
Page 1: Data Privacy & Security: GDPR and What it Means to You · A Comprehensive Approach to Non-Prod Data Security SECURE APPLY automatic or custom masking with consistency, DISCOVER repeatability

© 2019 Delphix. All Rights Reserved. Private and Confidential.

Alexandros Mathopoulos | Product Manager, Delphix

Data Privacy & Security: GDPR and What it Means to You

March 28, 2019

Page 2: Agenda

1 GDPR Overview

2 Key Articles of GDPR

3 Security Controls

Page 3-5: GDPR Overview

Effective Date: May 25, 2018

Scope: 500+ million EU residents

Fines: up to 4% of global annual turnover, or EUR 20 million, whichever is higher (Article 83)

Page 6: Personal Data

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

Article 4(1)

Page 7: Key Articles of GDPR (Responsibilities)

BREACH NOTIFICATION

DATA PROTECTION OFFICER

CONSENT

RIGHT TO BE FORGOTTEN

PROFILING PROTECTION

CROSS-BORDER TRANSFERS

Breach Notification:

“In the case of a personal data breach ... not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”

Article 33

Page 8: Key Articles of GDPR: Data Protection Officer

“The controller and the processor shall designate a data protection officer ... The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”

Articles 37, 38 & 39

Page 9: Key Articles of GDPR: Consent

“the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data ... presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language ... the data subject shall have the right to withdraw his or her consent at any time.”

Article 7

Page 10: Key Articles of GDPR: Cross-Border Transfers

“A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.”

Articles 44 & 45

Page 11: Key Articles of GDPR: Profiling Protection

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

Article 22

Page 12: Key Articles of GDPR: Right to Be Forgotten

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”

Article 17

Page 13: Security Controls

GDPR names two techniques that either take data out of the Regulation's scope or lighten the obligations attached to it: anonymization and pseudonymization. Anonymized data is no longer personal data, so the Regulation does not apply to it at all (Recital 26). Pseudonymized data remains personal data, but the Regulation lists pseudonymization as an appropriate safeguard for data protection by design and for security of processing (Articles 25 and 32), and it lowers the risk a copy carries, which is what many of the Regulation's risk-based duties turn on.

Page 14: Anonymization and Pseudonymization

Anonymization

“The principles of data protection should apply to any information concerning an identified or identifiable natural person ... principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information”

Recital 26

Pseudonymization

“‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”

Article 4(5)

Page 15: Pseudonymize Data with Tokenization

Original record:

Name: Charles Evans
Email Address: [email protected]
Credit Card #: 3233-4123-8211-6723

Tokenization ->

Tokenized record:

Name: 5E23LuuX4uhkeAbLBX==
Email Address: D0AFec#9EHQ+PsE/tM==
Credit Card #: kkIEDX2xY/+asEQ1v90==

Re-Identification ->

Name: Charles Evans
Email Address: [email protected]
Credit Card #: 3233-4123-8211-6723
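The tokenization flow on this slide, as an added Python example that is not Delphix code: a token vault plays the role of the “additional information” in Article 4(5), random tokens stand in for the sensitive fields, and re-identification is a vault lookup. The record, the vault implementation and the names TokenVault, pseudonymize, reidentify, can_reidentify and SAMPLE_RECORD are chosen for the example; the email address is invented.

```python
"""Pseudonymisation by tokenisation with a separately held token vault.

Added example, not Delphix code: the record, the vault and the field names
are constructed here.
"""
import secrets
from typing import Dict

# Fields the slide treats as personal data.
SENSITIVE_FIELDS = ("name", "email", "credit_card")


class TokenVault:
    """The 'additional information' of Article 4(5): the only way from a token
    back to its value. In practice this is a separate, access-controlled store;
    a non-production user who has the tokenised copy but not the vault cannot
    identify the data subject."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Same value -> same token within one vault, so joins and lookups on the
        # tokenised column still work.
        token = self._value_to_token.get(value)
        if token is None:
            # Random, not derived from the value: a token reveals nothing that
            # could be brute-forced, unlike a hash of a low-entropy field.
            token = secrets.token_urlsafe(15)          # 20 chars, as on the slide
            while token in self._token_to_value:       # vanishingly rare collision
                token = secrets.token_urlsafe(15)
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for a token this vault never issued.
        return self._token_to_value[token]


def pseudonymize(record: dict, vault: TokenVault) -> dict:
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def reidentify(record: dict, vault: TokenVault) -> dict:
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def can_reidentify(record: dict, vault: TokenVault) -> bool:
    # Whether this vault holds the additional information for every token.
    try:
        reidentify(record, vault)
        return True
    except KeyError:
        return False


# Constructed sample record (the slide's example customer; email invented).
SAMPLE_RECORD = {
    "id": 42,
    "name": "Charles Evans",
    "email": "charles.evans@example.com",
    "credit_card": "3233-4123-8211-6723",
}

if __name__ == "__main__":
    production_vault = TokenVault()
    tokenised = pseudonymize(SAMPLE_RECORD, production_vault)
    print("tokenised copy:", tokenised)
    print("re-identified:", reidentify(tokenised, production_vault))
    # A vault elsewhere (another environment) cannot reverse these tokens.
    print("reversible elsewhere?", can_reidentify(tokenised, TokenVault()))
```

Two properties carry the GDPR definition. The tokens are random rather than hashed, so a holder of the tokenised copy alone cannot recover a value by guessing candidates and comparing. The vault is the only path back, so it must live in a separate store with its own access control and audit trail, on the production side of the boundary that non-production users never cross. Because the same value always gets the same token, joins keep working, but so does frequency analysis on a tokenised column; that is a property of pseudonymisation, not a defect of this implementation.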

Page 16: Anonymize Data with Masking

“DATA AT RISK” IS IN DATABASES

Original record:

Name: Charles Evans
Email Address: [email protected]
Credit Card #: 3233-4123-8211-6723

Masking ->

Masked record:

Name: Louis Brett
Email Address: [email protected]
Credit Card #: 7253-6623-0291-9074

Page 17: Non-Production Data Represents a Major Hidden Risk

NON-PRODUCTION (80%) vs PRODUCTION DATA (20%)

Non-Production Data:

» Is constantly growing

» Entails multiple types of repositories

» Is often less protected by security and governance measures

Page 18: Data Still Needs To Be Useful...

Page 19: Data Sources Almost Never Live in Isolation

DB2 Mainframe, DB2 LUW, DB2 iSeries, Oracle, SQL Server

Page 20: Masking Eliminates Sensitive Data in Non-Production

“DATA AT RISK” IS IN DATABASES

Unmasked Data:

Claimant Table
ID  First_Name
1   George
2   Mary
3   John

Employee Table
ID  F-Name
5   John
6   George
7   Mary

Masked Data:

Claimant Table
ID  First_Name
1   Michael
2   Clara
3   Damien

Employee Table
ID  F-Name
5   Damien
6   Michael
7   Clara

SENSITIVE DATA IN PRODUCTION: Social Security Numbers, Credit Card Information, Patient Information, Email Addresses

REALISTIC: Value preserved for testing and analysis

REFERENTIAL INTEGRITY: Data is masked consistently, even across heterogeneous sources

IRREVERSIBLE: Sensitive data cannot be retrieved

REPEATABLE: Automation to keep pace with changing data
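The masking shown on this slide and on the Anonymize Data with Masking slide, as an added Python example that is not Delphix code: a keyed hash of the normalised input selects a replacement from a realistic dictionary, so George masks to the same name in the Claimant table, in the Employee table and in any other source masked in the same run; no mapping is written anywhere; and card numbers keep their format and end in a valid Luhn check digit. The tables, the dictionary FIRST_NAMES, the per-job key and the names mask_name, mask_card, mask_tables, run_masking_job and SAMPLE_TABLES are constructed for the example; the upper-cased, blank-padded “JOHN  ” row stands in for mainframe formatting and is likewise constructed.

```python
"""Consistent, irreversible masking across heterogeneous sources.

Added example, not Delphix code: the tables, the dictionary of replacement
names and the per-job key are all constructed here.
"""
import hashlib
import hmac
import secrets

# Constructed dictionary of realistic replacement names (the REALISTIC property).
FIRST_NAMES = ["Michael", "Clara", "Damien", "Aisha", "Louis", "Priya", "Tomas", "Helena"]

# Column names under which each source stores a first name (Claimant vs Employee).
NAME_COLUMNS = {"First_Name", "F-Name"}


def _normalize(value: str) -> str:
    # Heterogeneous sources store the same value differently (a mainframe DB2
    # column may be upper-cased and blank-padded). Normalise before hashing so
    # 'JOHN  ' and 'John' mask to the same replacement (REFERENTIAL INTEGRITY).
    return " ".join(value.split()).casefold()


def _keyed_digest(value: str, key: bytes) -> bytes:
    # HMAC rather than a bare hash: without the key, a dictionary attack on the
    # small space of first names would trivially invert a plain SHA-256.
    return hmac.new(key, _normalize(value).encode("utf-8"), hashlib.sha256).digest()


def mask_name(value: str, key: bytes) -> str:
    # Deterministic for a given key, so every table in the run agrees; the
    # mapping itself is never stored.
    index = int.from_bytes(_keyed_digest(value, key)[:8], "big") % len(FIRST_NAMES)
    return FIRST_NAMES[index]


def luhn_check_digit(payload: str) -> str:
    # Standard Luhn: double every second digit counting from the right of the payload.
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(card: str) -> bool:
    digits = "".join(c for c in card if c.isdigit())
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]


def mask_card(value: str, key: bytes) -> str:
    # Format-preserving: separators and length are kept, the digits come from
    # the keyed digest, and the last digit is recomputed so test code that
    # validates card numbers still accepts the masked value.
    stream = str(int.from_bytes(_keyed_digest(value, key), "big")).zfill(78)  # 2^256 < 10^78
    digit_pos = [i for i, c in enumerate(value) if c.isdigit()]
    out = list(value)
    for n, pos in enumerate(digit_pos[:-1]):
        out[pos] = stream[n]
    out[digit_pos[-1]] = luhn_check_digit("".join(out[p] for p in digit_pos[:-1]))
    return "".join(out)


def mask_tables(tables: dict, key: bytes) -> dict:
    # One key for every source in the run is what keeps the IDs joinable afterwards.
    return {
        name: [
            {col: mask_name(val, key) if col in NAME_COLUMNS else val
             for col, val in row.items()}
            for row in rows
        ]
        for name, rows in tables.items()
    }


def run_masking_job(tables: dict) -> dict:
    # The key exists only for the duration of the job. With neither key nor
    # mapping persisted there is no re-identification path (IRREVERSIBLE).
    key = secrets.token_bytes(32)
    return mask_tables(tables, key)


# Constructed sample: the two tables from the slide, as they might arrive from
# two different sources.
SAMPLE_TABLES = {
    "Claimant": [{"ID": 1, "First_Name": "George"},
                 {"ID": 2, "First_Name": "Mary"},
                 {"ID": 3, "First_Name": "John"}],
    "Employee": [{"ID": 5, "F-Name": "JOHN  "},   # same value, mainframe formatting
                 {"ID": 6, "F-Name": "George"},
                 {"ID": 7, "F-Name": "Mary"}],
}

if __name__ == "__main__":
    for table, rows in run_masking_job(SAMPLE_TABLES).items():
        print(table, rows)
    print(mask_card("3233-4123-8211-6723", secrets.token_bytes(32)))
```

The mask is irreversible only because nothing persists the key or a mapping. The moment a job keeps the key so that a later refresh masks George to the same replacement again (the REPEATABLE property), the key becomes the Article 4(5) “additional information”: anyone holding it together with the dictionary can brute-force a small input space such as first names, and the copy is pseudonymised rather than anonymised. A persisted masking key therefore needs the same handling as a production secret. Dictionary substitution is also many-to-one, so two distinct names can land on the same replacement; masked columns that sit under a uniqueness constraint need a dictionary larger than the number of distinct values, or a sequence-based fallback.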


Page 22: A Comprehensive Approach to Non-Prod Data Security

DISCOVER: Identify sensitive data and create an enterprise-wide risk profile

SECURE: Apply automatic or custom masking with consistency, repeatability

DELIVER: Distribute secure data to non-production environments in minutes

Page 23: Delphix Dynamic Data Platform: Deliver masked data in just minutes

[Architecture diagram. Labels as they appear: sources Applications, Files, Databases; platform features Rich APIs, DD Controls, Self Service; functions VIRTUALIZE (Sync, Compress, Provision), SECURE (Compliance, Policy, Masking), MANAGE (Distribute, Audit & Report, Manage); Datapods delivered to On-Prem (Any Server), Private Cloud, Public Cloud; DBA as operator.]


Page 25: Repeatable and Secure Data Delivery: Mask once, deliver many

Mask virtual copy one time; distribute secure copies in minutes.

Production Source -> masked virtual copy -> DEV, QA

• Provision a complete, virtual copy of production
• Automatically discover and mask sensitive data
• Distribute multiple masked copies packaged in data pods
• Provide testers with self-service control
• Easily refresh data copies

Page 26: Enable Secure Dev/Test in Hybrid Cloud Architectures

ON-PREMISE: Production Source -> CLOUD: DEV, QA

• Synchronize with on-prem source
• Compress and mask data
• Replicate secure data to cloud-based instance
• Provision data pods to consumers

Page 27: Delphix Dynamic Data Platform and GDPR

Ease “Cross-Border Transfer” restrictions using pseudonymisation and anonymization

Protection of live production data

Satisfy “Right to Be Forgotten” requirements for non-production

Breach notification support

Secure personal data both in the cloud and on-premises through pseudonymisation and anonymization

Page 28:

[email protected]

Delphix.com