The European Union s (EU) General Data Protection Regulation AFFECTS EVERYONE GLOBALLY

Transcription

1 The European Union s (EU) General Data Protection Regulation AFFECTS EVERYONE GLOBALLY

2 Are you prepared for the European Union s latest data protection regulation?... 3 A question of trust: context and background... 6 What protections are currently in place?... 8 What will the rules mean for EU citizens?...10 How will my organization be affected? Table of Contents How can you prepare? Four Steps to Prepare for GDPR Appoint a data protection officer Understand how GDPR affects your organization Inform and train your staff Review your systems and data Metalogix helps make compliance easy Start Preparing for the General Data Protection Regulation Glossary...24

3 Synopsis Are you prepared for the European Union s latest data protection regulation? Many organizations store private data within their company s SharePoint, yet data tends to sprawl across the environment. Discover how organizations with SharePoint environments can safeguard Personally Identifiable Information (PII) on their systems as well as ensure the PII is stored safely and securely in compliance with the European Union s (EU) reforms. When sharing our personal information with stores, corporations, and governments, we trust them with safeguarding our private data. Yet cyber thieves and criminals are targeting our personally identifiable information -- ranging from our home addresses, to government identification numbers, and credit card details now more than ever. Organizations are also increasingly storing sensitive data inside Microsoft SharePoint. When data breaches occur, consumer trust in those organizations erodes, while companies are impacted financially and legally.

4 Login details of customers stolen ebay 145,000,000 early 2014 Ashley Madison 37,000,000 Summer 2015 Hackers stole the login credentials of a single JP Morgan employee. This was the largest intrusion of any American bank in history. JP Morgan Chase 76,000,000 Summer 2014 Customer details published online

5 In the wake of these headlines, and many more unpublicized data breaches, the EU plans to pass the new General Data Protection Regulations (GDPR) by mid This new law is intended to ensure greater protection of EU citizens data and will have a significant impact on how global businesses store the details of these citizens. It will require a significant overhaul in how organizations store, manage, and secure Personably Identifiable Information (PII). It can impose fines on non-compliant firms of up to 20 million Euros or up to 4% of annual revenue whichever is greater. Few businesses are prepared for these new rules, and risk significant fines. This ebook will explain the new regulations in detail, as well as examine the impact they will have on your organization and how you can prepare.

6 A question of trust: context and background The EU regularly carries out Eurobarometer surveys. These EU-wide studies attempt to gauge feelings and opinions of European citizens on a range of subjects. The most recent study on data protection Attitudes on Data Protection and Electronic Identity in the European Union 2 - showed Europeans are concerned about the level of control they have over data they place online. 79 % 70 % The survey also revealed EU citizens have different levels FIGURE 1: Percentage of trust EU citizens have for specific organizations. Source: European Commission 61 % 55 % of trust for different kinds of organizations. 39 % 32 % 22 % Health and Medical National public authorities Banks and financial institutions European Institutions Shops and department stores Phone companies and internet service providers Internet companies

7 The above chart shows that EU citizens demonstrate a lack of trust in the way certain organizations collect and use their data. In particular, search engines, and cloud based enterprise Why are EU citizens concerned about privacy? It shouldn t be forgotten that George Orwell s dystopian classic 1984 about a totalitarian state which constantly monitors its citizens was written by a European. In addition, 20th century Europe was subjected to several totalitarian regimes that used citizens private data to monitor, control, and coerce behaviour. These historical events have contributed to making EU citizens highly suspicious of organizations that collect their personal data. The Edward Snowden revelations about US government surveillance has only added to this. collaboration companies such as Microsoft, Google, Amazon, Facebook, and Dropbox are particularly low. The GDPR is intended to give these citizens greater confidence in how their PII is stored and managed by all these organizations. Trust is the critical pillar for business. If customers feel confident that companies will process their data securely and transparently, they are more likely to buy products and use their services. A data breach can result in irreparable reputation damage, fines, and legal action. 2

8 1. Currently, EU citizens PII is protected by the Data Protection Directive. Because Directives can be interpreted in different ways by different countries, the level of protection varies between EU countries. What protections are currently in place? For instance, Germany and Spain are widely seen as the toughest enforcers of data protection while other countries are relatively relaxed. The Directive was adopted in 1995 and was intended to enforce the right to privacy as decreed by EU law. The GDPR will come into force at a time of significant change in the management of EU citizens privacy. The current protections are disorganized, and have been made irrelevant by various changes and developments in recent years, most notably the following: 2. Since the Directive was introduced 20 years ago, technology and globalization have radically changed the existing state of data protection and collection. Google and Facebook did not exist when this law was introduced, cloud computing was little more than a notion, and Internet adoption was fairly limited around the globe. In two decades, we have seen enormous global change in how PII is stored and exchanged, and increasingly more EU citizens place their personal information in far-off cloud servers.

9 3. In October , the European Court of Justice annulled the EU-US Safe Harbor agreement which had existed since This bilateral arrangement existed so that US companies could process EU citizens data in servers outside of the EU as long as they could demonstrate that they would comply with the Data Protection Directive. However, in the light of the Edward Snowden revelations, the EU judged that Safe Harbor did not protect against US government agencies accessing the PII of EU citizens. These three interrelated developments have catalyzed the EU into securing a data protection policy that will: Establish uniform laws which all EU states must adhere to. Be in alignment with the advances we have seen in technology and globalization over the last few decades. Ensure companies outside of the EU, whom hold the data of EU citizens, comply with the new rules. Failure to do so will result in legal and financial repercussions. 3

10 What will the rules mean for EU citizens? The new policy for the protection of personal data will give EU citizens greater security and confidence that their data will be managed securely. The GDPR aims to: Provide a right to be forgotten whereby an individual can have information, vidoes or photgraphs deleted from internet records and search engine results Require companies to ask consumers for explicit consent when processing their data Ensure easier access to one s own data

11 Organizations will have to announce all data breaches, preferably within 24 hours EU rules will apply to the activities of companies that are not physically present in the EU (i.e. a company based in the US, Hong Kong, Johannesburg, Buenos Aires, etc ) Organizations will become more accountable Non-compliance with this regulation will prove to be costly and damaging to companies. It will affect organizations of all sizes, and in locations across the globe. It is essential to understand how the new laws will apply to your business, and ensure you are in compliance. Fines will be a burden to a business, however the long-term reputational damage could potentially be far greater. With a few steps, you can ensure the security of your customers data, and increase their confidence and trust in your online services.

12 How will my organization be affected? The EU s new data protection regulation will impact each organization differently. If your organization processes the data of European citizens, you will be impacted. As mentioned at the beginning of this ebook, the fine for noncompliance is slated at 20,000,000 Euros or 4% of the company s global turnover, whichever is greater. Given the legal and financial impact of GDPR, it is striking that 50% only of companies are aware of the changes that will be needed as a result of the GDPR, according to a recent TRUSTe survey. A clearer understanding of how the regulation will affect global organizations is needed.

13 My situation How the changes will affect me My organization is based in the EU and collects data on EU citizens. The national laws you ve been following until now will be replaced. Instead of individual national bodies (such as the ICO in the UK or the CNIL in France) with their own interpretation of data protection rules, all countries will now have to conform to a unified set of rules across Europe. My organization processes the data of EU citizens, but is based outside the EU. You will have to reassess how you store data relating to EU citizens. You ll also have to consider your marketing activities. Practices such as profiling where you target ads at consumers based on pages visited and tastes, may become illegal. Now that Safe Harbor is being retired, companies based in the US will have to negotiate EU Model Contracts. EU Model Contracts are an alternative to Safe Harbor, and allow companies to negotiate their own specific contract with the EU when transferring EU citizens data outside the Union (useful for any provider not within the EU-US Safe Harbor).

14 Figure 2: Internet penetration by world region percent The ramifications of the GDPR are potentially enormous. As a global region, Europe is second only to 88 % 72 % 71 % chart demonstrates: North America when it comes to Internet penetration as the following Source: Internet World Stats % 49 % 42 % 38 % 13 % North America Europe Oceana Latin America/ Caribbean Middle East World Average Asia Africa

15 How can you prepare? With millions of active European users every day, companies who engage with EU customers will have to seriously consider how they manage their data. Servers are situated in locations worldwide, and the implications of these new regulations are very significant. If you employ Europeans, if your customers are based within the bloc or if you, in any way, monitor or engage with their activity, you will be affected. You can start preparing today. We have developed a check list of steps to follow in order to prepare, and implement the necessary changes to ensure compliance.

16 Four Steps to Prepare for GDPR 4 1. Appoint a data protection officer The GDPR recommends that every organization has a data protection officer. This person s role is to ensure the company is complying with the regulations. Most importantly, this individual will have to be independent. They will be responsible for reporting their organizations to relevant bodies in cases of non-compliance. The majority of large organizations have an existing data protection officer, yet smaller firms will have to employ someone for the new role, or outsource to consultants. The officer will need to know the organization inside-out and also stay up-to-date with the latest rules and regulations. It is imperative that this individual be employed straight away.

17 2. Understand how GDPR affects your organization The regulation will impact the manner in which you conduct business in different ways, depending on the type of data you collect through various activities. Some organizations hold images of customers, ID numbers, passport data, IP history, and more. Depending on the kind of information you collect, you will have to decide on a strategy for managing it in relation to the new rules. 3. Inform and train your staff The research from TRUSTe mentioned on page 7 indicates that 50% of companies are not even aware of the changes that the GDPR will require. We can safely presume that the figure would be far higher if the survey results excluded responses from IT professionals. However, since most of your employees - from the shop floor to HR to salespeople to marketers - process the PII of customers and clients in some form, the new rules will affect how they work. This isn t simply a matter for IT, your entire business must become more responsible and aware of how it treats the data of EU customers.

18 How to make compliance training engaging 4. Review your systems and data Ensure your policies, procedures, and technology comply with GDPR. Would you be able to answer the following questions? Below are proven tips that help make compliance training engaging for employees: Where are the servers located where you store customer data? Use gamification to engage. When developing a PII training program, gamification is a proven method to engage employees. Make it personal. Use sample personal scenarios where you discuss how an employee would feel if their credit card details were stolen from an online retail shop. Another example would be if their PII was stolen due to a data security breach of their health insurance provider. Make it practical. Focus on how colleagues need to change their behaviour. What is your current policy for informing customers of a data breach? How do you back up and encrypt data? Do you outsource data management to third parties. If yes, are these third parties complying with GDPR? Would you be able to locate and delete all data relating to a customer under the right to be forgotten clause? If you struggle to answer any of these questions, it is essential that you implement a plan to ensure your business is in compliance with GDPR.

19 Metalogix helps make compliance easy Many corporations and organizations store sensitive content and PII in SharePoint. Microsoft s cloud and On-Premises platforms are among the most widely used tools for organizations to collaborate and store mission critical content. However, SharePoint data tends to sprawl as employees create and edit content throughout SharePoint environments over many years. The burden of managing such content, and deciphering relevant from stale information is a growing concern.

20 Metalogix has the only solution currently available that helps companies to comply with GDPR and implement procedures to discover, classify, and secure content containing PII. The Metalogix ControlPoint and Sensitive Content Manager solution is critical for data protection officers, as its ability to discover and secure access to content is the SharePoint s out-of-the-box security features do not provide organizations with the adequate level of security needed to conform to GDPR. If you have a large SharePoint environment, staying on top of PII in your environments and knowing where it s all located is a growing challenge. In many cases, business users unknowingly store sensitive content within SharePoint and fail to take steps at securing that data. foundation of any information security strategy. Once the regulation comes into force, ControlPoint and Sensitive Content Manager can maintain the security of customer data, ensuring organizations comply both now and in the future.

21 How does the Metalogix solution do this? Identify, classify, and secure data SharePoint content is not only challenging to manage, but also increasingly difficult to secure. The traditional approach of solely securing content by managing permissions or user access to sites and site collections is no longer sufficient in an age of cyber thieves. Hackers with stolen credentials can penetrate a company s perimeter and steal sensitive data within the application. As such, new approaches and technologies are needed to protect against data leakage and theft. ControlPoint and Sensitive Content Manager cut out the risk here. The solution detects suspicious user behaviour or file downloads, identifies and classifies sensitive content, and implements actions which will ensure enterprise-wide security and compliance. ControlPoint and Sensitive Content Manager save organizations the effort of manually trawling through vast quantities of data to identify that which is PII. Instead, its patented machine learning technology can detect and classify PII on systems with significantly higher degrees of accuracy than traditional out-of-the-box solutions. Thus reducing the time needed to identify and classify held data, and ensure it is protected according to EU s standards.

22 Demonstrate compliance is easy The GDPR will place a far greater responsibility on organizations to prove they are managing the PII of customers in a responsible and transparent manner. ControlPoint s auditing and governance policy actions help you produce audit reports rapidly with an unparalleled level of granularity. You ll be able to see who has accessed which sensitive content over any period of time, helping you comply with GDPR far more easily. A single console, instantly available ControlPoint provides a central console from which to view all your company s SharePoint farms whether they re in the cloud or On-Premises. Your Data Protection Officer will therefore have an instant overview of how data is stored across your systems. This means complying with GDPR becomes much easier one person will have a single overview of all activity across your systems. Automatically alert, isolate & remove policy violating files When combined with Metalogix s Sensitive Content Manager solution, ControlPoint allows organizations to automate the process of locating files that do not conform to policy. The solution carries out real time monitoring of information uploaded to your SharePoint environment. It can instantly flag content containing PII such as government ID or social security numbers and quarantine the files until they have been approved by designated content reviewers. Thus avoiding the risk of storing PII in unsecure locations. Ensure governance strategies are followed Ideally, employees will be aware of the implications of GDPR and will follow the rules by the book, yet this can t always be guaranteed. ControlPoint and Sensitive Content Manager allow you to implement custom workflows that will force colleagues to comply with policy whenever uploading data with includes PII.

23 Start Preparing for the General Data Protection Regulation The long term benefits of implementing The EU s GDPR will be ratified in 2016, and it is expected that organizations will have to be compliant by It is essential to begin preparing for the changes straight away and reduce the risk of major fines and reputational damage for noncompliance. In the short term, these changes will result in some extra effort. Nonetheless, in the long run they will contribute to a greater sense of security and confidence for your customers. As this ebook has shown, compliance doesn t need to be painful, and simply following a few simple steps now will save you a lot of effort down the line. ControlPoint and Sensitive Content Manager are market leading tools helping organizations using SharePoint to easily manage the Personably Identifiable Information that the new rules affect. To see for yourself how ControlPoint and Sensitive Content Manager can benefit your orginazation, request a free demo.

24 Glossary DATA PROTECTION DIRECTIVE the existing EU data protection legislation which will be superseded by the wider reaching GDPR. DIRECTIVE a legal act of the EU which sets a target for all member states but which allows them to decide how they will reach the target and interpret it semi-flexibly. EUROPEAN UNION (EU) a politico-economic union comprising of 28 member states largely based in Europe (although it includes some extra- European territories such as Reunion in the Indian Ocean). EU MODEL CONTRACTS an alternative to Safe Harbor, it allows companies to negotiate their own specific contract with the EU when transferring EU citizens data outside the Union (useful for any provider not within the EU-US safe harbor). GENERAL DATA PROTECTION REGULATION (GDPR) a single law to unify all data protection across the EU and replace the Data Protection Directive. It will come into effect before the end of 2016, and all affected organizations will have to comply with the law by PERSONABLY IDENTIFIABLE INFORMATION (PII) the EU defines this as: Any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an address, your bank details, your posts on social networking websites, your medical information, or your computer s IP address 1. REGULATION a legal act of the EU. When passed it immediately comes into effect across all member states. SAFE HARBOR REGIME invalid as of October 2015, was a process for US companies to comply with the EU s existing data protection directive. 1

25 About Metalogix Metalogix is the premier provider of unified management software to migrate, manage and secure content across enterprise collaboration platforms in the cloud and on-premises. Over 20,000 clients trust Metalogix to optimize the availability, performance, and security of their content across the collaboration lifecycle. For more information visit us at or call us at Follow us on: US Copyright 2015 Metalogix International GmbH. All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of noncommercial uses permitted by copyright law.