GDPR (GENERAL DATA PROTECTION REGULATION)
General Regulation on the protection of the personal data of European Union citizens
• A new regulation that enters into force in May 2018 (25 May) and replaces the old "Data Protection Directive 95/46/EC" of 1995
• It brings new, stricter rules for protecting personal data and a series of new rules for every company that in any way collects data about its users, customers, respondents, employees etc.
• The regulation affects not only companies operating in the EU, but every company in the world that offers its products and services to EU citizens or in any way tracks the habits of EU citizens
• Fines for breaching the regulation amount to up to 20 million euros or 4% of total annual revenue, whichever is higher
CITIZENS' RIGHTS IN THE PROTECTION OF PERSONAL DATA
• Access to data (confirmation of how it is used)
• Right to rectification (additions and statements)
• Right to be forgotten (erasure by fast-track procedure)
• Right to portability (managing your own data)
• Right to object (if you are against it, object)
• What you cannot do (some data must remain)
• Whom to complain to? (the address is AZOP – Agencija za zaštitu osobnih podataka, the Croatian Personal Data Protection Agency)
AND WHAT DOES GDPR MEAN FOR COMPANIES AND PUBLIC ADMINISTRATION?
• Clear consent for collecting data
• Data must be properly protected, with access only for those whose job requires it and in line with their permissions
• The European Union is determined, there is no extra time, and the fines are large (25 May 2018)
• For unlawful handling of personal data you can also be sued by the person you have harmed
• Face this challenge urgently; create multidisciplinary teams with specific expertise
• GDPR compliance starts with knowledge. Get familiar with the requirements and train an internal team. Who will be in it? The person responsible for personal data protection, the IT director, lawyers, and the managers of every business process in which the company accesses or processes personal data
SOME OF THE MYTHS ABOUT GDPR
• My company is micro, small or medium-sized, so I am not subject to GDPR – FALSE
• GDPR is an IT security matter – we have robust IT security and data encryption, so we will be GDPR compliant – FALSE
• We have heard the fines are significant, but inspectors will not punish every single lapse – FALSE
• We have customers from the EU, but our business is located outside the EU, so GDPR does not apply to us – FALSE
• GDPR enters into force in May 2018 – we have plenty of time – FALSE
• We only process data. GDPR (and the big fines) apply only to organisations that collect personal data – FALSE
• GDPR is a problem for IT and the Legal department. FALSE – GDPR affects all parts of the organisation and all employees
FIVE REASONS WHY YOU SHOULD CARE ABOUT GDPR
1. It's not just about fines – it's about reputation too
2. It's the toughest piece of privacy regulation in the world
3. GDPR will change the way you do business; your current processes may become illegal
4. You are likely to need contract changes with your suppliers and customers
5. If you're a larger company it will form part of your audit processes and will mean new types of staff are needed
DATA TYPES - THE CHALLENGES
Structured (Application Data):
• CRM Systems
• ERP Applications
• Financial
• Marketing
• Vertical apps e.g. retail
• SaaS Apps
• RDBMS
• Big Data
Semi-structured (Application Data):
• Document Management
• App File Stores
Unstructured (Files & Folders):
• NAS
• File Servers
• Cloud Storage
• Laptops
• Mobile Devices
• Personal Clouds
Concerns common to all three: Security, Protection, Availability, Retention, Copy management, Lifecycle, Custody, Access, Audit
Personal Data Can Be Anywhere
THERE IS NO SILVER BULLET FOR GDPR
GDPR Components
• Processes: analysis, discovery, process flow, design, management, ongoing review etc.
• Data Management: protection, recovery, availability, retention, lifecycle, location etc.
• Security Management: physical, perimeter, breach/vuln. detection, encryption, access controls, cyber security, education etc.
• Manual Tasks: ops, delivery, configuration, search, retrieval, reporting, redaction etc.
[Diagram: the four components Process, Tasks, Security and Data]
More technology silos lead to more manual tasks, and a greater opportunity for human error or misdeed. This increases cost and risk significantly.
DATA COPIES AND SILOS
Products/Silos: 5 – 10
Potential Data Copies: 50+
• Example shown just for backup & recovery, retention and compliance
• Each data silo = another potential door for a data breach
• More to manage, monitor, report and secure
• Tape is particularly problematic
• Complex Search/Auditing
[Diagram: copies of the same data spread across a mail server (mailbox backup, mailbox archive, multiple backups, Outlook PSTs, compliance archive, compliance copy, compliance replica, archive backup), files (file analytics, file archive), datacentre file servers, department and remote file servers (server backups) and personal cloud & devices (endpoint backup), linked by copy and replicate operations]
STORAGE CONSUMPTION
45-60% of respondents' total storage capacity consisted of what is considered "copy data".
Less than 20% of respondents had a formal copy data strategy; those few that did realised significant reductions in storage capacity growth.
Source: IDC CDM Survey, 2016
[Chart: split of storage between Primary Data and Copy Data]
DATABASE COPIES
82% of respondents had at least 10 copies of each database.
SQL and Oracle applications were present in 75% of the organisations polled; SAP was in 54% of those polled.
Source: IDC CDM Survey, 2016
GDPR DEMANDS FUNDAMENTAL CHANGES
New GDPR Mandates Require Changes to Storage Management Strategies for All Global Enterprises
• Identify Personal Data
• Verify Whether Proper Consent Was Obtained
• Examine Backup Retention: "Retention should be reduced for systems that contain personal data, and if archiving is not already in place for maintaining these records for governance purposes, then it should be implemented."
• Implement Archiving for Governance Purposes
Source: Gartner 2016, New GDPR Mandates Require Changes to Storage Management Strategies for All Global Enterprises
BACKUP AND ARCHIVE CONFUSION
• Many organisations use archive tools for space management, but still retain backup copies for many years as 'archives'
• Archives require backup, which often creates a 'silo inside a silo'
• Tape is still the most used medium for long term storage
[Diagram: file servers & NAS feeding multiple backups and a file archive; the archive is itself backed up (archive backup) offsite or to a 3rd party; archive benefit: faster backup and DR]
A 2016 Gartner straw-poll at a European event revealed that only 4% used the cloud instead of tape for long term retention
THE KEY DATA MANAGEMENT PRINCIPLES OF GDPR
(each principle is paired with where Commvault can help)
• Right to be forgotten (RTBF, Article 17): locate personal data, almost anywhere
• Data protection by design and by default (Article 25): most comprehensive available
• State-of-the-art (SOTA, Articles 25 & 32): integrated beyond any current competitor
• Ensure ongoing confidentiality, integrity, availability and resilience (Article 32): leading backup/recovery, with on-demand encryption and secure role-based access
• 72 hour data breach notification (Articles 33 & 34): identify what data was compromised, including laptops
• Data minimisation principle (Article 25): Commvault can reduce and manage data copies
• Defining use cases and managing consent (Article 6): N/A for new policies; search after the fact
• Data transfers (Articles 44-50): search and preservation
• Data portability (Article 20): export in original format or PDF, XML etc.
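The "silo inside a silo" problem from the backup and archive slides and the right-to-be-forgotten and data-minimisation principles listed above become concrete once the copies are written down as a graph. The following is an added example, not code from these slides or from Commvault: the copy inventory, the media types, the retention figures and the "expire and exclude on restore" handling for tape are all constructed assumptions used to show how an erasure request has to propagate through every derived copy, and how a retention limit flags the copies that should be shortened.

```python
from typing import Dict, List

# Constructed copy inventory modelled on the "data copies and silos" diagram.
# Every entry names the copy it was taken from, so a backup of an archive is a
# "silo inside a silo". retention_days is None for live (primary) systems.
# Names, media and day counts are illustrative assumptions, not a real estate.
INVENTORY: Dict[str, dict] = {
    "MailServer":     {"medium": "disk",  "retention_days": None, "derived_from": None},
    "MailboxBackup":  {"medium": "disk",  "retention_days": 35,   "derived_from": "MailServer"},
    "MailboxArchive": {"medium": "disk",  "retention_days": 2555, "derived_from": "MailServer"},
    "ArchiveBackup":  {"medium": "tape",  "retention_days": 3650, "derived_from": "MailboxArchive"},
    "OutlookPSTs":    {"medium": "disk",  "retention_days": None, "derived_from": "MailServer"},
    "EndpointBackup": {"medium": "cloud", "retention_days": 90,   "derived_from": "OutlookPSTs"},
    "FileServers":    {"medium": "disk",  "retention_days": None, "derived_from": None},
    "ServerBackup":   {"medium": "tape",  "retention_days": 1825, "derived_from": "FileServers"},
}

# Media on which one record can be deleted in place. Tape cannot be selectively
# erased, so its copies have to age out and be excluded on restore; that is an
# assumed compensating control for this example, not a product feature.
SELECTIVE_ERASE_MEDIA = {"disk", "cloud"}


def downstream_copies(inventory: Dict[str, dict], source: str) -> List[str]:
    """All copies transitively derived from `source`, breadth first."""
    found: List[str] = []
    frontier = [source]
    while frontier:
        parent = frontier.pop(0)
        for name, meta in inventory.items():
            if meta["derived_from"] == parent and name not in found:
                found.append(name)
                frontier.append(name)
    return found


def erasure_plan(inventory: Dict[str, dict], source: str) -> Dict[str, str]:
    """Action per copy needed to honour an erasure request for a record on `source`."""
    plan: Dict[str, str] = {}
    for name in [source] + downstream_copies(inventory, source):
        medium = inventory[name]["medium"]
        plan[name] = "erase" if medium in SELECTIVE_ERASE_MEDIA else "expire-and-exclude-on-restore"
    return plan


def over_retention(inventory: Dict[str, dict], max_days: int) -> List[str]:
    """Copies whose retention exceeds the policy limit, i.e. candidates for reduction."""
    return sorted(
        name for name, meta in inventory.items()
        if meta["retention_days"] is not None and meta["retention_days"] > max_days
    )


def summarise(inventory: Dict[str, dict], source: str, max_days: int) -> dict:
    """One-line view a DPO would want: how many places an erasure touches and where it cannot be immediate."""
    plan = erasure_plan(inventory, source)
    return {
        "copies_to_touch": len(plan),
        "deferred": sorted(n for n, a in plan.items() if a != "erase"),
        "over_retention": over_retention(inventory, max_days),
    }


if __name__ == "__main__":
    for copy_name, action in erasure_plan(INVENTORY, "MailServer").items():
        print(f"{copy_name:15} {action}")
    print("over a 6-year limit:", over_retention(INVENTORY, 2190))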
THE GDPR BREAKDOWN: Complexity Hinders Compliance and Increases Risk
Scope: legacy systems, data centers, cloud data, SaaS
PAIN: LACK OF CONTROL AND ANALYSIS
• Archive and search systems create silos
• Lack of common search and collation
• Multiple access controls to manage
• Gaps in coverage present risk
PAIN: VISIBILITY OF EXTERNAL DATA
• Data held externally is difficult to track
• Protection managed by 3rd party
• Limited ability to archive or manage retention
PAIN: BACKUP AND RECOVERY RISKS
• Too many siloed solutions & repositories
• Not easy to set common policies
• Reporting is a challenge
• Variable controls in areas such as auditing
• Complexity leads to gaps in coverage
[Diagram: disconnected silos with unknown coverage across the four environments]
THE GDPR BREAKTHROUGH: Simply Powerful: An Advanced Data Management Platform
Scope: legacy systems, data centers, cloud data, SaaS
GAIN: ROBUST DATA MANAGEMENT
• Data is accessible, organized and indexed
• Complete infrastructure awareness
• Centralised governance and control for hybrid clouds
• Consistent data policies across the enterprise
GAIN: UNIFIED CLOUD BACKUP
• Single solution to backup the whole enterprise
• Automation ensures backup by default
• Easy to report and audit
• Robust, integrated redundancy for archive policies
GAIN: CONTROL OF EXTERNAL DATA
• Backup and archive SaaS data
• Backup and gain visibility of data on mobile devices
• Guard against Malware and data breaches
• Provide secure alternative to personal cloud shares
[Diagram: a single Data Management Platform with an indexed virtual repository and global, secure dedupe spanning the four environments]
FROM BACKUP & ARCHIVE TO INFORMATION MANAGEMENT
Intelligent Data Management: single query searching across backup & archive; global data (cost) reduction
Collection: remote & internal end users; email on-premises or cloud; cloud solutions; data center
Access: end user access; Outlook plugin
Analyze:
• Search & Preservation
• Content-Aware Retention Mgt.
• Data Leakage Detection
• Remote Search of Structured Sources
• Rapid response to data subject inquiries
Manage: auto storage tiering, from 1 year to 30 years
Produce or Erase: delete, zip, XML export
Compliance Access: GDPR, FOIA, eDiscovery, data spillage search
PII information with Commvault Analytics (Data Cube)
PII – Personally Identifiable Information: credit card numbers, IP addresses, phone numbers, emails…
With Commvault Analytics (Data Cube) we have the ability to collect data from multiple sources, both structured and unstructured data types, including third-party services:
• Oracle, Microsoft SQL Server, and other types of databases
• Third-party data services, such as Salesforce and Oracle Eloqua
• Desktop, laptop, and server file systems
• NAS
• Microsoft Active Directory and other LDAP directory services
• Microsoft Excel spreadsheets and CSV files
• Internal websites and public websites
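The discovery step the slide describes (finding the PII kinds it lists across many sources) is easiest to understand from a small scanner. The following is an added example and is not Commvault code nor a description of how Data Cube classifies data: it uses constructed sample records (the card number is the well-known Luhn-valid test number, the rest are made up), matches the four PII kinds named on the slide with regular expressions, validates card candidates with the Luhn checksum and IPv4 candidates by octet range so that look-alike numbers are not reported, masks values in the report so the inventory does not itself become another copy of personal data, and counts findings per source, which is the map a breach investigation or an erasure request needs.

```python
import re
from typing import Dict, List, Tuple

# Constructed (source, text) records standing in for rows a discovery job
# would read from a CRM export, a file share and a web-server log. No value
# belongs to a real person; 4111 1111 1111 1111 is the standard test card number.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("crm/export.csv",  "Ana Horvat,ana.horvat@example.com,+385 91 234 5678"),
    ("fileshare/notes", "paid with card 4111 1111 1111 1111 on 2018-05-25"),
    ("fileshare/notes", "order id 1234 5678 9012 3456 is not a card number"),
    ("web/access.log",  "10.0.0.12 - - [25/May/2018] GET /account"),
    ("web/access.log",  "999.1.1.1 is not a valid IPv4 address"),
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){3,4}")   # international format only
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digit candidates
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum over the digits of a card-number candidate."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ipv4_valid(candidate: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. 999.1.1.1)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def find_pii(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every PII-looking token in `text`."""
    hits: List[Tuple[str, str]] = []
    hits += [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    hits += [("phone", m.group()) for m in PHONE_RE.finditer(text)]
    hits += [("card", m.group()) for m in CARD_RE.finditer(text) if luhn_valid(m.group())]
    hits += [("ipv4", m.group()) for m in IPV4_RE.finditer(text) if ipv4_valid(m.group())]
    return hits


def mask(value: str) -> str:
    """Keep only the last four characters so the report is not itself a PII copy."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def inventory(records: List[Tuple[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count PII kinds per source: the map an erasure or breach query starts from."""
    counts: Dict[str, Dict[str, int]] = {}
    for source, text in records:
        for kind, _ in find_pii(text):
            counts.setdefault(source, {})
            counts[source][kind] = counts[source].get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for source, text in SAMPLE_RECORDS:
        for kind, value in find_pii(text):
            print(f"{source:16} {kind:6} {mask(value)}")
    print(inventory(SAMPLE_RECORDS))
```

The two validators are what keep such a scan useful: a bare 16-digit regex would report the order id as a card number and the malformed address as an IP, and a discovery job that cries wolf on every numeric field gets switched off. Real data also carries national identifiers, dates of birth and free-text names, which need per-country patterns or name dictionaries that this example does not attempt.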
GDPR AND CLOUD ADOPTION
ON-PREMISES: Fully Under Your Control
• Data Management & Security
• Processes, Retention, Recovery etc.
• Consistent by design
PUBLIC CLOUD / SaaS: Controls Passed to 3rd Parties
• Consistency lost
• Cloud systems must meet the same regulations as on-premises
• Must be within a region that offers 'similar' protection as the EU/GDPR
COMMVAULT AND THE CLOUD
• Cloud Storage: Offsite Storage, Backup, Archive, Tape Replacement
• Migration: Simple to ship and convert workloads
• Recovery Use-cases: DR, Dev & Test
• Backup in the Cloud
• Backup for SaaS
• Exchange/O365 Archive & Compliance
[Diagram: on-premises workloads & data moved to the cloud (blob storage) and SaaS, with backup, archive & search* and a single point of control, reporting, search etc. across 50+ cloud storage platforms]
*SaaS functions vary by supplier
SUMMARY
• Consider getting some expert help; GDPR is complex and far reaching
• Dealing with GDPR can also help you to meet other regulations, such as FOI, MiFID etc.
• Accelerate your Modernisation: Managing GDPR with Commvault can be beneficial!