GDPR Solution Cheat Sheet - PartnerNet | Veritas (2017-03-22)

© 2017 Veritas Technologies LLC. Confidential Partner Use Only - Version 1.0 All rights reserved. Veritas and the Veritas Logo are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates

Sales Cheat Sheet – GDPR Solution

Cheat Sheet For Channel & Partners

Quick Reference

Basic Information

The General Data Protection Regulation (GDPR) is a European Union regulation that comes into force in 2018 and will replace existing data protection laws throughout all 28 member states with a single common law that can be used in all EU countries. GDPR updates and enhances existing data protection law with a greater emphasis on transparency, accountability and individuals’ rights. Data protection authorities will have greater powers to sanction organizations who breach the GDPR (fines can be up to €20M or 4% of turnover) so the regulations need to be taken seriously. Any organization that processes or stores personal data for individuals in the EU will need to demonstrate that they take data protection seriously and can show full accountability for the data they keep.

Solution Value Proposition

GDPR is a complex set of requirements which can’t be addressed solely with technology; organizations will need to adopt the right business processes in conjunction with appropriate technology solutions. The Veritas approach with GDPR is to provide customers with the building blocks they need to solve the different problems that will arise as they develop their plan to deal with the regulations. Veritas can help customers with their GDPR requirements for unstructured data in several clear and beneficial ways which, when combined, will give the customer an overall solution for dealing with the GDPR challenge. If ever there was a reason to make organizations think about the ever-increasing amounts of data they store, GDPR is it. By holding onto data, organizations increase the risk of retaining too much personal data and, with that, the potential sanctions they could face from the regulator when things go wrong.

Ultimately, this solution is intended to help customers implement an information governance strategy that will allow them to know what they store, find personal data easily, control how it is stored, ensure it is protected and finally make sure their personal data is always managed according to GDPR standards.

Solution Summary Description

The Veritas GDPR Solution gives customers the tools that they need to effectively manage their unstructured information so that they can comply with the different aspects of GDPR. These requirements can be broken down into specific tasks or jobs that an organization will need to consider as it works towards the adoption of GDPR standards. The definition of these jobs helps Veritas to position the products that a customer needs depending upon their requirements. They should be able to relate to the following high level descriptions which will lead to deeper discussions about the GDPR problems they have and which ones they need us to help them solve.

High Level GDPR Jobs

Locate - Uncover personal data, make it visible and understand the risks
Search - Make personal data searchable – help to deal with data subject rights
Minimize - Store personal data in a GDPR compliant manner with retention controls
Protect - Protect personal data from breach, loss or damage to mitigate risks
Monitor - Ensure personal data is always managed to GDPR standards – ongoing risk assessments

Product Summary Description

The solution summary explained the high-level GDPR jobs that Veritas can solve; these can be further broken down to show which products can help in which area. The actual regulation consists of a number of specific articles (99 in total) which are referenced in more detail in the appendix. However, by reducing them down to just five key areas the conversation becomes easier, and individuals who are familiar with the full text of GDPR will be able to relate to the five areas we talk about. Being able to explain how Veritas can solve specific parts of the regulation is fundamental to gaining their confidence in selecting the products they need to satisfy their overall GDPR requirements.

See Appendix for more details about the GDPR Article numbers.


Key Features and Customer Benefits

The Veritas GDPR solution will allow customers to locate unstructured data sources, identify if they contain personal data, make the sources searchable, introduce storage & retention controls, protect data from loss or damage and finally help to make sure personal data sources remain secure with the appropriate controls in place to comply with GDPR. The high-level jobs explained in the Solution Summary Description can be further expanded into specific requirements that our products can solve, as explained below. (Refer to product specific data sheets for full product descriptions.)

LOCATE - Uncover personal data, make it visible and understand the risks

Gaining visibility of what personal data you are currently holding is a critical first step in pursuit of complying with the GDPR regulation. Being able to build up a data map of where this information is being stored, who has access to it and how long it is being retained forms a necessary understanding of how the business is processing and managing personal data.

Data Insight
o Discover unstructured data and navigate using metadata, age, permissions and usage. Can also help establish ownership based on usage patterns. Extensive reporting capability to help organizations categorize data by age, type and owner. Additional context (tags) can be added using a metadata framework to include organizational details such as department or business data owner. Can also consume third party content classification detail to add even more context. Will help with the data mapping exercise to understand the scale of data in terms of age & volume as part of a data clean up exercise and to find sensitive files such as PSTs or database dumps that could contain personal data.

Enterprise Vault.Cloud
o Is traditionally called an archive cloud service but could also be considered a GDPR compliant data store which meets many requirements of the regulation. It provides a good destination for email through an SMTP journal process to support on premise Exchange or Office365. Once data is stored within EV it provides a solution for many of the other GDPR requirements such as Search, Control, Protect & Monitor.

Information Map
o A highly visual user interface which quickly allows users to view information about unstructured data using metadata collected as part of the NBU backup process. The intuitive UI can then filter data based upon many different criteria such as location, server, file type, age and size. It also provides the ability to export high level detail or graphics for further reporting purposes, with the option to export full file & path detail for analysis with other tools. Will help with the data mapping exercise to understand the scale of data in terms of age & volume as part of a data clean up exercise and to find sensitive files such as PSTs or database dumps that could contain personal data.

Enterprise Vault
o Is traditionally called an archive product (on-premise) but could also be considered a GDPR compliant data store which meets many requirements of the regulation. It provides a good destination to consolidate many sources of data such as email journals, mailboxes, files and numerous other sources through partner connectors. Once data is stored within EV it provides a solution for many of the other GDPR requirements such as Search, Control, Protect & Monitor.

SEARCH - Make personal data searchable – help to deal with data subject rights

Any citizen of the EU can now submit a Subject Access Request (SAR) to any organization, globally, requesting visibility of all the personal data being held on them. They can also request that data be corrected (if factually incorrect), ported (to a suitable export format) or deleted. Ensuring that your organization can undertake and service these requests in a timely manner is critical.

Enterprise Vault
o Once data is stored within EV, it is automatically indexed and can optionally be classified (to help identify types of personal data). It can then be very easily searched either by the built-in user search tools or the more advanced Discovery Accelerator or the eDiscovery Platform. This provides an easy solution to search for personal data but it does first have to be ingested into Enterprise Vault.

Enterprise Vault.Cloud
o Once data is stored within EV.Cloud, it is automatically indexed so can then be very easily searched either by the built-in user search tools for Personal Archive, the more advanced admin Discovery tool or the eDiscovery Platform. This provides an easy solution to search for personal data once it’s been ingested into Enterprise Vault.Cloud.

eDiscovery Platform
o This is already a proven trusted solution used by many customers for legal, regulatory, and investigative matters which lends itself well to GDPR. The Veritas eDiscovery Platform was purpose-built for eDiscovery, making it easy for organizations to defensibly solve challenges across the entire eDiscovery lifecycle from legal hold and collections through to analysis, review, and production. As well as being able to search EV repositories, it is also able to directly search across popular email platforms, file systems and other sources to provide a complex review platform with a deep level of index and analytics as part of an audited review workflow. The workflow process allows personal data to be identified, tagged, redacted if needed and then exported in several commonly accepted formats for release to the data subject. This makes it ideal to be used for Subject Access Requests to satisfy the data subject rights in GDPR.


MINIMIZE - Store personal data in a GDPR compliant manner with retention controls

Minimize the amount of Personal Data being stored and ensure that it is being kept (and then deleted) for a period of time which is directly related to the purpose for which it is being kept. The correct application of suitable retention policies and automating the eventual deletion of this data therefore forms a cornerstone of your GDPR compliance story.

Data Insight
o As well as providing better visibility into an organization's unstructured data, an additional benefit is being able to proactively manage data through the use of custom scripts. This allows Data Insight to drive actions such as copy, move and delete, as well as integration with Enterprise Vault FSA to control how and when files are archived.

Enterprise Vault
o In terms of various GDPR requirements, EV can provide several storage features to help with data minimisation of Personal Data. Through classification it can automatically tag files or emails that contain personal data, which can control the retention process at an item level. Once tagged, it makes it easy to find personal data using the search tools. For existing customers, once upgraded to EV12 they can choose to classify historical data, which can help establish the level of risk or allow them to expire data as needed.

Enterprise Vault.Cloud
o Whilst classification isn’t currently available for EV.Cloud, it does provide retention options as email is archived, which provides a default level of retention. Users can also extend the retention period of items by using custom tags.

InfoScale Access
o This is a software-defined NAS solution that provides a cost-effective answer to the challenge and complexity of deploying expensive NAS hardware to deal with ever growing volumes of unstructured data. Veritas Access provides resiliency, multi-protocol access, compression and de-duplication as well as storage tiering with the option of data movement to and from the public cloud. Customers can reduce storage costs by using low-cost disks and by storing infrequently accessed data in the cloud. All of this provides a single solution to help deal with the many data protection challenges of GDPR.


PROTECT - Protect personal data from breach, loss or damage to mitigate risks

Personal Data must now, by law, be protected from damage, loss or breach. This means that it is more important than ever to review your data protection and security processes and procedures to ensure that you meet these stringent recovery, availability and breach prevention (and notification) requirements.

Data Insight
o As well as helping with personal data visibility and control, Data Insight also has features to help with security processes that help mitigate risks such as data breaches from insider or external sources. It can provide insights into malicious and anomalous activity based on access patterns to help indicate or even alert when a data loss/breach situation occurs.

Enterprise Vault
o This provides a GDPR compliant storage repository and when consolidating sources of personal data into Enterprise Vault there are also protection benefits. Once personal data is stored in EV, access can be controlled to prevent deletion or unauthorized access. EV also supports many storage devices that can add further controls such as data encryption or resiliency options such as data replication.

Enterprise Vault.Cloud
o Personal data that is stored in EV.Cloud automatically has the benefits that a cloud service provides to guarantee data is protected, kept highly resilient and secure.

Backup Exec
o Aimed at SME sized organizations, BE is designed to protect the entire infrastructure regardless of platform: virtual, physical, or cloud. Deeply integrated with VMware, Microsoft and Linux platforms, BE can protect one to thousands of servers and virtual machines all from the same user console, providing optimal performance and efficiency. It supports virtually every popular Windows-based server, storage, hypervisor, database application and cloud platform used in Small/Medium organizations today. It offers a variety of protection and recovery mechanisms to ensure Personal Data can be quickly and easily recovered in the event of a disaster.

NetBackup
o As an Enterprise grade data protection platform, NBU plays an important part to ensure that all sources of personal data are protected. Combined integration with Information Map for visibility and E for copy data management increases the overall value to this protection platform. NBU supports virtually every popular server, storage, hypervisor, database application and cloud platform used in the enterprise today and offers a variety of protection and recovery mechanisms to ensure Personal Data can be quickly and easily recovered in the event of a disaster.


InfoScale
o InfoScale Storage and Availability provides high availability, disaster recovery and enterprise grade storage management tools for all leading operating systems and applications across physical and virtual environments. It can ensure the uptime and resiliency of any system processing or storing Personal Data.

MONITOR - Ensure personal data is always managed to GDPR standards/ongoing risk assessment

Putting processes and technologies in place to ensure that the company is continually applying best practice information governance principles to the use and storage of Personal Data will be critical, and organizations will have to show that they are doing this. The adoption of GDPR standards is not a one-off project; they need to become a default part of how any organization operates, so being able to demonstrate that this is indeed the case is just as important. The privacy by default and by design aspect of GDPR is something the regulators will expect, and if organizations can’t demonstrate they are accountable for how they process personal data then it will inevitably impact any sanctions that are imposed.

Data Insight
o There are so many aspects of GDPR that Data Insight helps with that it could be considered a foundational product as part of an overall GDPR solution. It fulfills the MONITOR requirement through a combination of the features already described and will help organizations to not only implement GDPR standards but ensure that they are maintained. This will help with the need to demonstrate GDPR compliance, whether because of a GDPR impact assessment or through more scrutiny with internal or external audits. Beyond the assistance it lends to the LOCATE, CONTROL and PROTECT tasks, Data Insight can also be used to find open or badly permissioned shares and help remediate access control lists to ensure sources of personal data are secured.

eDiscovery Platform
o With an ongoing need to respond to Subject Access Requests (SARs) from data subjects, eDP will also form a core part of the tool set to comply with GDPR. The right to be forgotten (RTBF) is also a requirement that eDP will help with, not just in its ability to find specific personal data but also as a follow up process to ensure data has been deleted once a RTBF request has been processed. Therefore, eDP will be an essential part of the Veritas GDPR solution to ensure an organisation can demonstrate GDPR compliance.

Enterprise Vault
o With EV offering GDPR compliant storage options, it becomes easier to manage the data it stores according to the demands of GDPR. Personal Data can be classified on ingest and retention set as needed; data can be re-classified as needed and retention times either increased or decreased. In the case of email, the journal can also be searched when needed in order to gauge the level of personal data that’s being exchanged, either between specific or multiple addresses.

Enterprise Vault.Cloud
o This can leverage the email journal in the same manner as EV; users can extend retention via their personal archive but can’t reduce it. EV.Cloud doesn’t currently have an automatic classification capability so EV on premise is a better solution for customers who want this facility.

Supporting Facts and Stats

IDC estimates that the game-changing GDPR creates a total market opportunity of $3.5 billion for security and storage software vendors. They also stated that GDPR is a game changer for organizations because of the scale of potential fines (4% of revenue or €20M).

Gartner estimates that by the end of 2018, over 50% of companies will not be in full compliance with GDPR. They also advise organizations to prepare for GDPR accountability and transparency requirements since they believe few organizations have identified all processes where personal data is involved. They highlight the issue of effectively managing the backup process to avoid over retention of personal data and recommend the adoption of file analysis and archive products to help identify storage locations and respond to data subject requests.

PWC research at the end of 2016 established that 54% of the CxOs they spoke to said the GDPR is their highest priority item for data-privacy & security and 38% said that GDPR is one of their top priorities. Data discovery is one of the most important tasks for 71% of organizations that have started to plan for GDPR. Most organizations also plan to spend more than $1M on GDPR preparation (77% of respondents).

Target Customers

All customers / especially 1000+ / customers who are likely to hold lots of personal data

Commercial & Public Organizations
o GDPR applies to any organization that processes personal data

Organizations > 1000 employees
o Large organizations more likely to have a greater risk profile & appetite to invest in GDPR solutions
o But fines will apply based on company turnover so smaller but high value organizations are at risk

EV Customers
o Upsell Data Insight & File System Archiving

NBU Customers
o Upsell Data Insight

Target Personas

Users / Influencers
o Backup / Storage / DB Admin
o Info Security
o Data Analyst

Board Influencers
o Legal
o HR
o CIO / CISO / CFO

Decision Makers
o Compliance / Risk Officer
o Information Gov Manager / CDO
o Data Protection Officer
o IT Director
o External Partners

Key Influencers’ Challenges

IT Personas
o Admins
o Storage Manager
o IT Manager
o CIO

• Aligning IT business strategy around GDPR at minimal costs.
• Improving IT business processes to ensure GDPR compliance.
• Ensure IT can meet the timelines for GDPR requests.
• Implementing cost effective storage/backup platform
• Optimizing data availability and integrity
• Identifying sources of personal data
• Deleting obsolete or aged data
• Securing & controlling access to data sources
• Managing retention of personal data
• Prevention of & reaction to data breach incidents
• Reacting to requests from data subjects’ rights
• Demonstrate operational processes ensure accountability of PII

Legal/Compliance/Risk
o Legal Counsel
o Data Protection Officer
o Compliance Manager
o Risk Manager

• Need to be prepared for GDPR before May 25th 2018
• Preparing & training organisation for GDPR readiness
• Building out data maps to show where personal data is used
• Ensuring Data minimisation requirements are met
• Able to respond to data subject requests (SARs/RTBF)
• Minimizing risk to organisation


Qualifying an Opportunity

The following questions are good starting points to get the conversation going; any combination of these will lead to a discussion about the challenge of how an organization will react to the requirements of GDPR. Remember this is specific to areas of unstructured data.

1. Does your organisation have a GDPR project plan in place?

2. If there is a plan in place who owns the project?

3. Has the project been funded – who’s the budget holder?

4. Who is actively working on GDPR - what teams/individuals have you spoken to about GDPR?

5. Have you or are you planning to engage a business or legal consultancy to run a GDPR project?

6. What is your understanding of GDPR and how will it impact your organisation or job?

7. Do you have a clear understanding of where all sources of personal data are located?

8. What do you think is your organisation's biggest challenge with GDPR?

9. Does your organisation have a designated data protection officer?

10. Does your organisation maintain data maps for all or any of your key services/applications?

11. How do you plan to be able to identify potential sources of personal data?

12. How confident are you that sources of personal data are secured and access is monitored?

13. How will you deal with the GDPR data minimisation requirements (retention)?


14. Do you currently have retention policies for unstructured data – are you able to enforce them?

15. How are you currently responding to SARs - how frequently & who owns the process?

16. What does your right to be forgotten process look like - or what would be your ideal process?

17. Breach notifications - do you have a process to respond to these or who do you think would be responsible?

18. Have you identified which technology/capabilities can help you deal with GDPR?

19. What other vendors are you evaluating or using?

20. Do you have specific evaluation criteria for your GDPR challenges?

Service Opportunity

Services will be offered to help our customers respond to GDPR and implement the Veritas components they need.

From February 2017

GDPR Workshop

o $$: Fee Waived

o Background to GDPR and first step introduction for GDPR Information Governance compliance solution

Solution Deployment

o $$ Cost/Scope Defined

o Deployment and operational efficiency services for DI, EV, eDP, VIC

From April 2017

GDPR Assessment

o $25-35K (Fixed price, scope defined)

o Built on existing assessment experience with VIC 2.0 Beta and DI.

o Discover risks to data privacy, likely locations of personal data, usage risks and control and compliance issues


From August 2017

GDPR Classification Service

o $ Scope Defined

o DI, EV, VIC 2.0 GA

o Direct and Partner proposed consulting service for aligning customers’ data policy to manage Personal Data

Objection Handling

There are certainly going to be any number of objections you’ll hear from your customers, which will initially range from “we’re not a regulated industry” through to “we’re a US company…why should we care” and then variations as to why it’s not really a problem for them. But one thing that is clear is that any organization which stores or processes data on EU residents will be impacted by GDPR, and this is something they need to take seriously and can’t ignore.

There are several topics of objection that could be listed here but as this whole subject matter is something that will evolve as more feedback comes in from the field, a separate Objection Handling document is available from PartnerNet.

Technical Requirements and Additional Resources

To access further GDPR content including Sales Play Book, GDPR, Solution Brief, Video, FAQs and other useful information visit the GDPR solution page on PartnerNet.

If you need any additional help or if you have any questions regarding GDPR, please email: [email protected]


Sales Cheat Sheet – GDPR APPENDIX

Cheat Sheet Channel/Internal Only

Key Articles Relating to GDPR

GDPR is made up of 99 individual articles but the following are the key ones of interest in terms of the areas that Veritas products can help with. For exact context, the full regulation should be referenced and a link to this is provided at the end of this section.

Article 4: This article contains all the definitions used in the regulation. It's a useful reference, but the key definition shown here is important to understand.

• Article 4: Defines "personal data" as: Information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person

Article 5: This article is a key foundation of GDPR so is shown in its original form

• Article 5 (1) - Principles relating to processing personal data:

• Processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

• Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall, in accordance with Article 83(1), not be considered incompatible with the initial purposes; (“purpose limitation”);

• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”)

• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 83(1) subject to implementation of the appropriate technical and organizational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

• Processed in a way that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”);

• Article 5 (2) - Principles relating to processing personal data:

• The controller shall be responsible for and be able to demonstrate compliance with paragraph 1 (“accountability”)


Data Subjects’ Rights

These are the key articles that define an individual's right to control their personal data

• Article 15: Individuals’ right to access their data

• Article 16: Individual’s right to have their data rectified

• Article 17: Right to be forgotten / Right to erasure

• Article 18: Right to restrict processing

• Article 20: Right to data portability

General Obligations

This is the key article that stipulates personal data should be protected using state of the art as well as technical and organisational measures. This also references Article 42 which is about being able to demonstrate compliance through a certification process

• Article 25: Data protection by default and by design

Security of Personal Data

This relates to the need to use "state of the art" methods to protect & secure personal data and also the breach notification process to the supervisory authority and also the data subjects when appropriate.

• Article 32: Security of Processing

• Article 33: Notification of a personal data breach to the supervisory authority

• Article 34: Communication of a personal data breach to the data subject

Codes of Conduct and Certification

This explains that the supervisory authority can establish a voluntary certification mechanism to help organisations gain recognition for being able to demonstrate they comply with GDPR. Certification bodies will be appointed by the supervisory authority.

• Article 42: Certification

Transfer of Personal Data to Third Countries or International Organisations

These all relate to the transfer of personal data to countries outside of the EU. They reference the principles and safeguards required, with a lot of detail about Binding Corporate Rules (BCRs) and exceptions. These rules are intended to ensure that the protection offered to EU residents by GDPR is not undermined.

• Articles 44-50: International data transfers under “appropriate safeguards”

The approved EU source of the complete GDPR Regulation is as follows.

http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
