In October we organised an event in Amsterdam with our partner Scos and Jonathan Armstrong where we covered the changes on GDPR and challenges ahead for businesses.

1. In partnership with SCOS

2. 1
IPSWITCH
Paolo Ferrari
Director, Solution Sales and Professional Services -
EMEA, APAC and LATAM at Ipswitch, Inc.
Sébastien Roques
Regional Sales Manager Northern Europe at Ipswitch,
Inc.

3. 2

4. 3
Jonathan Armstrong
Jonathan is an experienced lawyer with a
concentration on technology and compliance.
His practice includes advising multinational
companies on matters involving risk,
compliance and technology across Europe.
He has handled legal matters in more than 60
countries involving emerging technology,
corporate governance, ethics code
implementation, reputation, internal
investigations, marketing, branding and global
privacy policies

5. Why are we
here today ?

6. 5
World’s biggest data breaches In 2015. Showing losses over 30.000 records and up.

7. SURVEY

9. 8
2016 State of Data Security and Compliance

10. About us….

11. 10
Ipswitch Company Overview
Company Overview
• Founded 1991
• Headquarters: Lexington,
MA
• Remote Offices:
• Alpharetta, GA
• Madison, WI
• Heidelberg, Germany
• 300 Employees
Financials
• Privately Held
• Revenues of $76M+ in
2015
• Over 55% Recurring
Revenue
• Over 50% of Revenues
from Indirect Channel
• 30% from International
• Double Digit EBITDA
Margin
• No Debt
Customer Overview
• 25,000+ Active customers
• Across 168 countries
• Present in a wide array of
industry verticals
• Strong renewal rates on
both product lines

12. 11
One Ipswitch: 2 minute company overview

13. 12
LARGE AND THRIVING
CUSTOMER BASE
Over 25,000 Global SMB,
Government & Enterprise Customers
SECURE CONTROL
of Business Transactions,
Applications and Infrastructure
CORE PRODUCT LINES
IT and Network Monitoring
Secure Information and File
Transfer
The Pioneer in
EASY TO TRY,
BUY AND USE
IT Management Software
2
Option 2
Ipswitch at a Glance

14. 13
MOVEit
Managed File Transfer
WS_FTP
Secure File Transfer
MessageWay
B2B File Transfer and Integration
Ipswitch Analytics
SLA and Compliance Analytics
WhatsUp Gold
Unified Network, Server & App
Monitoring
Event & Log Management
Collects, store and analyze log files
AlertFox
Web Performance Monitoring
Secure Information
and File Transfer
Ipswitch Products
IT Monitoring
and Management

15. 25,000+ active customers in 116 countries

16. All you need to know about GDPR but
are too afraid to ask...
12 October 2016
Jonathan Armstrong

17. @CorderyUK 16
© Cordery 2016
Data Security - Landscape
• Personal data has a value
• Different political reactions
• Different legal systems worldwide
• Different enforcement even within Europe
• Contrasting approach Europe -v- US
• Snowden has changed the game
• Schrems has had a real impact
• GDPR already a reality

18. © Cordery 2016 17
Current UK Legislative background
“Appropriate technical and organisational measures
shall be taken against unauthorised or unlawful
processing of personal data and against accidental loss
or destruction of, or damage to, personal data.”

19. @CorderyUK 18
© Cordery 2016
Section 13 of the Dutch Personal Data Protection Act
“The controller implements appropriate
technical and organisational measures to
protect personal data against loss or any
unlawful forms of processing. Having regard to
the state of the art and the cost of their
implementation, such measures will guarantee a
level of security appropriate to the risks
represented by the processing and the nature of
the data to be protected. These measures also
seek to prevent the unnecessary collection and
further processing of personal data.”
* unofficial translation

20. @CorderyUK 19
© Cordery 2016
Example: South Wales Police
• South Wales Police had sensitive films from victims
• They recorded the interviews
• They moved the videos between offices, courts etc. on
DVD
• The DVDs were encrypted & stored in a desk drawer
• The DVDs were lost after an office move although the
loss was not reported for two years
• Victim made a formal complaint
• Prosecution prejudiced
• ICO fined South Wales Police £160,000

21. @CorderyUK 20
© Cordery 2016
Prevention
Dutch AP:
“Contingency plan
Every organisation should have a contingency
plan indicating exactly what is to happen in the
event of an emergency. However, such a plan is
useful only if personnel are familiar with it and
regular drills have been held to practise its
implementation...”

22. @CorderyUK 21
© Cordery 2016
New EU data rules
• A = aims
• B = benefits
• C = consequences

23. @CorderyUK 22
© Cordery 2016
New EU data rules - Aims
• Proposed Regulation not Directive (but with carve-outs)
• Data protection by design/default
• Data Protection Impact Assessments (aka PIAs)
• Suppliers outside EU in scope
• Toughened (local not centralised) enforcement bodies -
audits & dawn raids
• Breach reporting in 72 hours
• Distinction between processor and controller
diminishes
• Data Protection Officers
• Transfers to 3rd countries - Binding Corporate Rules

24. @CorderyUK 23
© Cordery 2016
New EU data rules - Benefits
• No general registration requirement?
• One stop shop?
• Consent less of an option?
• Right to be forgotten?
• Right to portability?
• Right to object to profiling?
• Enhanced SAR Regime?

25. @CorderyUK 24
© Cordery 2016
New EU data rules - Consequences
• More to do for controllers and processors
• Liability & compensation (material or non-material
damage)
• Fines of up to 4% of global annual turnover
• Shared investigations across the EU
• Greater reputational risk
• Shareholder/investor engagement

26. @CorderyUK 25
© Cordery 2016
GDPR already a reality
• Data breach reporting laws in Germany, Austria and The
Netherlands (but not identical to GDPR)
• Usually a notification in The Netherlands to the AP must be
done “immediately” and in any case within 72 hours – AP
received 1,500+ notifications in first four months, c.70
regulatory actions
• Increasing fines (for example in The Netherlands €820,000
or 10% of annual net turnover)
• Amendments to introduce parts of GDPR in Belgium
• Privacy policy code in the UK
• CJEU right to be forgotten case (Dutch Regulator has
already investigated 111 RTBF cases up to May 2016)

27. @CorderyUK 26
© Cordery 2016
EU Cybersecurity Directive (NIS)
New EU Cybersecurity Directive
 Requires EU Member States to improve their national
cybersecurity capabilities and improve cooperation between
them on cybersecurity
 Businesses also affected - “operators of essential services”
and key “digital service providers” who will be required to:
- Assess the risks they face and adopt appropriate and
proportionate measures; and,
- Report to regulators major security incidents on their core
services - the “incidents” that will have to be reported are
broadly defined as “any event having an actual adverse
effect on the security of network and information systems.”

28. @CorderyUK 27
© Cordery 2016
Your response
1. Have an action plan
• Take a risk based approach
2. Have a proper data breach response plan;
3. Invest in proper technology;
4. Review vendor contracts – you will need their help to report
security breaches. Check you have the right contract with
them. Find vendors who know GDPR;
5. Put in place a DPIA process;
6. Get your documents and records ready to produce in a
regulatory inspection – factor this into overhead costs;

29. @CorderyUK 28
© Cordery 2016
Your response continued
7. Think of a world without employee consent and tougher
consent generally;
8. Make sure things like the right to be forgotten, the right to not
be subject to profiling are all covered in policies and
procedures;
9. Brief the Board and look at annual reporting requirements;
10. Train staff on all aspects of the law;
11. Set up and undertake regular compliance audits/reviews; and
12. Sense check your plans with specialist lawyers.

30. @CorderyUK 29
© Cordery 2016
Resources
• EU Cyber Security – www.bit.ly/eucyber
• New EU Data Rules – www.bit.ly/gdprfaqs
• Privacy Shield - http://www.corderycompliance.com/privacy-
shield-faqs/
• GDPR film – www.bit.ly/gdprfilm
• Right to be forgotten – http://bit.ly/1tB8Osb
• Cordery news – http://bit.ly/1vnFHJm
• Podcasts – www.bit.ly/techlaw10
• Weltimmo - http://www.corderycompliance.com/european-court-
weltimmo-ruling-on-the-jurisdiction-of-data-protection-
regulators/
• Mossack Fonseca - http://www.corderycompliance.com/mossack-
fonseca-panamaleaks-breach-has-significant-compliance-
consequences-for-most-businesses/
• LinkedIn – www.linkedin.com/in/jparmstrong
• What the Romans teach us about cybersecurity -
https://theanalogiesproject.org/the-analogies/romans-teach-us-
cybersecurity/

31. Questions
Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom
Jonathan Armstrong
Cordery
jonathan.armstrong@corderycompliance.com
+44 (0)207 075 1784
www.twitter.com/armstrongjp