicate a personal data breach to the data subject
Impose a temporary or definitive limitation including a ban on processing
…

Personal Data
Home & work information
Health information
Finger print &
Genetic information
Family & demographic
information
Online behaviour & shopping information
Union membership
Political opinions
Religion & Race
Information relating to an identified or identifiable natural person
Personal data can be structured (databases) or unstructured (documents, listings, reports, spreadsheets, …)

Stored in databases
Accessed through applications
More control  More easy to protect
Structured data
In documents and files
Stored on local or network drives / Cloud / USB Keys / …
Easily copied and distributed
Less control  More difficult to protect
Unstructured data
Structured data or Unstructured data?
Where to start?
Where to focus

GDPR in practice
No GDPR examples available
Based upon EU Data Protection Directive 1995
Data breach notification is a best practice
Maximum fine £ 500.000
Data Protection Act 1998 (UK)
Information available about breaches and sanctions
ICO – Information Commissioners’ Office

Examples of Data Breaches
Data Protection Act - Source: ICO (January – March 2017) – 678 breaches
Loss/theft of paperwork
13%
Unauthorised or unlawful
processing
21%
Data posted/faxed
incorrect recipient
11%Data emailed to incorrect
recipient
11%
Cyber incident
14%
Failure to redact data
7%
Failure to use bcc
5%
Data left in insecure
location
4%
Other
9%
Loss/theft of unencrypted device
4% Verbal Disclosure
1%
Document related
>50% related to documents

Fines by ICO
Marketing
42%
Process
30%
Theft
(employee)
19%
IT - Security
9%
Categories of Fines
Data Protection Act - Source: ICO (January – September 2017)
• 42% Marketing
 Mostly deliberate actions with positive ROI
• Biggest risk are found in the 58%
• Some examples
– Sensitive data lost in the mail
– Employees accessing or stealing sensitive data
– A cyber attack stealing 30.000 emails
– Leaving paper files in a cabinet that was sold
– A laptop containing sensitive documents that was stolen
– Backing up sensitive documents to a free cloud storage
• All these fines where given for breaches relating to
unstructured data
• Most breaches and almost all cases that are fined are
from undeliberate or deliberate acts from within the
company

Conclusion
• Fines will be given after someone files a complaint
– Focus on solutions to prevent data breaches
• Start with
– Processes related to rights of individuals
• Privacy statements / proof of consent / demands to access – correct – erase data
– Unstructured data
• What functionalities do you need for your documents?

Challenges for unstructured data
1. Identify documents containing personal data and label them appropriately
2. State of the art security of the documents and the metadata
3. Monitor and control access to the documents, store metadata to prove legitimate
purpose
4. Make documents available offline in a secure way
5. Detect breaches
6. Keep track of the right time to delete documents and permanently delete the
documents so no backup copies exist
7. Control the usage of documents by external parties

CDI-Partners
GDPR Principles
www.xenit.eu
Alfresco
How the Alfresco Digital Business Platform can help your company comply with GDPR
George Parapadakis – Director, Business Solutions Strategy - EMEA

Alfresco Testimonial
George Parapadakis – Business Solutions Strategy - Alfresco
“GDPR will touch every department, every function
and every operation inside your organization. It will
not only change the way you manage information, it
will change the way people behave.”

The Alfresco
Digital Business Platform for
George Parapadakis
November 2017

Over 24 GDPR Articles we can help with…
• Lawful Processing, Minimisation, Consent, PII detection
• Right of Access
• Right to Correct data (Rectification)
• Right to be Forgotten (Erasure)
• Right to Data Portability
• Right to Object / Withdraw consent
• Data Protection and Security (Pseudonymisation)
• Keeping Records of Processing
• Report Data Breaches
• Data Protection Impact Assessments
• 3rd Party Notification
• Automated Decision Making
• Policy Management
• Certification
• Data Residency
Article 15
Article 16
Article 20
Article 25, 32
Article 7, 18, 21
Article 30
Article 17
Article 5, 6, 7, 9
Article 19
Article 40
Article 45, 46
Article 42
Article 33, 34
Article 35, 36
Article 22

Alfresco Digital Business Platform
Application Development Framework
Alfresco Process
Services
Alfresco Content
Services
Integrations / Extensions
Open APIs and Open Standards
On-Prem, Cloud, Hybrid, Managed
Intelligence and Analytics
Alfresco Governance Services

Alfresco
GDPR
Framework
Managing Policies & Certify Users
policy authoring, review, approval, distribution and
sign-off (ACS)
Identify, protect and manage GDPR sensitive
content
metadata and aspects to create a GDPR Asset
Register (ACS)
Classification Marks to secure access to PII (AGS)
Execute disposition policies (AGS)
Manage GDPR related processes
Define and execute Subject Access Requests, data
portability, erasure, etc. (APS)
Manage Breach Notifications and Impact
assessments (APS)
Compliance & Audit Reporting

Policy Management
6
Capture Audit Trail
Policy
Template
Collaborative
Authoring
Author
Author
Author
Author
Revise
Approve & Certificate

GDPR Asset Register
Security Marks
Finance
Legal
Marketing
HR
Group A
Audit Trail
…..
Redacted /
Pseudonymised

Subject Access Request
Capture Audit Trail
Amend
Systems
Collect
Data
Notify
3rd
parties
Withdraw
Consent
Assemble
Output
Prepare
Response
Review
Response
Respond to
Customer
Capture
Audit Trail
TriageValidate
Request
Amendments
Consent
Withdrawal
Data Portability
Erasure
Email
Phone
Letter
In Person
Internal ACS
File System
LoB Integration
External Process
External ECM
Cloud EFSS
Manual

Typical GDPR Reports
Asset Register
SAR Dashboard
Record of Processing
Certification
Impact Assessments
Policy Impact List, by law

Digital Business Platform
=
“Data Privacy By Design”
ü Secure place for GDPR information & metadata
ü Maximise automation to enforce compliance controls
ü Proactively collect audit trails & evidence

For more information:
Alfresco.com/gdpr
George.Parapadakis@Alfresco.com

CDI-Partners
GDPR Principles
www.xenit.eu
Xenit
Alfred GDPR Approach
Ronny Timmermans – CEO and Managing Director

Xenit Testimonial
Ronny Timmermans – CEO, Managing Director - Xenit
“Governance has always been a concern of Xenit and a particular strength of
Alfresco. GDPR makes us more aware that data are valuable assets, with
privacy and sensitivity implications for every individual we interact with in our
corporate environment. Building upon the enterprise capabilities of Alfresco
and leveraging our Alfred products, data protection comes by design and not
as an afterthought. ”

| © 2017 XeniT Solutions. All rights reserved.
www.xenit.eu 9
GDPR DATA CLASSIFICATION
PERSONAL DATA
[Cat 1]
a name, an identification number, location
data, an online identifier or to one or more
factors specific to the physical, economic,
cultural or social identity
SENSITIVE INFORMATION
[Cat 2]
on racial or ethnic origin, political
opinions, religious or philosophical beliefs,
or trade union membership, and the
processing of genetic data, biometric data
SENSITIVE DATA
[Cat 3]
Relating to criminal
convictions and offences
DATA PROCESSING MANDATE
• A private company can claim legitimate interest to process Cat 1
• Consent to process Sensitive information
• Cat 3 can be processed under the control of an Official Authority

www.xenit.eu
Alfred Protection Principles
Protection Principle 1
Unless you know the key (name, other id) you
cannot retrieve information about a person.
Protection Principle 2
Only when you have the appropriate role, you
can view and consult Cat1, Cat2 and Cat3 data
in the user interface.

www.xenit.euwww.xenit.eu
Alfred GDPR package
• Build upon Alfresco ACS, can be enriched with:
• Alfresco Process Services
• Alfresco Governance Services
• Alfred GDPR contains:
• GDPR edition of Alfred Desktop and Alfred Finder
• Alfred Edge with audit, query control and GDPR
access rules
• Alfred GDPR Model and Behaviour
• Option Module: Alfred GDPR Detect PII
www.xenit.eu

www.xenit.eu
Alfred GDPR Desktop and Finder
• Alfred Desktop and Alfred Finder control what you can:
• Search
• Modify
• See (list, export …)
• Extended Control to:
• Search Forms
• Meta-Data Forms
• Results Columns
• Filter Values
Define GDPR access roles based upon information
classification

www.xenit.eu
Alfred GDPR Server package
• Document Model extensions for GDPR classification
• GDPR access control filters
• Custom behaviour to:
• Execute governance actions on Cat 1, Cat2, Cat3
documents
• Request to forget
• Record consent to use
• Extend corporate customers policies:
• Additional classification, extended ACL, RACI control

www.xenit.eu
Alfred GDPR Detect
• 2017 Release
• Detect PII patterns (account number, id number) and
personal information based upon regular expression
and post-qualification
• Can handle documents and emails
• Uses search services to identify documents with
personal data
• 2018 Release: Applying Machine Learning to classify
information in three GDPR classes

www.xenit.euAlfred GDPR Approach

www.xenit.eu
CDI-Partners
GDPR Principles
www.xenit.eu
Xenit
GDPR Challenges

www.xenit.eu
GDPR Challenges
Data classification
Identify documents containing
personal data and label them
appropriately
Document and metadata
Security
State of the art security of the
documents and the metadata
Access control
Monitor and control access to
the documents, store metadata
to proof legitimate purpose
Safe offline storage
Make documents available
offline in a secure way
Third parties
Control the usage of
documents by
external parties
Breaches
Detect breaches
Documents deletion
Keep track of the right time to
delete documents and
permanently delete the
documents. No backup copies

www.xenit.eu
Identify documents containing personal data and
label them appropriately
• Alfred Detect for identification
• Regular expression
• NLP for detection of “names”
• Alfred Desktop and Alfred Finder to add the
information as meta-data
• Alfred GDPR AMP for data qualification aspects
• Audit labelling and unlabelling GDPR aspects

www.xenit.eu
State of the art security of the documents and
the metadata
• Alfred Edge – Access control on properties
according to GDPR roles
• Display and modify properties according to GDPR
roles
• Encryption of GDPR information
• Encryption of database
• Protection of your indexes
BEST PRACTI

www.xenit.eu
Monitor and control access to the documents,
store metadata to proof legitimate purpose
• Send out controlled URL (HMAC)
• Who has accessed
• Validity period
• API auditing
• Block before any damage
• Full Alfresco auditing
• Alfred provides extended auditing in which
changing of ACL’s can be monitored
BEST PRACTI

www.xenit.eu
Make documents available off-line in a secure
way
• Alfred Desktop GDPR
• Local encryption of documents
• Clean up after “editing”
• Fully transparent to the users
• Alfred Desktop and Alfred Finder GDPR
• Control the role to download GDPR
information
• Watermark off-line content (PDF)
BEST PRACTI

www.xenit.eu
Detect breaches
• Alfred Edge (API Gateway)
• All accesses (internal and external) are logged
• Set alarms on export or search operations on
large privacy sensitive data
• Check “denied access” failure internally and
externally and take appropriate action
• Alfresco auditing
BEST PRACTI

www.xenit.eu
Delete or shield privacy related
documents “as soon as appropriate”
• Set a good retention policy
• As soon as appropriate set more stringent ACL rules
on documents
• On the desktop, remove after consultation or
editing (automated by Alfred Desktop)
• Alfresco Governance Services for complex cases

www.xenit.eu
Use documents control by external parties
• Share by link
• Share content = explicit action for GDPR related
documents
• Register who sent the link
• Register who got the link
• Audit use via link
• Control life time of the link
• Optionally: Identify who accesses the resource
via link (via OAuth2 and
LinkedIn/Twitter/Gmail)
BEST PRACTI

www.xenit.eu
CDI-Partners
GDPR Principles
www.xenit.eu
Xenit
Top tips to start preparing for the GDPR

www.xenit.eu
Top tips to start preparing for the
GDPR
Share a controlled copy
Encrypt the sensitive information
Show on a need to know basis
Share
Encrypt
Show
Audit & Report
• When sharing a copy of a Cat1-3 document, the system requires you to share the
copy and to indicate with who you are sharing
• Mark copies that are shared with
• Watermark (you “x” have received from “y’)
• Self-identifying document
Dispose
• Metadata
• Encryption at rest of documents
• You can only search what you need to know (encryption)
• You can only retrieve (decryption) what you require
Audit everything and report appropriately
Dispose as soon as possible (not sooner)
BEST PRACTI

www.xenit.eu
CDI-Partners
GDPR Principles
www.xenit.eu
Xenit
Xenit Use Case: Screening 3M documents and 8M emails for sensitive data
Thijs Lemmens - ECM Architect
Giovanni Boscarino - ECM Senior Software Engineer

www.xenit.eu 28

www.xenit.eu 29

www.xenit.eu 30

www.xenit.eu 31

www.xenit.eu 32
Q&A
www.xenit.eu

www.xenit.eu
Get in touch
Experienced Alfresco partner to help drive your Digital Transformation.
General Protection Data Regulation
A solution to manage your unstructured data
BUSINESS FEATURES 2017

How to implement gdpr in your document repository

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to How to implement gdpr in your document repository

Similar to How to implement gdpr in your document repository (20)

More from XeniT Solutions nv

More from XeniT Solutions nv (20)

Recently uploaded

Recently uploaded (20)

How to implement gdpr in your document repository