EU GDPR Guide 2017
Contents
Welcome message (page 3)
GDPR: A ticking time-bomb for organisations (page 5)
GDPR: Key points (page 6)
Are companies ready for GDPR? (page 9)
The channel and GDPR? (page 9)
GDPR technology solutions (page 10)

2 | store.exertis.co.uk
Welcome to the European Union General Data Protection Regulation Guide

Welcome to our GDPR handbook. With just one year for organisations to be compliant with the new law that comes into force on 25th May 2018, IT security should be front of mind for businesses of all sizes.

Whether it’s cybercrime or human error, high profile security breaches are seldom out of the news and of course there are many from smaller organisations that go unreported. The disruption to business, even closure in some instances, and the loss of reputation that these can cause through malware, ransomware or poor business practice and procedure requires IT security to have a renewed focus at board level.

GDPR, with its increased penalties for non-compliance, only adds to the necessity for organisations to look at how they collect, store, use and share personal data of EU citizens, and to prioritise their investment in IT security. It also presents an opportunity for resellers to help their customers, many of whom still seem to be unaware of the GDPR, become compliant by making sure they are aware of the regulations, how they apply them to their business and how the deployment of the right technology and security solutions can provide the right level of prevention and detection against security breaches.

This handbook is designed to point out some of the key points surrounding the GDPR, but organisations should take expert advice on the legal complexities that exist. Where Exertis can assist resellers is by providing the products and services from our portfolio of security vendors that are offering solutions in this area. These are referenced in the publication. Please feel free to contact us for further help and support.

Regards
Jason Hill Exertis, Sales Director, Security
GDPR: A ticking time-bomb for organisations

We are now half way through the transitional period for the adoption of the General Data Protection Regulation (GDPR), which comes into force in May 2018. Since its announcement, there has been a torrent of information – advice, reports, warnings, research and forecasts – on the subject from the EU, government, lawyers, IT companies, media, GDPR “experts” and the like. Perhaps this is not surprising given the wide-ranging scope of the regulation and the possibility of huge financial repercussions for non-compliance. The maximum penalty is 4% of annual revenue or €20 million, whichever is the higher, putting data protection on a similar scale to the fines imposed on companies for corruption or bribery and substantially more than the previous maximum £500,000 penalty in the UK. National Data Protection Authorities (NDPAs) will have increased powers to impose fines, carry out an audit, require a business to provide information and, if necessary, gain access to their premises.

For some businesses, the challenge associated with better data protection and their method of data processing, including the use of subcontractors and Cloud Service Providers (CSPs), will require a fundamental change to their security operations and the technology deployed.

Whilst the central purpose of GDPR may be clear – the protection of European citizens’ data held by organisations that have a reason to process, store and share it – some parts remain ambiguous, open to interpretation and in some cases are being clarified along the way. However, what is certain is that the rules apply to the UK, irrespective of Brexit. Government ministers have already confirmed this, and even setting that confirmation aside, a great many UK organisations operate across borders, providing a service or operating a business.
Indeed, what triggers the applicability of GDPR is whether the data a business handles is about EU individuals, or has the potential to identify individuals who find themselves in the EU, not whether the company is in the EU. GDPR therefore applies to companies that are processing the personal data of EU residents even if they are not established within the EU. This applies where the activity relates to offering goods or services to EU citizens (regardless of whether there is a cost associated) and the monitoring of behaviour that takes place in the EU. Companies that process EU citizens’ personal data but do not have a physical presence in the EU will also have to appoint an EU representative. In short, no matter where an organisation is based or where it manages, stores or processes data relating to EU individuals, it must still abide by the rules.

GDPR also applies to “controllers” and “processors”; the definitions of these are broadly the same as in the existing Data Protection Act:

Controller – a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Processor – in relation to personal data, any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

However, in current legislation only the data controller is liable for any data breach. Under GDPR, both the controller and any subcontracted processors are equally liable for a data breach. Moreover, liability does not end with the first processor: if a data processor subcontracts some or all of its obligations to another processor, that organisation is still liable. Contractors including CSPs will need to ascertain whether the processing of data includes personal data in order to mitigate their risks.

Unfortunately, GDPR compliance isn’t a straightforward checklist exercise or a technology issue alone. Its impact is organisation-wide (business process, legal, governance, people and training). Many aspects of GDPR concern process and operational aspects of data protection, some of which can be enabled or at least made more cost-effective by technology. Whilst there is no magic-wand solution, security vendors and resellers can play an important role in helping companies to get prepared for GDPR compliance.
GDPR: Key points

It should be noted that the GDPR regulations are comprehensive and complex, with over 200 pages of documentation. There are numerous sources of information, some of which are referenced at the end of this handbook. Below are just some of the key points.

(1) Global application: GDPR applies to all companies that process personal data of European Union citizens.
(2) Personal Data: GDPR widens the definition of personal data and includes information such as an online identifier, e.g. an IP address. In broad terms, GDPR will apply to any information that can be used to identify an individual. Personal data itself includes obvious categories (name, identification number, etc.) but also includes location data, physical and physiological information. It includes for the first time characteristics such as genetic, mental, economic or social information, and there is particular sensitivity about what it refers to as special categories — racial, ethnic, political, religious, health, biometric and sexual orientation. Profiling and personal preferences, which demonstrate a person’s conduct and behaviour, are also within the scope of GDPR. For example, the fact that an individual liked a particular tweet or Facebook post would constitute personal data. In reality, hardly any personal data will not fall under GDPR. For some companies, the classification of data already in their possession may be an initial challenge in terms of separating personal data from other information that is held.
(3) Obtaining valid consent: New rules have been introduced relating to the collection of data. In particular, consent must be explicit for certain categories unless, for example, it is required by law. It will require the use of simple language, clarity on how the information is going to be used, and organisations will need to be able to prove that affirmative consent has been given. Silence or inactivity no longer constitutes consent, and it must be as easy to withdraw consent as it is to give it. In addition, businesses can no longer require consent in exchange for their services. Consumers have often complained that opting out or unsubscribing has been difficult to obtain and hard to validate. This changes with GDPR. In addition, existing consents may no longer be valid. There is no question that the new rules provide greater protection for personal data and how it is used. Previously, companies could rely on an implied consent for use of data. Now it has to be explicitly given, even if the data has already been collected. Identity Methods, a provider of Identity Management and Data Security solutions in the UK, reported that 67% of people were concerned about not having complete control over the information they provide online. Hardly surprising, therefore, that 93% of their public survey were in favour of heavy fines for companies not adhering to regulations on personal data. There is also a requirement for the data to be accurate and up-to-date. This means that companies must have good records relating to personal data and be able to review its history and accuracy. Whilst this requirement may only apply to companies employing over 250 people (unless the processing is deemed to be of high risk to individuals, sensitive, or performed on a regular basis), it would seem to be best practice to keep records.
(4) The “Right to be Forgotten”: GDPR requires organisations not to hold onto data for longer than is absolutely necessary, not to use the data for purposes other than those for which it was originally collected and, most importantly, to be able to delete any data at the request of the data subject. As a result, organisations will need to ensure they have the process and technology in place to handle such requests. This includes ensuring that data is not only erased on their own systems but also on any third party systems that have access to the information.
(5) Extended liability: Previously, only data controllers were held responsible for data processing activities but this has been extended to all organisations that touch personal data.
(6) Privacy by design, Privacy by default: GDPR requires that privacy is included in systems and processes by design. According to the EU, privacy by design means that each new service or business process that makes use of personal data must take the protection of such data into account from the inception of any new technology. An organisation needs to be able to show that it has adequate security in place and that compliance is monitored. In practice this means that an IT department must take privacy into account during the whole life cycle of the system or process development. Privacy by default means that strict privacy settings automatically apply once a customer acquires a new product or service, with no manual change to the privacy settings required on the part of the user. Personal information must by default only be kept for the amount of time necessary to provide the product or service. In addition, only the information on an individual that is necessary to provide that service should be disclosed. The regulation also stipulates that personal information should not by default be accessible to an indefinite number of individuals.
(7) Appointment of a DPO: GDPR requires the mandatory appointment of a Data Protection Officer (DPO) in all public authorities and any company that processes lots of personal information of individuals or sensitive information on a regular or systematic basis. The GDPR does away with the criterion of number of employees in a company and focuses instead on what an organisation does with the data. The GDPR also allows the data protection officer functions to be performed by either an employee of the controller or processor or by a third party service provider, creating opportunities for consulting and legal firms to offer outside DPO services. There are numerous articles on the exact role of a DPO.
(8) Privacy Impact Assessments (PIAs): GDPR requires data controllers to conduct PIAs to assess privacy risks to individuals in the collection, use, and disclosure of their personal data. Specifically, data controllers must conduct PIAs where privacy breach risks are high so that the risks to data subjects are minimized. The impact assessment should happen before organisations start processing personal data. When risks are identified, the GDPR expects that an organisation formulates measures to address these risks. Those measures may take the form of technical controls such as encryption or anonymisation of data. Companies processing personal data are obliged to keep detailed records of the data they hold, as well as the details of the processing conducted on that data. The requirements may vary by size of company but it is certainly best practice to do so, particularly as it may help reduce any breach fines imposed. For example, maintaining a record of a data transfer to a third country would be a sensible action.
(9) Data Breach Notification: GDPR harmonises the various data breach notification laws in Europe and is aimed at ensuring organisations constantly monitor for breaches of personal data. Businesses will need to ensure they have the technologies and processes in place to detect and respond to a data breach. GDPR requires all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. This covers personal data breaches: a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Breaches are assessed on a case-by-case basis, and a notifiable breach has to be reported to the relevant supervisory authority (NDPA) within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period, so it allows companies to provide information in phases. Failing to notify a breach when required to do so can result in a significant fine of up to €10 million or 2% of your global turnover. Either fine could be crippling to an organisation, in particular to SMEs.

So, what sort of information must a breach notification contain?
• The nature of the personal data breach including, where possible:
  - The categories and approximate number of individuals concerned; and
  - The categories and approximate number of personal data records concerned
• The name and contact details of the data protection officer (if an organisation has one) or other contact point where more information can be obtained
• A description of the likely consequences of the personal data breach; and
• A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects

For many organisations, this may require training of personnel to ensure data breaches are properly understood and recognised, and making changes to internal data security policies. In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place, and a data breach plan with specific roles and responsibilities for individuals within the company.

(10) Transfer of data: GDPR imposes restrictions on the transfer of personal data outside the European Union, to “third countries” (countries outside the EU), in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined. Data transfers have increased rapidly due to the rise in social media and the adoption of cloud services. The current EU Data Protection Directive allows transfers only to third countries that demonstrate “equivalent” data protection laws; importantly, the US is not one of those countries. A transfer of personal data may take place where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. GDPR also allows subjects to request that their data is provided to them or a third party in a “structured, commonly used and machine readable format”. Requests must be acknowledged in a timely manner (within one month of the request). In most cases, this should be relatively straightforward if the data is held in a structured form. Increasingly, however, data is held in unstructured formats. Where there are multiple standards, such as video, this may be more challenging.
Are companies ready for GDPR?

Although companies have been given around 2 years in which to comply, it appears that many organisations are struggling to meet the requirements. A number of surveys seem to indicate that companies are behind with their preparations. SonicWall polled 821 IT professionals across the globe last year and 80% revealed that they knew little about GDPR, and within that group 97% didn’t even have a plan in place. This was supported by a 2016 survey from Symantec conducted with 900 businesses in the UK, France and Germany, which reported that 96% didn’t fully understand GDPR. Indeed, 23% said their organisation would not be fully compliant and of this group 20% felt that it would be impossible for their business to be fully compliant. According to SonicWall, companies felt more able to comply with impending rules on e-mail security but much less so when it came to document access: under GDPR, companies will have to create procedures that limit who can access shared files hosted on platforms like Dropbox or SharePoint.

The UK picture doesn’t look particularly rosy based on a new survey from Identity Methods. They reported that less than 15% of UK organisations are ready for GDPR, with 38% still not aware of the new rules and fewer still (14%) having planned their compliance. A 2016 Baker McKenzie report suggested, “45% of businesses either do not have the tools to ensure their organisation complies with the main requirements under the GDPR; or could only obtain such tools at significant cost”. Companies need to understand that GDPR isn’t a set of guidelines for best practice, it’s a new set of laws. Certainly the laws shouldn’t be a surprise for marketers, who will appreciate that use of customer data has been a hot topic for years, compounded by the advent of social media, cloud computing and IoT. It’s surprising therefore that according to the Chartered Institute of Marketing (CIM), “only 5% of marketers fully understand what the GDPR means for their business and 50% say they don’t really understand it at all, or [literally] don’t know.” Taking ownership, whether it’s marketing, IT or finance, needs to happen at board level if businesses want to meet the challenge.
The channel and GDPR?

Resellers will undoubtedly have customers that are at risk of non-compliance with the new regulations. Clearly, the channel can play a huge role in advising and guiding them through the key points of GDPR and where investment is needed. Resellers can be the trusted advisers to help organisations adhere to the security disciplines needed for GDPR regulations, so they can protect customer personal information and avoid the data breaches, heavy fines and loss of reputation that may result from non-compliance. Most data breaches occur from a poor understanding of the data landscape and the lack of appropriate data security controls. Understanding the risk is key and having a plan to mitigate the consequences of a breach is even more critical. Put simply, organisations need to know what type of data they possess, where it resides, what’s protecting it and what they need to do in the event of a breach.

GDPR isn’t prescriptive in terms of what technology to deploy, although it advocates the deployment of security practices. It only suggests: “The pseudonymisation and encryption of data; ability to ensure confidentiality, integrity, availability and resilience of processing; the ability to restore data after an incident; and a process for testing, assessing and evaluating effectiveness of security”. Naturally there are a number of security vendors that offer solutions that can be deployed to help organisations meet GDPR compliance, a number of which are set out in this handbook.
GDPR technology solutions The following solutions to enable GDPR compliancy, outlined and supplied by our vendors, are detailed in the following section.
To be GDPR-compliant and maintain it, you will need to carry out regular audits and deploy network security solutions that will enable you to:
• Protect the perimeter – deploy next-generation firewalls to reduce the network’s exposure to cyber threat, mitigate the risk of data leaks that could lead to a data breach resulting in stiff penalties assessed under GDPR, and deliver the forensic insight required to prove compliance and execute appropriate remediation following a breach. The SonicWall next-generation firewalls protect against emerging threats and feature deep packet inspection; real-time decryption and inspection of SSL sessions; adaptive, multi-engine sandboxing; and full control and visualisation of applications
• Facilitate secure mobile access – foster the secure flow of covered data while enabling employees to access the corporate applications and data they need in the way they prefer, and with the devices they choose. Enhance data security (while removing access obstructions) by combining identity components, device variables and temporal factors (time, location etc) to deliver an adaptive, risk-based approach that ensures the right access all the time, every time, while concurrently improving data protection and GDPR compliance
• Ensure email security – to fulfil GDPR requirements, achieve full control and visibility over email activity to mitigate the threat of phishing and other email-based attacks on protected information, while enabling the secure and compliant exchange of sensitive and confidential data

As well as providing training and raising awareness about the steps needed to reach compliance, Kaspersky Lab’s security solutions allow you to put into place robust breach detection, investigation and internal reporting procedures, helping to comply specifically with Mandatory Breach Notification and Privacy By Design. Our offering consists of the following:
• Training, including cybersecurity awareness and incident response
• The DLP feature of our Exchange and SharePoint products
• Our Kaspersky Anti-Targeted Attack solution (KATA), as well as next year’s Endpoint Detection and Response (EDR) solution
• The encryption feature of our Endpoint for Business product (KESB)
Through our training and solutions that have been built with data protection in mind, we can give you the tools you need to put GDPR at the forefront of your operations, allowing you to comply with regulations and be alerted to a security breach as soon as possible.

CipherCloud’s CASB platform enables global enterprises to leverage the cloud while avoiding risk and legal entanglements by assuring data privacy, residency, and sovereignty. For organizations that need to comply with GDPR regulations, the platform offers:
• GDPR-specific policies to detect and protect personally identifiable information including:
  - National identity numbers for more than 20 European countries
  - Names, addresses, phone numbers, and email addresses
  - Private healthcare and insurance information
  - Banking account and routing information including IBAN, SWIFT and ABA codes
• Policy controls based on source, location, content, and destination of files and database content in the cloud
• Proactive remediation of policy violations with blocking, quarantining, notification, and end-to-end file encryption
• Activity monitoring and geographic anomaly detection to spot suspicious activity from non-EU locations
• Strong encryption and tokenization with local key management to effectively maintain EU data residency and sovereignty, regardless of cloud provider location

Preventing breaches is by far the best way to ensure compliance. There are of course a number of common technologies and practices that can increase your data protection and enable GDPR compliance: encryption, network and e-mail security, access control and governance. Identity and access management (IAM) is one solution, pertaining to access control and governance, which by granting people appropriate access to systems, data and applications can help towards GDPR compliance. There are four fundamental principles that make up IAM:
• Authentication – this is what a user does to identify themselves to a system that they are attempting to access
• Authorisation – once a user is identified, what level of access – or permissions – do they have? Which resources should they access and what can they do with that resource?
• Administration – these critical activities (traditionally performed by IT) manage user authentication and authorisation. The more complex an organisation, the more likely that the IAM administrative load will require automation
• Audit – GDPR requires organisations to periodically – as well as on demand – prove that authentication, authorisation and administration are happening in a way that does not place personal data at risk and was not the culprit in the event of a breach

With IAM, the chances of GDPR success are greatly enhanced: an organisation knows exactly who all users are, what those users are supposed to be able to access and, if a breach does occur, the impact is greatly reduced. Most businesses are, most likely, already deploying the first basic IAM technologies. However, simple improvement in each of these four key areas can smooth the path to GDPR compliance.
GDPR puts an obligation on companies to have an effective, regularly tested Disaster Recovery (DR) solution in place. Appropriate technical and organizational measures are described as including (Article 32(1)(a)-(d)):
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

So what are the building blocks of an effective Disaster Recovery solution?

1. Backup
Backup is the foundation of any DR solution. However, not all backups are the same. Here are just a few things to look for in backup software:
• Image-based snapshot technology (technology like tape can be hugely unreliable)
• Ability to back up regularly (with StorageCraft, backups can be scheduled as often as every 15 minutes for critical data)
• Easy and fast verification that your backups work (can you easily spin these up?)
• A solution like StorageCraft that can protect all environments (Windows, Linux, Physical, Virtual), your remote workers and SaaS applications (Office 365 and G Suite)

2. On/Off Premise
As best practice, first back up to a local Backup and Recovery Device (BDR) and then replicate these backups to an offsite location. What this means for your business is that you can very quickly recover data from your onsite BDR box. However, in the event that you cannot access your site, having an offsite backup gives you a full business continuity solution. StorageCraft provides a purpose-built Disaster Recovery Cloud allowing you to flip a switch and fail over to a secondary network running in the cloud in just minutes.

3. Testing
You MUST be able to test your DR plan. Don’t let a disaster be your first test! A good DR plan will be easy to test. This is the only way that you can validate that your Recovery Time Objectives can be met. StorageCraft offers automated DR testing, which allows service providers to ensure their customers can restore in all situations.

4. Recovery
It may seem obvious but sadly, this is where many so-called “DR solutions” fail. Your Disaster Recovery must be able to recover your data every time and on time. When a disaster like Ransomware hits, you want to be 100% confident you can recover your data and get on with the job!

StorageCraft Technology is an award-winning developer of Business Continuity and Disaster Recovery solutions. Whether you are protecting SaaS applications, restoring files and folders or entire systems, StorageCraft offers rock-solid backup and recovery.
Efficient log management tools such as LogPoint’s Security Information and Event Management (SIEM) system can help ensure compliance with the new regulation by providing rapid yet thorough search, sorting, filtering and analysis of millions of data logs.

Monitoring and reporting for compliance
LogPoint’s out-of-the-box and custom compliance reports – including GDPR – help you fulfil organizational data compliance requirements quickly and efficiently. The SIEM also enables enterprises and organisations to proactively monitor their networks and identify security threats in real time to prevent cyber-attacks and fulfil their compliance requirements, including GDPR. Access to systems where personal or financial data is stored (e.g. HR systems, customer databases, SAP) can be monitored; the SIEM provides an overview of the security on these systems and alerts when they are accessed.

If a data breach happens
In the event of a data breach, an organisation is required to swiftly identify the breach and document the extent of the compromised data. This calls for new security and data protection policies as well as new roles and responsibilities within an organisation. If a breach happens, LogPoint quickly identifies the source of the leak, enabling you to get a complete overview of what exactly has been accessed, inform regulators and act quickly to contain the problem.

With the increasing market trends of BYOD and IoT, there are many new ways in which companies will be forced to devise new approaches to protecting and monitoring data in order to come into compliance with GDPR. One of them is Network Access Management (NAM). Portnox next generation Network Access Control Management solutions are simple to deploy and provide real-time, all the time visibility into any device attempting to access your network as well as those already logged on. With Portnox solutions security teams can:
• See – 100% real-time actionable visibility. See all of your IoT devices with a centralized and agentless approach that is infrastructure vendor agnostic.
• Control – Segment your network and automatically sort IoT devices according to type or group. Mitigate risks by limiting access, placing in quarantine or blocking an infected device to immediately remediate security issues.
• Automate – delivering unique automatic actions, enabling security teams to reduce the time and cost associated with manual responses.
With Portnox, the chances of achieving GDPR compliance increase greatly. Security teams are able to see and profile all network devices, remediate any security issues and automate actions that have traditionally been conducted manually. With Portnox you are in control. It is that simple.
GDPR is not just introducing stricter rules for the protection of personal data belonging to individuals, it also names measures deemed appropriate for the job – naming encryption as one of them. Generally, the main benefits of encryption technology are its strength – thanks to powerful algorithms and growing key lengths (bits) – its wide availability and its relatively low cost of implementation; it is embraced even by some national authorities. One example, DESlock Encryption by ESET, offers more than just the basics. It also offers business clients a solution that is simple to deploy, easy to use even for non-technical users and one that allows for the remote management of keys, settings and security policy. It also allows users to safely encrypt hard drives, removable media, files and email. In addition, DESlock Encryption allows companies to meet the data security obligations required by GDPR by easily enforcing encryption policies while keeping productivity high. Apart from all that, DESlock Encryption by ESET has solved one of the biggest usability challenges: how can users share encrypted information?
Centrify and GDPR – the breach stops here. Centrify’s Identity Platform protects against the leading point of attack for cyberthreats and data breaches – compromised credentials. A key aspect of GDPR is the requirement for breach notification; therefore stopping breaches is vital to ensure that an unwelcome spotlight doesn’t fall on your company. GDPR requires that companies follow the “state of the art” for cybersecurity, and practice “data protection by design and by default”. Implementing recognised security certification schemes, or following their principles, helps demonstrate the intent to do this. The Centrify Identity Platform allows for the implementation of many of the cybersecurity controls required by ISO 27001, HM Government’s “Cyber Essentials” and others that relate to GDPR.
Single sign-on (SSO), risk-based access control through machine learning and multi-factor authentication significantly increase security, whilst also improving user experience. Securing access through a least-privilege model and managing admin/root passwords helps to secure the platforms on which applications run and also reduces the risk of breaches in hybrid IT environments. By securing access to apps and infrastructure, both on-premises and in the cloud, from any device, and for all types of users (including secure remote access), Centrify helps in the constant battle against being breached and may save the embarrassment and damage to reputation of such an event taking place.
Getting to a Business Aligned Data Protection Strategy
Supporting a GDPR policy

EU GDPR – how does it affect your Backup Platform?
Data protection safeguards should be built into products and services from the earliest stage of development. This should mean that quick recovery of data in the event of a breach or failure is the norm, not the exception.

How can Quest’s Rapid Recovery Data Protection solution help your GDPR challenges?
Organisations need Data Protection solutions that can:
• Analyse, index, store and recover data based on its value to your business.
• Provide comprehensive, centrally-managed and swift backup and recovery of data.
• Encrypt your backup data for security purposes.
• Have a solution that can plug gaps in protection of applications and plan for future backup resources.

What should an organisation’s Data Protection solution cover to align with GDPR?
1. Classify your data – what drives the business? What data is important? What data is not important?
2. How large is your backup window? – Do you have enough time to complete data backup on time and efficiently?
3. Recovery Time Objectives – How much time does it take to restore data and services to users in the event of a failure/outage?
4. Recovery Point Objective – How much data can you afford to lose?
5. Data Consistency – If you recover file or database information, do you know that it will be usable and consistent with the latest information?
6. Ensuring consistency – works directly with the file systems and applications themselves

Rapid Recovery optimises user experience:
• Simple point-and-click recovery for users
• Restore critical machines in minutes
• Up to 288 backups per day
• Fast and granular, object and file level recovery
• < 5 min backup times

Rapid Recovery can automate your backup process:
• Automated data integrity & consistency checking
• Automated agent & agentless protection for your environment
• A single interface
• Application and file system aware
• File/Folder search and index functionality

Rapid Recovery modernises backup for cloud:
• Easy connection to public clouds
• Restore from physical to virtual, to cloud
• Replicate & archive data
• Protect anything, anywhere
• Encrypt your data in flight and at rest

Rapid Recovery enables your business to be:
• Always on
• Always available
Disclaimer
This document is purely for guidance, and does not constitute legal advice or legal analysis. All organisations that process data need to be aware that the General Data Protection Regulation will apply directly to them. The responsibility to become familiar with the regulation and comply with its provisions from 25th May 2018 onwards therefore lies with the organisation. This guide is intended as a starting point only, and organisations may need to seek independent legal advice when reviewing or developing their own processes and procedures or dealing with specific legal issues or queries.

Sources, acknowledgements and reference points
• Information Commissioner’s Office
• www.eugdpr.org
• Computer Weekly
• IAPP
• IDC
• gov.uk