Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar "Step by Step Guide to GDPR Compliance". This webinar is supported by ManageEngine. The speakers today are Derek Melber, Active Directory MVP at ManageEngine, and me, Martin Kuppinger, founder and principal analyst at KuppingerCole. Before we start, some quick information about KuppingerCole, some housekeeping information and a look at the agenda, and then we'll directly dive into the topic of today. KuppingerCole is an analyst company.
We are headquartered in Germany, but have people in various countries in the US, the Asia Pacific region and the UK. We write neutral advice, expertise and thought leadership on various topics. We started in the identity management space, but look at many other areas like information security and others concerning the digital transformation. We do this by delivering research, such as product analyses like our Leadership Compass documents and trend reports.
We do this through our events like the webinars and conferences.
I'll touch on conferences in a minute, and through advisory, where we support customers, for instance, in defining their strategies and roadmaps, and in tools and processes. We have a couple of upcoming events. The next two are our Digital Finance World, which will look at the changes digitization brings to the finance industry. This event will run end of February, early March in Frankfurt, and then we have our upcoming European Identity and Cloud Conference, which will run for the 12th time in Munich in May.
We also have a lot of standardized offerings in our advisory, like our GDPR readiness assessment, where we, in a very stringent and efficient approach, analyze the readiness of organizations for GDPR and identify areas where organizations potentially need to make the one or other adjustment to get ready, and to understand where they are, where they are good enough, where they need to improve, where they're already really good, et cetera.
So let's look at the webinar. Some guidelines for this webinar: you are muted centrally, so you don't have to mute or unmute yourself.
We are controlling this feature. We are recording the webinar and we plan to publish the podcast recording by tomorrow at the latest. And there will be a Q&A session at the end of the webinar.
However, you can enter questions at any time. There's the GoToWebinar control panel, which is usually on the right side of your screen, and in that control panel you find the area "Questions" where you can enter your questions. The more questions we have, the more lively our Q&A session will be. So let's have a look at the agenda. As usual for our webinars, the agenda is split into three parts. In the first part I will talk about GDPR requirements. I will look at some of them in more detail, at others more at a high level.
GDPR has a lot of things in it, so I will look at some of these in more detail. As I've said, I will talk about the new challenges imposed by breach notification. I will touch upon why it is so important to know where data resides. In the second part, Derek Melber of ManageEngine will look at some concrete actions organizations should take to fulfill GDPR requirements and to avoid penalties. He also will have a look at why you need more than one tool for doing so.
So, simply said, there's not the one single tool which makes you or helps you become GDPR compliant. It's more than that you need. In the third part, as I've already said, we will then do our Q&A session, and the more questions we have, the better it is. So let's start.
And I want to start with the one thing which is definitely important from today: there are only 164 days to go, if I have counted right. That's not that much anymore. So on May 25th the GDPR will become effective.
And when we look at the GDPR: before it, we had a situation where each EU member state had its own data protection laws. There was one particular EU directive, but this had to be transposed into each national legal system. There's a very interesting thing here.
In EU law, there are directives and there are regulations. Directives have to be transposed into the national legal system of each member state first, before they become effective, and thus there could be differences between what it is in each state. Regulations sort of overrule the national law, and GDPR is a regulation. So once it becomes effective, it's effective.
So entry into force was in 2016 and the applicability is 2018, so this is a two-year period. Organizations have had that time, and less than half a year is left until the GDPR becomes applicable.
With the GDPR we have a lot of interesting changes. One is the harmonization at EU level, so it's one regulation for all. It's far more modern than the old directive and most of the national laws. It strengthens a lot of existing data protection standards and adds some other things, and it has an extraterritorial effect: the GDPR binds businesses established outside the EU to the European standards when operating in the EU area. And this is, I think, a very important thing to understand. It's not only a European regulation; it's something which has an effect far beyond the EU.
If you want to do business, be it paid or not paid.
So providing services, also if you don't charge for them, makes it applicable to you. I think there are some important definitions. I'll go through them very quickly. There's personal data, which is any information which is able to identify a natural person, the so-called data subject. It's important to understand: there's a lot of stuff in there, and I don't go into all details here, but it's very important to understand that if you can potentially trace back to a specific natural person, then it's PII.
So it's not just that you say, okay, I have this record which says Martin Kuppinger, with this home address and so on. It's far earlier that it becomes PII. If it really allows you to trace back by combining attributes, then you have to consider it PII. Processing is another important thing.
So processing is all the stuff around data processing, such as collection, recording, organization, et cetera, so storage as well. There are a lot of things which fall under this processing.
So processing is also a very broad term, and that means, in fact, the definitions of both what is PII and what is processing of PII are very, very wide definitions. We have a lot of other things. We have the data subject, I already mentioned, that's the natural person. We have the controller, who says how data shall be processed, who is sort of in control of that data. And then there's the processor, who does the processing on behalf of that controller.
So that might be, for instance, a service where data is stored, or a service which uses all of the data to do a specific task on behalf of the controller, et cetera. Very important,
and I'll touch on this in more detail, is the area of consent. So consent is something which is required, which is very important in that concept. It's not always required, to be honest, there are some other things around it, but consent becomes very important.
The interesting thing here is that consent needs to be all of these things, which I think should be roughly read as: freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or by a clear affirmative action, et cetera. So at the end, the typical style of cookie notices, "oh, we are using cookies, and if you want to proceed, say okay", that's not enough anymore. It needs to be far more clear.
If you look at "informed", for instance, consent needs to be specific: what specifically do you do with the PII, and all that stuff?
And then there's the personal data breach, which means something that might lead to destruction, loss, alteration or disclosure of PII, which is important in the context of all the penalties we have. So within GDPR we have six key principles. Personally identifiable data must be processed fairly and lawfully, so there must be sort of fairness in that; only for specified, explicit and legitimate purposes, so it's not easy to say, okay, I want to do something different, because that might be just another, until now non-specified purpose, which then leads to the need for additional consent.
There's the concept of data minimization: only store PII which is really relevant, and the minimum. And we all know a lot of organizations store far more PII and collect far more PII than they really need.
If you look at many of the registration forms you have to fill in more or less day by day, there are frequently so many fields where you say, hey, why does this company need that information? Not for that purpose.
Then the information needs to be accurate, kept up to date, and kept no longer than is necessary. And the controller is the responsible, liable party to ensure and demonstrate compliance. So at the end, the controller is always in charge. So when we look at a quick summary of the fundamental changes with the GDPR and fundamental concepts of the GDPR, one of the most important ones clearly is: unless another legal basis is in place, consent is required prior to processing personal data.
So if there's a contract you already have in signed form, the contract is what means you don't need the consent to be given explicitly.
Then there's the concept of legitimate interest. There's the concept which says, if there's legitimate interest, you don't need to get consent.
However, the definition of legitimate interest is narrow. And I just a few days ago had a conversation with a lawyer who simply said, you know, just earning money is not enough to have a legitimate interest. So that's not enough. There must really be a very concrete legitimate interest, and most discussions go like, oh, we might bypass consent by saying we have legitimate interest.
The position of most lawyers is very clear: usually, at the end, you'll end up with asking for consent. By the way, if there's legitimate interest, you still have some informational duties. You still have to inform the data subject about the PII you have in storage, so it might not really solve your problem.
So we already had this consent: freely given, informed, et cetera, per purpose, and it might be revoked at any point of time, per purpose. So I can go and say, okay, for that purpose I don't give you consent, but I'll leave it for others.
And if someone adds a purpose for using the PII, he needs to ask for additional consent, which is very important because it fundamentally changes sort of the interaction and the journey of the user in using the application, the service, when he's asked for additional consent. So you have to explain to your customer or consumer: hey, you already agreed to that at some point, and right now I want to do this with your PII, would you please give me your consent? So you obviously need to bring up a very good argument for the people to say, okay, yes, makes sense,
I give you my consent. There's the concept of DPOs, data protection officers, which are required. They can be external. For some countries that's straightforward, because they have to have them; others don't have it. Under certain circumstances, for public bodies, or when dealing with health data and other sensitive data, you need to undergo regular specific data protection impact assessments. Data breach notifications, notably to the supervisory authority, not necessarily to the data subject, within 72 hours. Data control rights:
so that's the right to be forgotten, the right to freeze data processing, the right to export data and edit it. If you don't know where the data resides, you're obviously in trouble, because then it's hard to be compliant. So you need to understand where the data resides. There's the concept of privacy by default and by design, which are now mandatory. So there are many key aspects; I just want to pick a very few.
One I already touched on is this scope of application.
So if you offer goods or services to EU data subjects or monitor the behavior of data subjects in the EU, GDPR applies. There's this idea of data protection impact assessments: where there's a high risk, a higher risk for the rights and freedoms of data subjects, then you have to go through it. There's a pre-assessment and an initiation, so there are various phases: proposal, identification of systems processing personal data, a very important thing, so where does the data reside, where is it processed; identify the risks. Then you can make your assessment, you can look at controls and residual risks,
and you can document it. So you really have to understand, again, where the data resides. Another point which comes up frequently is the data breach part.
Again, it's important to understand that; that's frequently not very clear in the discussions.
There's the notification to the supervisory authority within 72 hours. That's not much; if you're not prepared, you have a problem.
Because it says, okay, what are the measures you already took? Which measures will you take? What are the consequences? To collect all that data within 72 hours, that's hard. And we are talking about 72 hours, and not like with some of the cases which have become public over the past 72 months or something like that. It's really a short period. Notification of data subjects without undue delay, the nature of the breach, and there are some exceptions. So if it will not negatively affect the data subject, you don't necessarily need to inform.
That's an interesting point, because it opens some interesting doors here. Fines and sanctions are frequently discussed, heavily discussed. So the amount of fines has been significantly increased: 4% of annual worldwide turnover, that can be pretty tough.
For a retailer, 4% could be far more than your margin. Or 20 billion, whichever is greater. And the data subjects can lodge complaints with the DPAs. This is very important. So we will see a lot of these complaints come up, latest on May 26th next year, because a lot of data subjects, I bet, already prepare for that. And then the process starts. So it's not that the DPA needs to become active itself. There can be complaints, and there will be complaints.
And there's Article 82(1), which is also frequently ignored until now: any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered. So it's not only the fines; there's another option for people directly asking for compensation.
So there will probably also be a lot of lawsuits around that aspect. Another interesting thing: just look at some notes and some statements around that.
So fines should be a matter of last resort, not the default. So there should usually be a warning, a reprimand, a suspension of data processing, which could be worse than fines.
So in theory, first there's a suspension of data processing, saying, oh, you're not allowed to run the service anymore, then the fine. Stopping it might be more harmful than any fine.
However, there might be situations where others issue fines without warning. The Netherlands, for instance, already announced that, but only in serious cases. But what is a serious case? How many of those will we see? I think there's a lot of room for discussion, but there's a risk and we need to deal with the risk.
So what should we do? What are our key actions?
And when I look at these key actions, the first one is discovery: discover and document the PII you hold. By the way, part of the regulation also says that you have to document the data flows to data processors, and also from you as data controller to data processor, to the next data processor, et cetera, across the entire chain. Check that it is necessary and the minimum, correct and up to date, and look at your models for consent and control. Then look at the consent part, per purpose, et cetera. Proof of age is an important thing.
Family consent is a very complex thing to implement, if you're realistic. So there are some interesting things around consent. Look at how to deal with consent. Define your strategy. Also look at what it means for the interaction, starting from the registration process of a customer or consumer to the ongoing communication with them; it will change a lot of things. You need to implement control: access control at data field level, control of aggregation, the access requests, et cetera. So implement control, and implement security for the cloud as well.
Assure compliance when data is held in cloud services. That's feasible, but you need control. Have your control over PII also in the cloud; look at the certification of your cloud service providers, all that stuff. Set up or ensure that you have data protection officers, and if you need to do DPIAs, ensure that you do them. And prepare for the breach.
That's absolutely important. There are so many other things within GDPR we need to look at, but I think these are some of the really, really important actions to take.
And with that, I want to hand over to Derek, who will do the second part of the presentation, who will talk about the concrete actions right now, and also look a little bit at the tooling you need to run to be compliant with GDPR. Derek, it's your turn.
Excellent. Thank you so much, Martin.
I really hope that everyone is grasping the breadth of what Martin was reviewing there. He really touched on what I consider to be some of the most important points of GDPR.
I think, you know, here in the US, which is where I currently live, we've been dealing with so much over-compliance and over-regulation that GDPR is just one more notch, but many of the points that Martin is bringing up are absolutely critical. And what I want to do is go into some details regarding especially a Windows environment, because many of us rely on Active Directory to secure our environments and control access to data. Before I do that, I just want to kind of give you a very brief overview of who I am,
so you know a little bit about who's talking to you now. I am the technical evangelist for the AD solutions team here at ManageEngine.
And what that really means is I get the opportunity to travel around the world and talk with administrators, talk with organizations, and really have the ability to help organizations get answers to questions that they have. And what we're talking about today is really helping organizations understand GDPR, kind of get some ideas on what they're going to need to do with GDPR, so you can take action now, so that by May you're ready to go.
I do want to point you to some other resources as well that are available on our website that can really help you with this concept of security. If you actually just go out to our main landing page, one of the things that I want to point you to is a security hardening site that we built a couple of years ago that will help you with certain aspects of what I'm going to show you today.
That will also just overall secure your environment. If you just hover over Products and go to Security Hardening, you will see this site. The site is dedicated to you.
And if you go to the bottom of the site, which is the most important place, you will see all of these areas. And we're going to touch on quite a few of these areas today, which are things that you must secure and you must monitor. And if you click on any one of these, you'll see that we have blogs and videos that will help you maintain that. So this is an excellent resource for you to take advantage of, both for GDPR and just overall security of your environment. The second resource that I want to point you to is actually a dedicated GDPR site that we put together.
So if you come to manageengine.com/gdpr, we have lots of different things that you can read.
Some guidance. We have information about our solutions and the different tools that are available. Martin mentioned that there is no one tool that you can get for GDPR, so you have to understand the complexities around GDPR so that you can pick the right tools.
So it's very important to understand the moving parts, and not only at a description level but at an action level. So the action that you're going to have to take actually has to make a lot of sense, because otherwise it's just words on paper, and you have to know how to put action in place. And that's what we're going to talk about today. I do also want to key you into our world tour for 2018. This will be our fourth year of doing this. We are going to have a very stern emphasis on GDPR. The dates are being finalized
as we speak; we will be hitting probably 12 to 15 countries before May.
So please keep an eye out for these. These are great ways for you to come to an event, talk with people that understand technology, and share information and get information from other people that are dealing with the same things. So please keep an eye out for our AD solutions world tour in 2018.
So what are we really going to focus on today? Well, what I want to focus on is, I'm going to decrypt some of what Martin went over and give you that in action. I want to actually show you what that means, and what we're going to do by the end of this is I'm going to give you a recipe as a foundation for what you can do for GDPR to meet compliance. If you have a breach, if you have someone come in and ask for information, kind of in an audit, you have to have all these things ready to go, and you cannot wait until May to do this.
You will be behind the eight ball and it will be impossible for you to generate that information on the fly. So let's kind of walk through the different components that I see as important from a technology implementation standpoint with regard to GDPR.
Now, first of all, as Martin stressed very importantly, identifying personal data is probably going to be the one thing that is most complicated. I don't think that implementing tools is really going to be that complicated, and I'm going to show you how easy it can be. The thing that's going to be complicated is: how do you find the information? Because for years we've never had to worry about this, and now all of a sudden we have to worry about where personal data is, so that we can monitor it and we can track it.
So you're going to have to scour your file servers and your storage devices looking for personal data.
Now, of course, if you collect personal data from a form on the internet and you shove it into a database, that's pretty easy, but what about information that you gather as a one-off? Maybe you just have an employee that gathers information, maybe in interviews, maybe in gathering information about potential customers. This is all part of GDPR. So you're going to have to go through and scour your servers and your storage devices. You're going to investigate all of your databases.
You actually also have to look at endpoints. You're going to have to look at your users' computers. They might have an Excel spreadsheet that has information about customers. They may have information about potential people they were going to hire, and they never hired them, and they were HR employees. We may have laptops that are roaming around with this information. It's very common, especially for road warriors like me, to take information from the network and store it on my laptop.
That way, if I don't have internet access, if I don't have VPN access, at least I have the information that I need.
And if I'm working in an industry where I'm dealing with information about humans, personal data, then this becomes a point at which we need to track this information. So what you're going to have to do is come up with methodologies for finding all of your personal data. A couple of weeks ago I was in London, and there was actually an organization, an IT person, that came up and talked to me and said that they send out a questionnaire to every employee asking them about how they interact with personal data. That's one step.
But what if you send a questionnaire to an employee and then the employee forgets about some information? You're going to be missing some information.
So these are just some things that we really need to think about.
Now, once you actually find your information, you're going to have to organize it. What I'm going to suggest is you try to isolate GDPR information. That doesn't mean on one server and one file or one folder. It means that you have to know where things are, just like Martin was talking about.
Now, if we get into kind of a live environment here, I have a very simple environment. Obviously this is just a demonstration environment, but what I'm going to do is show you how and what I mean by some of the things I'm talking about. So here you will see that I have a GDPR folder.
Now, what I'm going to recommend is that when you go to a particular server that holds GDPR information, it's pretty clear which part is GDPR and which part isn't. This is going to be easier for you to search, easier for you to see where GDPR information is.
And when you have to prove where your GDPR information is located, this becomes extremely important. So what I'm going to suggest is you try to put your GDPR ducks, your GDPR eggs, in one basket: get your ducks in a row and get your eggs in one particular basket. That doesn't mean one server.
It just means know where this information is and isolate it from other information. What we don't want is databases storing GDPR information and non-GDPR information, because you may not have to monitor the non-GDPR information, but if it's all in the same location, it's very difficult to separate that out.
Now, once we have determined the information and organized it, you have to secure it. With regard to security, especially in a Windows environment, which is pretty much the same across all OSes, you're going to have to set up your access control lists, and the data must be encrypted.
Now, inside of a Windows environment, we simply go into our security configuration and we are going to control who has access. You'll notice here that I have a mixture of managers and also some GDPR groups.
This, in my opinion, becomes a huge problem for you, because now you can't just monitor GDPR groups and their access; you also must monitor other generic types of groups and their access. So my recommendation is, when you set up this GDPR security, that you go in and make sure that your access control lists are very tight. The looser you are with these, the more information you're going to have to monitor. Also, with regard to GDPR information, you're going to have to encrypt the data. So you're going to have to make sure that you go in and all the data that you have is encrypted. This is part of GDPR.
So what we're doing here is establishing the foundation for what's important with regard to GDPR data. And this is completely across the board what you're going to have to do according to the compliance regulation. Now, I've already shown you that you're going to have to go in and set up the security on the ACLs, but you also have to set up how this is structured inside of Active Directory. So if I go into Active Directory Users and Computers, you'll notice that I have a GDPR OU, and this is where my GDPR groups and my members are going to reside.
Again, the idea is that I want to keep these things isolated, so I know where to go. If I have to run a report, I know exactly who I need to monitor for changes and things that are going on.
Now, once we have our data organized and we have our data secured,
that's only the core requirement. We must then go in and monitor. We must monitor the access to this data. We must look for inappropriate access. We must know if we are breached. And there is a difference between inappropriate access and a breach. Inappropriate access is someone accidentally got into a group and they have access and they shouldn't have access. A breach is we were attacked and the information, pretty much en masse, was downloaded.
And now the information is in the wild. But no matter what it is, we have to know that this occurred. So we are going to have to go in and monitor everything that is securing the GDPR data. So what do we do with that?
Well, first of all, let's talk about our groups. You'll notice here that I have a group, GDPR Modify Access. And that group, as you saw a minute ago, was on the access control list.
If I go in and add someone to this group, the group membership changes. You are required to track this.
Now, not only track this, and what I mean by "not only track this" is you can't just rely on the Event Viewer to somehow track in the security log that this has changed, because this is not sufficient. Your security log can only store so much information. So what you need is a tool that is going to allow you to track that information.
Now, if you look at a tool like ADAudit Plus, which is completely designed to do this, it's extremely easy to set this up. All you do is go in and say that you want to look at group modification. You're going to create a new report profile, "GDPR groups" or "GDPR group mods". You're going to say that it's group modification, and then you get to specify what changes go with that; even the name change can be important, right?
So if anything is modified with this, you need to set that up, and then you simply come in and say, I want to search on GDPR.
Now, once you have this in place, the idea is that you can just select all the groups that are dedicated to GDPR. Perfect. Now I'm done. Okay.
Now, at this point, if someone goes back in and modifies anything related to this group, anything that's modified related to that group, and I go back to this report, that report is actually going to tell me of those changes that are occurring inside of that group. This is the information that you need, because, as we're going to talk about in a minute, if you were breached, or if someone asks you for the group membership and the changes, you need this type of report. But notice how simple it can be
if you have things structured correctly; but you have to have things structured correctly in order for you to easily do this. Now, am I saying that this is easy to accomplish? I'm not saying that at all. This is a tremendous amount of work. That's why we are six months before GDPR talking about this. You're going to have to go in and kind of change the way that you do business around personal data, and you're going to have to set up these types of configurations so that you can track.
Now, what we're talking about here in a audit plus are access groups, security groups that have access to the data. And we're controlling those. This group is stored in active directory, but this really has nothing to do with specifically the data. That's why you need other tools such as file audit plus, which allow you to go in and specifically target just the data that you're concerned about.
Because if someone goes in and they manipulate data, that's inside of here, say for example, they modify or they change information.
Let's say someone goes in and they update a file and they shouldn't have updated the file. Right?
Well, this could go back to the concept that Martin was talking about, about information being correct. Well, what I need is a tool that is going to help me see that possibly I have modifications. I have to know what's going on inside of the environment. I have to know and be able to track this. So what you can do is you can set up how you want to look at things who you want to look at. And now you have the ability to generate these reports, to indicate what is happening over time. You obviously have dashboards which are gonna help you with this as well.
So you have dashboards, which are quick and easy to look at, and then you have reports, which you're gonna have to generate for auditors and if you are breached. So with regard to really what Martin set up and the details that I'm talking about, you're gonna have to go in and really investigate and track changes to any concept that is related to this idea of GDPR data. You also have to deal with breach detection. So when it comes to this concept of breach detection, you're gonna have to have tools in place which help you track this.
Now, another tool that we have is called EventLog Analyzer. Now, EventLog Analyzer is a tool that really looks at all of your devices. ADAudit Plus is a tool which looks at Windows devices. But when you need to look at bigger devices, you need to have the ability to go in and determine if things are happening.
I need to see if we are being breached. If we are breached, I need to be able to generate reports with regard to things that are happening. So, for example, if I have a breach to one of my, let's say, servers, then I need to have that information.
Now let me kind of go back in time and show you what this might look like. So you'll see here that I have breach detection set up for a SQL injection. So if there is a trend of a SQL injection on one of my SQL servers, which I have set up in my settings, then I can have reports generated for this as well as alerts. So this is the level of detail that you need now. Not only possibly do you wanna look at SQL injections, you wanna look to see if you have firewalls that are changing.
So if I have any rules that have changed on my firewalls, these don't change. I need to be able to set this up.
One of the things that Martin really talked about is, inside of the idea of these post-breach reports, you're gonna have to indicate where the breach occurred, the extent of the breach, and then you also have to give details around what was affected. And then he even mentioned that if it affected the personal data of the user or the person you collected, you're gonna have to notify them. So all of these things become an important concept around this idea. Now, this just dives deep into a Windows environment.
But if we take one step back, you also have to be concerned about privileged identities, identities that have access to data, that are part of the processing of that data. So these privileged identities normally are service accounts, but don't have to be, but these service accounts can be attacked.
They can be breached. And if you're not monitoring these, if you aren't tracking these and controlling these, it can really be a big problem. So what we have to do is have tools such as Password Manager Pro, which is a vaulting system for your privileged accounts and their passwords.
So you can control all aspects of this, because if one of your service accounts is breached, this has to be part of your write-up. And this is where Password Manager Pro comes in. So what we've done in the short time together is kind of walk through some details around what is required for the actual implementation, technically, for you to meet GDPR. We talked about identifying and organizing information, securing the information, what you have to monitor, and it's not just the data. It goes well beyond that data.
Then you have to have tools that can generate reports and these reports have to be in place well before any negative thing happens or any auditor comes in asking for that report. All of this stuff has to be in place.
So, Martin, that kind of concludes what I wanted to talk about, and I'm really hoping that we have some great questions lined up.
Derek, thank you very much. And indeed, we have a couple of questions waiting, so let's directly move. Oops. Directly move to the questions. Give me a second to share my screen again, as we are right now in the Q&A session. And so there are various questions we have here. Maybe we start with one. So one is around your tools, and I think that's a really good one. How do ManageEngine tools track file changes, et cetera? Is there an agent running on the servers?
The tool that I showed, which is FileAudit Plus, does have an agent that is running on the file servers. That's absolutely correct.
Okay. And do you also provide a hosted service?
FileAudit Plus is not a hosted service. We do have some tools in our repertoire which would help with cloud-based installations, and certainly we have over 40 different products.
So depending on exactly what they're wanting and what they're wanting to track, whether it be, you know, let's say they're talking about Azure or something like that, it really depends on what they want, but certainly they can contact us and ask more specifically, and we'd be able to help them.
Okay. So let's look at some of the other questions.
So one, maybe I pick, and you add on if you want. So is there a difference between, let's say, Trudo as a private person, so the data subject, and Trudo as an employee of, whatever, Acme Inc.? So basically both are data subjects, and as data subjects, the same regulation applies. The difference might come from, for instance, the contracts which are in place on one hand between your organization and Acme, and between Acme and Trudo, in contrast to the contracts, or not contracts, which are in place between your organization and Trudo as a private person.
So they are different and they're the same. It depends at the end. It depends really on more details of the scenario.
So what are the contractual relations behind that, et cetera, which you need to figure out, from my perspective. Maybe, Derek, you wanna add something on that?
So this actually was brought up to me a couple of weeks ago when I was in London. And it really made me start thinking about kind of the breadth of this. I think we're all learning as we go through this, and something that you mentioned earlier, Martin, really tied in with this as well, which is contracts that are already in place.
Now, when we start talking about an employee, this becomes very, very critical, because I believe what's going to have to happen is organizations are gonna have to look at employees as really data subjects. They have personal information about employees. And if an employee's information is made public, really what they need is their consent to deal with that as well. So I think consent is gonna have to be for employees, for individuals and for organizations. I think all three of them are gonna have to have the consent. Yeah.
I think an important part is the GDPR also affects the relation between an organization and its own employees. So, yes, it's important to understand here. Another question. So we have already a couple of questions here on the consent form. Maybe also one I start and then you add there: the consent form. Can you have the individual waive their GDPR rights, such as the right to be forgotten? So basically it's up to you how you do it. You need to provide a simple way for consent. Obviously there are very clear regulations, and the same holds true for the individual data rights, the right to be forgotten, et cetera.
So you're not allowed to hide it somewhere deep down on your website, but it must be accessible. And so it depends on how you want to do it. I think this is a really important recommendation. When you look at GDPR, think about what are the customer journeys, the various types of customer journeys you have, or consumer journeys, from registration to all the other interactions you have, and think about what is the best way to interact with them regarding the handling of their PII.
And then it might turn out that it's good to have these options like right to be forgotten on the same form, or it might be better to have it in a different way. It's really more: start thinking about it from what does it mean for my organization's relationship to my customers and consumers, what is the best way to do it? And this is, I think, probably the most logical and best way to handle it. And then you will end up with the one or other way to do it. You can combine it, but you don't need necessarily to combine it in one form.
Yeah.
And I think you hit on all the key factors there, Martin. If I were to summarize it, I think, and if I tie it back to really what you focused on earlier, you have to be clear on what you are gathering and why you're gathering it and what you're gonna do with it. You have to be clear on allowing the person to remove the information from the database, so you no longer can use that information. And then there has to be information about how long you're gonna keep it. And then that has to be purged at that point.
So there should be no more communication after that.
Okay. Next question. You said that you must be organized with GDPR in mind. I just can agree on that. If an AD installation contains consumers from all over the world, so AD, Active Directory, does this mean I need to separate my users into another Active Directory or a branch, or are you in the same Active Directory? So what are the best practices for user data design and persistence here? So maybe you start, and then my view.
Okay.
So when you say you have information throughout Active Directory, most likely this won't be customer information, because customers normally aren't in Active Directory. Now, if the customers are in Active Directory because you're providing some kind of a centralized service for them, then actually I think it should be separated out. Absolutely.
But I think within Active Directory, if they are employees, it kind of goes back to the last point, which is they're gonna have a consent that they sign. If they are partners, well, again, I think Martin mentioned this earlier, they already have a contract in place.
If not, you have to put one in place. So that really covers employees and partners. And then if you are providing a service, yes, I think those should be separated. I do. Should they be in the same Active Directory in a separate OU? That's a tough one. I really have to look at the structure of what you're providing for the service to be able to answer that.
But I actually think it should be a separate Active Directory.
Unless, and I think that would be my note, and maybe something you could think about, unless you want to offer the same level of privacy to all of your customers from all over the world. So with GDPR being probably currently the most stringent and strong regulation, you also might say, okay, why not use this as a standard model, because I will be compliant virtually everywhere following that approach. So it might be an option as well, which then makes it easier, clearly, to handle that. If not, it's about segregation. Yes.
Otherwise it'll be really tough to handle it. Okay. Next question here: if you want to set up a data lake in the public cloud, how would you recommend to handle PII which is held in that data lake? Derek, you mentioned something on keeping PII separate via the topic. So how would you implement this in the context of a public cloud?
So I'm gonna stand true to what I'm saying. You're gonna have to isolate this, and for the information that falls under GDPR, personal data, that information has to be addressed at a different level than everything else.
Now, Martin, you just brought up a good point, which is if we just wanna raise the standard for everyone, for the entire organization, whether it's GDPR data or not, that's a good idea. It just depends on the volume that we're dealing with.
So when you are sharing, when you are putting information into a cloud-based environment, you have the same requirements in that cloud as you do on-prem, when it comes to the monitoring, the security, the controls, the breach, everything. So as soon as you put that information in the cloud, now you're going to duplicate your efforts in the cloud as well.
Yeah. Okay. You mentioned backups. Are these required by GDPR?
So this came up again a couple of weeks ago in London, and my interpretation of GDPR is that it mentions storage. Well, since storage is part of GDPR, then of course we have to deal with a backup of that storage, because we also have to make sure that things are correct. We have to make sure that data that can change is constantly correct. So if I back up data to make sure that I'm consistent, and I restore that data, the data that I restore has to be correct. So in my opinion, backups are absolutely part of meeting GDPR compliance.
Okay. So let's look which other questions we have.
Some companies have established country-specific websites. If an EU citizen goes to the US site instead of the country-specific site, does GDPR apply to the US site? Good question. I would have to ask our lawyer.
So I am going to second Martin's "ask the lawyer," but I'm gonna give you my layman's answer. My interpretation of GDPR is, if I am a US-based company gathering information about an EU citizen, I have to meet GDPR.
Yeah. And I think if there's anything, at least, latest when you have any indication that it's an EU citizen, even if he goes to the US website, you need to comply.
I believe so, because you're gathering that information. Yeah. But
It's, again, a layman's answer, and clearly there are some very interesting things to discuss. And honestly, on the other hand, I think that's something we shouldn't underestimate. When I look at many of the regulations I've seen so far over the past years, GDPR is amongst the ones with the least number of, or least amount of, gray areas. So GDPR is pretty clear, and it's worth reading it. It's available on the website for download, so particularly the standard articles.
So the core regulation is very well structured. In front of that there is a big preface with a lot of annotations. These are not as well structured, but anyway, it's interesting to read. So, going back to the questions, I think we pick one more question here. So one question I have here, back to the ManageEngine tools: do your tools integrate with management systems, provisioning, access governance or control systems, et cetera?
The tools that I showed you, ADAudit Plus, integrate with a couple of storage management tools. We have our own tool for provisioning users, whether that be Active Directory or our centralized ticketing system to provision users. And that actually does have some integration with other tools. And if you're interested in that, I would suggest that you email us and get in contact with someone that is more in tune with those tools. I'm more of the Active Directory guy. So I think that requires some additional communications with some other people on my side.
Okay.
Thank you, Derek. So we still have a couple of open questions. What I propose is that Derek directly follows up on these questions, because we are close to the end of the time for our webinar. Maybe we pick one final question then, and as I've said, other questions we will follow up afterwards.
So one is: will GDPR apply to audit trails and log trails of current and legacy systems, where only the username exists and the activity they performed? So is any of this considered applicable to GDPR, Derek?
I'm sorry. Can you ask the question one more time?
So if you have an audit trail or log trail of a current or a legacy system where the username is tracked and what he has done, so the activity he has performed, is this applicable, or is GDPR applicable to that type of data?
Again, I think this falls under what we talked about before with employees and partners.
So my suggestion is that you have a pretty widespread consent for your employees, and that would include what you're mentioning in that question, which is tracking their behavior, because anything that happens with an employee's account, whether that be HR personal information about where they live, their health information, or it's their Active Directory information and what they're doing, that would all fall under that blanket consent.
And I would say the same for partners, because at that point, if they're dealing with stuff inside of your organization at that level of access, then they should have a blanket consent as well. I think where it really gets confusing is when you start talking about email, and the communications of email that go outside of the organization, and what's contained in those emails really becomes a consideration for GDPR.
Okay. Thank you very much, Derek. Thank you very much to the attendees of the webinar. Hope to see you at one of our upcoming events next year or one of our webinars.
So we will have many, many webinars next year again, starting in January. Have a look at our website. Again, thank you very much to Derek, and thank you very much to ManageEngine for supporting this webinar, and enjoy the upcoming holiday season.