eDiscovery Symposium, 26 april 2018
presents:
The GDPR Opportunity: data identification
About me
www.schippers-it.nl
❑ Rob van Enschot
❑ Age: 34 years
❑ Digital Investigator at Schippers IT
❑ 14 years experience
❑ Product specialist & certified trainer: Nuix & Cellebrite
About Schippers IT
Personal Medium Business Professional
❑ Founded in 1999 by a former police officer
❑ Approved by Ministry of Justice and Security
❑ Value added reseller of forensic hardware and software
About Nuix
▪ 350+ employees
▪ In-house teams of experts in security, investigations, eDiscovery, IG, archives
▪ Stable, long-term executive and development teams
▪ US, Australia, UK, Ireland, Singapore, India, Germany
▪ 65% growth in 2014; 57% in 2015
▪ Average 62% growth every year over 5 years
▪ Growth pattern from Australia, across UK, Europe, North America, Asia and Middle East
▪ Commercialized 2006
▪ 100% funded by cash flow
▪ Profitable since 2008
▪ All major global regulatory agencies and the largest consulting firms and Litigation Service Providers
▪ All the largest electronic investigation cases are done in Nuix
▪ Customers in over 60 countries
▪ Almost 2,000 customers globally
▪ Continued growth of development resources in US and Australia
▪ Large investment in developing next-gen solutions – major 2016 releases:
• Nuix 7.0 Engine: Q2
• Nuix Adaptive Security: Q2
• Nuix Web Review & Analytics V6.2.9: Q2
• Nuix Director V6.2.9: Q2
• Nuix Sensitive Data Finder V2.2: Q2
• Nuix Legal Hold: Q2
• Nuix Management Console: Q1
• Nuix Insight: Q3
Nuix & The Panama Papers
Nuix provided the technology used to process the data for the Panama Papers investigation:
• 11.5 million documents
• 2.6 TB of data processed
• 400 journalists
• 80 countries
GDPR: Recent investigations
News items dated October 15, 2016, May 18, 2017 and June 16, 2017 (clippings shown on the slide are not reproduced)
EU GDPR: Need to knows
GDPR: Organisational compliance includes
❑ People: hire and assign people to focus on regulatory compliance
❑ Process: create and update IG policies and data processes
❑ Technology: identify, manage, and monitor the company’s data
GDPR & Compliance
The foundation for companies to be GDPR compliant originates in answering these critical questions:
1. What personal data do you have?
2. Where is your data held?
3. Who is responsible for the data?
4. Are you protecting your customers’ information?
GDPR data identifiers
The EU Data Protection Directive (95/46/EC) defines personal data as follows:
"'personal data' shall mean any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity"
Personally Identifiable Information (PII) is any information relating to a living person that makes it possible to identify that person either directly or indirectly.
Sensitive Personal Information (SPI) is any personal data specifically relating to racial origin, political opinions, religious or philosophical beliefs, physical / mental health, sexual orientation, criminal offences (alleged or committed) and biometric data, e.g. fingerprint, facial recognition, or retinal scan.
SPI examples: racial origin; political opinions; religious or philosophical beliefs; physical / mental health; sexual orientation; criminal offences (alleged or committed); biometric data, e.g. fingerprint, facial recognition, retinal scan
PII examples: name; address; email address; mobile device ID; GPS location; bank account; employee ID; IP address
Regulatory requirements and subject inquiries are designed to protect the individual.
❑ The right to be informed
❑ The right of access
❑ The right of rectification
❑ The right to erasure
❑ The right to restrict processing
❑ The right to data portability
❑ The right to object
❑ The right not to be subjected to automated decision-making, including profiling
Privacy regulation requirements
Data privacy is a growing area of information management and response for businesses, spurred on by regulations like GDPR.
Companies must be able to perform large scale classification of their data while answering these questions:
• What types of personally identifiable information do you have on file?
• Where is it located?
• What level of security is required?
• Who has access?
• How will the data be used?
• Do you have consent to use that data?
GDPR & classification
GDPR challenges and your response with Nuix
FIND
• What GDPR content do I need to find?
• Where would that content be?
• Who has access to it?
• Permissions: should they have access?
UNDERSTAND
• I now know the size & scale of my business data challenge.
• How do I deal with SAR/FOI/Right to be forgotten?
ACT
• How do I promptly handle breach notification?
• How do I respond to SARs as a business process?
• How do I identify a breach and react within 72 hours?
• How do I ensure appropriate Information Governance that adheres to the regulation?
IDENTIFY: DATA MAPPING & DISCOVERY
• Identifies GDPR relevant content within files (not just metadata)
• Supports 100s of file types; Processes PB of data; Handles structured / unstructured / archive storage
MANAGE: UNDERSTAND & CLASSIFY
• Gives full visibility of all GDPR data wherever it resides
• Performs full data analytics to see who, what, when and their relationships with GDPR data
• Manages the lifecycle of data to ensure its correct place in the enterprise architecture
• Classifies redundant, outdated, and trivial data to manage appropriately
• Connects structured / unstructured and end point data for immediate identification and response
MONITOR: RESPOND TO EVENTS IN REAL TIME
• Produces infrastructure to monitor and maintain EU GDPR identified documents.
• Uses advanced technology to access, understand and act on human-generated information
• Reports data breaches within 72 hours following the occurrence
• Provides ability to run disaster scenarios – to understand your risk
• Encrypts and monitors data with alerting, destruction at source (right to be forgotten), update permissions
GDPR: The 7 process flow stages by Nuix
Stage 1: Identify personal data patterns
Stage 2: Develop data mapping
Stage 3: Conduct information audit
Stage 4: Perform scope assessment
Stage 5: Apply remediation
Stage 6: React, respond and report
Stage 7: Install Always On Protection
Process-flow diagram stages shown: Data Mapping; Remediation
Stage 1: Identify personal data patterns
❑ Review data privacy / GDPR policies to ensure they are appropriate and update accordingly
❑ Develop search rules for processing
❑ Scan data with Nuix parallel processing to:
• Identify data patterns across sample data sets that establish relevant strings which comply with GDPR identification requirements
• Build and test pattern recognition entities to find Personally Identifiable Information (PII) and other GDPR-relevant data strings
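Stage 1 talks about building and testing pattern recognition entities. The Python script below is an added example written for this transcript; it is not Nuix software or material from the presenter. It shows what such an entity looks like in practice for three of the PII types listed earlier (email address, IPv4 address, bank account as IBAN): each candidate pattern is paired with a validator so that look-alike strings are not reported, and the hits are counted per entity to give the "size and scale" figure the UNDERSTAND step asks for. The sample records are constructed, and the function names are the example's own.

```python
"""Added example: regex 'entities' with validators for a personal-data scan.

Constructed sample data; not Nuix code. Names and postal addresses are left
out on purpose: they need dictionary or NER-based matching, not a regex.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Hit:
    entity: str   # which pattern entity matched
    value: str    # the matched text
    offset: int   # character offset in the scanned text


# Candidate patterns (the "search rules" of Stage 1). Each is deliberately
# loose; the validator decides whether a candidate is a real hit.
PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # country code, two check digits, then 4-character groups, optionally space separated
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
}


def valid_ipv4(candidate: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. 10.0.0.256)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def valid_iban(candidate: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with 10..35, and the resulting number must leave remainder 1."""
    compact = candidate.replace(" ", "").upper()
    if not 15 <= len(compact) <= 34:
        return False
    rearranged = compact[4:] + compact[:4]
    as_digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(as_digits) % 97 == 1


VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "ipv4": valid_ipv4,
    "iban": valid_iban,
}


def scan(text: str) -> List[Hit]:
    """Run every entity over the text and keep only validated candidates."""
    hits: List[Hit] = []
    for name, pattern in PATTERNS.items():
        accept = VALIDATORS.get(name, lambda _: True)
        for match in pattern.finditer(text):
            if accept(match.group(0)):
                hits.append(Hit(name, match.group(0), match.start()))
    return sorted(hits, key=lambda h: h.offset)


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per entity: the first 'size and scale' figure for a repository."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit.entity] = counts.get(hit.entity, 0) + 1
    return counts


# Constructed sample records (fictitious people and accounts).
SAMPLE = (
    "Customer: Jan Jansen <jan.jansen@example.com>, IBAN NL91 ABNA 0417 1643 00\n"
    "Last login from 192.168.1.10; failed attempt from 10.0.0.256 (malformed)\n"
    "Refund to GB82 WEST 1234 5698 7654 32; rejected account GB82 WEST 1234 5698 7654 33\n"
    "Build 1.2.3.4 deployed by ops@example.org\n"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:4d} {hit.entity:6s} {hit.value}")
    print(summarize(scan(SAMPLE)))
```

Running the script shows why the slide says entities must be tested, not just written: the malformed address and the IBAN with a wrong check digit are dropped by the validators, but the version string "1.2.3.4" is a syntactically valid IPv4 address and is still reported. A sample-set review of that kind of false positive is what turns a search rule into a usable entity before it is run across petabytes of data.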
GDPR: The 7 process flow stages by Nuix - Stage 1
Process-flow diagram stages shown: Data Mapping; Personal Data Patterns; Remediation
Stage 2: Develop data mapping
Identify and classify data repositories* across all data dimensions which could potentially contain personal data:
❑ Third party data
❑ Cloud storage
❑ NAS / SAN storage
❑ Endpoint data
❑ Mobile
❑ Multimedia
*Apply risk scoring logic for more intelligent decisions and remediation ranking
GDPR: The 7 process flow stages by Nuix - Stage 2
Process-flow diagram stages shown: Data Mapping; Personal Data Patterns; Remediation
Stage 3: Conduct information audit
Deploy and commission Nuix configuration, review and remediation capabilities to allow for interrogation of data repositories as well as endpoints.
Detail staged processing of collecting data based upon:
❑ Risk
❑ Urgency
❑ Availability
❑ Size
Scan / index data sources in the appropriate mode:
❑ Indexless scan
❑ Metadata register
❑ Full text index
GDPR: The 7 process flow stages by Nuix - Stage 3
Process-flow diagram stages shown: Data Mapping; Personal Data Patterns; Information Audit; Remediation
Stage 4: Perform scope assessment
Using the data evidence and information transparency created by Nuix:
❑ Review indexed data and create automatic classification rules through collaboration with data owners
❑ Determine ‘Plan of Action’
• Document process to launch non-compliance investigations and remediate cause
• Outline process to address requests such as ‘Right to be Forgotten’, ‘Freedom of Information’ requests, etc.
• Define suitable storage infrastructure
• Detail milestones
• Agree on remediation procedures
GDPR: The 7 process flow stages by Nuix - Stage 4
Process-flow diagram stages shown: Data Mapping; Personal Data Patterns; Information Audit; Scope Assessment
Stage 5: Apply remediation
After updating organisational policy and practices, utilise Nuix to carry out remediation and final clean-up prior to implementation.
❑ Perform data remediation, including
❑ Expired content clean-up
❑ Ownership assignment
❑ Sensitive information migration
❑ Data protection and encryption
❑ Access permissions
❑ Socialise policy and process changes
❑ Re-permission consent
❑ Begin periodic audit of new information via delta indexing
GDPR: The 7 process flow stages by Nuix - Stage 5
Process-flow diagram stages shown: Data Mapping; Personal Data Patterns; Information Audit; Scope Assessment; Remediation
Stage 6: React, respond and report
Continually evaluate the environment and respond to regulatory and subject requests, including:
❑ Respond to subject access requests and Right to be Forgotten
❑ Respond to regulatory requests
❑ Report breaches to in-country GDPR regulator
❑ Report breaches and response data to the company’s Data Protection Officer and Board
GDPR: The 7 process flow stages by Nuix - Stage 6
Process-flow diagram stages shown: Data Mapping; Personal Data Patterns; Information Audit; Scope Assessment; Remediation; React, Respond, Report
GDPR: The 7 process flow stages by Nuix - Stage 7
Process-flow diagram stages shown: Data Mapping; Personal Data Patterns; Information Audit; Scope Assessment; Remediation; Monitor and Protect; React, Respond, Report
Stage 7: Install Always-On protection
Deploy Nuix to develop and deploy processes that establish an ‘Always-On’ watching brief:
❑ Report breaches
❑ Determine escalation
❑ Discover possible breach attack vectors
❑ Understand data exfiltration
❑ Undertake action
Process-flow diagram stages shown: Data Mapping; Personal Data Patterns; Information Audit; Scope Assessment; Remediation; Monitor and Protect; React, Respond, Report
GDPR: The 7 process flow stages by Nuix - Review
Nuix technology enables you to simplify and manage privacy data, fostering GDPR compliance.
GDPR: Conclusion
EU GDPR compliance is an opportunity for you to do information governance well
You will need to understand your GDPR requirement to be compliant
You will need a tangible action plan of key workflow steps to achieve a successful GDPR plan
Nuix software supports your GDPR opportunity
EU GDPR: Need to knows
❑ Profiling activities: big data analytics will require explicit consent from the subjects
❑ Data Protection Officers: data controllers and processors must designate a Data Protection Officer
❑ What is a breach? The regulation states a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
❑ Deeper ‘personal’ data pool: will include IP addresses, genetic data, data from cookies and will affect profiling activities
❑ Big fines: penalties start at the greater of €10m or 2% of gross revenue, rising to €20m or 4% of gross revenue
❑ Processing of personal data: consent mechanisms may be required for data collection and processing
❑ Breach notifications: personal data breaches must be notified to the regulatory body by the DPO within 72 hrs
❑ Outside of the EU? Activities directed at EU residents, even if by non-EU entities, are covered
Questions?
Schippers IT: Contact details
Address: Tilburgsebaan 30a, 5126 PH Gilze
Phone number: 0161-454449 - 0649020170
Website: www.schippers-it.nl