Software Security Solutions

WHITE PAPER

Business Implications of GDPR and the Role of Technology

Lenovo recommends Windows 10 Pro.

Introduction

While data privacy regulation is hardly a new concept for the 21st century, the adoption of the EU’s General Data Protection Regulation (GDPR) is a watershed event, as it marks a seismic shift in the way data controllers and data processors handle personal data.

So, what is GDPR? Why is it so important? What role will technology play in ensuring compliance for your business? These are some of the questions we seek to answer through this whitepaper. Apart from providing a macro-level understanding of the key aspects of the proposed regulations, we’ll be exploring the technology implications GDPR will have on your business and the steps you can take to ensure compliance.

Why GDPR Matters

Approved and adopted by the EU Parliament in April 2016, the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It is aimed at consolidating and improving upon the patchwork of data privacy regulations practiced in Europe, to better protect the data privacy of all EU residents in an increasingly digital world. Consequently, it is also poised to transform the way organizations, both within and beyond the European Union (EU), approach data privacy.

Once the GDPR fully comes into effect on 25 May 2018, it will be binding not only on businesses operating within the EU but on all companies who offer, or wish to offer, their goods or services to EU citizens.

Penalties of Non-compliance

One of the key reasons why GDPR has grabbed headlines for the past few years is the provision for exorbitant penalties to be exacted from organizations for non-compliance. Organizations can be fined up to 4% of their annual global turnover, or €20 million, for breaching GDPR. The monetary penalization aside, organizations that fail to align their technology infrastructure with GDPR run the risk of operational failure and legal complications, both of which can cause irreparable reputational damage.

Perks of Compliance

While some of the fears associated with GDPR are not misplaced, it would be wrong to take a completely bleak view of this revolutionary step. In fact, organizations that take a positive approach to ensuring compliance with GDPR can look forward to significant gains.

With the increased focus on data protection, businesses with a good data privacy reputation will fare better in today’s hyper-competitive market. Also, the heightened awareness about data privacy regulation will make it a key factor for consumers to consider when choosing a brand to invest in. Additionally, compliance with GDPR practices will result in a more robust technology infrastructure for organizations, which in turn, will have a positive impact on operational efficiency and employee productivity.

Understanding the Regulation

GDPR will change the way businesses and public sector organizations handle their customers’ personal data. Let’s look at some of the key components of this bold framework of privacy regulation.

Expanded Territorial Reach

The scope of implementation of the GDPR is not limited to entities registered within the EU but will be binding on all organizations, based anywhere in the world, when they handle any EU citizen’s personal data. So, if you are based out of India and selling software solutions to individuals in a European country, your organisation will need to comply with GDPR, or face steep penalties.

Scope of Personal Data

To keep pace with the rapid technological advances and relentless digitalization of our world, the definition of ‘personal data’ has been broadened under the GDPR. So along with attributes such as name, identification number and location data, personal data now includes online identifiers such as IP addresses and mobile device IDs.

New Standard of Consent

Organizations processing personal data must get prior consent from data subjects, and more importantly, this consent must relate specifically to the purposes of the processing. Companies getting explicit consent for one purpose and then using the gathered personal data for a different purpose will be penalized.

Privacy by Design and by Default

To ensure that data privacy is not reduced to an afterthought, GDPR has the ‘privacy by design’ mandate clearly outlined. According to this mandate, all organizations need to adopt an approach that promotes privacy and data protection compliance right from the start of any project, and also throughout its lifecycle. Furthermore, the ‘privacy by default’ provision of the GDPR requires business entities to take deliberate measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

Right to Erasure

GDPR, under its ‘right to erasure’ clause (formerly ‘right to be forgotten’), gives individuals the right to have their data removed or deleted, under specific circumstances. For example, an individual can invoke this right if he feels that his personal data was unlawfully processed, or that it is no longer necessary for the purpose for which it was collected.

Technology Implications

The GDPR framework for data privacy, once implemented fully, will lead to a world with more penetrative forms of scrutiny – a world in which technology failures will be harder to excuse. And whether the failure is due to an external attack from hackers or because of poor management of sensitive information by an employee, reported cases will open lines of inquiry into all aspects of technology design and delivery.

Accountability

GDPR requires increased accountability from both data controllers and data processors in the way they collect, store, process and manage personal data.

Privacy Integration

GDPR mandates organizations to consider privacy and data protection during the initial discussion and design stages of a project as well as throughout its lifecycle.

Access to Data

GDPR allows EU citizens to request a copy of their personal data, and consequently puts the onus on organizations to make this data available to them in a usable form.

Data Retention

GDPR’s ‘right to erasure’ provision requires organizations to know exactly where an individual’s data is stored so that it can be deleted upon request.

Where to Start

Instead of a hurdle to be overcome, GDPR should be seen as an opportunity to get your information management and governance in order. You can begin your journey towards compliance by understanding the personal information you have or will collect, developing the appropriate organisational policies to protect this data, and using technology to implement these policies. And you start by answering the following questions.

Where Does Data Reside?

Before you start working on your GDPR compliance strategy, it’s important to analyse and understand how this new regulatory framework applies to your organisation. For this, you first need to evaluate the data you have and where it resides.

How is Personal Data Being Captured, Accessed and Used?

GDPR has been designed to give EU citizens more control over how their personal data is captured and used. As an organization subject to GDPR, you will need to assess how you are capturing and using personal data, and then formulate a data governance plan with revised policies and protocols that ensure compliance with the GDPR.

How Can You Protect Your Data?

From operational negligence and accidental loss to intentional attacks from hackers, there is a multitude of factors to consider when devising a data security plan. You can start by taking steps to manage and mitigate risks, such as password protection, data encryption, and controlled access to data.

How Lenovo Can Help

Data security is a key priority at Lenovo. Lenovo’s leadership role as a technology company is based on the trust earned from customers and the wider IT community. To earn this trust, we go beyond simply adding security features into our products. We design and build systems with a truly integrated approach to threat prevention, detection, and mitigation. Therefore, when it comes to readying yourself for GDPR, you can count on Lenovo to help you every step of the way.

At Lenovo, we’ve implemented a comprehensive approach to security that ensures the protection and privacy of Lenovo devices and the people who use them.

Hardware Security Solutions

Software Security Solutions

Security Services and Support

Hardware Security Solutions

dTPM

A built-in feature of ThinkPads, ThinkCentres, and ThinkStations, Discrete Trusted Platform Module (dTPM) encrypts all user data, including passwords.

Secure Hard Drives

Optimised for safeguarding essential data while on-the-go, the ThinkPad Secure Hard Drives offer high-level 256-bit Advanced Encryption Standard (AES) security, in real-time.

Windows Hello

Windows Hello uses biometric sensors to recognise the user apart from others, giving a superior level of enterprise-grade protection by allowing the user to unlock the device using their face.

Lenovo Security Cable Lock

The Lenovo Security Cable Lock allows customers to manage physical security access within the enterprise. Cable locks help reduce theft and increase physical asset security protection for notebooks, notebook docking stations, desktops and flat panel monitors.

Match-on-Chip Fingerprint Solution

Back in 2004, the ThinkPad T42 became the first notebook PC to include a built-in fingerprint reader. Since then, we have continued to upgrade and improve fingerprint technology and the user experience. The latest Match-on-Chip solution provides a more secure authentication solution by reducing the risk of fingerprint information being compromised. Further strengthen multi-factor authentication with Intel® Authenticate, which gives IT flexibility to create and deploy customized hardened multi-factor authentication policies to enforce user identity protection for access to the corporate domain, network, and VPN, protecting identity and securing data. The Intel® Authenticate solution provides a simple self-service enrollment tool for end users to quickly get started, eliminating calls to IT.

Port Protection

Smart USB protection disables ports to help prevent data theft and network security risks from unauthorised use of storage devices.

ThinkPad Glance

ThinkPad Glance allows automatic locking using the infrared camera when the user is away from the device.

Remote Data Wipe

Lenovo devices save time by manually wiping drives with Intel® Remote Secure Erase for Intel® Solid State Drives that are managed by Intel® Active Management Technology, making it easier to wipe SSD media and delete encryption keys faster.

Lenovo Privacy Filters

Lenovo privacy filters come with patented 3M microlouver privacy technology so only persons directly in front of the display can clearly see the image on screen.

Software Security Solutions

Lenovo XClarity™

Lenovo XClarity™ Administrator is a centralized resource management solution that is aimed at reducing complexity, speeding response, and enhancing the availability of Lenovo® server systems and solutions. Lenovo XClarity includes features like firmware management, configuration management, OS provisioning, hardware monitoring and management. Among the many new obligations outlined in GDPR is a clause that requires organizations to report a data breach within 72 hours. Documentation is key to ensuring compliance here. Lenovo XClarity includes an audit log that provides a historical record of user actions, such as logging on, creating users, or changing user passwords.

Lenovo Absolute

The Lost & Found service of Lenovo combines software and security tools from Lenovo and Absolute Software with additional alerts that make it easy to return missing PCs to their registered owners. Absolute Software tracks the stolen computer and provides local police with the information they need to get it back.

Security Services and Support

Product End-of-Life Management (PELM)

PELM is the reuse, refurbishing, demanufacturing, dismantling, reclamation, shredding, recycling, treatment and disposal of products, parts, and options when they are taken out of service, reach end of life, and/or are scrapped. This ensures that your personal data or corporate data never falls into the wrong hands.

Lenovo Online Data Backup (OLDB)

With the GDPR just around the corner, the importance of keeping your corporate data safe cannot be overstated. However, the critical task of backing up data can be a challenging and expensive endeavour. And backup isn’t enough; quick and simple access to that data is also critical. Lenovo OLDB is a powerful solution for endpoint data backup. Backed by Mozy by EMC, OLDB can give you the confidence that your company data is safe, secure, and available when you need it.

Encryption Services

Hard drive encryption is essential to avoid unauthorized access to data and sophisticated attacks. Lenovo's data encryption service automatically encrypts all your data on the PC.

Lenovo Keep Your Drive (KYD)

The Keep Your Drive (KYD) service from Lenovo allows you to keep your Lenovo drive and data within your custody, improving security and potentially alleviating civil liability risks. It lets you dispose of business data on your terms and helps your organisation avoid the legal and monetary repercussions associated with a breach of data security.

Conclusion

GDPR is a landmark legislation for privacy and data protection in the EU with far-reaching implications including increased territorial scope, enhanced accountability and new responsibilities for both data processors and data collectors. As such, being ‘GDPR ready’ requires organizations to take a closer look at their current data handling practices, identify gaps that make them vulnerable and develop a holistic, long-term plan towards achieving compliance.

reasons why Lenovo is a difference maker

Trusted around the world

Expertise across categories

Choose Lenovo with confidence

Business-boosting technology

Flexible support network

www.lenovo.com