The GDPR Opportunity: data identification

Transcript of The GDPR Opportunity: data identification

Page 1: The GDPR Opportunity: data identification › binaries › content › assets › hsl › lectoraten › … · The GDPR Opportunity: data identification. About me 2 Rob van Enschot

eDiscovery Symposium, 26 April 2018

presents:

The GDPR Opportunity: data identification

Page 2

About me

www.schippers-it.nl

❑ Rob van Enschot

❑ Age: 34 years

❑ Digital Investigator at Schippers IT

❑ 14 years experience

❑ Product specialist & certified trainer: Nuix & Cellebrite

Page 3

About Schippers IT


Personal Medium Business Professional

❑ Founded in 1999 by a former police officer

❑ Approved by Ministry of Justice and Security

❑ Value added reseller of forensic hardware and software

Page 4

About Nuix


▪ 350+ employees

▪ In-house teams of experts in security, investigations, eDiscovery, IG, archives

▪ Stable, long-term executive and development teams

▪ US, Australia, UK, Ireland, Singapore, India, Germany

▪ 65% growth in 2014; 57% in 2015

▪ Average 62% growth every year over 5 years

▪ Growth pattern from Australia, across UK, Europe, North America, Asia and Middle East

▪ Commercialized 2006

▪ 100% funded by cash flow

▪ Profitable since 2008

▪ All major global regulatory agencies and the largest consulting firms and Litigation Service Providers

▪ All the largest electronic investigation cases are done in Nuix

▪ Customers in over 60 countries

▪ Almost 2,000 customers globally

▪ Continued growth of development resources in US and Australia

▪ Large investment in developing next-gen solutions – major 2016 releases:

• Nuix 7.0 Engine: Q2

• Nuix Adaptive Security: Q2

• Nuix Web Review & Analytics V6.2.9: Q2

• Nuix Director V6.2.9: Q2

• Nuix Sensitive Data Finder V2.2: Q2

• Nuix Legal Hold: Q2

• Nuix Management Console: Q1

• Nuix Insight: Q3

Page 5

Nuix & The Panama Papers


Nuix provided the technology to process the data for the investigation of the Panama Papers:

• 11.5 million documents

• 2.6 TB of data processed

• 400 journalists

• 80 countries

Page 6

GDPR: Recent investigations


Slide shows three news items, dated October 15, 2016, May 18, 2017 and June 16, 2017.

Page 7

EU GDPR: Need to knows


Page 8

GDPR: Organisational compliance includes


People: Hire and assign people to focus on regulatory compliance

Process: Create and update IG policies and data processes

Technology: Identify, manage, and monitor the company’s data

Page 9

GDPR & Compliance


The foundation for companies to be GDPR compliant originates in answering these critical questions:

1. What personal data do you have?

2. Where is your data held?

3. Who is responsible for the data?

4. Are you protecting your customers’ information?

Page 10

GDPR data identifiers


The EU Data Protection Directive (95/46/EC) defines personal data as follows:

"'personal data' shall mean any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity"

Personal Identifiable Information (PII) is any information relating to a living person that makes it possible to identify that person either directly or indirectly.

Sensitive Personal Information (SPI) is any personal data specifically relating to racial origin, political opinions, religious or philosophical beliefs, physical / mental health, sexual orientation, criminal offences (alleged or committed) and biometric data, e.g. fingerprint, facial recognition, or retinal scan.

SPI: racial origin, political opinions, religious or philosophical beliefs, physical / mental health, sexual orientation, criminal offences (alleged or committed), biometric data (e.g. fingerprint, facial recognition, retinal scan).

PII: Name, Address, Email address, Mobile device ID, GPS location, Bank account, Employee ID, IP address.

Page 11

Privacy regulation requirements

Regulatory requirements and subject inquiries are designed to protect the individual.

❑ The right to be informed

❑ The right of access

❑ The right of rectification

❑ The right to erasure

❑ The right to restrict processing

❑ The right to data portability

❑ The right to object

❑ The right not to be subjected to automated decision-making, including profiling

Data privacy is a growing area of information management and response for businesses, spurred on by regulations like GDPR.

Page 12

GDPR & classification

Companies must be able to perform large scale classification of their data while answering these questions:

• What types of personally identifiable information do you have on file?

• Where is it located?

• What level of security is required?

• Who has access?

• How will the data be used?

• Do you have consent to use that data?

Page 13

GDPR challenges and your response with Nuix


FIND

• What GDPR content do I need to find?

• Where would that content be?

• Who has access to it?

• Permissions, should they have access?

UNDERSTAND

• I now know the size & scale of my business data challenge.

• How do I deal with SAR/FOI/Right to be forgotten?

ACT

• How do I promptly handle breach notification?

• How do I respond to SARs as a business process?

• How do I identify a breach and react within 72 hours?

• How do I ensure appropriate Information Governance that adheres to the regulation?

IDENTIFY: DATA MAPPING & DISCOVERY

• Identifies GDPR relevant content within files (not just metadata)

• Supports 100s of file types; Processes PB of data; Handles structured / unstructured / archive storage

MANAGE: UNDERSTAND & CLASSIFY

• Gives full visibility of all GDPR data wherever it resides

• Performs full data analytics to see who, what, when and their relationships with GDPR data

• Manages the lifecycle of data to ensure its correct place in the enterprise architecture

• Classifies redundant, outdated, and trivial data to manage appropriately

• Connects structured / unstructured and end point data for immediate identification and response

MONITOR: RESPOND TO EVENTS IN REAL TIME

• Produces infrastructure to monitor and maintain EU GDPR identified documents.

• Uses advanced technology to access, understand and act on human-generated information

• Reports data breaches within 72 hours following the occurrence

• Provides ability to run disaster scenarios – to understand your risk

• Encrypts and monitors data with alerting, destruction at source (right to be forgotten), update permissions

Page 14

GDPR: The 7 process flow stages by Nuix


Stage 1: Identify personal data patterns

Stage 2: Develop data mapping

Stage 3: Conduct information audit

Stage 4: Perform scope assessment

Stage 5: Apply remediation

Stage 6: React, respond and report

Stage 7: Install Always On Protection


Page 15

Stage 1: Identify personal data patterns

❑ Review data privacy / GDPR policies to ensure they are appropriate and update accordingly

❑ Develop search rules for processing

❑ Scan data with Nuix parallel processing to:

• Identify data patterns across sample data sets that establish relevant strings which comply with GDPR identification requirements

• Build and test pattern recognition entities to find Personal Identifiable Information (PII) and other GDPR-relevant data strings

GDPR: The 7 process flow stages by Nuix - Stage 1

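Stage 1 asks for pattern recognition entities that are built and then tested against sample data. The block below is an added example, not Nuix code or the presenter's material: it pairs a broad regex for each of four PII types from the identifier list (email address, IP address, bank account as IBAN, mobile device ID assumed to be an IMEI) with a validator, so that a candidate that merely looks right is reported separately from one that passes a checksum. Entity names, patterns, validators and the sample record are assumptions constructed for this illustration.

```python
"""Stage 1 pattern entities: broad regexes paired with validators.

Added example (not Nuix code or the presenter's material). Entity names,
patterns, validators and the sample record below are assumptions/constructed.
"""
import re

# Broad candidate patterns. Each entity also gets a validator so that the
# "test" half of "build and test pattern recognition entities" has teeth.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Bank account as IBAN: country code, two check digits, then 4-char groups.
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
    # Mobile device ID assumed to be an IMEI: 15 digits ending in a Luhn check digit.
    "imei": re.compile(r"\b\d{15}\b"),
}


def ipv4_ok(value: str) -> bool:
    """Every octet must fit in 0..255; '300.1.1.1' matches the regex but is not an address."""
    return all(0 <= int(octet) <= 255 for octet in value.split("."))


def iban_ok(value: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with 10..35, and the resulting number mod 97 must equal 1."""
    compact = value.replace(" ", "").upper()
    if not 15 <= len(compact) <= 34:
        return False
    rearranged = compact[4:] + compact[:4]
    as_digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(as_digits) % 97 == 1


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by IMEI (and payment card numbers)."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:      # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


VALIDATORS = {
    "email": lambda v: True,       # the regex is already reasonably strict for email
    "ipv4": ipv4_ok,
    "iban": iban_ok,
    "imei": luhn_ok,
}


def find_pii(text: str) -> dict:
    """Run every entity over the text; split hits into confirmed and rejected."""
    report = {}
    for entity, pattern in PATTERNS.items():
        confirmed, rejected = [], []
        for match in pattern.finditer(text):
            hit = match.group(0)
            (confirmed if VALIDATORS[entity](hit) else rejected).append(hit)
        report[entity] = {"confirmed": confirmed, "rejected": rejected}
    return report


# Constructed sample record; all values are test/example values, not real people.
SAMPLE = """
Customer record (constructed sample)
Contact: jane.doe@example.org, backup j.doe@mail.example
Last logins from 192.168.10.25 and from 300.1.1.1
Account NL91 ABNA 0417 1643 00 ; earlier typo NL91 ABNA 0417 1643 01
Device IMEI 490154203237518 ; build number 490154203237519
Agent version 1.2.3.4
"""

if __name__ == "__main__":
    for entity, hits in find_pii(SAMPLE).items():
        print(f"{entity}: confirmed={hits['confirmed']} rejected={hits['rejected']}")
```

The rejected lists are the point of the "test" step: the mistyped IBAN and the non-IMEI build number would be noise in a data map if only the regex were trusted. The checks are not a substitute for review, though: the version string 1.2.3.4 passes the IPv4 validator, so a hit rate per entity should be sampled against the source documents before the entity is promoted into production search rules.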

Page 16

Stage 2: Develop data mapping

Identify and classify data repositories* across all data dimensions which could potentially contain personal data:

❑ Third party data

❑ Cloud storage

❑ NAS / SAN storage

❑ Endpoint data

❑ Mobile

❑ Multimedia

*Apply risk scoring logic for more intelligent decisions and remediation ranking

GDPR: The 7 process flow stages by Nuix - Stage 2


Page 17

Stage 3: Conduct information audit

Deploy and commission Nuix configuration, review and remediation capabilities to allow for interrogation of data repositories as well as endpoints.

Detail staged processing of collecting data based upon:

❑ Risk

❑ Urgency

❑ Availability

❑ Size

Scan / index data sources in the appropriate mode:

❑ Indexless scan

❑ Metadata register

❑ Full text index

GDPR: The 7 process flow stages by Nuix - Stage 3

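Stage 3 describes two decisions: the order in which sources are collected (risk, urgency, availability, size) and the mode each source is scanned in (indexless scan, metadata register, full text index). The block below is an added example, not Nuix code or the presenter's material, showing one way to encode both decisions over an in-memory corpus. The ordering rule, the size thresholds that select a mode, the risk and urgency scores and the three sources are all assumptions constructed for this illustration.

```python
"""Stage 3 information audit: prioritise sources and choose a scan mode each.

Added example, not Nuix code. The ordering rule, mode-selection thresholds
and the sources are assumptions constructed for illustration.
"""
import os
import re
from dataclasses import dataclass, field


@dataclass
class Source:
    name: str
    risk: int            # 1 (low) .. 5 (high), e.g. from Stage 2 risk scoring
    urgency: int         # 1 .. 5, e.g. raised by a pending subject access request
    available: bool      # reachable right now?
    files: dict = field(default_factory=dict)   # path -> bytes (constructed corpus)

    @property
    def size(self) -> int:
        return sum(len(blob) for blob in self.files.values())


# Assumed policy thresholds for picking a mode.
FULL_TEXT_MAX_BYTES = 100_000      # full text only where indexing cost is acceptable
METADATA_MAX_BYTES = 1_000_000     # above this, start with a count-only indexless pass


def choose_mode(src: Source) -> str:
    if src.size > METADATA_MAX_BYTES:
        return "indexless"
    if src.risk >= 4 and src.size <= FULL_TEXT_MAX_BYTES:
        return "full_text"
    return "metadata"


def plan_collection(sources) -> list:
    """Reachable sources first, then highest risk x urgency, then smallest size."""
    ordered = sorted(sources, key=lambda s: (not s.available, -(s.risk * s.urgency), s.size))
    return [(s.name, choose_mode(s)) for s in ordered]


def indexless_scan(src: Source) -> dict:
    """Count and size only; no content is read into an index."""
    return {"files": len(src.files), "bytes": src.size}


def metadata_register(src: Source) -> list:
    """Per-file register without content; a later delta audit can key on this."""
    return [{"path": p, "size": len(b), "ext": os.path.splitext(p)[1].lower()}
            for p, b in src.files.items()]


def full_text_index(src: Source) -> dict:
    """Inverted index token -> set of paths; '@' and '.' are kept so emails stay whole."""
    index = {}
    for path, blob in src.files.items():
        text = blob.decode("utf-8", errors="replace").lower()
        for token in set(re.findall(r"[a-z0-9@.]+", text)):
            index.setdefault(token, set()).add(path)
    return index


# Constructed sources (contents are sample values, not real data).
HR_SHARE = Source("hr-share", risk=5, urgency=4, available=True, files={
    "contracts/jane.txt": b"Employee Jane Doe, contact jane.doe@example.org",
    "contracts/README.txt": b"Template folder, no personal data",
})
BACKUP_NAS = Source("backup-nas", risk=3, urgency=2, available=True, files={
    "archive.bin": b"\0" * 2_000_000,
})
CLOUD_ARCHIVE = Source("cloud-archive", risk=4, urgency=5, available=False, files={
    "export.csv": b"name,email\nBob,bob@example.net\n",
})


def run_audit(sources) -> dict:
    """Walk the plan; unreachable sources keep their planned mode but are deferred."""
    results = {}
    for name, mode in plan_collection(sources):
        src = next(s for s in sources if s.name == name)
        if not src.available:
            results[name] = {"mode": mode, "status": "deferred"}
        elif mode == "indexless":
            results[name] = {"mode": mode, **indexless_scan(src)}
        elif mode == "metadata":
            results[name] = {"mode": mode, "register": metadata_register(src)}
        else:
            results[name] = {"mode": mode, "terms": len(full_text_index(src))}
    return results


if __name__ == "__main__":
    for name, result in run_audit([BACKUP_NAS, CLOUD_ARCHIVE, HR_SHARE]).items():
        print(name, result)
```

The plan puts the HR share first (reachable, highest risk times urgency) even though the cloud archive is more urgent, because an unreachable source cannot be collected now and should not block the rest. The large backup volume is counted first rather than indexed, which gives the size-and-scale figure Stage 3 needs before any decision on full-text indexing is made.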

Page 18

Stage 4: Perform scope assessment

Using the data evidence and information transparency created by Nuix:

❑ Review indexed data and create automatic classification rules through collaboration with data owners

❑ Determine ‘Plan of Action’

• Document process to launch non-compliance investigations and remediate cause

• Outline process to address requests such as ‘Right to be Forgotten’, ‘Freedom of Information’ requests, etc.

• Define suitable storage infrastructure

• Detail milestones

• Agree on remediation procedures

GDPR: The 7 process flow stages by Nuix - Stage 4


Page 19

Stage 5: Apply remediation

After updating organisational policy and practices, utilise Nuix to carry out remediation and final clean-up prior to implementation.

❑ Perform data remediation, including

❑ Expired content clean-up

❑ Ownership assignment

❑ Sensitive information migration

❑ Data protection and encryption

❑ Access permissions

❑ Socialise policy and process changes

❑ Re-permission consent

❑ Begin periodic audit of new information via delta indexing

GDPR: The 7 process flow stages by Nuix - Stage 5

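The last Stage 5 item, a periodic audit of new information via delta indexing, means keeping a register of what was scanned and re-scanning only what has since been added or changed. The block below is an added example, not Nuix code or the presenter's material: a register keyed on path with a SHA-256 of the content, a delta function that splits the current corpus into added, changed and removed items, and an audit run that scans only the first two. The register format, the stand-in email scanner and the two corpus snapshots are assumptions constructed for this illustration.

```python
"""Stage 5 periodic audit via delta indexing: re-scan only what changed.

Added example, not Nuix code. The register format (path -> SHA-256 of content)
and the sample corpus are assumptions constructed for illustration.
"""
import hashlib
import re

EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def fingerprint(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def delta(register: dict, files: dict):
    """Split the current corpus against the last register into added / changed / removed."""
    added = [p for p in files if p not in register]
    changed = [p for p in files if p in register and register[p] != fingerprint(files[p])]
    removed = [p for p in register if p not in files]
    return added, changed, removed


def count_emails(blob: bytes) -> int:
    """Stand-in scanner; the Stage 1 pattern entities would plug in here."""
    return len(EMAIL.findall(blob.decode("utf-8", errors="replace")))


def periodic_audit(register: dict, files: dict, scan=count_emails):
    """Scan only added/changed items; return (new register, findings, removed paths)."""
    added, changed, removed = delta(register, files)
    findings = {path: scan(files[path]) for path in added + changed}
    new_register = {path: fingerprint(blob) for path, blob in files.items()}
    return new_register, findings, removed


# Constructed corpus: the first audit run, then a second run after some changes.
RUN1 = {
    "hr/jane.txt": b"Jane Doe jane.doe@example.org",
    "hr/template.txt": b"No personal data here",
    "hr/old.txt": b"Former staff: old.mail@example.org",
}
RUN2 = {
    "hr/jane.txt": b"Jane Doe jane.doe@example.org",          # unchanged
    "hr/template.txt": b"Now contains bob@example.net",       # changed
    "hr/new.txt": b"New hire carol@example.net",              # added
    # hr/old.txt removed (expired content clean-up)
}


def demo():
    """Two consecutive audits; the second touches only the two items that differ."""
    register, first, _ = periodic_audit({}, RUN1)
    register, second, removed = periodic_audit(register, RUN2)
    return first, second, removed


if __name__ == "__main__":
    first, second, removed = demo()
    print("first run scanned:", first)
    print("delta run scanned:", second, "removed:", removed)
```

Hashing content catches edits that leave size and timestamp untouched, at the cost of reading every file on each run; where that is too slow, a metadata register keyed on size and modification time can select candidates and the hash can confirm them. The removed list matters as much as the additions: an item that disappears from a source after remediation is evidence that the expired-content clean-up actually happened.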

Page 20

Stage 6: React, respond and report

Continually evaluate the environment and respond to regulatory and subject requests, including:

❑ Respond to subject access requests and Right to be Forgotten

❑ Respond to regulatory requests

❑ Report breaches to in-country GDPR regulator

❑ Report breaches and response data to company’s Data Protection Officer and Board

GDPR: The 7 process flow stages by Nuix - Stage 6


Page 21

GDPR: The 7 process flow stages by Nuix - Stage 7


Stage 7: Install Always-On protection

Deploy Nuix to develop and deploy processes that establish an ‘Always-On’ watching brief:

❑ Report breaches

❑ Determine escalation

❑ Discover possible breach attack vectors

❑ Understand data exfiltration

❑ Undertake action

Page 22


GDPR: The 7 process flow stages by Nuix - Review

Nuix technology enables you to simplify and manage privacy data, fostering GDPR compliance.

Page 23

GDPR: Conclusion

EU GDPR compliance is an opportunity for you to do information governance well

You will need to understand your GDPR requirement to be compliant

You will need a tangible action plan of key workflow steps to achieve a successful GDPR plan

Nuix software supports your GDPR opportunity


Page 24

EU GDPR: Need to knows

OUTSIDE OF THE EU? Activities directed at EU residents, even if by non-EU entities, are covered.

PROCESSING OF PERSONAL DATA: Consent mechanisms may be required for data collection and processing.

DEEPER ‘PERSONAL’ DATA POOL: Will include IP addresses, genetic data, data from cookies and will affect profiling activities.

WHAT IS A BREACH? The regulation states a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

BREACH NOTIFICATIONS: Personal data breaches must be notified to the regulatory body by the DPO within 72 hrs.

DATA PROTECTION OFFICERS: Data controllers and processors must designate a Data Protection Officer.

PROFILING ACTIVITIES: Big data analytics will require explicit consent from the subjects.

BIG FINES: Penalties start at the greater of €10m or 2% of gross revenue, rising to €20m or 4% of gross revenue.

Page 25

Questions?


Page 26

Schippers IT contact details


Address: Tilburgsebaan 30a, 5126 PH Gilze

E-mail: [email protected]

Phone number: 0161-454449 - 0649020170

Website: www.schippers-it.nl