GDPR Action Plan: Discover, Manage, Protect and Report

Matthew Shea

Matthew: On May 25th, 2018, the European Union began enforcing the General Data Protection Regulation (GDPR) to protect customer privacy and data. GDPR adherence requirements apply to any organization in any country, inside or outside the EU, that handles or processes EU residents’ personal data. In the wake of GDPR, organizations should reconsider their network security, data discovery, data access, controls, mapping, and governance policies and practices, to ensure regulatory compliance and to prevent stiff fines for noncompliance. Here to discuss what GDPR means for organizations using SAP products and data sources are experts from Dell Technologies and Auritas, a leading data management firm specializing in comprehensive SAP solutions.

I’m excited to be joined by Deepak Sood, the CEO and CTO of Auritas; Brett Hansen, vice president client software and general manager data security at Dell; David Boeckle, vice president for strategic accounts at Auritas; and Morten Loderup, SAP North America alliance manager at Dell. Thank you for joining us today. To begin, can you provide our listeners with a quick overview of GDPR and its impact?

[00:01:31] Brett: GDPR is the first regulation of its nature that covers an entire marketplace. It’s not focused on a single industry like a HIPAA, or a Basel II, or some of the ones that we’re more used to in the United States. It’s any organization doing business in the EU.

What really makes it unique is a couple different things. First is the breadth. It’s not simply looking at one or two elements of data hygiene. It’s looking across an organization’s entire ecosystem of how they collect, how they manage, how they control, how they delete data.

The other thing that makes it unique is the teeth. They’re very real, the fact that you’re talking about 20 million euros or 4% of revenue, means that failure to comply can have some very serious implications to your business. It’s a big step for any government organization to be bringing forward a set of regulations as broad and comprehensive as this, as well as punishment of this severity.

[00:02:42] Matthew: Looking forward, how can organizations ensure they’re GDPR compliant in the short and the long terms?

[00:02:51] Deepak: I can quickly answer that. Considering the regulations that have come forward with the GDPR, the first piece that we are looking into is finding out what kind of data are we holding or are we keeping, that could be put under the purview of GDPR regulations?

Starting with PII information, personally identifiable information, what applications are keeping that information? Not only the primary area of the first name and the last name, but if you have primary and secondary location of the information stored into a single application or a group of applications that can create a logical record, that is identifiable for a European Union citizen, you need to identify how that can be created, where that is located, and then define the process and procedures for making sure it is secure, it is encrypted, and if the user has requested you to delete that information under the GDPR guidelines, what would be the process for you to address that?

There are some other regulations in GDPR whereby, if you have passed a particular time segment, and you have not used that particular user’s information for any kind of business transaction, you are also legally liable to dispose of that information from the systems.

[00:04:24] Matthew: Deepak, could you have a sense of where on SAP applications this user data might lie?

[00:04:32] Deepak: There are, SAP being an ERP platform, you will find that there are multiple locations where you’ll have to look for this particular information, but we look at the SAP platform not only from an ECC perspective, but from the fact that you have an SAP CRM system, supplier relationship system. You have not only your primary system of record as an ECC platform, but you also have BW system. All these systems contain data that is linked with GDPR.

I’ll give you some examples. If anybody’s trying to find the detail, what should they be looking for? Whether you do business in the European Union or not, if you are keeping, or if you are having employees who happen to be European Union citizens, you are under the purview of GDPR compliance requirements, and you have to comply with these details. Then, some other ideas that you want to look into will include customer data, vendor data, and they also look for any kind of financial transactions you have done with these particular customers and vendors, but then if you look for additional applications like SuccessFactors, FieldGlass, those are all candidates for GDPR-related information, and you may want to look into the specific fields for specific users within that space to comply with GDPR requests.

[00:06:06] Matthew: Morten, looking for SAP customers, what are the steps that they can take to become compliant with all these implications?

[00:06:17] Morten: There are various types of steps that customers should take to ensure compliance. We’ve put this under a fourfold umbrella, under discover, manage, protect, and then report on the various aspects of their SAP landscapes, and whether they’re running SAP or not, these customers have to become compliant and understand what technologies and resources are available from Auritas on the services consulting side, and Dell Technologies on the software and the infrastructure side.

[00:07:01] Matthew: How do Dell EMC-ready solutions for SAP relate to GDPR?

[00:07:06] Morten: With Dell EMC, we have, from Dell Technologies, and specifically Dell EMC, we have certified SAP infrastructure. We’ve certified our servers ever since Dell EMC came out with servers. SAP certified specifically on our ready nodes, ready bundles, and ready systems, have been optimized for SAP workloads.

As far as bringing a GDPR environment onto a certified SAP platform, whatever those GDPR components may constitute, if it’s ILM from SAP, or if the SAP modules, in order to ensure the end-to-end protection, that the certified Dell solution, stealth ready solution, is key in order to ensure you have a protected environment, from the bootup process to the end of running a particular SAP application.

[00:08:10] Matthew: Is GDPR a good opportunity for customers to evaluate how they’re securing their data?

[00:08:15] Brett: It certainly is a key opportunity to take a step back and look at their entire business strategy for data. I have met with too many customers who, in a quest for good data security, forget that you need to be utilizing data for your business. A good data security strategy begins with a good business strategy for how you’re using data.

GDPR focuses on that. We were just talking about the fact you need to look at how it’s being collected, and where it’s being stored, and how it’s being used, so that the starting point with data security is not necessarily technology, which everyone jumps to. It really is understanding your data needs, evaluating what you need to collect, what you need to store, who needs access, and how it gets delivered.

Then, from there, you can take the next logical step to say, “How do I go about securing these different efforts around the utilization of data?” So many customers, as I said, forget that first step. They jump right into the technology conversation, versus starting the conversation with a business strategy, typically of business leaders, and then rolling back into, “Now, how do I think about technology?” Whether that is encryption, or firewalls, or DOP, to prevent the data from being compromised?

[00:09:48] Matthew: That first step, what are some quick wins that a customer can get by focusing on security practices?

[00:09:55] Brett: One of the things that we see successful customers doing is putting it down on paper. Writing out all the places where data’s being collected. The data I’m speaking of, of course, is the confidential data that would be included in GDPR, personal information, whether that’s employees, or customers, or vendors. Ensuring you have understanding of, again, where it’s being collected, who’s collecting it, how it’s being utilized, who has access to it, what systems, what location. Is it local? Is it in storage? Is it a cloud? Your cloud, someone else’s cloud.

That’s the first quick win. Just write it down. It’s often a sense of great enlightenment to actually see what’s going on.

The other thing which I see successful companies doing is not just an IT or compliance effort. Bring in your business leaders. Make them part of the solution to this. If you’re on your one side saying, “Okay, I’m seeing all these business guys collecting all this information,” and you’re not including them in the process, and you come back to them and say, “Well, I need to stop this, or we need to lock this down, or we can’t allow this access,” then, you’re not providing a collaborative, step-by-step approach to solving this problem.

It all begins with an understanding, and that has to be informed with the business leadership to be effective.

[00:11:18] Matthew: Looking at GDPR, is this something where you’re seeing business leaders get involved in finding a solution to the regulations?

[00:11:27] David: Personally, I’ve seen many, many customers starting to decipher what the impact of GDPR is on their organizations. What we typically find is that it will initiate from legal, initially, and then also incorporate all of the various business owners throughout different functions of their organization.

[00:11:52] Matthew: Is there a business function that’s being particularly impacted by the GDPR regulations?

[00:11:58] David: We are seeing quite a bit from an HR perspective, from a CRM perspective as well. The regulation really pertains to any information or personally identifiable information for a European Union citizen, and oftentimes what we’ve seen in the past are companies have gathered a lot of information for many, many purposes, and held onto that information for quite a long period. They may have had information that they wanted to use for marketing purposes. They may have information that they wanted to use for forecasting, and sales campaigns, etc. Today, with the introduction of GDPR, they’re really restricted on how much data they can keep, what they can keep, and how it needs to be handled.

With the, as Deepak had mentioned previously, one of the components of the GDPR is a subject asset request, or SAR. This is where an EU citizen can request from a corporation an output of all PII information that they have on them, and how that is being utilized, and then to extend that thought, they also have the right, which is kind of coined the right to be forgotten. They have the right to request that their data be deleted. That is where you run into a little bit of a challenge, because sometimes that data is necessary for business purposes. That’s where SAP has brought additional functionality in the form of block and delete in order to mask that data, so it’s no longer personally identifiable, but it is there to run their standard business operations as required.

[00:13:39] Matthew: Looking forward, how do you see GDPR impacting innovation in Europe and newer technologies like AI which are so heavily dependent on data collection?

[00:13:48] Brett: I don’t see this as a detriment to the progression of innovation. Good data hygiene is good business. If you look at the regulations that GDPR has cut out, they’re fairly sensible. There really is not any sort of ridiculous ask that puts companies at a disadvantage for innovation. What they’re asking for is, know what data you’re collecting, know who it’s from, know what you’re using it for and who’s accessing it. That’s good data hygiene, and so from our perspective, we see this as a positive sign, helping customers take the necessary steps to have better integrity over the data that they’re collecting from their customers, employees, and partners.

[00:14:40] Matthew: For companies that have just scrambled to meet the GDPR deadline of May 25th, do you have any advice for companies that still have a ways to go to be GDPR compliant?

[00:14:51] Deepak: Here are some of the things that we are seeing companies try to do.

As part of them trying to be compliant with GDPR, you will find that companies are interpreting this regulation the best they can, of whatever their legal counsel is telling them, but with the same process as per the requirements and the regulations, if you show a genuine effort to comply with these regulations, but you are still not ready, or you’re not fully compliant, you can get an extension from the authorities.

That way, if you are doing an effort from a blueprinting process, from software evaluations, from purchasing solutions from Dell, and trying to show a genuine effort to comply with these requests, you would not be put into the same bracket of penalties being put for other companies who have not shown any intent of doing that.

[00:15:50] Matthew: For companies that are already, they’ve made their good faith effort. They consider themselves GDPR compliant. What are the best practices to ensure they stay continuously GDPR compliant, and also follow data security best practices going forward?

[00:16:13] Brett: The first thing I would call out is the fact, again, that this needs to be a conversation between business, and compliance, and IT. It’s not one group. One of the failures in cybersecurity over the last few years is it’s kind of been set onto the side. It’s the black box, it’s the dark room. We’re not going to think about it until we have a breach. This needs to be part of your ongoing business conversations. If you decide to change HR policies, if you initiated a new marketing program, this has to be part of the conversation. Cyber security needs to be part of a fundamental business strategy.

The second thing that you should be thinking about is, how do our technologies need to evolve? A large portion of the legacy cyber security stack was built before things like GDPR. They were built before the rise of the modern malware infrastructure, and they’re unable to keep a hold of how business has changed, how people have changed, and how their work has changed, and how data security needs to evolve as well.

The other piece of this has to be re-evaluating what you’re using and how you’re protecting yourself. Am I still using a legacy anti-virus anti-malware solution that’s based off a signature approach? Probably time to move on. Is my data security technology based around network-only protection? I’m creating walls to try to keep data in. That’s not effective in a world where you have more partners, you have a more mobile workforce.

Part of this has to be an ongoing evaluation of, what am I using to protect myself? Acknowledging things that have worked in the past are unlikely to be effective in today’s world.

[00:18:00] Matthew: Looking on the technology side, how do Intel and Dell EMC solutions for technology and infrastructure provide the highest level of security for organizations responding to GDPR?

[00:18:13] Brett: There’s no silver bullet. There is no one piece of technology. There’s no one product. I’m sure many of the folks listening have been to the RSA conference and have seen the hundreds of vendors who sell that single silver bullet. There’s no such thing.

A good cyber security technology is about, again, understanding what your needs are, understanding how your needs are going to change in the future, whether that’s due to compliance and regulations changes, business changes, or evolving workforce needs. Then, selecting a combination of offerings that work well together, that provide a layered approach, and that most importantly, meet the evolving nature of data security as it is today.

What are some of those elements of evolving data security? First is, data is going to move. It’s in the cloud. It’s on different applications. It’s still on the edge. Most of the companies that we find have 40 to 50 percent of their data still sitting on those end points. Perhaps the weakest point in your cyber security chain.

You need to be thinking about, how do you apply data security in a world where I just can’t lock things away. Yes, I need to meet GDPR compliance standards, but data still is essential for the business. It’s still an innovation driver. I’m still going to be looking at to build the insights about my customers to provide them better support. Help my employees and their elements.

The data security approach has to be centric on the data itself. Too much of our legacy infrastructure that we’re using is all about creating walls. I’m going to lock things down and prevent people from using it.

Dell’s research has found, and this is backed by our other conversations, that the vast majority of employees, best of intentions for good data security hygiene, but when it comes to making decisions about good data security hygiene and getting their jobs done, guess what? They choose getting their job done.

Whatever security strategy you have, you have to also take into account that human factor, especially given the fact as much as 40 or 50% of your data is probably at that end point, where that employee has complete control over that data. It’s all about thinking about this, again, not just from a technical perspective, but from a business perspective, appreciating the human factor, and appreciating the fact that you’re not going to want to restrict. This is not about prevention. It’s about protection while still enabling the workforce to utilize the data.

[00:20:57] Morten: If I could add one thing in addition to what Brett has offered. Our SAP Dell EMC solution runs Intel processors, and with Intel comes the trust of execution technology providing additional layers of security, including platform boot, location compliance trust, verified virtual machines, work containers and OS integrity, so all those layers of security enhancement provided by that combined Dell EMC Intel solutions is also paramount to obtain and accomplish the security measures that Brett has explained.

[00:21:39] Matthew: In closing, are there any final thoughts that each of the panelists could leave us with?

[00:21:45] Brett: I was going to say that, I mentioned this earlier, but I just want to reiterate this. I work with the Dell team that has been responsible for Dell meeting GDPR regulations. They took the right approach, which is, this is an opportunity. I know it’s regulations. I know it’s compliance.

There is a sense of, “Got to do it,” but this is an opportunity to go back and really reset on how you’re protecting your data. You know, you don’t want to get caught with the GDPR and face the fines. I think, over the last few years, has proven that data breach can have impacts far more great than a compliance issue. It can also damage your brand reputation. It can reap the large, expensive lawsuits. GDPR can be an opportunity to go back and really reset on, how am I protecting my data?

The guidelines that we provided earlier, the approach if you will, to thinking about it, discover, manage, protect, report, that is a great way to get started. Getting the line of business engaged in this conversation, walking through these elements, writing down where all this is, is not an EA task. It’s an essential task for good data security hygiene that creates value far and above meeting GDPR compliance regulations.

[00:23:01] Deepak: I caught the sentiments of what Brett said. This is a step in the right direction, for sure. We all, as an organization, value the data, especially the citizens’ data, but there comes a point that collection of the information becomes potentially toxic, not only for the organization, but also for the people who are linked with it.

This regulation is forcing organizations to make sure to utilize, to consume the data that is needed, and once it is not needed, do not leave it behind, or do not keep the tools running forever, hoping that maybe, just maybe one day, this might be adding value to it.

Over the years, it has added potential risks for both organizations as well as the data you are keeping towards hacking, towards other breaches coming along with that. It is a step in the right direction, and provided the right tool sets, provided by Dell, provided by SAP, and other areas, you will find that you are able to comply with these needs pretty efficiently.

[00:24:06] David: I would echo a lot of comments from Brett and Deepak. I think if I were to leave the audience with a couple of key points, the first would be you need to get started now. Enforcement has already begun. If you have not gotten started and laid out a plan to become compliant, now is the time. Secondly, I would talk a little bit about not only the financial impact of noncompliance but perhaps something much more damaging, is that damage to your reputation and brand. We don’t know exactly what is going to happen, but we have seen situations in the industry in the past, where there were data breaches, and they’ve cost a lot of public corporations tremendous amounts of money, and they’ve sustained major damage to their brand.

I think it’s very important, in a couple of areas. One, that they’re taking the proactive steps to protect that vital data of citizens. Number two, I think it’s critically important that, if organizations are not compliant today, that they should list that noncompliance and potential risk factors, be it fines and brand reputation in their list of liabilities in public statements. I think that, those are the two core areas that I would like the audience to take away today.

[00:25:29] Morten: Customers sometimes may think of Dell or Dell EMC as the server, just stores networking, but there is so much more under the Dell Technologies umbrella that would help GDPR customers, and any customers concerned about security, to accomplish their journey, and to ensure a safe passage through this new environment, including GDPR or any new security measures and policies that might be coming down the road. When you think about Dell, think Dell Technologies. We’ve enjoyed both Brett and Deepak’s comments today, and David’s input.

With Dell Technologies, you get RSA, and the software solutions and the insight that RSA has provided the industry for many, many years. You get SecureWorks, which is also another managed and hosted security platform providing security guidance, and direction, and product solutions for GDPR-concerned customers today. Of course, you get everything else as well: VMware, the virtualization capabilities we have today to move data from on-premise to cloud or in a hybrid fashion, and of course, in addition to the Intel process, Dell EMC infrastructure certified for SAP.

All these things working together with Auritas consulting services, we can provide an end-to-end GDPR guidance and support and the solutions, the infrastructure that customers are in need of today.

Download the white paper. In the white paper, which is a joint engagement between Auritas, Dell Technologies, and Intel, you will find a lot more information. We hope you enjoy that, and let us know what other questions you have.