GDPR AND CLOUD SERVICE PROVIDERS The new data protection regulations, the impact on your cloud services and what both you and they need to do. The Essential Guide


Post on 22-May-2020


Page 1: Guide Essential - legal technology...GDPR AND CLOUD SERVICE PROVIDERS The new data protection regulations, the impact on your cloud services and what both you and they need to do

GDPR AND CLOUD SERVICE PROVIDERS

The new data protection regulations, the impact on your cloud services and what both you and they need to do.

The Essential Guide


FOREWORD

Big changes for data processors. Third party processors, more often known to us as cloud service providers (CSPs), were not a consideration when the current data protection laws were written. As a consequence they carry very limited liability or obligation, often governed only by the commercial contract, which typically focuses on service elements such as up-time rather than the appropriate stewardship of data.

Why does this matter to cloud service providers? The GDPR imposes new direct compliance obligations on both controllers and processors, and both will face direct enforcement and serious penalties if they do not comply. The majority of cloud service providers will be classed as processors where personal or sensitive personal data is in play. To help enforce this, a new onus exists on CSP clients and service requestors to procure only third party services that meet GDPR requirements when client or employee personal data is being processed.

What should we do to prepare? Businesses should carefully review the requirements associated with appointing processors. In particular, review existing third party contracts and consider whether any amendments are required. Any new third party contracts should be drafted in accordance with the requirements of the GDPR. In summary, the new obligations for processors to maintain GDPR compliance are:

• Defined contractual requirements

• Sub-processor restrictions and obligations

• Record keeping

• Adequate security

• Breach reporting

• Liability to the supervisory authority, the controller and the data subject

• Data transfer restrictions

“Having clear laws with safeguards in place is more important than ever given the growing digital economy”

Steve Wood, Deputy Commissioner, ICO

CONTENTS

1 Foreword

2 Introduction to GDPR

3 Brexit and GDPR

4 Controller or Processor

5 New User Rights

6 Privacy by Design

7 Cloud Service Providers

8 Data Protection Officer

9 Next Steps – The GDPR Compliance Plan

10 GDPR Solution Provider Directory


Introduction

The General Data Protection Regulation (GDPR) is the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years. Unsurprisingly, GDPR is designed to better take into account modern technologies, the way we work with them today and the way we are likely to work in the future. In addition, there is a much greater emphasis on compliance, following a widely-held belief that businesses, particularly in the UK, had not previously taken data privacy seriously enough. To reinforce this, penalties are considerably harsher and the compliance requirements are intended to cast a far wider net, to include small and medium businesses and the third-party contractors they use.

The 6 GDPR Data Protection Principles (Article 5(1))

Personal data shall be:

1 (‘lawfulness, fairness and transparency’) processed lawfully, fairly and in a transparent manner in relation to the data subject

2 (‘purpose limitation’) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

3 (‘data minimisation’) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

4 (‘accuracy’) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

5 (‘storage limitation’) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

6 (‘integrity and confidentiality’) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures


Brexit and GDPR

There was some speculation that GDPR would cease to be relevant following the UK’s decision to leave the EU. Whilst we await the detail of what Brexit really means in terms of our EU trade agreements, people movement and laws, there has been significant commentary, including a statement from the Information Commissioner’s Office (ICO), suggesting that it will still apply and that businesses should start compliance preparations now. The following key reasons are given as to why GDPR still applies:

GDPR Comes Before Brexit

The GDPR applies from 25 May 2018, the earliest Brexit can happen is January 2019, and until then all EU laws apply.

Application

The GDPR applies to the personal data of individuals in the EU regardless of where the controlling or processing of that data takes place. This means that organisations in countries outside of the EU (including the US and an independent UK) would have to apply GDPR to client data where the client is in the EU.

Adequate Data Protection

For personal data to flow from the EU to a country outside it, that country must provide an ‘adequate’ level of data protection. It is likely that GDPR will be the standard against which ‘adequacy’ is judged, so the UK would have to introduce an equivalent replacement if it decided to revert to its existing DP regulations, which would simply be GDPR under a different name.

Competing with the EU

Data is fast becoming the new oil, and in order to compete with the EU to be regarded as the new data safe haven, the UK will at the very least match the GDPR standard and may even increase its data protection requirements to attract global data-centric business.


Controller or Processor

Many businesses are significant data consumers. Client data is at the very least at the heart of their marketing initiatives and may even be part of the product or service they sell and of the client they sell to. Much of this data is sensitive, either for commercial reasons or because it directly relates to an individual.

Various sectors, from health to finance to legal, have their own specific governance regulations, sometimes shared due to complex relationships between the services, but for personal data the GDPR will apply equally to all.

There will not be many businesses that do not hold or process personal data, but it is important that they understand their role and responsibilities as determined by the GDPR. The two significant roles are those of ‘controller’ and ‘processor’.

GDPR says…

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; - Article 4(7) of GDPR

A business will be determined a ‘controller’ for the client, prospect and employee personal data it stores and uses.

GDPR says…

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; - Article 4(8) of GDPR

A cloud service provider or third party data host will in most cases be determined to be a ‘processor’.


Personal or Sensitive

It is important to determine whether data is ‘personal’ or ‘sensitive personal’ as defined by the regulations, as different levels of protection are required, some mandatory and accountable in the case of sensitive data. It is also a new requirement that processors understand what type of data they are handling on behalf of their clients.

Personal Data

The definition of personal data has been broadened to include anything that can be directly or indirectly associated with an individual. GDPR broadly keeps the existing definitions but adds digital footprints such as cookies and IP addresses.

GDPR says…

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; - Article 4 of GDPR

Sensitive Personal Data

The following are the GDPR classifications for sensitive personal data (the ‘special categories of personal data’):

GDPR says…

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. - Article 9 of GDPR

The GDPR essentially prohibits the processing of sensitive personal data unless one of the criteria in Article 9(2) is met. These include:

9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law

9(2)(e) – Data manifestly made public by the data subject.


User Rights

In addition to the duty of a firm to protect its information, there are a number of enhanced or new data subject rights that it will need to be mindful of, as each could demand considerable administration capability, particularly if the necessary access and recovery tools are not in place.

Data subject access requests (DSARs) will be easier for clients and employees. Data subjects will no longer be required to pay a fee to make a DSAR. Firms must respond without ‘undue delay’ and no later than one month after the DSAR is made (rather than the current 40 days). However, there are a number of grounds for refusal if the request is manifestly unfounded or excessive.

Right to Erasure

A new right under GDPR is to have data deleted (Article 17). There are several reasons this request can be refused, such as conflicting regulations and the public interest, but once legitimate reasons for denial are exhausted the data must be deleted.

Right to Portability

Not too dissimilar to the right to port a mobile phone number from one supplier to another, GDPR entitles a user to have their data exported and transferred in a ‘machine readable format’ (Article 20).

Key Tools: Search, Delete, Export

GDPR Says...

The response to a DSAR will include:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

Article 15 of GDPR


Privacy by design

This is a concept that features consistently throughout the GDPR. In essence, it is the principle of considering and building in appropriate data protections during the design phase of all new projects and changes to systems and processes.

Security by design and by default

The GDPR requires that employers (and other data controllers) should be “audit-ready” at all times, meaning that their systems will need to be set up to ensure compliance by design. The GDPR introduces a legal requirement for ‘data protection by design and by default’ that covers all processing of personal data, not only sensitive data, and the onus will be on the controller to prove compliance. Records will need to be kept, and policies and procedures will need to be in place, to demonstrate this.

Firms must implement technical and organisational measures to show that they have considered and integrated data compliance measures into their data processing activities.

Key Design Principles

Only necessary data to be processed, including:

• Amount of data

• Extent of processing

• Retention period

• Access to data

Technical Measures

There are a number of technical measures that can be put into place to enhance data security; pseudonymisation and encryption are the two the Regulation names explicitly. Many of these will simply involve ensuring best practice with existing technologies.

Organisational Measures

This will include maintaining the appropriate records as described later in this guide, minimising data by applying appropriate retention periods and appointing a Data Protection Officer to oversee compliance activities.

GDPR Says...

Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 25 of GDPR


Security of Processing

GDPR requires that the controller shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the Regulation (Article 24). Article 32 then describes the security required for processing data, and it binds controllers and processors alike:

• pseudonymisation and encryption of personal data

• ongoing confidentiality, integrity, availability and resilience of processing systems and services

• the ability to restore availability of and access to personal data in a timely manner after a physical or technical incident

• regular testing, assessing and evaluating of the effectiveness of the technical and organisational measures

It is an obligation on a controller to engage third party data processors or cloud service providers only if they also comply with the above.

Key Tools: Encryption, Data Leakage Protection, Secure Archive, Records Management, Access Control

GDPR Says...

Security of processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

Article 32 of GDPR
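Pseudonymisation (Article 32(1)(a), also named in Article 25(1)) and data minimisation are the two technical measures above that a processor can apply to a data set before it ever reaches a cloud workload. The following is an added example written for this guide, not code from the guide's authors or from any provider it lists; the sample records, the key and the guess list are constructed for the demonstration. It replaces the identifier with a keyed HMAC token so that records can still be linked and de-duplicated, strips every field the purpose does not need, and shows why an unkeyed hash is not a pseudonym: it falls to a guess over plausible inputs, while the keyed token does not, yet the key holder can still re-identify, which is why pseudonymised data is still personal data (Recital 26) and the key must be held apart from the data.

```python
"""Keyed pseudonymisation and data minimisation (added example, not from the guide).

Demonstrates the measures Article 25(1) and Article 32(1)(a) name, and why a
plain hash of an identifier is not a pseudonym. The key, sample records and
candidate list are constructed for the example.
"""
import hashlib
import hmac
import secrets

# Constructed sample export, as a controller might hand to a processor.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "phone": "+44 20 7946 0000", "plan": "pro"},
    {"name": "Bob Example", "email": "bob@example.com", "phone": "+44 20 7946 0001", "plan": "free"},
    {"name": "Alice Example", "email": "Alice@Example.com", "phone": "+44 20 7946 0000", "plan": "pro"},
]

# Data minimisation: the processor's purpose (plan analytics) needs only this field.
FIELDS_NEEDED = ("plan",)


def pseudonymise(identifier, key):
    """Stable pseudonym for identifier under key: HMAC-SHA256, hex encoded.

    Normalising case and whitespace keeps the pseudonym stable across records,
    so the processor can still de-duplicate and link without the identifier.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise(record, key):
    """Drop every field the purpose does not need; keep a pseudonym for linkage."""
    out = {field: record[field] for field in FIELDS_NEEDED if field in record}
    out["subject_id"] = pseudonymise(record["email"], key)
    return out


def plain_hash(identifier):
    """Unkeyed SHA-256, shown only to demonstrate why it is not a pseudonym."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def reverse_by_guessing(token, candidates, transform):
    """Dictionary attack: apply transform to each candidate and compare to token.

    Returns the matching candidate, or None if nothing matches.
    """
    for candidate in candidates:
        if hmac.compare_digest(transform(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    # The key stays with the controller (or in a KMS); the processor gets only tokens.
    key = secrets.token_bytes(32)
    tokens = [minimise(r, key) for r in SAMPLE_RECORDS]
    assert tokens[0]["subject_id"] == tokens[2]["subject_id"]   # still linkable
    assert "email" not in tokens[0] and "name" not in tokens[0]  # minimised

    guesses = ["bob@example.com", "alice@example.com"]
    # A plain hash falls to a guess list; the keyed pseudonym does not.
    print(reverse_by_guessing(plain_hash("alice@example.com"), guesses, plain_hash))
    print(reverse_by_guessing(tokens[0]["subject_id"], guesses, plain_hash))
    # The key holder can re-identify, so pseudonymised data remains personal
    # data under GDPR (Recital 26) and the key itself needs protecting.
    print(reverse_by_guessing(tokens[0]["subject_id"], guesses,
                              lambda c: pseudonymise(c, key)))
```

The practical check when reviewing a CSP's "anonymisation" claim is the second and third calls: if the provider's token can be recomputed from the identifier alone, it is a hash, not a pseudonym, and whoever holds the key can reverse it, so the key's storage and access control belong in the Article 28 contract and the Article 30 record alongside the data.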


Cloud Services

Third Party Processors are specifically addressed in GDPR. For most businesses, this will relate to the increasing use of Cloud Service Providers. The current Data Protection laws were written before real internet usage and certainly before the adoption of cloud services as we know them today, resulting in an essentially unregulated ‘black hole’ for personal data that falls under their control. GDPR changes this significantly by introducing new regulation and obligations for CSPs.

GDPR compliance (Art 28(1))

Cloud providers are now required to provide sufficient guarantees that the appropriate technical and organisational measures are in place to ensure compliance with GDPR. In the absence of a recognised accreditation (an approved code of conduct or certification under Articles 40 and 42, which Article 28(5) allows as evidence of those guarantees), it will be for controllers to seek assurances of compliance.

Contractual Requirements (Art 28(3))

Currently, the only obligations that exist for cloud providers are those stated in their commercial service contract. Typically, this has focused on the SLA and guarantees of uptime, sometimes with associated penalties for disruption. GDPR requires new mandatory contract provisions including:

• the subject-matter and duration of the processing

• the nature and purpose of the processing

• the type of personal data and categories of data subjects

• the obligations and rights of the controller

Obligation To Appoint A DPO (Art 37)

The GDPR requires that a CSP appoints a Data Protection Officer in certain circumstances, particularly where its core activities consist of “processing on a large scale of special categories of data”.

GDPR Says... Processors

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. - Article 28(1)

Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. - Article 28(3)

Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller. - Article 30(2)

The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes. - Article 28(2)


Documentation (Art 30)

Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

• the name and contact details of the processor or processors, of each controller on behalf of which the processor is acting, and of the Data Protection Officer;

• the categories of processing activities performed;

• transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;

• a general description of the technical and organisational security measures

Sub-Processing (Art 28)

Sub-processors have to be appointed on the same terms that apply to the processor, and subject to the controller's approval. A sub-processor's failure to comply results in liability on the processor. Processors may only appoint sub-processors with the permission of the controller.

Return Or Delete (Art 28)

At the choice of the controller, a CSP must delete or return all the personal data to the controller after the end of the provision of services, and delete any existing copies unless Union or Member State law requires them to be stored.

Notification (Article 33)

A new obligation for processors is to notify the controller of a personal data breach ‘without undue delay’ after becoming aware of it (Article 33(2)). The controller in turn has 72 hours from becoming aware to notify the supervisory authority, so any delay on the CSP's side consumes the controller's own window.

Data Transfer (Articles 44 and 45)

Data can be transferred for a number of reasons, including for back-up or disaster recovery purposes, but it is not uncommon for controllers to be unaware.

A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection (Article 45(1)). It will be essential that CSPs provide transparent notification of any transfers that occur and that controllers ensure their lawfulness.

Direct Liability (Article 82)

Perhaps one of the scarier developments for CSPs is the realisation that they will be potentially liable for damages in the event of a breach. Where a controller has paid full compensation to a data subject, it may recover from a processor the part of the compensation that corresponds to the processor's share of responsibility for the damage.

In addition, processors are now directly liable to the data subject for damage caused by processing where they have not complied with the GDPR obligations specifically directed at processors, or have acted outside or contrary to the controller's lawful instructions.


What You Need To Do

There is a new requirement for all businesses to only engage with a CSP if they are GDPR compliant. It is likely that you will be held accountable, and possibly fail an audit, if non-compliant CSPs are in use.

Cloud Service Provider Checklist

It is advisable to identify any cloud service providers that your business interacts with, keep a register of these services and contact them to understand their plans for compliance and how they will be positioned to assist you if you need access to your data following a data subject access request. As well as the checklist below, it is important to understand:

1 Can you search for data

2 Can you delete data

3 Can you export data (and in what format)

“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject” Article 28(1)

• Technical & organisational security

• New contract provisions

• Demonstrable GDPR compliance

• Data processing records

• Breach notification process

• Delete or return data post contract

• Data transfer transparency

• Sub-processor change process


Data Protection Officer

Under the GDPR, you must appoint a data protection officer (DPO) if you:

• are a public authority (except for courts acting in their judicial capacity);

• carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or

• carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

A DPO can be an outsourced role, which will pave the way for external agencies to provide this service.

DPO Duties

The DPO’s minimum tasks:

• To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.

• To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.

• To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

DPO Rights

Businesses must ensure that:

• The DPO reports to the highest management level of the organisation

• The DPO operates independently and is not dismissed or penalised for performing their task.

• Adequate resources are provided to enable DPOs to meet their GDPR obligations.

GDPR Says...

1. The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Article 37 of GDPR


NEXT STEPS – The GDPR

Compliance Plan

The GDPR Essentials Compliance Plan is designed to assist Data Protection Officers in preparing for GDPR and maintaining compliance once the legislation is activated. The GDPR Essentials 4 stage process enables the DPO to raise awareness, discover current risks, deliver a mitigation plan and design processes for maintaining compliance.

Step 1 – EDUCATE

The EDUCATE phase consists of a combination of interactive workshops

and stakeholder interviews, designed to generate a high level of understanding of

the impending legislation and any changes to system, policy or process in order to

achieve GDPR compliance.

GDPR Overview Workshop - an onsite workshop to build GDPR awareness and secure buy-in with your key internal stakeholders, custom-tailored to the needs of your firm. Suitable for: Senior Management, Directors, Key Stakeholders

GDPR Assessment workshop - A workshop for internal staff responsible for owning the assessment process. Suitable for: Compliance Team, IT Team, Project Managers

STEP 2 – DISCOVER

The DISCOVER phase uses the Data Protection Impact Assessment (as

recommended by the Information Commissioners Office) to discover any risk or

exposure the firm may currently have.

Data Mapping – using our GDPR Essentials Data Register you will document, data flows for both systems and processes within the business where personal data is at play. Stakeholder Interviews – To compliment the data mapping exercise, one to one discussions with key stakeholders are held in order to document departmental processes involving personal data.

Risk Register – following the completion of the data mapping exercise, a risk register is compiled detailing the key areas of likely non-compliance.

Dark Data – one of the challenges businesses face when carrying out an impact assessment is ensuring that all personal data is discovered. Data that is for some reason not searchable, and therefore not discoverable, is also known as ‘dark data’. The most common example found is a PDF file whose content has not been OCR’d, leaving just the document title searchable. This has the potential to leave a business at significant risk of breach and potentially unable to respond in full to a Data Subject Access Request.

There are a number of software solutions available that will scan your network for ‘dark data’, identify it and convert it to searchable data.

STEP 3 – PLAN

GDPR Preparation Plan – using the GDPR Essentials Task Assignment Register, document the actions needed to prepare for and maintain GDPR compliance, and establish the budget required and the systems and processes that require modification.

STEP 4 – MAINTAIN

Prepare for new obligations such as Breach Response and DSAR Processing. Review existing InfoSec policies and procedures to ensure they align with GDPR.


SAMPLE GDPR PROJECT TIMELINE

SAMPLE GDPR ESSENTIALS TASK ASSIGNMENT REGISTER


GDPR SOLUTION PROVIDER DIRECTORY

SOLUTION PROVIDER | GDPR FUNCTION | FEATURE DETAIL

Data Subject Access Request | Data Discovery

contentCrawler is an essential component for all firms to ensure they comply with the new GDPR legislation and respond to Data Subject Access Requests (DSAR). contentCrawler ensures comprehensive data discoverability and works to uncover documents that otherwise would not be found because they are not indexed for searching. It is a key tool in making sure that all words in every document (even image documents) are fully text searchable.

Privacy by Design | Data Leakage Protection

cleanDocs enables organisations to remove hidden information and potentially harmful hidden metadata from documents.

Shortly, cleanDocs will include functionality to prevent users from accidentally sending emails to the wrong recipient and help with data leakage protection.

Privacy by Design | Content Management

In most cases, responding to a data subject access request will involve providing a high volume of documents to the requester. pdfDocs Binder can automatically bundle large volumes of documents together in order to provide them to the requester efficiently.

Privacy by Design | Cyber Security

iboss is a cyber security platform that uses cloud technology to extend preventative and predictive multi-layered security to any size of organisation, in any place and to any device. The result is a lower risk profile and greater enhanced due diligence (EDD) for the organisation, which helps meet GDPR requirements and can lower the associated fines if data breaches occur.

Privacy by Design | Data Leakage Protection

iboss includes behavioural data exfiltration sensors to detect data loss and exfiltration across any communication medium (web, email, DNS, P2P etc.).

Privacy by Design | Content Management

Granular gateway level controls against web access and application usage

Right to Access | Privacy by Design | Access Control | Document Protection | Search

iManage Govern – Govern critical information at every step of the engagement and beyond

iManage Govern lets you manage your engagement files according to each client's retention policies, from creation through to disposal, all while ensuring your organisation meets audit and discovery requirements.

Improve governance: by applying retention policies centrally across both electronic and physical client records

Integrated document and records management: through seamless operation with iManage Work

Boost productivity: and reduce risk by taking records management responsibility off your professionals' shoulders

Manage information in place: without copying to a separate system

Reduce operating costs: by moving inactive projects to a governed, searchable archive

Privacy by Design | Secure File Transfer

iManage Share – Fast, easy and secure sharing of professional work product

Securely exchange work product with your clients, partner firms, and outside consultants within tools that you are familiar with. iManage Share offers industry-leading security with seamless integration with iManage Work and Microsoft Outlook, so that secure file sharing is easy and convenient without sacrificing security and governance of your client files.

With iManage Share:

Share, edit and collaborate on work product from within iManage Work.

Share files from your Outlook email: Share files as secure links directly from Outlook.

Secure, firm-branded web portal in a snap: Give your client access to their documents from a single responsive interface on phone, tablet or desktop, branded with your firm logo.

Collaborate on the go: Share and securely collaborate with customers from your smartphone or tablet.

Know what is shared and with whom: Monitor who is accessing your files and when.

Privacy by Design | Document Protection | Right to Access | Search | DSAR Response | Access Control

iManage Work – Manage documents, emails and more in a single engagement file

Access your work product from anywhere on any device in a single user experience. Designed by professionals for professionals, iManage Work makes it easy to collaborate with your team and stakeholders in a secure and governed manner.

Improve productivity: Suggested email filing keeps you ahead of inbox overload

Make better decisions: Document timelines, dashboards and analytics cut through clutter enabling faster, better decisions

Find everything: Search across all work product (documents, emails, images) automatically tuned to your work style

Be more responsive: Secure mobile access means you can view and edit your work from anywhere

Work smarter: Integrates seamlessly with the applications you're already using to save time

Privacy by Design | Document Protection | Access Control

Intapp Walls replaces distributed, ad hoc approaches to confidentiality management with a centralised solution that provides law firms with unparalleled capability and control.

Several features of Intapp Walls can help address GDPR requirements for “privacy by design,” “privacy by default” and the Accountability principle.

Intuitive interface for access management – Define policies using an easy-to-use wizard to configure and control walls and user account management, so that IT, conflicts team members and lawyers have appropriate levels of visibility and control

Real-time enforcement and maintenance – Intapp Walls delivers real-time enforcement, automating notifications to individuals subject to specific policies, tracking acknowledgments for compliance, and alerting firm management about suspicious activity related to sensitive information

Protection beyond document management libraries – Lock down all key repositories where sensitive information is stored, including records management, accounting, CRM, search, portals and other applications, in addition to document management libraries

Automated compliance logging – Demonstrate compliance if required to do so by clients or by government agencies by presenting a documented audit trail via Intapp Walls


Broad visibility across the organisation – Gain visibility into the volume and types of policies in effect across the firm; configurable reports can be delivered in an event-driven, scheduled or on-demand basis to provide management with real-time visibility into policies, classification and history, as well as affected parties and prevented breaches

Data Protection Officer | Education

The Law Firm Risk Blog (www.lawfirmrisk.com), sponsored by Intapp, covers a wide range of risk management topics relevant to GDPR, including information governance, conflicts management and information security.

The Risk Roundtable Initiative (riskroundtable.com), also sponsored by Intapp, hosts in-person events and webinars bringing together a mix of law firm risk management and related professionals, including general counsel, loss prevention partners, risk management partners, senior conflicts/records managers and IT leadership. They provide opportunities for peer networking, cross-functional dialogue and a better understanding of common problems and trends including the evolving regulatory landscape affecting confidentiality, information barriers and ethical walls.

Intapp customers have access to user group meetings, newsletters, webinars and Inception 2017, Intapp’s global user conference.

Intapp Professional Services offers a Risk Consultancy practice that will assess your firm’s approach to confidentiality management and suggest processes, procedures and technologies to satisfy specific compliance obligations related to the EU GDPR, the HIPAA Privacy Rule in the US, and other regulations.

Privacy by Design | Data Leakage Protection | Secure Archive | Security

Enterprise Information Archiving provides the secure, perpetual storage and policy management necessary with the predictable costs and scalability of a true cloud architecture. With an industry-leading 7 second search SLA, archived information is instantly accessible, making it easy for employees or administrators to find a single email or to support a larger e-discovery case.

Mimecast solves important archiving challenges by:

• Archiving email in the cloud

• Responding quickly to litigation requests

• Retaining important company files

• Archiving Lync IM conversations

A single, unified archive in the Mimecast cloud delivers scalability, rapid information access and data assurance — without the spiraling expense of hardware and software typical of legacy on-premises solutions.

Data Subject Access Request | Data Discovery

What personal data do you hold? Where is it? How old is it? Who can access it? Is it encrypted? Finding the answers to questions like these could take a manual workforce thousands of man-hours. RAVN Connect is the perfect solution for performing data audits during compliance reviews. It provides:

• Over 40 out-of-the-box connectors to popular enterprise systems like DMS, CRM, file stores and email servers. It also allows you to easily create your own custom connectors if required.

• Uses Named Entity Recognition (NER), Natural Language Processing (NLP) and other techniques to automatically identify personal data types, like:

o Name
o Identification numbers, like employee number, national insurance number etc.
o Location data, like address
o Electronic / online identifiers like IP addresses, login credentials, email address, MAC address, IMEI numbers
o Biological identity like ethnicity and race
o Political opinions
o Religious / philosophical persuasion
o Trade union membership
o Data concerning sex life
o Criminal convictions and offences
o Employee-employer related data

• Classify data according to common GDPR classifications like standard or sensitive data

• Present results in a reporting interface and allow you to filter, sort and discard results.
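As an added illustration of the pattern-matching side of personal data discovery (example code written for this guide's topic, not RAVN Connect or any other vendor's software), the Python script below scans a constructed set of file-store extracts for a few of the identifier types listed above, tags each finding as standard or sensitive (Article 9 special category) and supports filtering and sorting of the results. The regular expressions, the keyword cues and the sample sources are all assumptions made for the example; a production tool would layer NER/NLP on top and carry many more detectors.

```python
"""Regex- and keyword-based personal data discovery over a constructed set of
sources. Example code for illustration only; not RAVN Connect or any vendor's
product."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Pattern detectors for a few of the online / electronic identifier types named
# above. Simple regexes stand in for the NER/NLP a real product would use.
PATTERNS = {
    "email_address": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4_address": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    # UK National Insurance number format: two letters, six digits, suffix A-D.
    "national_insurance_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "imei_number": re.compile(r"\b\d{15}\b"),
}

# Keyword cues for Article 9 special categories; any hit makes the source
# "sensitive". These cue lists are assumptions for the example.
SPECIAL_CATEGORY_CUES: Dict[str, List[str]] = {
    "ethnicity_or_race": ["ethnicity", "ethnic origin"],
    "political_opinions": ["political opinion", "political affiliation"],
    "religious_or_philosophical_belief": ["religion", "religious"],
    "trade_union_membership": ["trade union", "union member"],
    "sex_life": ["sexual orientation", "sex life"],
    "criminal_convictions": ["criminal conviction", "convicted of"],
}


@dataclass(frozen=True)
class Finding:
    source: str
    data_type: str
    value: str
    classification: str  # "standard" or "sensitive" (special category)


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """One Finding per identifier match, plus at most one per special
    category per source (so "trade union member" is counted once)."""
    findings: List[Finding] = []
    for name, text in sources.items():
        for data_type, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append(Finding(name, data_type, match.group(0), "standard"))
        lowered = text.lower()
        for category, cues in SPECIAL_CATEGORY_CUES.items():
            hit = next((cue for cue in cues if cue in lowered), None)
            if hit is not None:
                findings.append(Finding(name, category, hit, "sensitive"))
    return findings


def filter_findings(findings: List[Finding], source: Optional[str] = None,
                    classification: Optional[str] = None,
                    data_type: Optional[str] = None) -> List[Finding]:
    """Narrow a result set the way a reporting interface would."""
    return [f for f in findings
            if (source is None or f.source == source)
            and (classification is None or f.classification == classification)
            and (data_type is None or f.data_type == data_type)]


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per GDPR classification."""
    return dict(Counter(f.classification for f in findings))


# Constructed sample sources (fictitious values) standing in for connector output.
SAMPLE_SOURCES: Dict[str, str] = {
    "hr/employee_record_0042.txt": (
        "Employee: Jane Doe, staff number 0042, NI number AB123456C, "
        "email jane.doe@example.com. Jane is a trade union member."
    ),
    "it/dhcp_leases.log": (
        "2017-11-02 10:14:03 lease 192.168.10.27 assigned to 00:1A:2B:3C:4D:5E "
        "(handset IMEI 356938035643809)"
    ),
    "legal/contract_summary.txt": (
        "Supplier shall process customer names and email addresses only. "
        "No special category data is in scope."
    ),
    "sales/crm_export.csv": "name,email,notes\nSam Smith,sam.smith@example.org,prefers calls after 5pm",
}

if __name__ == "__main__":
    results = scan_sources(SAMPLE_SOURCES)
    for f in sorted(results, key=lambda f: (f.classification, f.source)):
        print(f"{f.classification:9} {f.source:30} {f.data_type:28} {f.value}")
    print(summarise(results))
```

The contract summary deliberately yields no findings: it talks about email addresses without containing one, which is the distinction between a document mentioning a data type and a document holding personal data that a DSAR response would have to cover.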

Privacy by Design | Search

Once new and enhanced subject rights come into force, businesses may experience an increase in the number of data requests they receive from individuals. In most cases, the business must respond to a request within a month of receiving it, so having technology to expedite this work is of paramount importance; a manual approach may prove too labour intensive. Performing this service quickly is especially important because the GDPR prevents businesses from charging individuals to receive their data (except in certain circumstances), and businesses don’t want to spend too many man-hours on this obligation. RAVN Connect, our enterprise search solution, has been optimised for Subject Access Requests. It provides:

• The same connection functionality as for data auditing above


• Required criteria to search for personal data, and ability to fashion more complex search queries

• Filtering of results by data type, source and other custom values.

• Reporting

• Depending on the technical architecture of the data source, the ability to extract, remove or redact the personal data

Privacy by Design | Information Governance

In the build-up to the GDPR coming into force, many professional services firms will offer their clients a service assessing how compliant the data and privacy clauses in their contracts are with GDPR; alternatively, the business's own legal function might do this. Whatever the approach, RAVN Extract is able to find relevant provisions within contracts and extract each provision into a review user interface. With training, it can then “analyse” the extracted provision by either summarising it or making a judgement of compliance based on pre-defined conditions. It provides:

• Uploading of documents for ingestion, including OCRing

• Previewing all the documents that have been processed by ACE

• Searching across all document sets or within single documents

• Reviewing document clusters and tag document groups

• Filter results based on values like project or originating folder name

• View clauses relevant to GDPR (Data Privacy, etc.) in a distilled format for quick review.

• Review and amend the information that has been found within the documents and extracted into the review screen

• Manage workflows and assign teams and people to workflows

• Create and edit data points that are extracted and train the system based on feedback

• Run comparisons on information residing in different documents

• Generate reports

• Export exposed information to other systems and formats if required.

We hope you found the second edition of this guide useful.

To recommend content or a solution for the next edition or GDPRwiki.com please contact:

[email protected]