Business Implications of GDPR and the Role of Technology

WHITEPAPER

Powered by Intel®. Intel Inside®. Powerful Productivity Outside.

Introduction

While data privacy regulation is hardly a new concept for the 21st century, the adoption of EU’s General Data Protection Regulation (GDPR) is a watershed event as it marks a seismic shift in the way data controllers and data processors handle personal data.

So, what is GDPR? Why is it so important? What role will technology play in ensuring compliance for your business? These are some of the questions we seek to answer through this whitepaper. Apart from providing a macro-level understanding of the key aspects of the proposed regulations, we’ll be exploring the technology implications GDPR will have on your business and the steps you can take to ensure compliance.

Why GDPR Matters

Approved and adopted by the EU Parliament in April 2016, the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It is aimed at consolidating and improving upon the patchwork of data privacy regulations practiced in Europe, to better protect the data privacy of all EU residents in an increasingly digital world. Consequently, it is also poised to transform the way organisations, both within and beyond the European Union (EU), approach data privacy.

Penalties of Non-compliance

Once the GDPR fully comes into effect on 25 May 2018, it will not only be binding on businesses operating within the EU but all companies who offer, or wish to offer, their goods or services to EU citizens. One of the key reasons why GDPR has grabbed headlines for the past few years is the provision for exorbitant penalties to be exacted from organisations for non-compliance. Organisations can be fined up to 4% of their annual global turnover, or €20 million, for breaching GDPR.

The monetary penalisation aside, organisations that fail to align their technology infrastructure with GDPR run the risk of operational failure and legal complications, both of which can cause irreparable reputational damage.

Perks of Compliance

While some of the fears associated with GDPR are not misplaced, it will be wrong to take a completely bleak outlook of this revolutionary step. In fact, organisations that take a positive approach to ensuring compliance with GDPR can look forward to significant gains.

With the increased focus on data protection, businesses with a good data privacy reputation will fare better in today’s hyper-competitive market. Also, the heightened awareness about data privacy regulation will make it a key factor for consumers to consider when choosing a brand to invest in. Additionally, compliance with GDPR practices will result in a more robust technology infrastructure for organisations, which in turn, will have a positive impact on operational efficiency and employee productivity.

Understanding the Regulation

GDPR will change the way businesses and public sector organisations handle their customers’ personal data. Let’s look at some of the key components of this bold framework of privacy regulation.

Expanded Territorial Reach

The scope of implementation of the GDPR is not limited to entities registered within the EU but will be binding on all organisations, based anywhere in the world, when they handle any EU citizen’s personal data. So, if you are based out of India and selling software solutions to individuals in a European country, your organisation will need to comply with GDPR, or face steep penalties.

Scope of Personal Data

To keep pace with the rapid technological advances and relentless digitalization of our world, the definition of ‘personal data’ has been broadened under the GDPR. So along with attributes such as name, identification number and location data, personal data now includes online identifiers such as IP addresses and mobile device IDs.

New Standard of Consent

Organisations processing personal data must get prior consent from data subjects, and more importantly, this consent must relate specifically to the purposes of the processing. Companies getting explicit consent for one purpose and then using the gathered personal data for a different purpose will be penalised.

Privacy by Design and by Default

To ensure that data privacy is not reduced to an afterthought, GDPR has the ‘privacy by design’ mandate clearly outlined. According to this mandate, all organisations need to adopt an approach that promotes privacy and data protection compliance right from the start of any project, and also throughout its lifecycle. Furthermore, the ‘privacy by default’ provision of the GDPR requires business entities to take deliberate measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

Right to Erasure

GDPR, under its ‘right to erasure’ clause (formerly ‘right to be forgotten’), gives individuals the right to have their data removed or deleted, under specific circumstances. For example, an individual can invoke this right if he feels that his personal data was unlawfully processed, or that it is no longer necessary for the purpose for which it was collected.

Technology Implications

The GDPR framework for data privacy, once implemented fully, will lead to a world with more penetrative forms of scrutiny – a world in which technology failures will be harder to excuse. And whether the failure is due to an external attack from hackers or because of poor management of sensitive information by an employee, reported cases will open lines of inquiry into all aspects of technology design and delivery.

Accountability

GDPR requires increased accountability from both data controllers and data processors in the way they collect, store, process and manage personal data.

Privacy Integration

GDPR mandates organisations to consider privacy and data protection during the initial discussion and design stages of a project as well as throughout its lifecycle.

Access to Data

GDPR allows EU citizens to request a copy of their personal data, and consequently puts the onus on organisations to make this data available to them in a usable form.

Data Retention

GDPR’s ‘right to erasure’ provision requires organisations to know exactly where an individual’s data is stored so that it can be deleted upon request.

Where to Start

Instead of a hurdle to be overcome, GDPR should be seen as an opportunity to get your information management and governance in order. You can begin your journey towards compliance by understanding the personal information you have or will collect, developing the appropriate organisational policies to protect this data, and using technology to implement these policies. Start by answering the following questions.

Where Does Data Reside?

Before you start working on your GDPR compliance strategy, it’s important to analyse and understand how this new regulatory framework applies to your organisation. For this, you first need to evaluate the data you have and where it resides.

How is Personal Data Being Captured, Accessed and Used?

GDPR has been designed to give EU citizens more control over how their personal data is captured and used. As an organisation subject to GDPR, you will need to assess how you are capturing and using personal data, and then formulate a data governance plan with revised policies and protocols that ensure compliance with the GDPR.

How Can You Protect Your Data?

From operational negligence and accidental loss to intentional attacks from hackers, there is a multitude of factors to consider when devising a data security plan. You can start by taking steps to manage and mitigate risks, such as password protection, data encryption, and controlled access to data.

How Lenovo Can Help

Data security is a key priority at Lenovo. Lenovo’s leadership role as a technology company is based on the trust earned from customers and the wider IT community. To earn this trust, we go beyond simply adding security features into our products. We design and build systems with a truly integrated approach to threat prevention, detection, and mitigation.

At Lenovo, we’ve implemented a comprehensive approach to security that ensures the protection and privacy of Lenovo devices and the people who use them.

Hardware Security Solutions

Software Security Solutions

Security Services and Support

Hardware Security Solutions

dTPM

A built-in feature of ThinkPads, ThinkCentres, and ThinkStations, Discrete Trusted Platform Module (dTPM) encrypts user data, including passwords.

Secure Hard Drives

Optimised for safeguarding essential data while on-the-go, the ThinkPad Secure Hard Drives offer high-level 256-bit Advanced Encryption Standard (AES) security, in real-time.

Windows Hello

Windows Hello uses biometric sensors to tell the user apart from others, giving a superior level of enterprise-grade protection by allowing the user to unlock the device using their face.

Match on Chip Fingerprint Reader

Back in 2004, the ThinkPad T42 became the first notebook PC to include a built-in fingerprint reader. Since then, we have continued to upgrade and improve fingerprint technology and the user experience. The latest Match-on-Chip solution provides a more secure authentication solution by reducing the risk of fingerprint information being compromised.

Further strengthen multi-factor authentication with Intel® Authenticate, which gives IT the flexibility to create and deploy customized hardened multi-factor authentication policies to enforce user identity protection for access to the corporate domain, network, and VPN, protecting identity and securing data. The Intel® Authenticate solution provides a simple self-service enrollment tool for end users to quickly get started, eliminating calls to IT.

Lenovo Security Cable Lock

The Lenovo Security Cable Lock allows customers to manage physical security access within the enterprise. Cable locks help reduce theft and increase physical asset security protection for notebooks, notebook docking stations, desktops and flat panel monitors.

ThinkPad Glance

ThinkPad Glance allows automatic locking using the Infrared camera when the user is away from the device.

Remote Data Wipe

Lenovo devices save the time spent manually wiping drives. With Intel® Remote Secure Erase for Intel® Solid State Drives that are managed by Intel® Active Management Technology, it is easier to wipe SSD media and delete encryption keys faster.

Port Protection

Smart USB protection disables ports to help prevent data theft and network security risks from unauthorised use of storage devices.

Lenovo Privacy Filters

Lenovo privacy filters come with patented 3M microlouver privacy technology so only persons directly in front of the display can clearly see the image on screen.

Absolute

The Lost & Found service of Lenovo combines software and security tools from Lenovo and Absolute Software with additional alerts that make it easy to return missing PCs to their registered owners. Absolute Software tracks the stolen computer and provides local police with the information they need to get it back.

Software Security Solutions

Lenovo XClarity™

Lenovo XClarity™ Administrator is a centralized resource management solution that is aimed at reducing complexity, speeding response, and enhancing the availability of Lenovo® server systems and solutions. Lenovo XClarity includes features like firmware management, configuration management, OS provisioning, hardware monitoring and management.

Lenovo XClarity also includes an audit log that provides a historical record of user actions, such as logging on, creating users, or changing user passwords.

Security Services and Support

Encryption Services

Encryption provides factory-enabled anti-theft security and hard-drive passwords. Customers with mandated encryption regulations benefit from having it performed on the factory line, as their required documentation is provided by Lenovo.

Lenovo Keep Your Drive (KYD)

The Keep Your Drive (KYD) service from Lenovo allows you to keep your Lenovo drive and data within your custody, improving security and potentially alleviating civil liability risks. It lets you dispose of business data on your terms and helps your organisation avoid the legal and monetary repercussions associated with a breach of data security.

Lenovo Online Data Backup (OLDB)

The importance of keeping your corporate data safe cannot be overstated. However, the critical task of backing up data can be a challenging and expensive endeavour. And backup isn’t enough; quick and simple access to that data is also critical. Lenovo OLDB safeguards business data from accidents, operating system and application errors, hard drive failures, and other unexpected risks with a secure, online solution for data protection.

Asset Recovery Services (ARS)

Asset Recovery Services (ARS) is the reuse, refurbishing, demanufacturing, dismantling, reclamation, shredding, recycling, treatment and disposal of products, parts, and options when they are taken out of service, reach end of life, and/or scrapped. On top of simplifying the transition from old to new equipment, ARS mitigates environmental and data security risks associated with PC disposal, and ensures your data never falls into the wrong hands.

Conclusion

GDPR is a landmark legislation for privacy and data protection in the EU with far-reaching implications including increased territorial scope, enhanced accountability and new responsibilities for both data processors and data collectors. As such, being ‘GDPR ready’ requires organisations to take a closer look at their current data handling practices, identify gaps that make them vulnerable and develop a holistic, long-term plan towards achieving compliance.

www.lenovo.com

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

reasons why Lenovo is a difference maker

Trusted around the world

Expertise across categories

Choose Lenovo with confidence

Business-boosting technology

Flexible support network
