Horizont 2016

Why should you care about the General Data Protection Regulation (GDPR)?
Robert Lejnert
HPE Information Management & Governance, CEE&I
06/10/2016
Copyright 2015 Hewlett Packard Enterprise Development LP
EU General Data Protection Regulation (GDPR)
In a nutshell

Confidential For Training Purposes Only 2


General Data Protection Regulation

Basis
Privacy is a Human Right

Objectives
Protect citizens from abusive data usage by data-controlling and processing organisations
Protect citizens from data breaches
Improved visibility and reduced cost of compliance for organisations
GDPR Explained

What is GDPR?
Foundation for how organizations protect, & derive value from sensitive customer information
Consolidation & enhancement of existing Data Protection legislation
Mandatory by May 2018

Why is GDPR important?
The largest set of corporate legislation since employment law was introduced
Mitigate the risk of:
- lost customer confidence & sales
- security breaches
- fines
- sanctions
- potential lawsuits
Provides greater control & insight into customer needs

Who does it affect?
Any business (including multinationals) that holds data on EU citizens regardless of where they are domiciled
What are organizations doing now?
Today's challenges
Current approaches to addressing GDPR are largely ineffective
GDPR is complex, meaning organizations find it difficult to map technology to its requirements
Most solutions are inflexible & can't automate activities on a large scale

Today's reality
Businesses are largely unprepared for the full impact of GDPR
Few organizations would be considered compliant today

Consequences
Less serious violations: the maximum is €10 million or 2% of annual turnover (whichever is higher)
More serious violations: the maximum is €20 million or 4% of annual turnover (whichever is higher)
Compliance is only one part of the GDPR story
[Figure: GDPR shown alongside Revenue Generation]
How HPE can help with GDPR



Comply with confidence: How HPE can help
HPE can help make GDPR a positive differentiator
Help organizations identify & take action on customer data (including sensitive information) in accordance with GDPR
A broad portfolio allowing organizations to classify information, automatically surfacing only the most-critical & sensitive data
Leveraging insight, organizations can also apply governance policies, detect and respond to data breaches, optimize backup and recovery, & ultimately protect data in use, in transit, and at rest
A unique combination of modular solutions and deep information insight which helps organizations comply with confidence, grow the trust of their customers, and make GDPR a positive differentiator for their business
Proposed GDPR Information Governance Platform
Over-arching architecture for GDPR for long-term implementation
[Figure: architecture diagram. Unstructured data sources (Email, Files, SharePoint, IM, Applications) feed a Connector framework into ControlPoint, which classifies content, applies GDPR compliance rules, manages data in place, disposes of it, and reports on PII; Content Manager serves as the Rules Application Repository for Legal / Audit review; structured data is handled by Structured Data Manager.]
HPE's five stages of file/data analysis
HPE ControlPoint helps you identify, organize, control and manage
[Figure: the stages Identify & index, Analyze, Organize, Declare and Manage & migrate, leading to the outcomes Dispose ROT, Reduce, Archive, Manage-in-place and Migrate to Cloud]
Data mapping
Identify and index to understand your information landscape
Connect and identify repositories
Common data sources include:
File systems
MS SharePoint
MS Exchange
Notes
Hadoop
HPE TRIM, Records Manager & Content Manager

Index
Metadata only index (light index)
- identifies redundant, obsolete and trivial data
- provides insight into data aging and business relevance
Metadata and content index
- yields greater insight into business value and context
- identifies sensitive information (PII, PCI & PHI)
- identifies potential business records
Data mapping
Advanced analytics to provide deeper understanding and context
Summary reports, based on file level metadata and hashes:
- Redundant: statistics on duplicates
- Trivial: file types with no content value
- Obsolete: date & policy based
- Sensitive information through Eduction (PII)
- Items of interest (based on training): records, intellectual property
Visualization, based on advanced content analysis:
- Clustering of common content patterns, groupings and category matches

Content curation
Policy to drive content clean-up, management or migration
Identify redundant, obsolete and trivial (ROT) data:
- Duplicates, unauthorized copies
- Out of date or no longer used
- Junk, executables
Identify items of interest to protect:
- Sensitive information (PII, PCI, PHI)
- Records and critical content
- Intellectual property
Apply policy to drive action: Dispose, Migrate, Manage-in-place
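
The ROT identification and sensitive-data detection described above, as an added Python example that is not HPE ControlPoint code: it hashes file bodies to find duplicates, flags trivial file types and stale files against a policy, and runs a Luhn-checked card-number pattern plus an SSN pattern as a stand-in for Eduction. The sample file records, the trivial-extension list, the five-year obsolescence window and the PII patterns are constructed assumptions.

```python
"""Toy ROT and sensitive-content triage over file-level metadata and hashes.

Added example, not HPE ControlPoint code. The records, the trivial-extension
list, the five-year obsolescence window and the PII patterns are constructed
assumptions standing in for the policy and entity-extraction steps the slide
describes.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TRIVIAL_EXTENSIONS = {".exe", ".dll", ".tmp", ".bak"}   # constructed policy
OBSOLETE_AFTER = timedelta(days=5 * 365)               # constructed policy

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # constructed stand-in pattern
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")         # candidate PANs, confirmed with Luhn


@dataclass(frozen=True)
class FileRecord:
    path: str
    modified: datetime
    content: bytes


def content_hash(data: bytes) -> str:
    """SHA-256 of the body: identical bodies collide regardless of path or name."""
    return hashlib.sha256(data).hexdigest()


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to discard random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> set:
    """Return the kinds of PII/PCI data found in a text body."""
    hits = set()
    if SSN_RE.search(text):
        hits.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            hits.add("card")
    return hits


def find_duplicates(records):
    """Group records by content hash; each group is sorted oldest-first."""
    by_hash = defaultdict(list)
    for r in records:
        by_hash[content_hash(r.content)].append(r)
    return {h: sorted(g, key=lambda r: (r.modified, r.path))
            for h, g in by_hash.items() if len(g) > 1}


def triage(records, now):
    """Bucket each path as sensitive / redundant / trivial / obsolete / keep.

    Sensitive wins over every ROT bucket: a duplicate that holds PII is still
    something to protect, not something to silently dispose of.
    """
    buckets = {k: set() for k in ("sensitive", "redundant", "trivial", "obsolete", "keep")}
    redundant = set()
    for group in find_duplicates(records).values():
        redundant.update(r.path for r in group[1:])   # keep the oldest copy
    for r in records:
        ext = r.path[r.path.rfind("."):].lower() if "." in r.path else ""
        text = r.content.decode("utf-8", errors="ignore")
        if find_pii(text):
            buckets["sensitive"].add(r.path)
        elif r.path in redundant:
            buckets["redundant"].add(r.path)
        elif ext in TRIVIAL_EXTENSIONS:
            buckets["trivial"].add(r.path)
        elif now - r.modified > OBSOLETE_AFTER:
            buckets["obsolete"].add(r.path)
        else:
            buckets["keep"].add(r.path)
    return buckets


# Constructed sample file share; the card number is the public Luhn-valid test PAN.
NOW = datetime(2016, 10, 6)
SAMPLE = [
    FileRecord("share/finance/q3-report.docx", datetime(2016, 9, 1), b"Q3 revenue summary"),
    FileRecord("share/finance/copy of q3-report.docx", datetime(2016, 9, 2), b"Q3 revenue summary"),
    FileRecord("share/it/installer.exe", datetime(2016, 1, 1), b"MZ\x90\x00"),
    FileRecord("share/archive/budget-2009.xls", datetime(2009, 3, 3), b"old budget"),
    FileRecord("share/hr/onboarding.txt", datetime(2016, 5, 5),
               b"SSN 934-72-2356 card 4111 1111 1111 1111"),
]

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE, NOW).items():
        print(f"{bucket:10s} {sorted(paths)}")
```

Sensitive content takes precedence over every ROT bucket, so a duplicate that carries PII is reported for protection rather than queued for disposal, and the oldest copy of a duplicate set is the one kept.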
Automated records declaration
Ensure business critical content is managed appropriately
[Figure: shared drives, SharePoint, email and ECM systems feed HPE ControlPoint, which selects records based on declaration policies linked to IDOL categories (Policy, Auto-declaration categories); HPE Content Manager allocates the filing location based on classifications linked to IDOL categories (Filing, Auto-classification categories), with archives and automatic folder creation rules.]
Manage information across the lifecycle
With HPE Content Manager

Capture: All data, unstructured, structured, electronic & physical; Email integration, OCR; Desktop, SharePoint & LOB integration; Manage-In-Place; High volume ingestion
Manage: Auto-classification; ISO 15489, RM & DM; Check-in/out, Versioning, Renditions; DoD 5015.2 security, BCS or Matter Centric; Extensive security; Workflow, Approvals; Reporting
Share: Security & access controls; Contextual search; Mobile access; SharePoint exposure; Secure links; Web publishing
Retain: Detailed metadata; Retention & disposal; Complete audit trail; VERS, Archiving; Single instancing; Tiered storage; Retention policies & triggers
The information lifecycle
[Figure: lifecycle diagram. Create/Capture from internal and external sources (metadata: automatic/manual, system generated, user entered data, ISO 23081-1); Classify and Access (automatic/manual, vocabulary controls, security, audit); Use and share (search, publish, distribute, analyse, re-use, audit); Manage and govern; Retain and preserve (policy automatic/manual, linked to classification, retention/disposal, archive, discover, migrate, audit); Dispose/Delete.]
The Automated Retention Management solution
Iron Mountain Policy Center: retention policy management system for records retention and defensible destruction
HPE Content Manager: governance-based enterprise content management across the lifecycle of information

Key Value: Automated End to End Lifecycle Management According to Law

HPE Content Manager users manage many content types and can access it anywhere
[Figure: HPE Content Manager at the centre, with interfaces from scanning software, Microsoft Office, mobile devices, MS O365 & SharePoint, Desktop, Email, SAP, custom interfaces, Finance & HR, Property & rating, and Web.]
HPE Structured Data Manager
Enterprise Management for Structured Data

Performance Optimization: Reduce data footprint & storage costs; Maintain application performance; Improve backup & recovery
Application Retirement: Decommission redundant applications; Preserve access to retired data
Test Data Extraction: Extract subsets of data for use in application development; Mask sensitive data
Search & eDiscovery: Index application data for free text search across silos; Identify and extract relevant sets of data for legal
HPE Structured Data Manager: how it works
[Figure: active data in the Production Database stays searchable while inactive data, together with inactive data from a Legacy Database, is ingested by SDM into HPE Cloud Storage (ingest/search), HPE Consolidated Archive & HPE Records Manager (ingest/search) and HPE Big Data Vertica Analytics (ingest).]

"Structured Data Manager takes a unique approach to storing, managing and extracting value from structured data that is based on a robust selection of pre-built integrations to cloud storage, comprehensive information management systems and high performance analytics platform. We believe that the HPE solution provides excellent flexibility and quick return-on-investments for enterprises of all sizes."
Sara Radicati, The Radicati Group
Implementation use case
[Figure: retention policy and authorization govern proxy records over the managed data; data ingestion from App1, App2, App3, App4 ... App n via JDBC, Script and API, with a delete, overwrite or replace action applied per application source.]
HPE Information Management & Governance
Comply with confidence



HPE's Information Management & Governance portfolio
Optimized to help protect organizations from risk and empower data-driven organizations

Server Data Protection (Enterprise): Data Protector, Backup Navigator, Storage Optimizer
Server Data Protection (SMB): VM Explorer
Secure Content Management: Content Manager, ControlPoint, Structured Data Manager
Information Archiving: Digital Safe, Verity Archiving
Endpoint Information Mgmt.: Connected MX
Risk Management / eDiscovery: Investigative Analytics, eDiscovery / Legal Hold
Product mapping: solutions vs GDPR use cases

Use case: Personal Data Assessment
Pain points: What and where is the information that will fall under these regulations?
HPE solutions: HPE ControlPoint, HPE Structured Data Manager

Use case: Defensible Disposition
Pain points: How do I identify information for disposition, in accordance with the right to be forgotten?
HPE solutions: HPE ControlPoint, HPE Structured Data Manager

Use case: Secure Content Management
Pain points: How do I best apply and enforce policies to manage information through its lifecycle?
HPE solutions: HPE ControlPoint, HPE Structured Data Manager, HPE Content Manager, HPE Policy Center, HPE Verity suite (archiving module)

Use case: Litigation Readiness and Response
Pain points: How can I quickly and cost-effectively respond to legal matters requiring information under my management?
HPE solutions: HPE Verity suite (archiving, ECA and eDiscovery modules), HPE eDiscovery, HPE Legal Hold

Use case: Adaptive Backup and Recovery
Pain points: How do I best ensure sensitive data is protected, stored and backed up securely?
HPE solutions: HPE Data Protector, HPE Storage Optimizer, Backup Navigator, HPE Connected Backup/CMX
Data Security
data privacy by design and default



Encryption and the GDPR

Traditional data security
Everything encrypted at the end point

Data Centric Security for end-to-end protection
Simplified Compliance
More Secure Analytics
Easier Move to the Cloud
Safer Back-End Storage
Field level, format-preserving, reversible data de-identification
Customizable to granular requirements addressed by encryption & tokenization (SST, FPE)

De-identification examples (SST / FPE):
Mode       Credit card            SSN/ID         Email           DOB
Original   1234 5678 8765 4321    934-72-2356    cez@post.pl     11-07-1971
Full       8736 5533 4678 9453    347-98-8309    hryc@sern.ji    20-05-1972
Partial    1234 5681 5310 4321    634-34-2356    hryc@sern.pl    20-05-1972
Obvious    1234 56AZ UYTZ 4321    AZS-UD-2356    hryc@sern.ji    20-05-1972
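
The full, partial and obvious modes from the table above, as an added Python example that is not HPE SecureData code. It keeps the field's format (length and separators) and is reversible through a token vault, with replacement characters drawn from a deterministic HMAC stream so equal inputs give equal tokens. The digits kept per mode, the demo key and the per-call override that keeps only the last four SSN digits are assumptions; a production system would use NIST-standardised format-preserving encryption (FF1) or a tokenization service with an HSM-held key rather than this PRF-plus-vault construction.

```python
"""Toy field-level, format-preserving, reversible de-identification.

Added example, not HPE SecureData code. It shows the three modes from the
slide's table (full, partial, obvious) using vault-based tokenization driven
by a keyed PRF. The digit positions kept per mode and the demo key are
constructed assumptions; FF1 format-preserving encryption or a tokenization
service would replace the PRF-plus-vault in production.
"""
import hashlib
import hmac
import string

DIGITS = string.digits
LETTERS = string.ascii_uppercase

# mode -> (leading digits kept, trailing digits kept, replacement alphabet).
# "obvious" keeps the first six and last four like the PAN on the slide and
# uses letters so a reader can see the value is a token, not a real number.
MODES = {
    "full": (0, 0, DIGITS),
    "partial": (4, 4, DIGITS),
    "obvious": (6, 4, LETTERS),
}


class Tokenizer:
    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}   # (mode, token) -> original; makes the mapping reversible

    def _prf_bytes(self, mode: str, value: str, n: int) -> list:
        """Deterministic keyed stream: equal inputs yield equal tokens (joinable in analytics)."""
        out = []
        counter = 0
        while len(out) < n:
            msg = f"{mode}:{counter}:{value}".encode()
            out.extend(hmac.new(self._key, msg, hashlib.sha256).digest())
            counter += 1
        return out[:n]

    def tokenize(self, value: str, mode: str = "full", keep=None) -> str:
        """Replace digits only; separators stay, so length and layout are preserved.

        `keep` is an optional (prefix, suffix) override, e.g. (0, 4) for an SSN
        where only the last four digits should survive.
        """
        keep_prefix, keep_suffix, alphabet = MODES[mode]
        if keep is not None:
            keep_prefix, keep_suffix = keep
        digit_pos = [i for i, ch in enumerate(value) if ch.isdigit()]
        targets = digit_pos[keep_prefix:len(digit_pos) - keep_suffix]
        if not targets:
            raise ValueError("nothing left to replace; reduce the kept prefix/suffix")
        chars = list(value)
        for b, i in zip(self._prf_bytes(mode, value, len(targets)), targets):
            chars[i] = alphabet[b % len(alphabet)]   # small modulo bias, acceptable for a demo
        token = "".join(chars)
        self._vault[(mode, token)] = value
        return token

    def detokenize(self, token: str, mode: str = "full") -> str:
        """Reverse lookup; raises KeyError for tokens this instance never issued."""
        return self._vault[(mode, token)]


if __name__ == "__main__":
    t = Tokenizer(b"constructed-demo-key")   # a real deployment keeps the key in an HSM/KMS
    for mode in MODES:
        print(mode, t.tokenize("1234 5678 8765 4321", mode),
              t.tokenize("934-72-2356", mode, keep=(0, 4)))
```

The vault, not the PRF, is what makes the mapping reversible; anyone holding the key can reproduce tokens but only the vault holder can recover originals, which is why the vault (or the FPE key in a real deployment) is the asset to protect and audit.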
Mapping the Flow of Sensitive Data
[Figure: the card number 4040 1234 1234 9999 and the name Elen Smith travel in clear text through every hop: Web Form, New Account Application, Fraud Detection, Mainframe Database, CC Processing, Customer Service Application and Hadoop Analytics.]

The Same Environment With HPE SecureData
[Figure: the same flow with HPE SecureData (and HPE PIE at the Web Form). The clear values 4040 1234 1234 9999 / Elen Smith appear only at the point of capture and at the steps that require the real values; the remaining hops (New Account Application, Fraud Detection, Mainframe Database, Customer Service Application, Hadoop Analytics) carry the format-preserving substitutes 4040 6763 0123 9999 / Kelt Dqitp.]
HPE ArcSight

SIEM and advanced analytics platform that dramatically cuts


down the time to detect and respond to threats.



229 days: average time bad guys are inside a network before detection
84% of breaches occur at the application layer
56% of organizations have been the target of a cyber attack
45 days: average time to resolve a cyber attack
67% of breaches reported by a 3rd party
60% of organizations spend more time and money on reactive measures
10%: percentage of malware alerts deemed to be reliable
Source: HP internal data, Forrester Research, Ponemon Institute, Gartner
Intelligent Security Operations
Proactively detecting and managing breaches
[Figure: funnel diagram. Servers, firewalls, network devices and endpoints produce logs & events, which are narrowed to alerts, investigation, hunting and IOCs*; the number of logs & events increases exponentially, the alerts identified increase, and speed to detection and investigation speed up.]

Key Points
Security Operations Center users face an increasing amount of information to process
Effectiveness depends on narrowing the funnel, and accelerating the throughput
Lower false positives and less noise allows analysts to focus on the critical events and IOCs

*IOC: Indicator of Compromise


What does HPE Security ArcSight do?

ArcSight monitors, analyzes and detects threats and risks across organizations and enterprises

1: Collect machine data from almost any source
2: Normalize data from various vendors into an industry accepted common event format
3: Enrich collected data with taxonomy, network and asset specific details
4: Store years' worth of data through a high compression ratio of up to 10:1
5: Search with a simple and easy to use user interface
6: Detect anomalies and cyber threats with use cases
7: Analyze: identify and trace the patterns of threats or breaches or even suspicious behaviors
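
Steps 2, 3 and 6 above (normalize, enrich, detect), as an added Python example that is not ArcSight code: two vendor-specific log formats are mapped onto one event schema, enriched with an asset table and a network zone, and run through one detection use case over sample lines. The log lines, the asset inventory, the 10.0.0.0/8 "internal" definition and the threshold of three failures are all constructed, and the field names are my own rather than CEF.

```python
"""Toy SIEM pipeline: collect -> normalize -> enrich -> detect over sample logs.

Added example, not ArcSight code. The two log formats, the asset table, the
"internal" network and the brute-force threshold are constructed assumptions;
the common-event field names are mine, not ArcSight CEF.
"""
import ipaddress
import re
from collections import Counter

# Constructed raw events from two different "vendors" (not real logs).
RAW_EVENTS = [
    "2016-10-06T09:14:58Z fw01 action=deny src=203.0.113.9 dst=10.0.0.5 dport=22",
    "Oct  6 09:15:03 auth01 sshd[1142]: Failed password for admin from 203.0.113.9 port 51244 ssh2",
    "Oct  6 09:15:05 auth01 sshd[1142]: Failed password for admin from 203.0.113.9 port 51245 ssh2",
    "Oct  6 09:15:09 auth01 sshd[1143]: Failed password for invalid user test from 203.0.113.9 port 51246 ssh2",
    "Oct  6 09:20:11 auth01 sshd[1190]: Failed password for root from 10.0.0.20 port 40122 ssh2",
    "2016-10-06T09:21:00Z app01 GET /healthz 200",   # no parser for this format: counted as unparsed
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
SSH_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

# Constructed asset inventory used for enrichment.
ASSETS = {
    "auth01": {"ip": "10.0.0.5", "zone": "dmz", "criticality": "high"},
    "fw01": {"ip": "10.0.0.1", "zone": "perimeter", "criticality": "high"},
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed zone definition
BRUTE_FORCE_THRESHOLD = 3                        # constructed use-case threshold


def normalize(line):
    """Map a vendor-specific line onto one common event schema, or None if unknown."""
    m = FW_RE.match(line)
    if m:
        return {"vendor": "firewall", "host": m["host"],
                "action": "deny" if m["action"] == "deny" else "allow",
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"]), "user": None}
    m = SSH_RE.match(line)
    if m:
        return {"vendor": "sshd", "host": m["host"], "action": "auth_failure",
                "src_ip": m["src"], "dst_ip": ASSETS.get(m["host"], {}).get("ip"),
                "dst_port": 22, "user": m["user"]}
    return None


def enrich(event):
    """Add the network zone of the source and asset details of the target host."""
    src = ipaddress.ip_address(event["src_ip"])
    event["src_zone"] = "internal" if src in INTERNAL else "external"
    asset = ASSETS.get(event["host"], {})
    event["asset_zone"] = asset.get("zone", "unknown")
    event["asset_criticality"] = asset.get("criticality", "unknown")
    return event


def detect_external_brute_force(events):
    """Use case: threshold+ failed logins from one external source at a high-criticality host."""
    counts = Counter((e["src_ip"], e["host"]) for e in events
                     if e["action"] == "auth_failure" and e["src_zone"] == "external"
                     and e["asset_criticality"] == "high")
    return [{"use_case": "external_brute_force", "src_ip": src, "host": host, "count": n}
            for (src, host), n in sorted(counts.items()) if n >= BRUTE_FORCE_THRESHOLD]


def run(lines):
    """Return (normalized+enriched events, alerts, number of lines no parser understood)."""
    events, unparsed = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1          # keep a count: silent drops hide blind spots in coverage
            continue
        events.append(enrich(ev))
    return events, detect_external_brute_force(events), unparsed


if __name__ == "__main__":
    events, alerts, unparsed = run(RAW_EVENTS)
    print(f"{len(events)} events normalized, {unparsed} unparsed")
    for a in alerts:
        print(a)
```

The enrichment step is what lets the use case be written once against zones and criticality rather than against individual IP addresses, and the unparsed counter makes parser coverage gaps visible instead of silently shrinking the funnel.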
Product mapping: solutions vs GDPR use cases (ESP)

Use case: Encryption & Pseudonymisation
Pain points: How can I grow my business while ensuring sensitive data is protected? How can I protect my brand and business reputation by neutralizing damaging data breaches? How do I manage the volumes of sensitive data-at-rest?
HPE solutions: ESKM (Enterprise), SecureData, SecureMail

Use case: Breach Response & Reporting
Pain points: How do I know if I have already been breached? How to quickly know that a breach has taken place and enable the security team to take steps to contain it, recover and find the root cause.
HPE solutions: ArcSight, UBA & DMA, SecureData, SecureMail, ESKM

Use case: Breach Prevention & Neutralization
Pain points: How can I neutralize the impact of a data breach? How is it possible to protect my data and neutralize the impact of data breach, including the need for breach notification?
HPE solutions: ArcSight, Fortify on Demand, Fortify Application Defender (FoD), SecureData, SecureMail, ESKM
Why choose HPE for GDPR compliance
HPE win points
Only tech firm backed by PwC as a leading provider for GDPR compliance
Our Security & IM&G software & expertise uniquely position HPE to prepare organizations for GDPR
Adaptive Backup & Recovery delivers greater information insight, simplicity, risk mitigation and cost savings
Market-leading products across the GDPR value chain
HPE delivers the market's broadest portfolio of modular governance solutions
HPE has market-leading archiving, eDiscovery and Structured Data Management technologies
Matching the simplicity, integration and insight into information
Thank you
robert.lejnert@hpe.com
