EU General Data Protection Regulation

Presentation on theme: "EU General Data Protection Regulation"— Presentation transcript:

1 EU General Data Protection Regulation
Competition Killer Call
These slides are intended to provide friendly and helpful advice and are not a definitive statement of law.

2 Agenda
- Introduction to the call and objectives
- Who to contact & call to action
- GDPR – Gregory Campbell
- Prospecting – Bob Yelland
- Back Up – the how and why (ILG)
© 2016 IBM Corporation IBM Analytics © 2015 IBM Corporation

3 Your UKI Connections and Contacts
Plus UKI Integration/Governance Sales specialist team:
- Andrew Templeman
- Steve Harries
- Paul Ranson
Specialty: StoredIQ

4 The New General Data Protection Regulation (GDPR) is Imminent
- The GDPR rules are set to be published in 1H 2016 and to be immediately applicable, after a 2-year transition period, by 1H 2018 to any organisation which operates in the EU market.
- Unlike the existing 1995 Data Protection Directive, the GDPR will look to create a harmonised, unified data protection law framework for all EU countries.
- Non-compliance has the potential to lead to huge fines, so now is the time to build on the foundations you already have to ensure you Protect, Govern and Know Your Data.

5 The GDPR Will Widen the Scope of Data Protection Application
- Extra-territorial: unlike the current law, it applies to organisations outside the EU processing EU data subjects' personal data; even if there is a Brexit, UK organisations will still be affected.
- Widely defines what constitutes personal data, including data that directly or indirectly identifies, or makes identifiable, a data subject, such as online identifiers and location data.
- Modernises the law in line with emerging technologies such as social networks and cloud.
- Will fundamentally change the way organisations must manage their structured and unstructured data, with obligations not just on Controllers but now also on Processors.

6 GDPR Key Concepts, Example Suggested Actions and Sanctions
- Administrative Fines for Non-Compliance: Regulators can impose administrative fines for non-compliance of up to €20m or 4% of total annual worldwide turnover, whichever is higher. Regulators also gain additional powers, including access to data and premises and to auditing, in addition to or instead of administrative fines.
- By Design and By Default: Data controllers must implement technical and organisational measures which demonstrate compliance with GDPR core principles. Suggested action: plan for this in the long term, e.g. instrument and manage data syndication and data lineage.
- Rights of EU Data Subjects: New and enhanced rights for data subjects in the EU, including erasure, access and portability. Suggested action: maintain data quality, amending, manipulating, erasing and exporting it into usable formats in both structured and unstructured environments.
- Accountability: Various accountability provisions; for example, data controllers need to be demonstrably compliant and ensure full reporting capabilities. Suggested action: consider how compliance can be proven, including data protection impact assessments, codes of conduct and proactive certification.
- Security of Personal Data: Includes 72-hour breach reporting to both regulatory authorities and to individuals in many scenarios. Suggested action: implement pervasive and intelligent internal and external network defences and restrictions to reduce data risks, including usage of data masking and redaction techniques.
- Lawfulness and Consent: Processing is only lawful if there is one of consent, necessity, legal obligation, protection, public interest, official authority or legitimate interest. Suggested action: keep data subjects informed and manage requests in a transparent, efficient and effective manner, ensuring core GDPR principles are upheld.
(Diagram on slide: the concepts Design and Default, Rights of EU Data Subjects, Administrative Fines for Non-Compliance, Accountability of Compliance, Data Breaches and Lawfulness and Consent mapped onto the ILG capability areas Assessment & Clean Up, Legal, Records & Retention, Curation and Archiving.)

7 GDPR Prospecting Conversation Guide
Target Audience:
- CIO/CTO/Storage Manager
- Chief Data Officer/Data Protection Officer
- Line of Business Liaison
- Compliance/Legal/Security = General Counsel, VP/Director of Compliance, VP/Director of Records, Chief Security Officer
LinkedIn Masterclass (need a refresher?): Module 1, Module 2, Module 3
Conversation Guide:
- What is the issue/new regulation?
- What is IBM's value proposition?
- At the client organisation, who is likely to care? Why should they care?
- What could this lead to in terms of engagement and offerings?
- What assets are available to support the conversation?
- Calls to action? Sample Tweets

8 GDPR Preparedness – Reality Bites
Thursday 28th April, 2pm to 5pm, IBM Analytics Solution Centre, IBM Southbank. Register here.

9 Call to Action
- GDPR client event on 28th April (IBM Southbank): invite your clients/prospects (you should already have this from Rachel Edwards).
- Various collateral and materials: contact the specialist team.

10 BACK UP slides – How and Why

11 Enterprise data growth
- Information under management in 2014: 10 Zettabytes. Information doubles every two years. 1 Zettabyte = 1,000 Exabytes = 1,000,000 Petabytes. Source: IDC Digital Universe, 2012.
- Portion of information unnecessarily retained: 70%, the percentage of total information retained inside an organization which has no business value and no legal or compliance obligation*. Source: CGOC Summit Survey.
- Estimated number of records that were compromised in 2012: 44.8 million. Erroneous delivery of emails and documents was the leading threat action among the 47,000+ security incidents studied from 2012. Source: Verizon 2013 Data Breach Investigations Report.
* Indeed, much of this data being kept is likely to have privacy obligations that are often failing to be met.

12 Enterprise data accounts for increased risk and waste
Typical organizations retain far too much ROT data (Redundant, Obsolete and Trivial):
- Redundant data: duplicates that are no longer of value
- Obsolete data: data that has aged past its useful life
- Trivial data: data that has no ongoing business value
70% is the typical amount of unstructured data that has no value; 35%–45% of data created this year will hold no business value in one year (Gartner 2014).
Typical organizations struggle with dark data. They have no insight into it, yet any breach can uncover:
- Personally identifiable information (PII)
- Highly confidential information (HCI)
- Payment Card Industry (PCI) data
Dark data risk includes:
- Sources such as email, chat, file shares, SharePoint, desktops, etc. can all be eDiscovery and privacy blind spots
- Regulatory data stored in the wrong location with no visibility into its lifecycle
- Organizations being unaware of sensitive content residing outside of expected security protocols

13 Compliance with Local Laws & Regulations is Challenging – a Growing Risk & Cost
Operating in many countries: managing information at the local level reduces storage overall vs. applying worst-case retention rules across all countries.
- U.K.: Principles 5 & 8, Data Protection Act 1998. Personal data processed for any purpose should not be kept for longer than is necessary for that purpose; generally interpreted as 2 years MAX.
- PENDING – EU GDPR: Trilogue EU negotiations began June 24 for 6 m. Obligation for Compliance, Right to Erasure, Data Breach Notification. Data Protection & Privacy due 2017.
- Singapore: IRAS regulations (Income Tax Act and GST Act): 5 years for records up to 1/2007, 7 years for records after 1/2007. PDPA Data Privacy due July 2014.
- SEPA & ISO 20022: information around mandated XML transaction archiving for banks.
- Hong Kong: PDPO Privacy Act 1996.
- U.S.: 29 CFR 516, (b), & Employee payroll and other employee information, retain for 3 years. HIPAA HITECH Act: privacy and PHI access. Patriot Act: retain for 5 years.
- Australia: retention & privacy regulations. There are around 80 Acts at both the State and Federal level which regulate document and record retention and destruction. Privacy Act changes March 2014 (APP).
- Switzerland: Code of Obligations, Articles 957 & 962. Employee training records, including attendance records: retain 10 years.

14 Business critical data is at risk every day
(Chart on slide: attack types – SQL injection, watering hole, physical access, malware, third-party software, DDoS, spear phishing, XSS, undisclosed. Note: size of circle estimates relative impact of incident in terms of cost to business. Source: IBM X-Force Threat Intelligence Quarterly, 1Q 2014.)
Timeline: 2011, year of the breach; 2012, 40% increase; 2013, 500,000,000+ records breached.
We are in an era of continuous breaches, where reported attacks continue to increase. In 2011, IBM X-Force declared, somewhat prematurely it would appear, the Year of the Security Breach. It has only gotten worse since. 2012 was a record year for reported data breaches and security incidents, with a 40 percent increase in total volume over 2011. In 2013, security incidents surpassed the total number reported in 2012, and their effects on the organizations involved were more troubling; the year kicked off with a number of high-profile sophisticated attacks on major websites, media, and tech companies.
A new security reality is here, where sophisticated attackers break through conventional safeguards every day. Organized criminals, hacktivists, governments and adversaries are compelled by financial gain, politics and notoriety to attack your most valuable assets. Their operations are well-funded and business-like: attackers patiently evaluate targets based on potential effort and reward. Their methods are extremely targeted: they use social media and other entry points to track down people with access, take advantage of trust, and exploit them as vulnerabilities. Meanwhile, negligent employees inadvertently put the business at risk via human error. Even worse, security investments of the past fail to protect against these new classes of attacks. The result is more severe security breaches more often.
61% of organizations say data theft and cybercrime are the greatest threats to their reputation (2012 Global Reputational Risk & IT Study, IBM). And the costs are staggering: by one estimate, the average cost of a breach is over $3.5 million (2014 Cost of a Data Breach Study, Ponemon Institute).
Callouts on slide: 61% of organizations say data theft and cybercrime are their greatest threats (2012 IBM Global Reputational Risk & IT Study); $3.5M+ average cost of a data breach (2014 Cost of Data Breach, Ponemon Institute).

15 What is Information Lifecycle Governance?
ILG is a set of policies that defines how an organization manages its information throughout the data lifecycle in order to reduce operational and systemic risk, without adversely impacting the value of the information.

16 Information Lifecycle Governance
Solutions & Capabilities of IBM Information Lifecycle Governance:
- Assessment & Clean Up
- Legal
- Records & Retention
- Curation
- Archiving

17 StoredIQ approach: Understand data in its native location before taking action
INTELLIGENCE: Analyze, Identify. Then ACT.

18 Connect to data in its native location
- NT File System (agent-less or agent)
- NFS
- Lotus Notes & Domino
- OpenText Livelink / Content Server
- FAS & SnapLock
- Macintosh
- Xtender
- CIFS
- Content Archive System / HCAP
- Linux / Unix
- DX Object Storage
- Celerra / Centerra
Support for 75+ data sources and 450+ file types.

19 Identify data in-place, analyze for relevance/value/risk & then act
- Identify data in 75+ repositories
- Categorize data based on metadata and full-text
- Create rule sets for data action
- Act on data

20 Classify data to identify business value
Use a combination of rules and machine learning to identify and classify data of business value, making it readily available for migration.
(Diagram on slide: Filter 1, Filter 2, Filter 3, Action; axes Volume and Relevance.)

21 Legacy Data Clean-Up and Archive Data Reduction
Assumptions used:
- Unstructured data volume = 100 TB
- Unstructured data is growing 30% year over year
- Storage cost per TB: £2.5K per year, with storage cost decreasing 5% year over year
- 27% ROT potential, with 5% follow-on year reduction
- Backup and DR volume is 1.5 times that of primary
- Backup and DR costs are 25% of primary storage costs
- Archive storage costs 25% less than primary
Scenario:
- All unstructured data: 750 TB stored (NetApp NAS). All client data sources (messaging, SharePoint, repositories, desktops, etc.) storing an estimated 750 TB of data.
- User CIFS data: 100 TB in scope. All client CIFS file shares storing end-user generated content; legacy data targeted for clean-up.
- User data after clean-up: 68 TB stored. An estimated 27% (32 TB) reduction in the total amount stored on user CIFS shares; this includes the growth rate.
- User data after archiving: 50 TB stored. Remaining data targeted for archive; this might impact backup & DR data volumes.
- Result: an estimated 50% total reduction of user CIFS storage with legacy data clean-up and archive.
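As an added illustration (not IBM's calculator or any code from this deck), here is a small Python model of the clean-up and archive projection built from the slide's stated assumptions. The archive share is an assumption of mine, and the model applies ROT removal, growth and archiving to the whole retained volume each year, so its figures are a simplified projection rather than a reproduction of the slide's 68 TB and 50 TB.

```python
from dataclasses import dataclass


@dataclass
class Assumptions:
    """Inputs from the slide, plus one assumed value (archive_share)."""
    in_scope_tb: float = 100.0        # user CIFS data in scope
    growth: float = 0.30              # unstructured data grows 30% year over year
    cost_per_tb: float = 2500.0       # primary storage, GBP per TB per year
    cost_decline: float = 0.05        # unit storage cost falls 5% per year
    rot_first_year: float = 0.27      # 27% ROT potential removed in year 1
    rot_follow_on: float = 0.05       # 5% follow-on reduction each later year
    backup_multiplier: float = 1.5    # backup + DR volume is 1.5x primary
    backup_cost_factor: float = 0.25  # backup + DR cost is 25% of primary cost
    archive_discount: float = 0.25    # archive tier costs 25% less than primary
    archive_share: float = 0.25       # ASSUMED: share of retained data archived


def yearly_cost(primary_tb, archive_tb, unit_cost, a):
    """Annual cost of primary storage, its backup/DR copies and the archive tier."""
    primary = primary_tb * unit_cost
    backup = primary_tb * a.backup_multiplier * unit_cost * a.backup_cost_factor
    archive = archive_tb * unit_cost * (1 - a.archive_discount)
    return primary + backup + archive


def project(a, years=3, act=True):
    """Per-year (year, primary_tb, archive_tb, cost_gbp); act=False is 'do nothing'."""
    rows, volume, unit_cost = [], a.in_scope_tb, a.cost_per_tb
    for year in range(1, years + 1):
        if year > 1:                       # growth and cheaper disks apply from year 2
            volume *= 1 + a.growth
            unit_cost *= 1 - a.cost_decline
        if act:                            # clean up ROT first, then archive a share
            volume *= 1 - (a.rot_first_year if year == 1 else a.rot_follow_on)
            archive_tb = volume * a.archive_share
        else:
            archive_tb = 0.0
        primary_tb = volume - archive_tb
        rows.append((year, primary_tb, archive_tb,
                     round(yearly_cost(primary_tb, archive_tb, unit_cost, a))))
    return rows


def saving(a, years=3):
    """Cumulative cost avoided by clean-up + archive versus doing nothing."""
    do_nothing = sum(r[3] for r in project(a, years, act=False))
    with_action = sum(r[3] for r in project(a, years, act=True))
    return do_nothing - with_action


if __name__ == "__main__":
    for row in project(Assumptions()):
        print("year %d: primary %.1f TB, archive %.1f TB, cost £%d" % row)
    print("3-year saving: £%d" % saving(Assumptions()))
```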

22 Supported the largest litigation case in the world by identifying, collecting, analyzing & classifying 132 TB of data to produce 200 GB of relevant data
PROBLEM: For the Deepwater Horizon matter, look across 132 TB, 3 continents and 8 locations. Collect 1 TB to a preservation location in Houston. Full-text index and apply additional terms to reduce to the smallest defensible data set, which was sent out for production review by outside counsel. The final data set was approximately 200 GB.
SOLUTION: Enabled a 100:1 reduction in the collection process in less than 2 weeks.
ROI: Saved millions of dollars, responded to every DOJ request, substantially lowered outsourced review costs and built a defensible audit trail.

23 Common Use Cases
Privacy & Risk Avoidance:
- Personally Identifiable Information (PII)
- Highly classified information (HCI)
- Payment Card Information (PCI)
- Comply with GDPR and other privacy regulations
eDisclosure Readiness & Support:
- Early Data Assessment
- Data Collection
- Export to Review
- Part of the StoredIQ for Legal solution
Data Clean Up:
- Redundant: duplicate files
- Obsolete: files past their useful life
- Trivial: files that never had value to the org
- Which data do employees actually use?
Data Migration:
- Move to cloud (Box)
- Mergers and acquisitions
- Divestitures
- Only move the information that matters

24 Key benefits
- Find the data that matters: properly discover, classify and manage information according to business value to reduce risk and cost.
- Speed time to value: reduce time to migrate content to Box by only migrating relevant data.
- Identify sensitive and toxic content: leave sensitive data on-premise or dispose of it.
Essentially all organizations need to find and manage content for internal investigations, regulatory investigations, and litigation. Responding quickly and cost-effectively is largely impacted by how efficiently an organization is managing its information. Organizations need to understand:
- What information do I have?
- Where is that information located?
- What is the value of that information?
- Do I have enforceable and defensible retention policies (and the right policies) in place?
Highlights of the StoredIQ solution for eDiscovery:
- Properly discover, classify, and manage information according to business value and risk.
- Better comply with corporate policies and regulations by knowing exactly what information is stored and where.
- Make appropriate decisions before litigation about the retention, deletion, and security of unstructured information.
And, once an organization becomes aware of a case, the solution can be used to:
- Crawl and classify active information across multiple sources.
- Begin to quickly analyze data prior to collection.
- Improve the ability to cull down potentially responsive information.
- Automate the processing and creation of load files for downstream litigation review.
