Good afternoon, good morning, or good evening, depending on where you are. Welcome to this KuppingerCole webinar on GDPR compliance: countdown to adequacy. This is Mike Small with KuppingerCole. I'm a Senior Analyst with KuppingerCole, and my co-presenter today is Gabriel Gumbs, who is VP of Product Strategy for STEALTHbits Technologies. Today's webinar is hosted by KuppingerCole. KuppingerCole was founded in 2004 by Martin Kuppinger and Tim Cole, and we provide research services, advisory services, and events with a focus on compliance and security issues.
Here you can see some of the kinds of research, events and advisory services that we provide in the near future. We've got events on consumer identity: there's a Consumer Identity World tour, which goes through Singapore, Seattle, and Paris over the next couple of months. In February next year, we've got the Next Generation Marketing Executive Summit, followed by Digital Finance World in Frankfurt, Germany.
The guidelines for this webinar are that you will be muted centrally; you don't have to mute or unmute yourself. We will control these features.
The webinar is being recorded, and the podcast of the recording will be available tomorrow. As regards questions and answers, you can ask questions at any time using the questions facility on the control panel that you see on your desktop. I will open the panel for questions at the end of the session, after Gabriel has given his talk, and we'll try to answer the questions that you have posed through this question widget. So, to explain what's going to happen: this webinar is divided into three parts.
I will start off by describing the six critical steps that I, and KuppingerCole, believe organizations need to take to ensure compliance with GDPR. Then, in the second part, Gabriel Gumbs of STEALTHbits Technologies will discuss the necessary articles for meeting adequacy by the GDPR deadline and explain the guidelines towards meeting these requirements. This will then be followed by a set of questions and answers.
This presentation, this set of slides, was created by me in response to the number of lawyer presentations that I've seen. It's quite clear that you need to understand the law in order to drive a car, but you don't normally expect to have a lawyer driving for you. The GDPR is an important regulation that is coming in, and the input from lawyers on what you need to do is very important.
However, at the end of the day, it is going to be the guys and gals in the IT team and the security team that are going to have to make sure that the systems that you have and the data that you hold are being held and manipulated in a way which is correct and corresponds with the requirements of the regulation. To go back to the regulation itself: it has a checkered history. It took a long time, and it had the most amendments tabled of any regulation that has gone through the EU, but it was passed.
It was passed in May 2016, and it will apply to all EU members from May 2018. Unlike the previous way in which privacy was managed, which was through directives that were implemented differently in each of the EU countries, this is a regulation, which means that it is the same for everyone, and everyone has to obey it in the same way.
It's actually rather different from the current legislation, where all of the responsibility lay with the data controller; this regulation applies to data controllers as well as data processors.
So cloud service providers beware, and it doesn't matter where your service is located. If you are holding data which relates to any living, breathing human being who is at that point in the EU, then this regulation applies to you. When you look at the principles that lie behind this, there are six key principles. Personally identifiable data must be processed fairly and lawfully, and what that means is something I'll talk about in a moment. It can only be processed for specified, explicit and legitimate purposes.
You need to make sure that what you collect is relevant and the minimum necessary.
It must be accurate and kept up to date, but kept no longer than is necessary. One of the key things is that the controller is responsible and liable to ensure and demonstrate that they are compliant. These are new challenges which are going to be important for what we do to our IT systems.
Now, when we look at personal data, there are two basic kinds identified. There is personal data, which is any information relating to an identified or identifiable natural person. And there is sensitive data: the regulation prohibits the processing of personal data which reveals things like race or ethnic origin, political opinions, religious beliefs, trade union membership, and the processing of genetic data and data about your health or your sex life.
So personal data has one level of requirements associated with it, and sensitive personal data has even more requirements associated with it.
You can see that we're already starting to look at the kinds of classifications that are going to be implicit in dealing with this data.
Now, lawful processing is defined as a number of different things. It could be where the subject has given consent. It can be where it is necessary for the performance of a contract, or for compliance with legal obligations, or to protect vital interests, or where it is carried out in the public interest. So there are all of these different bases, and there is a very concise and clear set of documentation.
However, the interpretation of many of these things is still not clear, and one of the challenges that many organizations face is trying to get clarification on the interpretation.
In fact, although we can expect some clarification from the Article 29 Working Party, it will only really become fully clear when we have the first legal arguments in a court of law about what is adequate and what is not adequate.
So in the meanwhile, we have to do the best that we can based on what we read and how we interpret it.
However, although GDPR is often portrayed in terms of threats, fear and uncertainty, it actually gives a number of benefits.
It levels the playing field, because no longer can a data controller or an organization located in some other part of the world find out things about you that they wouldn't have been able to find out had they been located in Europe. It encourages organizations to actually seek out and get a grip on the customer data they hold.
It makes it much clearer to the end users and consumers of these services what consent they have given. And ideally it is going to help organizations build a much more trusted and sustainable relationship with their customers.
Having seen all of this, what you need is some kind of action plan in order to meet these challenges. This action plan clearly applies to the people that are going to be responsible for processing this data, and it actually starts with discovering the data.
Now, I've had a number of conversations with a number of organizations, and it seems that very few organizations feel really confident that they know where all the data that they hold that is classified as personally identifiable in fact is. Indeed, it is worse than many imagined, because whilst you might think that all of the data is in customer relationship management systems, in fact most organizations have an awful lot of data that's held in their direct sales websites and so forth, and users actually sign on to these sites with multiple identities.
And so there are problems that come with that.
Not only that, much of the data is circulating around in unstructured format. A typical marketing manager at the moment might decide to buy a list of email addresses and personal details in order to run a marketing campaign. This arrives via email and then gets distributed via email in something like an Excel spreadsheet. Clearly this is going to be a challenge. So the first problem you have is to discover it, and if you don't have one, you probably already need a discovery project.
You also need, at the same time, to make sure that you have policies that clearly define who is responsible for which pieces of PII that you hold. To do this, you may find that there are some tools that will help you: many of the data leak prevention type tools, as an ancillary function, give you the ability to identify the content of different kinds of files, using some kind of syntax analysis to look for things that may well be personally identifiable information.
You need to set yourself some targets, because remember that there is less than a year to go before this regulation comes in. So you really need to make sure that you have found the data that you hold, so that you know the extent of your problem before that time.
Now, having discovered it, you need to understand how it is currently controlled. Do you actually have a policy for personally identifiable information that says why you collect it, what you collect it for, who is responsible for the collection, and who is responsible for all of these different things? With that policy, you can then use it to help you review your existing systems against this regulation and see why you are holding the data and what you're holding it for.
You also need to look at your access governance systems to define and implement the controls over who can access this data and how this data can be used.
If you don't have access controls in place, then how do you know it's not actually being used or sold in different kinds of ways? One of the key issues that you need to consider is how you are going to deal with consent and aggregation. This is one of the areas where it is not at all clear, but many organizations are using aggregation to bring together data.
And that may well be out of line with what you are allowed to do in terms of consent. At the end of this, you need to make sure that you can prove compliance. It isn't good enough to say you are compliant; you're going to need to be able to prove it. That means having the right kinds of records and tools, which in fact are similar to, and extensions of, the kinds of things that you would expect to have around access governance.
We've only talked about the control that you have in normal access terms here.
But one of the different dimensions to this is consent. For a lot of this data, the processing is under the explicit consent of the data subject, who gives that consent for a defined purpose. In the worst possible case, you can imagine that a particular field of data has to be under the consent control of the data subject, who can give it and withdraw it. Whereas previously you might have had entitlement management run by some kind of approval system internally, you now have an individual consumer being able to give or withdraw consent.
So who in your organization is actually responsible for making sure that you have consent to process data? If your marketing department is buying lists of email addresses, how do they assure that there is consent given for the purpose for which they're going to use it?
How do you make sure that your systems are compliant, in that when someone ticks a box in using your system, the text of the box is in fact appropriate, and that you are recording the technical controls that go with that, and that they are appropriate and being implemented?
So you need to review your existing systems and see how they're meeting it. One of the challenges is to do with age and family consent, which is where, in effect, minors can have their consent overridden by their parents or guardians. So we're going to have to have a way of linking this consent with the potentially multiple identities that people have when they sign themselves in, in different kinds of ways.
Using the cloud is another challenge, because it may well be that you are already holding a lot of data in the cloud, or it may be that you don't even know that you've got data in the cloud. One of the challenges is with unstructured data, where people have their own spreadsheets and Word documents that contain stuff and are uploading it to cloud services. Do you know what's happening? Do you have a policy for putting PII in the cloud?
If you don't, then how can you ever say to someone that they've done something wrong if they upload it? How can you discover what you've got in the cloud, and how can you control it?
Those kinds of things can in fact be helped using cloud access security brokers, and also, to some extent, the tools that come with DLP systems. You also might want to consider control over the location where that data is being held and processed, to make sure that it doesn't slip outside of the control that you have over it by being held in a particular geographic area with a rather less than benign legal system.
There are also a lot of cloud certifications; the certification wars have already started.
We have a cloud industry certification program, and another one or two which are specifically related to European cloud service providers, but you are going to need to prove compliance. Is it good enough for your cloud service provider that they are certified to 27018? Or does it need more than that for you to be sure?
Data breaches is one area where there's been a lot of talk, particularly to do with the fact that there are some specific and rather high penalties associated with the unauthorized breach of information.
But what I would simply say to everyone is: do you have a good process for managing a data breach? Because many organizations don't have a process, they don't have a system, and they have never tested it. The worst scenario that you can envisage is where your CEO turns up at the office on a weekday morning and finds the television news team standing outside his office, asking him for his comments on the fact that his organization has just lost 20,000 or 200,000 email addresses, or the data of all of their customers.
So review your current process, make sure you have a current process that works, test it, and implement any changes that you need to ensure compliance. These changes are particularly going to be in relation to notification of the relevant data protection authorities, and also the notification of the subjects whose data has been compromised.
And finally, we get round to the simple need that most large organizations are going to have to appoint a data protection officer, although this doesn't have to be someone that works for you.
This is good, because the data protection officer is going to be someone who will have a lot of responsibilities. So make sure you find out who they are, make sure there is one nominated, and make sure you work with them. You also need to review whether, and where, you need to have data protection impact assessments, and if you are not already conducting them, work out a process for conducting them where you need them.
When you come down to defining and designing your new systems that are going to hold this data, make sure that you include privacy by design and privacy by default in these systems to help you with this.
In summary, basically what we are saying is that the requirements for GDPR are going to have to be implemented by the IT team and the IT security team, and proper planning is going to prevent the payment of unnecessary fines.
The key areas that you need to be looking at are: the discovery of the personally identifiable information that you hold; how you are going to ensure that you control that data, to make sure that it is only used and seen in a way that meets the requirements of lawful processing, which includes the need for consent; how you are going to control what data goes into the cloud, and how you're going to be sure that your cloud providers are in fact going to be compliant; making sure that you have a breach notification plan that is tested
and that includes the requirements of GDPR; that you have nominated a data protection officer; and that you are thinking about how you are going to design and develop data privacy by design and by default into your new systems. So that is the end of my part of this. What we're now going to do is hand over to Gabriel Gumbs, who is going to give his response and explain how STEALTHbits can help. So over to Gabriel.
So where was I? That being said, what I would like to do is actually start by presenting some data that we collected earlier this year.
The reason for that is, before I jump right into how STEALTHbits helps and give you some examples of how we've helped our customers, I find it especially important to share with you the way more of your peers are approaching EU GDPR.
I think that helps, at an absolute minimum, to peel back some of the fear and the uncertainty that goes along with these things, and just have a look at how other organizations are preparing for compliance as well.
So a bit of background about the study itself.
We conducted the research amongst 370,000 information security professionals in the ISC, the Information Security Community on LinkedIn, and the research was designed to measure the overall impact of this new regulation and how companies are planning on achieving that compliance. Participants in the study itself were a total of 520 organizations from different geographic regions, so they did not just represent the EU by any means, or the US for that matter.
As we know, the regulation extends to anyone who is going to be processing EU citizen data, but there was a predominant portion of EU demographics. In fact, 59% of the respondents in the report you're going to see some details from were from Europe, with another 29% being from North America. From there, it starts tailing off: about 3% in the Asia Pacific region, another 1% throughout Latin America, and 8% representing the rest of the world. With regards to the size of the organizations that participated in the study,
the company sizes were predominantly somewhere in the 250 to 5,000 employee range. That represented 80% of the participants, while 20% were in the 5,000 to 20,000 or above range. As the verticals broke down, somewhat unsurprisingly, the technology vertical did dominate the results. I think that might be just a byproduct of the overall participation within the information security LinkedIn community. Then it's evenly spread throughout financial services, government entities, higher education, healthcare, retail, and energy.
From there, it tails off into other verticals as well. The primary respondents of the research were also in the information security community.
Again, not a surprise given where we targeted this particular study, and they represented 48% of the respondents, with 21% directly in the IT industry, and from there it tails off as well. With regards to the personas of those folks that we engaged, 22% of those represented CSOs or CISOs, chief security officers, and another 27% were managers within the IT security space.
Another 20% were directors within the security space, and then we had another 12% that were security analysts. Somewhat disappointingly,
we only had about 4% that represented privacy officers and DPOs. I say disappointing not because we had low participation from DPOs and privacy officers, but because that number greatly reflects the number of actual privacy officers and DPOs that we see out in the world. I know we're going to see that number rise.
We know it has to, just based on the requirements of GDPR, but it is a bit of a lagging indicator at the moment as to where organizations are with their readiness and how they are preparing to respond. So let's jump right in, because that readiness to respond is certainly a byproduct of where they see EU GDPR as being a priority, or at least I would expect that.
One of the first questions we asked about priorities was the relative importance of GDPR and where that fell within the organization's purview.
What we see is that a total of 72%, or seven out of ten organizations, certainly do see it as a priority. We've seen that number rise in the last six to eight months as more organizations began to examine their overall exposure. So that's a good thing, right? 70% is certainly a respectable number of organizations to see this as being a priority, but given the overall impact of privacy, both on the business as well as on us as consumers of all types of industry, and the importance we place on our privacy,
I think having that 30% hanging out there, or, to be completely accurate and fair to the numbers, 28%,
I shouldn't round that up, but 28% not seeing it as a priority is certainly quite troublesome, and that I believe reflects why we still haven't seen nearly the number of DPOs rising throughout these organizations. What we've also seen, as I think Martin touched on earlier, is that a lot of responsibility is falling to the CSO and the CISOs. I have some numbers on that a couple of slides ahead.
What we're also seeing is that those folks tend to be wearing multiple hats. From that perspective, without interjecting too much of my own opinion on the matter, I will say that the reason the folks who drafted the regulation found it necessary to appoint a privacy officer was not, I believe, for the explicit purpose of just having yet another role to do more things.
It was because having someone whose sole responsibility, or more importantly, who will be accountable for ensuring that organizations are in compliance, is a very important thing.
Somewhat anecdotally, a number of years ago, as part of a different security-related research project
that I performed, we were looking at behaviors and outcomes, attempting to find actual correlations between the different security behaviors that lead to real increases in security posture. The number one correlated data point that we were always able to come back to and point to definitively was accountability. That is to say, above and beyond all of the technical controls, all of the regulation, all of the tools, and whatever else may have been in place,
many of those things had varying degrees of success, but accountability always ranked the highest. That is to say, when there's one person or group of persons, whether it be a body of individuals, that are responsible and accountable for the outcomes of an initiative, especially ones as important as these, we find that the postures tend to be far better than those where there are not.
So, again, 28% not seeing this as a priority, and the low number of individuals that we see directly accountable for GDPR as a priority, is for me one of the most concerning bits of data I can find on this. What I want the audience to take away from here is that I certainly would look to that as one of the first things that you look to put in place. It doesn't mean you have to run out and hire someone or any of those things, but certainly appoint someone to be accountable and responsible for these activities.
I think when that happens, we'll see that priority number continue to rise. Seven out of ten is pretty good; that's where we stand at the moment, but I do believe that number will continue to rise. Let's continue to have a look at priority as we saw it. In the breakout of priority, left to right, we saw the technology industry
representing one of the verticals that saw EU GDPR as a higher priority than most.
This is very much in line with what I would expect, given the data that most technology companies handle. That is to say that most of their consumers, most of their customers, are submitting some form of data to them, and there's some demographic data that these technology companies are ingesting so that they can attempt to better monetize that data and further increase their revenue. Technology companies are extremely good at monetizing data.
It is by and large primarily what most of them do, even if that doesn't appear on the surface to be what they are. One of the quotes that I like to hold up quite often is the old saying that if you are not the consumer, you can be sure that you're the product.
That is to say, with a lot of the technology we consume on the internet these days, a lot of these things being somewhat free, we are in exchange giving up a lot of our information for the ability to consume those services,
as we see them as being either a bit of a luxury or a convenience to us. But in that respect, if you are not consuming, and even when you are, you can be certain that you are the product. So technology companies see this as a priority for the most part.
That is a good thing, as they are the ones that are heavily consuming a lot of that data. That starts tailing off as we move further to the right and look at folks within the energy space and financial services. I certainly would have expected that to have been higher. Again, somewhat anecdotally, I believe that number represents a bit of their confidence that, based on the number of regulations that they've had over the years to ensure a certain level of privacy for their customers, they see this as just a further extension of that.
And so the priority for them is somewhat different.
As we move further, to the healthcare industry, I'd like to believe that that's one of the reasons why they're in that same space, but I don't have that same level of confidence. In government and retail, it just falls right off, right?
They're not seeing this largely as a priority of theirs at all. Again, without attempting to put too much of my own spin on it, it's hard to really pinpoint why those things are, but suffice to say that all these numbers should certainly be much higher. I think what we're going to see is that when 2018 rolls around, we may see more folks scrambling, and hopefully what we don't see are folks falling afoul of GDPR in general. Let's move right along.
So, ownership. Martin, again, touched on this a bit earlier.
What we see is that, although the respondents said that this DPO role and GDPR responsibilities would be placed in the security side of the house, it really should be a dotted line role to the information technology side of the house, and to legal and security. Again, this is troubling; however, not surprising, right?
Infosec in general, the information security arms of our organizations, will be looked to first to address compliance more often than not, as they are the gatekeepers of the tools that enforce policy. So, although we are going to come together with our legal departments, our compliance departments, and our IT and security to draft our own internal policies to help ensure that we are meeting EU GDPR regulatory requirements, the ownership of those activities appears to be falling mostly towards the information security and technology arms of our organizations.
I do take slight issue with this. Again, I am far more emboldened by the fact that there is ownership than by where that ownership lies. I think as long as there are dotted lines to the other parts of the organization so that they have, I would say, equal input, again from the compliance side of the house and the legal side of the house, because they're certainly the first ones we're going to call when there is an incident, right? Even if there isn't a breach, just an incident.
You know, those are the folks that we're going to be looking to first for advice, guidance and counsel on how we should proceed. That is why I think there should be a healthy relationship between those two, while I don't believe they need to own it.
There certainly should be a healthy relationship between the two, but with information security being the place where those technical controls are going to enforce those policies, it certainly makes sense that, at least on day one, that's where a lot of that ownership is going to lie. I think we're going to see a shift in this as well. For the DPOs that I've encountered at the moment, there's no one set place where that role has been reporting to.
I've seen some cases where it's reporting directly into chief counsel; in fact, in the half a dozen or so organizations I've spoken to where that is the case, they were all in the finance space, and they have a number of other functions, including some compliance, that roll into chief counsel.
We still see a lot of DPOs reporting directly into the CTO part of the organization.
Again, if that is the way it is aligned within your organization, because it makes the most sense for that company based on the way they do things internally, that's perfectly good.
I would challenge all organizations to look at the way they perform their own internal tasks and decide upon that, rather than simply follow the herd, if you would. And this slide certainly represents the herd, right?
I mean, again, information security leading the pack there, but that doesn't necessarily mean that it is right for your organization. So I want to call it out and highlight it, but put that caveat on it.
So, still within the priorities conversation, we then asked which articles were of most concern to organizations. Again, here, no big surprise, right? Privacy by design and by default being a great framework for organizations regardless of the regulation, Article 23 is where most organizations lay their concerns. What is a little surprising,
however, is that that 30% isn't a bit higher. I certainly would have expected it to be no less than an additional 20, if not 40, points higher than that.
And I would argue it probably should be more.
The reason I say that is that if you follow that train of thought, if you use privacy by design and by default as your guiding principle for how you go about adhering to all of the other articles, that is to say that when you perform any activity with regards to the processing of personal data, if by design and by default your systems and your processes are taking privacy into account, it will inherently make the rest of your duties fall in line without the need for additional resources, or wasted resources, as might be a better way to explain that.
And then right alongside with what I would call no great statistical differences between some of these. We see the, the other major articles of concern, article number five principles relating to personal data processing.
So again, that makes sense. And for me, the same is true. If you are following a privacy by design default, the, the principles that are called upon for, for the ways within which you're going to process that data should fall right in line with that as well. The security of the processing.
Again, we, we, we see, we see here that followed along with the data protection impact assessment. We see all of those things falling right in line and right behind of privacy by, by default design. So no real surprise here other than I would've personally expected article 23 to have come in a bit higher, but it's a good thing for that 70% of organizations that are taking GDPR as a priority, they are then also adequately recognizing that article 23 should be the article of their most concern responsibility transfer.
So GDPR is going to affect the responsibilities of the CISO, CSO, whoever the head of security is. Some of those responsibilities we're going to see shift, and this will result in moving risk management, some of the governance activities, business enablement, and those project delivery life cycles over to the DPO.
And if you study this slide a bit closer, you'll understand why I struggle with a CISO also wearing a DPO hat, or vice versa. Having been in the role before, there is already a significant challenge ahead of you with regards to the overall data protection and the overall security needs of an organization, large or small. Adding to that all of the challenges that DPOs are going to face, I think that we may find that a CISO who's solely responsible for all of the DPO activities might be a bit overburdened. It's perfectly okay to begin on this path today, but I think as we mature in our GDPR activities, we're going to need to shift some of those things off, and that role of the DPO will be much like a compliance officer. In a number of organizations we've seen chief compliance officers wearing that DPO hat and/or transitioning into a full-time DPO role, and that feels a bit more natural, if you would, just based on the alignment of responsibilities.
And so, with those additional responsibilities now overseeing sensitive data handling and the impact on those business processes, we mapped out in a bit of detail here, and also in some additional resources on the website, what those look like. And I probably should have done a bit of housekeeping early on: what I'm presenting here is very much a slice of the overall research, and if you're interested to see the entire paper and all of the statistics, you should visit the STEALTHbits website for those.
All right, so let's start getting a little closer to the meat of things. So what exactly should we be budgeting for?
Some of the folks over at PricewaterhouseCoopers recently conducted a survey of north of 200 CIOs and CISOs, and then general counsel, CPOs, CMOs. They pretty much looked at all of the C-level executive folks within an organization that are responsible for data protection and privacy on the whole, and looked at what they were planning to spend, and where and why and how. And so 77% of them plan to spend no less than 1 million on EU GDPR. There used to be a time when a million dollars sounded like a lot of money, but I think it's safe to say that for most of us that actually sounds like it might not be nearly enough resources. But no less than that will be going into projects and other security initiatives or privacy initiatives related to GDPR.
And here were the primary eight ways they outlined that budget being spent.
So, data inventory and mapping. Pardon me, Martin touched on this early in his part of the presentation as well. In order for you to protect citizen data, it seems somewhat obvious that you should know what citizen data looks like within your environment and where it's located. That data inventory and mapping is absolutely mandatory. It is step one.
You need to identify where that sensitive data is, and because you have to understand how it's being processed, you're going to need to map out how that data is processed within your environment. So what does that mean? That means we have to understand where that data enters our organization, how it's processed within the organization, and where it ends up post-processing. So let's just take the example of a large technology firm who provides a platform for selling things online, if you would, right?
So they have a number of web portals on the internet whereby they take in information from across the world. Prior to GDPR, they had not seen a necessity for slicing these things out, and that's perfectly acceptable. There's no need for them to go back and separate systems. They just now need to understand how the data enters, where it enters, and how it's processed and handled on the way in.
So they began mapping out their applications based on exactly that. They know the starting point where the data enters the organization, and from there they begin tracing the systems internally as to where that data's handed off, because it gets handed into multiple places. Some of that data finds its way over to the customer relationship portal, some of that data finds itself in their inventory management systems, and parts of that data find themselves in big data silos that they process again, because these technology companies are so good at monetizing information. They process it there for a better understanding of their customers' needs. That information then finds itself in parts of the marketing organization so that they can then further target their customers based on what they know that they like. So you see where just that simple exercise of taking in that data once now finds its way into multiple parts of the organization, and that processing is very important to understand. And so that mapping activity is extremely important. I'm spending a lot of time on it because, as you can see, that data has also multiplied itself inside the environment. So now that exact same data lives within no less than four or five places within the organization, and from a mapping exercise perspective it starts looking like a tree branching to all these different places. And from a data inventory, data discovery and classification perspective, we've now begun to discover similar data types throughout the entire organization, and we need to begin to classify those so that we can further follow them throughout the organization.
Those are the technical controls that will be necessary for being able to, again, take that privacy by design and default stance that's going to help us stay within the boundaries of GDPR.
I don't want to read each of these off, so I'll just touch on a few others that I believe are equally important, where folks should be budgeting. Training employees to be GDPR proficient: for as great as all of the technologies are that we're going to employ to do these things, it's extremely important that employees understand what their roles and responsibilities are as data handlers within our environment. We talked a bit about the DPO, and that person should be looked at as the ultimate data owner. However, within the environment you're going to have producers and stewards and handlers. And so all of the different roles in the organization, and again I'll rattle a couple of those off: your data creators, your owners, your stewards, the DPO themselves, all of those folks need to understand their role in ensuring that we're adhering to all the different articles of GDPR. So training your employees is extremely important as well; otherwise it reduces the impact of the spend we're going to put into our technologies.
Stress testing GDPR resilience of solutions proposed: absolutely mandatory. It is going to be an ongoing thing from the very first GDPR compliance artifact that you produce. It doesn't end there; it is an ongoing thing forever. GDPR will not go away, and it shouldn't, right? And so we need to test and stress test our GDPR systems to ensure that they are keeping up with the business itself. As the business grows, we bring on new customers, we bring in new partners, maybe we merge, maybe we invite other organizations, whatever the case is, we need to ensure that we're able to keep pace with those things.
Coordinate and integrate the solutions crowdsourced from the business: so this kind of goes back to my point that, although we're going to have one part of the business being accountable for GDPR, we need to make sure that we're including everyone within the business and understanding where their needs are too. All right.
So where can, and where does, STEALTHbits help with this?
You have about five minutes now, Gabriel.
Very good, very good. Thank you.
So I'll try and keep some of this brief. And the good news is a lot of what I'm showing here is represented in egregious detail on the website. So there are a number of articles that our solutions and services directly map to. So for our customers, it's a really good opportunity for them to not overly confuse and conflate how they're going to achieve these things.
There are a number of projects whereby it's not always good to have a single vendor representing this much of your needs, but in the case of GDPR it actually becomes one of those environments where it's really necessary, because so much of what happens in one of these articles impacts another. You want that continuity. And so Articles 5, 24, 25, 32, 33, and actually 30 is not represented here, because we've built out a data mapping solution as well that applies to that.
We have a number of ways of mapping to all of those different articles and helping our customers actually achieve that compliance. And if I touch just really quickly on one of the real-world examples of a customer who did that: they began with an RFP several months ago with a large consultancy, and they saw the results. And I threw a quote up in here: the number was intimidating. The number that was intimidating was actually just the number of data elements that they found. The sheer volume of sensitive data in relation to EU citizens' data that they have within their environment was just stunning to them. And it was because of what I pointed out a minute ago. They knew they were taking in customer data, and so they had a general idea, or at least they thought they had a general idea, of how much data that was, until they realized that the processing of that data, the handling of that data, extended out into so many different parts of the organization. And that's where that number became quite intimidating for them. For every one instance of a citizen's identity that they found, it was replicated upwards of 10 times in different parts of the environment.
So let me power through here a little bit, and let's talk a bit about some of the solutions and how we can do that. So the primary solution we have for addressing GDPR is going to be our flagship solution, StealthAUDIT. And what it does is it gathers and analyzes data from all of the systems throughout the environment.
And it's going to gather data on who has access to the systems, who has access to the data, what the data is. It's going to go out and it's actually going to locate the sensitive data. It's going to classify it. It's going to place classification tags on that data so that we can interact with it. It's going to tell us who should have access to that data. It's going to perform those overall data access governance activities. That gives us that large, holistic view of where data's entered in the organization, who's handling it, who has access to it, why they have access to it, and some of the more complex parts of data access governance. For example, folks tend to move around within an organization, and access tends to be granted quite a bit more easily than it's taken away.
And so some of the other use cases, with regards to EU GDPR and overall data governance, that it's going to address are doing things like privileged account discovery; compliance automation, so that we are able to generate those artifacts automatically based on all that data we're gathering; security configuration assessments; all the things that go to feed into your PIA, your privacy impact assessment; and file activity monitoring. So once we understand where the data is and who has access to it, we can now also monitor what's happening to that data: who is accessing that data, when they're accessing it, what they did to it, and so forth.
Following on from that, our StealthINTERCEPT solution then brings in a layer of security control to that. So now we can enforce who is accessing it. So now we know that I have access, I should have access, and maybe Martin shouldn't have access. And so now we need to be able to enforce those access controls on the data itself, as well as on the mechanisms that grant access to that data. So looking at things like critical Active Directory objects and GPOs that are going to be granting that access, authentication, and file permissions, who actually has permissions to the files to access them themselves.
And then, extremely importantly as well, we have our StealthRECOVER solution. Why is this one important? Well, because things are going to happen. We're going to have incidents, we're going to have changes. And one of the, well, not the primary, but certainly one of the more significant parts of GDPR is that reporting aspect: whenever there is an incident, when things happen, we need to be able to get back to a secure state as fast as possible. So that's what StealthRECOVER does. It allows our customers, in the event that something does go wrong and finds us outside of those boundaries of compliance, to quickly recover, as it says right on the tin. As you focus in on that side of the product, that's exactly what it says on the tin there: it allows you to get back to that state of compliance right away.
All right. So, as I mentioned before, I covered a heavy bit of ground. I want everyone to know, and I'd like you to visit our website, stealthbits.com, that we have a large amount of data on the topic that's extremely informative. It's certainly not a bunch of heavy marketing, fluffy material. There's a lot of informational material there to help you understand the requirements, the needs, how you can address those, and how we can help you address those as well. All right. Where did I fall on time? I think right about the 30-second mark. So shall we turn it back over and open the floor to questions?
Okay.
So we are actually just coming up to the top of the hour, so I'm not really sure we have time for many of the questions. There is a question log, and perhaps what we can do is to send the question log to you, Gabriel, so that maybe you can take some time to answer the specific questions. Many of the questions have really been ones about the actual legislation itself. And so anyone who is trying to implement this really needs to read the GDPR regulation, which is freely available from the EUR-Lex website. In terms of clarification of that, you need to talk to a lawyer, but basically it is pretty clear and pretty explicit what it is that's required of you. So I think, with that, because we're out of time, I'm going to have to say thank you very much, Gabriel, for your detailed presentation on your survey and how STEALTHbits can help with this. The recording of this will be available afterwards, and it may well be that the people that have asked questions that haven't already been answered will be able to receive a response from Gabriel or myself by email. So thank you very much, everyone, and I wish you a very nice remainder of your day, wherever you are.
Thank you, Gabriel. Thanks again. Thank you.
Pleasure. Cheers. Take care, everyone. Bye now.
Bye bye.