Welcome to
Love Cloud GDPR
Thursday 2 November 2017, 09:30-12:30
Microsoft UK, Paddington, London
Love Cloud GDPR
Michael Frisby, Vuzion MD
Welcome and Introduction
A Massive Transformation Opportunity
Dedicated to Partner Success
Overcoming the challenges of our time
Location: identifying existing personal data held across the business
Governance: managing data subject access rights, data storage and use
Security: protecting against vulnerabilities and breach
Reporting: for data requests, breaches, and accountability
Achieving GDPR Compliance
Process track
Technical track
Define the requirement
Create the plan
The Partner Opportunity
GDPR Webinars
GDPR Workshops
GDPR Healthcheck
GDPR Assessments
Implementation Clinics
Annuity Services
Love Cloud GDPR
Agenda
09:00-09:30 REGISTRATION
09:30-09:45 Welcome & Introduction: Michael Frisby, Vuzion MD
09:45-10:15 Introduction to GDPR: Sean Huggett, Cybercrowd, CEO & Consultant
10:15-10:45 Microsoft and GDPR: Jonathan Burnett and Samantha Garrett, Partner Technology Strategists
10:45-11:00 TermSet and GDPR: Stewart Connors, Head of Customer & Partner Success
11:00-11:15 COFFEE AND PASTRIES
11:15-11:30 Acronis and GDPR: Ronan McCurtin, Senior Sales Director Northern Europe
11:30-11:45 Mimecast and GDPR: David Tweedale, Team Leader
11:45-12:00 DocuSign and GDPR: Jacqueline de Gernier, AVP Commercial Sales
12:00-12:30 Panel Interview, Vuzion GDPR Support Package, Closing Thoughts: Caroline Wigley (Vuzion), Sean Huggett (Cybercrowd), Jonathan Burnett (Microsoft), Rowland Dexter (QGate)
Love Cloud GDPR
Sean Huggett, Cybercrowd, CEO & Consultant
Introduction to GDPR
• Came into force on 24th May 2016 – enforceable from 25th May 2018
• EU Regulation – has direct effect – no local legislation required
• Replaces the Data Protection Act 1998 - transposed into law from Data Protection Directive 1995
• Aims to support the digital single market and give data subjects control over their personal data
• Wide scope & coverage
• Guidance on interpretation and compliance still being developed
• UK Government has confirmed applicability in UK notwithstanding Brexit
Introduction to GDPR
Key Definitions
Data Controller
• “the natural or legal person… which … determines the purpose and means of the processing of personal data”
Data Processor
• “a natural or legal person… which processes personal data on behalf of the controller”
Data Subject
• “an identified or identifiable natural person”
Personal Data
• “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural
person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a
name, an identification number, location data….”
Processing
• “any operation or set of operations which is performed on personal data or on sets of personal data whether or
not by automated means, such as collection, recording, organisation, structuring, storage…”
Six Data Protection Principles & Accountability
• Six data protection principles – overview of your most important duties in complying with GDPR
• Introduces ‘accountability principle’ – Data Controllers responsible for being able to demonstrate compliance with the six principles
Personal Data shall be:
1. processed lawfully, fairly and transparently
2. collected for specified, explicit & legitimate purposes
3. adequate, relevant & limited to what is necessary for processing
4. accurate and kept up to date
5. kept only for as long as is necessary for processing
6. processed in a manner that ensures its security
Accountability
Data Subject Rights
Rights to:
• Information - think about Privacy Notices
• Access - think about Subject Access Requests
• Object to Processing
• Rectification
• Erasure – ‘right to be forgotten’
• Restrict Processing
• Data Portability
Obligations & International Transfers
Obligations
• Data Protection Officers (DPO)
• Data Protection Impact Assessments (DPIA)
• Data Protection by Design and by Default
• Controller & Processor Records
• Security of Processing
• Breach Notification
• Processor contracts with guarantees that processing will meet the requirements of GDPR
International Transfers – Restricted & Regulated – Conditions to be Met
• Basis of Adequacy
• Appropriate Safeguards
• Binding Corporate Rules (BCRs)
• International Cooperation Mechanisms: EU-US Privacy Shield
Remedies & Liabilities
Liabilities
• Administrative Fines – ‘Effective, Proportionate & Dissuasive’
o Higher of 4% of global turnover or €20m for top tier infringements
o Higher of 2% of global turnover or €10m for lower tier infringements
• Warning of likely infringement
• Reprimand for infringement
• Others, including: order data breach communication, order limitations on processing, order rectification/restriction/erasure
Data Subject Remedies
• Right to judicial remedy where their rights have been infringed as a result of the processing of personal data
• Right to compensation – data subjects who have suffered material or non-material damage
• Controller & Processor joint and several liability
• Collective claims / class-action type litigation possible – higher litigation risks
Some Practical Steps
1. Understand Personal Data You Hold:
• Data mapping – identify Personal Data held, how it was/is collected, data flows, who has access, where it is stored etc.
• Apply the 6 Principles to the Personal Data you hold.
• Assess the risks to rights and freedoms of data subjects associated with your processing / the personal data you hold.
• Identify transfers to 3rd countries.
2. Review 3rd Party Relationships:
• Identify your 3rd party processors.
• Review the contracts, bring them into compliance – including cloud service providers.
3. Document Your Processing Activities:
• Put the required documentation in place – records of processing activities, records of consent etc.
• Document how you comply with GDPR – demonstrate you are consistently applying best practice.
4. Apply Technical and Organisational Measures:
• Implement strong information governance measures, including policies and procedures covering:
o Data protection
o Information security
o Breach response and notification
• Adopt a ‘Cyber Resilience’ approach covering People, Process & Technology in line with best practice.
• Implement an ISMS / PIMS / Compliance Framework – apply best practice and certify where appropriate
Thank you
Speak to a member of the Vuzion team
if you’d like to know more!
Love Cloud GDPR
Jonathan Burnett, Partner Technology Strategist
Samantha Garrett, Partner Technology Strategist
Microsoft and GDPR
What are the key changes to address the GDPR?
Personal privacy – Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Controls and notifications – Organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing
Transparent policies – Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
IT and training – Organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts
How do I get started?
1. Discover: Identify what personal data you have and where it resides
2. Manage: Govern how personal data is used and accessed
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report: Keep required documentation, manage data requests and breach notifications
1. Discover: Identify what personal data you have and where it resides
In-scope:
Inventory:
Example solutions
Microsoft Azure: Microsoft Azure Data Catalog
Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
Dynamics 365: Audit Data & User Activity; Reporting & Analytics
Office & Office 365: Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
SQL Server and Azure SQL Database: SQL Query Language
Windows & Windows Server: Windows Search
2. Manage: Govern how personal data is used and accessed
Data governance:
Data classification:
Example solutions
Microsoft Azure: Azure Active Directory; Azure Information Protection; Azure Role-Based Access Control (RBAC)
Enterprise Mobility + Security (EMS): Azure Information Protection
Dynamics 365: Security Concepts
Office & Office 365: Advanced Data Governance; Journaling (Exchange Online)
Windows & Windows Server: Microsoft Data Classification Toolkit
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
Preventing data attacks:
Detecting & responding to breaches:
Example solutions
Microsoft Azure: Azure Key Vault; Azure Security Center; Azure Storage Services Encryption
Enterprise Mobility + Security (EMS): Azure Active Directory Premium; Microsoft Intune
Office & Office 365: Advanced Threat Protection; Threat Intelligence
SQL Server and Azure SQL Database: Transparent data encryption; Always Encrypted
Windows & Windows Server: Windows Defender Advanced Threat Protection; Windows Hello; Device Guard
4. Report: Keep required documentation, manage data requests and breach notifications
Record-keeping:
Reporting tools:
Example solutions
Microsoft Trust Center: Service Trust Portal
Microsoft Azure: Azure Auditing & Logging; Azure Data Lake; Azure Monitor
Enterprise Mobility + Security (EMS): Azure Information Protection
Dynamics 365: Reporting & Analytics
Office & Office 365: Service Assurance; Office 365 Audit Logs; Customer Lockbox
Windows & Windows Server: Windows Defender Advanced Threat Protection
GDPR Resources
Microsoft Whitepaper on "Beginning your GDPR Journey"
Microsoft.com/GDPR
servicetrust.microsoft.com
aka.ms/GDPRblogpost
Data Breach & GDPR Demos
Next Steps
• Determine if your customers need to be GDPR compliant. If so, act now!
• Familiarize yourself with the Microsoft GDPR Assessment Tool that you
can use to assess your customer’s readiness
• Reassure your customers that Microsoft cloud services will be compliant
with GDPR and we will share our knowledge to help them get compliant
in time for May 25, 2018.
• Learn more about the GDPR and Microsoft Security offerings.
• Identify your offerings and go-to-market strategy, using the Microsoft
Cloud.
• Pilot your services and offerings with a few customers before you go
broad.
Risk Mitigation Suggestions
Management
2. Data Encryption
3. Phishing Protection
4. 2 Factor Authentication
5. Cloud Application Security
6. Mobile Security
Love Cloud GDPR
Stewart Connors, Head of Customer & Partner Success
TermSet and GDPR
GDPR: Automate the process for discovering Personal Identifiable Information (PII)
The Challenge
External
• GDPR will require all EU organisations to focus on discovering PII on behalf of customers & former employees
• “Subject Access Request” is not new and will continue
• “Right to be Forgotten” is new & will force organisations to collect all the digital information they hold
Internal
• Organisations’ information is held in multiple IT systems
• Also non-approved IT systems (shadow IT/BYOD)
• Information is typically held in documents that are structured and unstructured
• Discovering PII is currently a manual process
• This will cost organisations time and money
Ongoing breaches & Fines
• 49% of organisations had a document breach in the past 2 years*
• 73% of employees are accidentally exposing information stored within documents*
• 63% of organisations claim they are unable to locate sensitive data stored in documents*
*Information taken from the Ponemon Institute Research report May 2017.
The Solution: ScanR identifies and retrieves GDPR Personal Identifiable Information within documents stored in multiple systems.
• Multiple Systems
• Discover PII in Office docs, PDF, OCR on the fly.
• Generate Reports
Product overview ScanR
Connect to SharePoint, a File Share or other systems
Documents where we wish to determine if they contain sensitive data
Choose the types of information you would like to discover
• Over 100 pre-defined rules or you can make your own
• Artificial Intelligence for Pattern Matching
Documents Marked in place or reports produced
Overview Dashboard
• Three data sources read
• ~19k Documents read with 79% containing PII data
• Breakdown of what PII data is contained where
• Locations of the sensitive data
• Which systems contain the most sensitive data
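As an added illustration of the discovery-and-dashboard workflow described above (example code written for this page, not ScanR's own code or rule set), the following Python scans a constructed set of in-memory documents from three hypothetical source systems against a few regular-expression rules, applies a Luhn checksum to cut false positives on card numbers, and produces the kind of per-system summary the dashboard shows (documents read, share containing PII, which system is most exposed). The rule names, systems, file names and sample text are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Hypothetical detection rules (constructed for this example, not ScanR's rule set).
# Each rule is a name mapped to a compiled regular expression.
RULES = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # UK mobile numbers written as 07xxx xxxxxx or +44 7xxx xxxxxx.
    "uk_phone": re.compile(r"(?<!\w)(?:\+44\s?7\d{3}|07\d{3})\s?\d{6}\b"),
    # UK National Insurance number: two letters, six digits, one of A-D.
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    # 13-16 digit runs, optionally separated by spaces or hyphens; validated with Luhn below.
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_document(text: str) -> dict:
    """Return {rule_name: match_count} for every rule that fires on the text."""
    hits = {}
    for name, pattern in RULES.items():
        found = pattern.findall(text)
        if name == "card_number":
            # Keep only digit runs with a valid checksum to cut false positives.
            found = [m for m in found if luhn_ok(re.sub(r"[ -]", "", m))]
        if found:
            hits[name] = len(found)
    return hits


def build_report(documents: list) -> dict:
    """Summarise PII findings per source system, as a discovery dashboard would."""
    systems = defaultdict(lambda: {"documents": 0, "with_pii": 0, "types": Counter()})
    for doc in documents:
        entry = systems[doc["system"]]
        entry["documents"] += 1
        hits = scan_document(doc["text"])
        if hits:
            entry["with_pii"] += 1
            entry["types"].update(hits)
    total = sum(s["documents"] for s in systems.values())
    with_pii = sum(s["with_pii"] for s in systems.values())
    return {
        "total": total,
        "with_pii": with_pii,
        "pct_with_pii": round(100 * with_pii / total) if total else 0,
        "systems": {
            name: {"documents": s["documents"], "with_pii": s["with_pii"], "types": dict(s["types"])}
            for name, s in systems.items()
        },
    }


def most_exposed_system(report: dict) -> str:
    """Name of the system holding the most documents that contain PII."""
    return max(report["systems"], key=lambda n: report["systems"][n]["with_pii"])


# Constructed sample documents standing in for files read from three systems.
DOCUMENTS = [
    {"system": "SharePoint", "name": "hr-onboarding.docx",
     "text": "New starter Jane Doe, NI number AB123456C, mobile 07700 900123."},
    {"system": "SharePoint", "name": "q3-roadmap.pptx",
     "text": "Q3 roadmap: migrate the build pipeline to the new region."},
    {"system": "FileShare", "name": "refund-note.txt",
     "text": "Refund to card 4111 1111 1111 1111, contact alex@example.com."},
    {"system": "FileShare", "name": "old-invoice.txt",
     "text": "Test card 4111 1111 1111 1112 should not count; call +44 7700 900456."},
    {"system": "Exchange", "name": "newsletter.eml",
     "text": "Contact: press@example.org for media enquiries."},
]

if __name__ == "__main__":
    report = build_report(DOCUMENTS)
    for system, summary in report["systems"].items():
        print(f"{system}: {summary['with_pii']}/{summary['documents']} documents with PII, {summary['types']}")
    print(f"{report['pct_with_pii']}% of {report['total']} documents contain PII; "
          f"most exposed system: {most_exposed_system(report)}")
```

The Luhn filter is the detail worth copying: a bare 16-digit regex will flag order numbers and test values, and a discovery tool that reports them as card data sends reviewers after files that hold nothing sensitive. A real scanner would also extract text from Office and PDF containers first; here the documents are already plain strings.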
Query engine
• Search for information across your data sources
• Immediately see the records that match
• Understand the types of data that contain the information
Articles Contained in the GDPR
11 Chapters with 99 Articles
http://www.eugdpr.org/article-summaries.html
ScanR will help you comply with Articles: 5, 15, 16, 17, 18, 20, 24, 30, 32, 35, 42, 44, 45.
• Gain an understanding of where the PII data is located
• Gain an understanding of who has access to it
• Gain an understanding of how long it’s being retained
• Retain personal data for a period of time directly related to the original intended purpose
• Find risky files and take action
• Manage a Subject Access Request
o Request a port of the data
o Request a correction to the data
o Request deletion of the data
Summary
ScanR
• Automate the process for discovering PII
• Quickly respond to “Subject Access Request” & “Right to be Forgotten”
• Comply with over 10 of the 99 Articles
Next Step
• Free trial up to 1,000 documents
Thank you
Speak to a member of the Vuzion team
if you’d like to know more!
Love Cloud GDPR
Coffee and Pastries
11:00-11:15
Love Cloud GDPR
Ronan McCurtin, Senior Sales Director Northern Europe
Acronis and GDPR
‒ Key activities
– Privacy impact assessment
– Data access governance
– Data breach notification / resolution
– Secure storage of active data
– Archiving and deleting
Where Acronis supports GDPR compliance
Acronis Backup
Acronis Storage
Acronis Backup Cloud
Acronis Disaster Recovery Service
Requirements for GDPR-compliant backup and storage 1
Requirement | Desirable features | GDPR recitals supported
Control data storage location | Reporting for compliance | 101: General principles for international data transfers
Encrypt data securely | Encryption on the device, in transit, and at rest | 78: Appropriate technical and organizational measures; 83: Security of processing
Browse backups | Drill-down to easily find required data | 63: Right of access; 65: Right of rectification and erasure
Modify personal data | Easy modification if requested by data subject | 59: Procedures for the exercise of the rights of the data subjects; 63: Right of access; 64: Identity verification; 65: Right of rectification and erasure
Export data in a common format for easy data portability | ZIP archive for easy portability | 68: Right of data portability
Recover data quickly | Acronis Instant Restore to deliver 15-second recovery time objectives (RTOs) | 78: Appropriate technical and organizational measures
Requirements for GDPR-compliant backup and storage 2
Requirement | Desirable features | GDPR recitals supported
Minimize compulsory data breach reporting | Proactive prevention of malware damage to files; specific protection of the Acronis Backup agent to prevent data breach of backups | 85: Notification obligation of breaches to supervisory authority; 86: Notification of data subjects in the case of data breaches; 87: Promptness of reporting / notification; 88: Format and procedures of the notification
Blockchain-based data certification | Acronis Notary validation of the authenticity and integrity of backups | 78: Appropriate technical and organizational measures
Backup retention, deletion | Flexible setting of retention time of data, archival rules, etc.; ability to delete backup at any moment | 66: Right to be forgotten
Logs availability | Logging of operations with data | 82: Record of processing activities [correct?]
Role-based access | Multilayered and highly customizable data access rights | 63: Right of access [correct?]
Risk management control | Very flexible backup and Active Protection | 84: Risk evaluation and impact assessment [correct?]
‒ Data subject control of data storage location
– Individual must have final say as to where personal data is stored: on-premises or in a specific EU-based data center
‒ Data encryption
– Strong data encryption on-device, in transit and in the cloud
– An entirely automated encryption process, with the data subject as the sole holder of the decryption key, meeting GDPR data security requirements
What to look for in GDPR-compliant backup and storage
‒ Ability to search data inside backups
– Ability to drill down through backups, making it easy to find required information on behalf of data subjects
‒ Ability to modify personal data
– Easy way to modify personal data if and when requested by data subjects
What to look for in GDPR-compliant backup and storage
‒ Data export in a common format
– Ability to export personal data in a common and easily usable format (e.g., ZIP archives) to meet the GDPR data portability requirements
‒ Quick data recovery
What to look for in GDPR-compliant backup and storage
‒ Flexible setting of retention time of data, archival rules, etc.
‒ Extensive logging
‒ Multilayered and highly customizable data access rights
How Acronis helps your company achieve GDPR compliance
‒ Active Protection against ransomware
– Proactively preventing breaches is easier and more cost-effective than suffering breaches and doing the mandatory incident reporting
– Acronis Active Protection™ detects and blocks ransomware attacks and instantly restores any affected data
‒ Blockchain-based data certification
– Acronis Notary™ provides immutable proof of the integrity of protected data using blockchain technology
How Acronis helps your company achieve GDPR compliance
[Chart: With an economic incentive to it, new Ransomware families appeared fast… Source: F-Secure]
Ransomware Big Trends
Advancing into new operating systems
Advancing into new platforms and devices
Ransomware-as-a-Service
Advanced attack techniques
Trend 4: Advanced attack techniques
Ransomware evolves…
… Data Protection evolves too
Year | Detection technique | Ransomware counter-technique
2010 | Detection of non-signed files | Malware signed by stolen certificate
2014 | Protection for Windows only | Attacks Mac OS X and Linux
2014 | Exclude known legitimate system files | Injects into system processes and acts on their behalf
2016 | Detection by checking file type/header | Only body of the file is encrypted
2016 | Detection of executable files | Uses scripts and non-malicious executables
2016 | Detection in running Windows system | Infects before Windows starts
2017 | Use of Backup to protect against Ransomware | Attacks & Encrypts different backup files
Next Generation Ransomware families targeting Backup software
Acronis Active Protection 2.0: Learning Infrastructure
[Diagram elements]
• Acronis Customers and Acronis Labs: infected and clean processes farms; provide process behaviour data
• Acronis Learning Service / Acronis Cloud Brain: model training, parameters optimization; updated knowledge base
• Acronis Local Knowledge Base: you are protected even without Internet
Complete protection against modern techniques
Year | Detection technique | Ransomware counter-technique | Acronis Active Protection™ response
2010 | Detection of non-signed files | Malware signed by stolen certificate | Compromised signatures check
2014 | Protection for Windows only | Attacks Mac OS X and Linux | Protection for Windows, Mac and Linux
2014 | Exclude known legitimate system files | Injects into system processes and acts on their behalf | Checks for injections in system processes (with Machine Learning)
2016 | Detection by checking file type/header | Only body of the file is encrypted | Entropy measurement
2016 | Detection of executable files | Uses scripts and non-malicious executables | Both executable and scripts detection
2016 | Detection in running Windows system | Infects before Windows starts | Pre-boot anti-ransomware protection
2017 | Use of Backup to protect against Ransomware | Attacks & Encrypts different backup files | Acronis Active Protection™
Acronis Notary powered by Blockchain: Ensuring that data is authentic and unchanged
“Acronis Notary assures that files are unchanged since they were backed up.”
Have confidence of data authenticity
• A public, secure Blockchain ledger verifies the authenticity of files
• Backup enables the recovery of the original document
• Acronis Notary provides mathematical assurance that the contents of a file perfectly match the original contents that were backed up
Thank you
Speak to a member of the Vuzion team
if you’d like to know more!
Love Cloud GDPR
David Tweedale, Team Leader
Mimecast and GDPR
© 2017 Mimecast.com All rights reserved.
Data Protection: Securing personal and sensitive information
Data Management
Data Protection: Anti Malware; Data Leak Prevention; Encryption; Breach Notifications
Spear-phishing credentials to exploit point-of-sale systems
1. Access gained via spear-phishing attack on a sub-contractor
2. Used as stepping stone onto victim’s network
3. Compromised point of sale systems
4. Customer data stolen, including credit card details
5. Large GDPR fine and costs to investigate and remediate
Anti Malware
Technology capabilities: Data protection
Type of attacks:
• Weaponised attachments
• Malicious URLs
• Malware-less attacks
• Ransomware
• Phishing
• Insiders
Key Strategies
• Multi Layered Approach
• User Awareness
• Advanced Threat Protection
• Logging and monitoring of internal user activities
• Protected, plan B email route and access
Malware can have a devastating impact on organizations, contributing to significant GDPR fines related to data loss
Data leaked by disgruntled employee
1. Disgruntled employee wants to leave and cause damage to the business
2. Employee emails copy of client database to personal mail account
3. Data collected by the company is now compromised
4. Customer sensitive data leaked. GDPR fine imposed.
Data Leak Prevention (DLP)
Technology capabilities: Data protection
How is data leaving the organization?
• Internal department leakage
• Email attachments
• Shadow IT
Key Strategies
• Internal communications DLP
• Outbound mail inspection
• Corporate data sharing
• Secure messaging channel
Data Loss Protection (DLP) tools prevent inadvertent data breaches by blocking emails containing personal data
Encryption
Technology capabilities: Data protection
Where is data encrypted?
• Data stored in applications
• Laptops/Mobile Devices?
• Email archives
Key Strategies
• Secure storage of data
• Secure transfer of data
• Secure data in transit
• Limit data on portable devices
Encryption of data in systems and applications reduces the potential impacts of a data breach
Breach Notifications
Technology capabilities: Data protection
Key Information required?
• Analysis of breach
• Mitigate negative consequences
• Alert data protection officer
Key Strategies
• Gather data from Security Incident and Event Monitoring (SIEM) system
• Identify location of data breach
• Identify if personal data was leaked
• Mitigate negative effects
Organizations have 72 hours to notify relevant authorities once a data breach is discovered
Data Management: Supporting access rights of individuals
Data Protection: Anti Malware; Data Leak Prevention; Encryption; Breach Notifications
Data Management: Search and Discovery; Secure Repository; Chain of Custody; Access Control
GDPR – Subject Access Request and Data Portability
1. Data Subject requests access to data stored on them
2. IT Administrator searches across data repositories
3. Results validated/reviewed
4. Secure transmission of data to data subject
Subject Access Requests (SAR)
Technology capabilities: Data management
What is the impact?
• Requests need to be handled quickly
• Accurate personal data and additional information
• Availability in electronic format
Key Strategies
• Locate requested personal information quickly
• Prepared response templates
• Employee training to handle SARs
• Self-service portal for SARs
Individuals have the right to obtain confirmation that their personal data is being processed
Data Portability
Technology capabilities: Data management
What is the impact?
• Exports need to be timely
• Useable format
• Safe delivery of that export?
Key Strategies
• Data must be structured, searchable
• Exports to common formats
• Ensure the safe delivery of exported data
• Subject review and confirm data required
Individuals have the right to request an export of their data in a format that can be given to another vendor or service
GDPR – Right To Be Forgotten
1. Data Subject requests all personal data to be erased
2. IT Administrator searches across data repositories (time consuming)
3. Confirmation given that data is erased
Right To Be Forgotten
Technology capabilities: Data management
What is the impact?
• Complete erasure
• Across all systems
• Unless overriding policy is in place
Key Strategies
• Data must be structured, searchable
• Dynamic data adjustments
• Retention management
• Auditable deletion
• Ability to review prior to deletion
Individuals have the right to request erasure of their personal data held by a data controller (subject to conditions)
Mimecast Solution: Simplifying GDPR Compliance for Email
Data Management: Search and Discovery; Secure Repository; Chain of Custody; Access Control; Secure Messaging
Data Protection: Anti Malware; Data Leak Prevention; Encryption; Incident Management
Products: Advanced Threat Security; Mimecast Cloud Archive; DLP & Content Security; API; RBAC & Data Guardian; Large File Send; Mailbox Continuity; Archive Power Tools; Search and Review
Mime | OS
Email Cyber Resilience for GDPR
PREVENT: You need technology that provides the best possible multi-layered protection
MANAGE: You need to control, protect, find and access data effectively
MAINTAIN: You need to sustain compliance support at all times
Thank you
Speak to a member of the Vuzion team
if you’d like to know more!
Love Cloud GDPR
Jacqueline de Gernier, AVP Commercial Sales
DocuSign and GDPR
Getting to Grips with the GDPR: How to Fast-Track Your Compliance
Introduction to DocuSign
14+ Years Innovation; Highest level certifications
188 Countries; 43 Languages; 13 Offices; 5 Continents
300k+ corporate customers; 200 million total users; #1 Analyst rated
The DocuSign Difference: Why customers choose DocuSign
Trust: Legal & Compliance; Bank-Grade Security & Encryption; Platform & Scalability
Experience: Capabilities & Usability; Mobile; Customer Success Programmes
Choice: Partners & Integrations; Global; #1 APIs
Industries: Financial Services; Insurance; High Tech; Communications/Media; Pharmaceutical; Real Estate; Consumer; Everywhere
Customer Success (use cases)
Sales – Experience: significantly improved
Procurement – Contract signing: 50x faster. “It speeds up the process and makes it more compliant”
HR – Fastest contract returned: 10 minutes. “DocuSign has revolutionised how we send out HR contracts at E.ON”
“Steps that previously took days through post now take minutes”
GDPR - Changes to Consent
Demanding requirements for consent
Under the GDPR, consent must be:
• Freely given
• Specific
• Informed
• Unambiguous
"Consent should be given by a clear affirmative act … such as by a written statement, including by electronic means, or an oral statement… Silence, pre-ticked boxes or
inactivity should not therefore constitute consent." (Recital 32)
Consent will often be required
When collecting an individual’s personal information relating to:
• Using an individual’s sensitive personal information
• Sending an individual e-marketing
• Sharing an individual’s personal information with independent third parties
Consent must be verifiable
Businesses must be able to prove that they obtained the individual's consent, which requires them to maintain consent records that can be checked to verify:
1. That the individual has consented;
2. What they consented to, and;
3. When they consented
Individuals "shall have the right to withdraw his or her consent at any time… It shall be as easy to withdraw consent as to give consent." (Art 7(4))
Common consent challenges
• Marketing / Sales – Personal information for e-marketing purposes
• HR – Personal information for a job application or for the provision of employee benefits
• Healthcare – Personal information for the purpose of medical studies and clinical trials
• Online – Consenting to the use of cookies and similar tracking technologies
Re-contracting with Suppliers
Business must ensure:
• Legacy vendors move to new, GDPR-compliant, data protection terms
• Future vendors are also signed up to GDPR-compliant terms
How DocuSign can be part of a GDPR Consent solution
[Diagram] Business and its Consumers, Customers, Partners, Suppliers and Employees: Disconnected Systems, Manual Processes, Fragmented Policies; Digital consent
Bespoke reports for GDPR and the data can be extracted
Case Study: Filestream
Company’s Top Challenges
• Manual processes – contracts require manual chasing to fulfill terms and conditions
• Not GDPR-ready – holding of personal data is not currently compliant with legislation
• Inadequate security – Information sent over email is not as secure as it could be
Reasons for Choosing DocuSign
• Security standards – DocuSign meets and exceeds some of the most stringent US, EU, and global security standards
• Commitment to compliance – DocuSign is actively monitoring regulator guidance and interpretations of key GDPR requirements
• Digitising process – digital signatures remove need to print and scan paper documents
The Key Benefits
• Quicker signing process – turnaround time is now 40 times faster
• Customer consent – DocuSign’s tools are being utilised to be ready for new legislation coming into force in May 2018
• Data protection – personal data is protected whenever a third-party comes in contact with it
“I wouldn’t choose any other partner but DocuSign for ease and security” – Paul Day, Technical Director, Filestream
EXECUTIVE OVERVIEW
ABOUT
Company: Filestream
Headquarters: Berkshire, UK
Founded: 2003
Industry: Software
Website: www.filestreamsystems.co.uk
Partners: DocuSign
Use Case: Sales
TOP BENEFITS ACHIEVED
• Contract turnaround time: 45 minutes
• Quicker signing experience: 40x faster
• GDPR-ready: DocuSign tools being used for compliance
Thank you
Email: [email protected]
GDPR Seminar – 9th Nov, 5pm – 7pm
ETC Venues, Fenchurch Street
discover.docusign.co.uk/best-practices-for-gdpr
Love Cloud GDPR
Host - Caroline Wigley (Vuzion), Sean Huggett (Cybercrowd), Jonathan Burnett (Microsoft),
Rowland Dexter (QGate)
Panel Interview
Love Cloud GDPR
Closing Thoughts
Process track
Technical track
Define the requirement
Create the plan
The Partner Opportunity
GDPR Webinars
GDPR Workshops
GDPR Healthcheck
GDPR Assessments
Implementation Clinics
Annuity Services
Thank you
to
our presenters
Thank you
for attending
Love Cloud GDPR
Speak to a member of the Vuzion team
if you’d like any further information about GDPR!