MARKET PERSPECTIVE

10 Software and Cloud Services Providers to Consider for Your GDPR Compliance Needs

Andrew Smith Angela Gelnaw Carla Arend Duncan Brown Archana Venkatraman

EXECUTIVE SNAPSHOT

FIGURE 1. Executive Snapshot: GDPR Regulations Create New Opportunity

Source: IDC, 2017

August 2017, IDC #US42277417

NEW MARKET DEVELOPMENTS AND DYNAMICS

GDPR Accelerates Storage, Compliance, and Security Modernization

GDPR enforcement begins May 25, 2018. The EU-wide regulation streamlines many of the complex local and regional regulations already in place and updates the law on data collection and security so that it applies to modern businesses using a range of cloud, mobile, and social technologies. From all the GDPR articles, IDC has distilled four major implications for organizations processing the personal data of EU-located data subjects:

- Heftier noncompliance fines. The maximum fine for noncompliance is €20 million or 4% of global annual turnover, whichever is higher. This puts personal data protection on the same footing as anti-bribery and anti-money-laundering law, making it a boardroom issue rather than an IT issue.
- Mandatory breach notification. Mandatory breach notification rules, already common in the United States and other countries, are now introduced to the EU. A controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, and must inform affected data subjects "without undue delay" where the breach is likely to result in a high risk to them. This presents two challenges for organizations: detecting and documenting a breach quickly (most breaches are discovered months after they occur) and managing public relations afterward. A company needs to plan for a breach and have a well-thought-out process not only for technical remediation but also for dealing with regulator, customer, and media concerns.
- Extra-territoriality. The GDPR's territorial scope (Article 3) extends it to any controller or processor, wherever it is established, that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour; citizenship is not the test. A United States-based cloud service provider with no physical footprint in the EU is therefore in scope if it processes such data. Social networks, ecommerce sites, and other internet-based companies are included, making the regulation enforceable far beyond EU borders.
- Ban on data processing. In extreme cases, a regulator can suspend a company's right to process personal data (Article 58). This is effectively an order to cease trading, since processing orders or paying employees involves processing personal data. Although this sanction is unlikely to be used often, it exists in the written law. It acts as a backstop should all others fail and must be given serious consideration in any GDPR risk assessment, since it has the potential to halt business operations entirely.

Customers need distinct capabilities to address these challenges. For providers, simply branding products as GDPR-ready is unlikely to be sufficient or credible. Customers need help understanding how the new regulation affects the data they hold on and off premises, how to quickly identify what personal data sits under their corporate umbrella, and whether it is handled in line with the GDPR. In some cases these questions will lead to infrastructure modernization and new technology purchases, which can help organizations adhere to the GDPR cost-effectively. However, there is still significant uncertainty and confusion about GDPR enforcement. Technology and services providers have a unique opportunity to help customers identify the solutions and tools they need to become compliant, dispel the confusion and anxiety around GDPR compliance, and accelerate infrastructure and software modernization in the name of improved data protection and security.

©2017 IDC #US42277417 2

Providers Can Help Customers Build a Business Case for GDPR Compliance

The technology and services providers we spoke with indicate that many of their customers are ill-prepared to become GDPR compliant by the May 2018 deadline. A combination of uncertainty, lack of time, lack of funds, and aversion to change is responsible for this unpreparedness. In response, vendors have released white papers, product maps, end-user surveys, and doomsday-style countdown clocks to remind customers of the impending changes and their impact on security, storage, and infrastructure strategies. Customers in highly regulated industries such as finance and telecommunications typically have existing technology and processes in place, which may only need upgrades and modifications to meet the new requirements. However, customers in other industries, such as manufacturing and retail, where high volumes of customer data have historically been collected under less stringent regulatory requirements, may find themselves scrambling to modernize their infrastructure and applications.

For customers facing GDPR noncompliance issues, technology and services providers can act as an authority and a valuable resource in building the business case for GDPR-related solutions. Our discussions with providers uncovered several ways in which vendors are successfully partnering with customers to tackle GDPR compliance. These can be distilled into two complementary approaches: providers can help dispel myths and uncertainty surrounding the GDPR, and providers can stress the necessity for both process and technology changes.

Providers Can Help Dispel Myths and Uncertainty Surrounding GDPR

GDPR presents unique positioning opportunities for many vendors. Under the GDPR, service providers that store or process personal data are subject to legal and regulatory obligations because of their status as a "data processor." This means that the burden of GDPR compliance does not lie solely with the customer, the "data controller" in GDPR terms. Customers using a cloud services provider to store, collect, or access customer information, or running cloud-based applications that store or access customer information, will rely on their service provider to help achieve GDPR compliance.

IDC has identified several areas where vendors can give guidance regarding new GDPR regulations and help customers execute necessary changes. Combined with internal and external legal counsel, this will help vendors establish a reputation as a trusted partner during the formation of GDPR-related policy and technology decisions. To do so, vendors can focus conversations with their customers and partners around the following areas:

- GDPR is just one piece of the data protection puzzle. Data protection is a continuum, with tools for data archiving, backup, security, recovery, and compliance all contributing to increasingly mature levels of protection. Most customers looking to address the GDPR will already have compliance and data protection tools in their environment. The key opportunity for providers is to map the requirements of the GDPR onto the customer's existing fabric of tools and processes and identify where infrastructure and software optimization is necessary to improve data protection maturity. Achieving GDPR compliance should not be seen as a binary end state; once a customer reaches "compliance," providers should work with the customer to anticipate future needs and stay ahead of legal and regulatory changes.
- Customers should not take a "wait and see" approach. Providers should discuss the risks of noncompliance with customers. One large cloud services provider we spoke with estimates that half of its customers in the EU are actively planning their GDPR compliance needs and have a team and plan in place. The other half, customers without a significant plan, are hoping to avoid fines by responding reactively as the first enforcement actions are handed down. Providers must encourage customers to be proactive. Realistically, authorities will have to take a targeted approach to enforcement at the outset because of limited time and resources; they will not be able to fine everyone, so some firms may avoid enforcement in the short term. However, the financial and public relations consequences of noncompliance could be catastrophic for some firms. Every organization will make a risk assessment for the GDPR and weigh the costs and benefits of compliance. Technology providers can influence these assessments and give customers an incentive to take a proactive approach, despite the cost and time needed to execute changes.
- Do not let uncertainty around vague requirements lead to decision paralysis. Many providers we spoke with reported customer confusion about how and when some GDPR articles will be enforced. One such rule is the 72-hour breach notification requirement: vendors and their customers question how it will be enforced and how unknown or undiscovered breaches affect reporting. Providers can clarify that only "personal data breaches" (Article 4(12)) must be reported, a narrower category than security incidents generally, and that notification to the authority is not required where the breach is unlikely to result in a risk to individuals' rights and freedoms. It is also essential that customers understand the different obligations of controllers and processors. Data controllers must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours after becoming aware of it (Article 33). The clock therefore starts not when the breach occurred but when the firm becomes aware of it; a notification made after 72 hours must be accompanied by the reasons for the delay. Data processors must notify the controller that engaged them without undue delay; no indicative time limit is given for processors. Understanding these nuances will help providers guide customers past decision paralysis when interpreting the regulation and defining a GDPR strategy.

Providers Can Stress the Necessity for Both Process and Technology Changes

Once the myths and uncertainties around the GDPR are addressed and the customer has an implementation strategy, solution and process mapping become the next hurdles. Once again, providers have the opportunity to bring tools and services to the table that make GDPR compliance time- and cost-effective. The challenge is helping customers identify what data within their environment needs to be protected and how. Vendors should stress that GDPR compliance requires both technology and process changes and that both are necessary for a successful business case. As tempting as it may be for providers to lead with their technology as the solution to all GDPR problems, the most successful strategies will include equal parts process and technology. Providers must help customers assess what privacy-related data they have, where it resides, who owns it, and what policies must govern it. Once these policies are understood, the right technology and solutions can be chosen and applied to ensure an efficient and successful implementation.

Technology and Cloud Services Provider Profiles

To better illustrate the breadth of technology and services vendors can deliver to aid GDPR compliance, IDC interviewed a mix of technology and cloud services providers about their GDPR solution portfolios. The profiles that follow summarize each provider's capabilities and strengths, along with some of the key technologies and services each vendor is deploying to help customers achieve GDPR compliance.

Actiance

Actiance provides solutions for enterprise communications compliance. The Actiance Platform is a comprehensive solution made up of the company's three product offerings: Alcatraz, Vantage, and Socialite. Together these tools can enable an organization to address GDPR Articles 15, 17, and 25 (right of access, right to erasure, and data protection by design and by default, respectively).

Alcatraz is a cloud-based content archive that natively captures and preserves data from more than 80 different channels of communication for a centralized repository of enterprise communications in context. The solution has capabilities to automate policies for data retention, provide fast and accurate search and data retrieval, set access controls as well as segregation of use, and provide comprehensive audit trails for regulatory reporting requirements that will have strict response time frames in place.

Vantage enables the enterprise to be more proactive in managing communication compliance. The solution allows conversations to be moderated, and information that may violate industry regulation or company policy to be flagged, before those conversations are archived, surfacing issues as they arise and saving time searching for that data later.

Socialite extends policy controls and risk reporting to social networks that firms have authorized for use by employees to reach customers or partners. The enterprise can control the business use of social networks with the ability to moderate, restrict, or even block content and/or unauthorized usage.

Actiance products were built with data privacy by design and by default, and unlike many traditional software products, the software does not need to be overhauled or upgraded to meet those requirements. Alcatraz leverages TrueCompliance, Actiance's method for capturing content in a forensically sound and defensible manner. In addition, data stored within the platform is encrypted both at rest and in transit, and the company reports SSAE 16 SOC 2 and ISO 27002 attestations (ISO 27002 is a code of practice rather than a certifiable standard; formal certification is against ISO 27001, so customers should ask which applies).

Once an organization has a GDPR strategy in place, Actiance can enable it to implement greater data governance and compliance around enterprise communication. To help with the planning and development of a GDPR readiness strategy, Actiance has partnered with IBM, which can provide data mapping and identification services in the context of the new regulation. This partnership is intended to make Actiance implementations as successful as possible.

Amazon Web Services

Amazon Web Services (AWS) is a public cloud services provider. Under the GDPR it is considered a "data processor," as it was under previous EU data protection law, and it will need to comply, like other data processors, with a number of new obligations. It is critical that business leaders understand not only how AWS' solutions can be leveraged to help them meet their GDPR readiness goals but also what is required of CSPs taking on the role of a "data processor."

As of April 2017, AWS has met the requirements necessary to be considered a GDPR-compliant partner. AWS' cloud infrastructure has been built with data protection and data security in mind and is positioned as meeting the goals of Article 25 (data protection by design and by default). The company has obtained internationally recognized security and compliance certifications to demonstrate its commitment to supporting customers on their path to strong data privacy and security. These include ISO 27017, ISO 27018, PCI DSS Level 1, SOC 1, SOC 2, and SOC 3, as well as several industry-specific and regional accreditations. ISO 27018, in particular, is a code of practice focused on protection of personal data in the cloud; it adds controls and guidance for public cloud personally identifiable information (PII) protection requirements that the ISO 27002 control set does not address.

In addition, the following AWS services have been declared compliant with the Code of Conduct of Cloud Infrastructure Services Providers in Europe (CISPE), which requires providers to apply data protection measures in line with the GDPR: Amazon EC2, Amazon S3, Amazon RDS, AWS Identity and Access Management (IAM), AWS CloudTrail, and Amazon Elastic Block Store (EBS). AWS has also released a data processing agreement (DPA) drafted to meet the requirements of the GDPR; Article 28 requires a contract between controller and processor that sets out the terms of the processing. Amazon does not provide GDPR-related consulting or legal advice, but it has experts on staff who can answer questions about compliance, data protection, and security. AWS has stated that all its services will comply with the GDPR when it becomes enforceable on May 25, 2018.

Ultimately, it is the responsibility of the business (i.e., the data controller) to understand what data it has, where it currently lives and where it should live, what value it brings to the organization, and what retention and deletion policies are appropriate. However, once an organization has worked with its legal teams and/or consulting partners to determine its road map to GDPR readiness, AWS can help business leaders implement that strategy tactically by instrumenting enterprise data and configuring the infrastructure to locate and analyze that data at scale. Large, complex organizations, such as those in financial services and healthcare, are likely to benefit most from this type of solution, which can tie multiple systems together under one umbrella for greater visibility, manageability, and security. We believe this is Amazon's greatest strength around the GDPR: the ability to provide cost-effective data analytics, telemetry, and mapping tools native to its IaaS platform.

One solution customers can look to is Amazon S3 for rapid-retrieval storage combined with Amazon Glacier, its low-cost cloud archive. Together they let organizations apply access control and retrieval policies for both shorter-term storage and longer-term archival requirements on one platform. CloudTrail logs, including S3 object-level data events, provide monitoring and visibility into who was authorized to access which objects and when, which supports audit requirements.

A big benefit of AWS solutions is scale. For organizations with large, unpredictable workloads, the amount of data processing and storage required under the GDPR for continuous monitoring and active management is extraordinary. The AWS platform can help with a sustainable infrastructure as well as tools for automating policy management and analysis of critical data as it moves through the enterprise. AWS has always let customers choose the AWS regions in which their content is stored, and AWS does not move customer content out of the selected region(s).

Commvault

Commvault uses its archiving and data protection tools to provide the backup, data management, storage, and security capabilities needed for GDPR compliance. Commvault delivers a unified platform for backup and archiving, which allows customers to leverage a range of data management, security, and analytics tools. This flexibility and ease of access under one platform will appeal to customers looking to address the full range of security and compliance needs the GDPR imposes. Commvault works with customers to simplify and automate GDPR compliance by ensuring that their data is appropriately classified and understood at the point of collection or ingestion and then routed to backup and archive repositories. Commvault's platform accomplishes this with native indexing and entity extraction capabilities, which can automatically identify sensitive personal information and make sure it is backed up and archived with the right security models and compliance policies in place. Commvault also offers built-in quarantine and data deletion tools, federated search, ediscovery, chain of custody, and audit capabilities within its platform.

More advanced analytics tools like Commvault's Data Cube provide a range of business intelligence capabilities that can be applied to data within the Commvault Data Platform. Data Cube can also analyze in place data that is not under full Commvault data management. Additional data can be fed from external sources to augment further analysis and presented in customized reports and dashboards. Commvault's range of data collection and analytics tools allows customers to set universal policy requirements that can be applied across multiple data sources to quickly identify which data should be backed up, archived, dispositioned, or deleted to align with compliance policies.

Commvault's strategy to focus on the identification and classification of data should appeal to customers dealing with both structured and unstructured volumes of data dispersed across multiple sources. Analytics capabilities like Data Cube will also help save customers time and money as they work to establish efficient and automated data governance processes. We believe there are two areas where Commvault will look to improve its portfolio for GDPR-related customers over the short term:

- First, Commvault must continue to simplify the licensing of its platform to allow customers to easily switch on and off the tools they need. Customers are reevaluating their infrastructure, data protection, and archiving portfolios in the scope of the GDPR, creating opportunity for solution modernization and competitive displacement. Allowing customers to easily add to their existing platform without the need for additional software licenses will be a key differentiator.

- Second, Commvault will look to improve the breadth of its data classification, detection, and text analytics capabilities. Many compliance use cases require proactive detection and management of sensitive information. In the case of the GDPR this becomes a significant challenge, especially given the sheer volume of PII passing through organizations and the range of classification policies that need to be applied. To help customers address this challenge, Commvault is improving its internal data classification capabilities and also working with an ecosystem of specialist partners that can provide added layers of analytics and intelligence. These advanced capabilities will remain high on Commvault's development road map as regulatory requirements like the GDPR become increasingly complex and demanding.

Druva

Druva provides data protection and information management solutions for enterprise IT systems across endpoints, servers, and cloud applications. Like many of the other vendors covered in this document, Druva takes on the roles of both data processor and data controller under the GDPR. As such, the company must attest to Articles 25 and 32 (data protection by design and by default, and security of processing). Druva has numerous third-party attestations of security and privacy compliance at both the application and the infrastructure layers. In addition, Druva runs on Amazon Web Services and Azure, which provide GDPR attestations for their infrastructure services. Finally, Druva's products were designed and built with security and privacy in mind. Druva secures data on devices and in the cloud with AES-256 encryption and secures data in transit with TLS 1.2. Its solutions also provide controls around user authentication and access.

Because the GDPR can adversely affect any organization that is a processor or controller, and gives little tactical guidance on how to comply, it is left to the enterprise to prove data security and compliance to regulators. Reporting and auditing capabilities are therefore imperative. Druva enables this with tamper-proof (in practice, tamper-evident) audit logs that can be fed into any security event management solution to show records of data processing when required. These features address Article 30, records of processing activities.

Druva's inSync product offers defensible deletion, enabling an efficient data deletion process together with an auditable trail as proof of erasure. This will be critical for demonstrating compliance with Article 17, the right to erasure. The solution allows a user to search a data set for a file or keyword, retrieve all the data associated with it, and delete every instance regardless of where it resides. This level of visibility is extremely useful in proactively managing and protecting the enterprise data attack surface. Existing customers are using this tool to perform privacy impact assessments (PIAs), create data threat profiles, and map out their corporate data landscape.
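The "tamper-proof" audit log and the auditable trail of erasure described above are vendor capabilities whose internals the page does not describe. As an added example, written for this page and not Druva's or IDC's code, the Python below shows the usual mechanism behind such claims: each log entry is HMAC-signed over the previous entry's hash, so any edit to an earlier record breaks the chain, and an Article 17 erasure routine removes a subject's records from every location and writes one signed entry per location touched, making the log itself the proof of erasure. The class and function names (AuditLog, erase_subject, demo), the demo key, and the sample data store are assumptions constructed for the example.

```python
"""Tamper-evident audit log (HMAC-signed hash chain) recording Article 30
processing events and Article 17 erasure events. Added example, not Druva's
implementation; AuditLog, erase_subject, DEMO_KEY and SAMPLE_STORE are assumed names."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-hash value used by the first entry

# Constructed demo key. In a real deployment the key lives in a KMS/HSM and is
# never stored beside the log: whoever can edit the log must not be able to re-sign it.
DEMO_KEY = b"demo-audit-key-not-for-production"


def _digest(key: bytes, prev_hash: str, record: dict) -> str:
    """HMAC-SHA256 over (previous entry hash || canonical JSON of this record)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_hash.encode() + canonical, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log in which each entry commits to everything before it."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []  # each entry: {"seq", "prev", "record", "hash"}

    def append(self, record: dict) -> str:
        prev = self.head()
        h = _digest(self._key, prev, record)
        self.entries.append({"seq": len(self.entries), "prev": prev,
                             "record": record, "hash": h})
        return h

    def head(self) -> str:
        """Hash of the latest entry; anchor this externally to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = _digest(self._key, prev, e["record"])
            if e["prev"] != prev or not hmac.compare_digest(e["hash"], expected):
                return i
            prev = e["hash"]
        return -1


# Constructed sample data store: location -> records keyed by the subject's email.
SAMPLE_STORE = {
    "crm/contacts": [{"email": "alice@example.org", "name": "Alice"},
                     {"email": "bob@example.org", "name": "Bob"}],
    "backup/2017-06/contacts": [{"email": "alice@example.org", "name": "Alice"}],
    "hr/payroll": [{"email": "carol@example.org", "grade": 3}],
}


def erase_subject(store: dict, log: AuditLog, subject: str, actor: str, ts: float) -> list:
    """Article 17 style erasure: drop every record for `subject` wherever it resides
    and write one signed log entry per location touched. Returns the locations
    that held the subject."""
    touched = []
    for location, records in store.items():
        kept = [r for r in records if r.get("email") != subject]
        if len(kept) != len(records):
            store[location] = kept  # same key, so safe during iteration
            touched.append(location)
            log.append({"ts": ts, "event": "erasure", "article": 17, "subject": subject,
                        "location": location, "removed": len(records) - len(kept),
                        "actor": actor})
    return touched


def demo() -> dict:
    """Record a processing activity, erase one subject, then show that editing
    an earlier entry is detected by verify()."""
    store = {loc: list(recs) for loc, recs in SAMPLE_STORE.items()}
    log = AuditLog(DEMO_KEY)
    log.append({"ts": 1.0, "event": "processing", "article": 30, "purpose": "newsletter",
                "location": "crm/contacts", "actor": "svc-mailer"})
    touched = erase_subject(store, log, "alice@example.org", "dpo@example.org", ts=2.0)
    intact = log.verify()                      # -1: chain is consistent
    log.entries[1]["record"]["removed"] = 0    # someone quietly rewrites history
    return {"touched": touched, "store": store, "intact": intact, "broken_at": log.verify()}
```

Two caveats a practitioner should check with any vendor making this claim. First, the signing key must live outside the log store (a KMS or HSM); if it sits beside the log, whoever can edit entries can re-sign them. Second, a hash chain is tamper-evident, not tamper-proof: removing the newest entries leaves a chain that still verifies, so the current head() hash has to be anchored somewhere the log writer cannot change, for example forwarded to the event management system mentioned above or published periodically.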

Under Article 20, the data subject (the individual who shared personal data with an organization) has the right to receive that personal data back from the controller. The controller must provide it free of charge, in a structured, commonly used, and machine-readable format, within one month of the request (Article 12). Druva can support these data portability requirements through secure data transfers between AWS or Azure datacenters for multiregional requests (in accordance with the third-country transfer rules of Articles 44-50 as well). The company's solutions can also be used for data restores or data exports in a variety of machine-readable formats.

Overall, Druva offers a technology solution that helps organizations secure their PII for GDPR compliance and gives them greater visibility into protecting their corporate data wherever it lives.

Google Cloud

Google Cloud has been extremely vocal about its approach and strategy for GDPR compliance. As a leading cloud services provider, Google Cloud must adhere to the GDPR in its role as a data processor. However, Google has also focused on educating customers, many of whom are data controllers under the GDPR, on their own responsibilities. Setting clear lines of responsibility and ownership will help Google and its customers ensure compliance and mitigate security breaches.

Google has publicly stated that all its enterprise cloud and data services across the G Suite portfolio and Google Cloud Platform (GCP) will be GDPR compliant by the May 2018 deadline. Google plans to update the data processing terms for GCP and G Suite for the GDPR. For example, Google currently provides contractual obligations around incident notification for G Suite and GCP; these will be updated to align with the GDPR's breach notification rules. Where Google hopes to establish a more strategic, long-term relationship with its customers is around data security, specifically the governance and management of personally identifiable information. Google sees data security as a shared responsibility under the GDPR, a goal on which the cloud provider (data processor) and customer (data controller) must collaborate and continuously improve. Google focuses equally on preparing its own services for compliance and on educating customers about the areas where they must ensure compliance themselves. This "shared responsibility" approach makes Google a valuable partner for customers looking to adopt cloud services designed to meet specific security, governance, and compliance needs. G Suite and GCP customers can expect the GDPR-related investments Google is making in its own services to add value and reduce development time for their own security, storage, and compliance initiatives.

From a product perspective, most of the capabilities Google delivers to help customers comply with the GDPR can be found within the vendor's Identity & Security services. These include Cloud Identity and Access Management, data loss prevention, two-step verification and security key enforcement, encryption and Cloud Key Management Service, information rights management, mobile device management, Stackdriver logging and monitoring, and Cloud Security Scanner. Depending on the complexity of the environment and compliance needs, customers can also use services like Google Vault to apply more advanced policies for data recovery, litigation holds, long-term retention, deletion, and search.

Hewlett Packard Enterprise

HPE leverages its software, services, and years of experience in the security, information management, and information governance markets to help customers address their GDPR challenges. HPE sees GDPR implementations as an opportunity to engage with customers around infrastructure and software modernization and to help them get the most out of their data in a secure, cost-effective manner. HPE leverages its size and breadth as core differentiators, bundling its security, data protection, data management, and compliance capabilities into a single solution set that maps directly to a customer's GDPR requirements.

As a provider of infrastructure, software, and professional services, HPE can approach GDPR with a holistic solution tailored to customers across a broad range of industries. Visibility into both hardware and software environments helps HPE assess a customer's structured and unstructured data, classify exactly what data types are in and out of scope when it comes to GDPR, and apply a range of policies using its own software IP to move, delete, encrypt, or quarantine data. From a product perspective, ControlPoint, Structured Data Manager, Content Manager, Digital Safe, Policy Center, and SecureData are the core solutions leveraged to help customers assess, apply, and secure GDPR policy. In an effort to facilitate GDPR engagements and conversations with customers, HPE has also released a GDPR Starter Kit and readiness assessment tool, which customers can use to better understand how GDPR regulations will impact their individual business and determine the best course of action to ensure compliance. HPE also partners with professional services providers like PwC to help guide customers to the right solution set and facilitate any custom implementation work.

Large enterprise customers with complex compliance requirements should look to HPE as a valuable partner for their GDPR compliance needs. HPE's major challenge is to continue simplifying its GDPR offerings at both the pricing and the technical level. The release of the GDPR Starter Kit was a critical step in the right direction, bundling a range of software solutions into purchasable packages and thereby reducing the license, maintenance, and subscription agreements a customer must manage. On the technical side, HPE must ensure simplified integration among GDPR-related product suites like ControlPoint, Structured Data Manager, SecureData, and Digital Safe, and add centralized management and analytical tools so that admins can easily track data across their environment and see what policies and rules have been enacted. No single solution can cover the breadth of GDPR compliance requirements, so simplicity of purchase options and integration will be the key to success for HPE customers.

IBM

IBM brings its storage, infrastructure, professional services, and cloud services together to provide a comprehensive GDPR solutions portfolio. More specifically, IBM relies on a combination of its Spectrum software suite and Systems Storage product portfolio to assemble the storage and infrastructure capabilities (encryption, copy data management, archive, backup, and erasure) that customers need to adhere to the GDPR. IBM has made significant investments in its Spectrum suite over the past year, including IBM Cloud Object Storage, and enhancements to Spectrum Protect help clients more effectively identify, classify, and manage GDPR-related data across on-premises and cloud storage environments.

To help customers comply with data encryption requirements, IBM flash, disk, and tape products support encryption, and Spectrum Virtualize can be used to provide encryption for other fibre channel or iSCSI block storage. Spectrum Scale and Protect also have native deduplication and encryption capabilities. For data placement, IBM provides Spectrum Control for block environments and Spectrum Scale's policy engine to automate and audit this process in file environments. Spectrum Protect and Spectrum Copy Data Management can help users manage and automate the placement of backup data and copy data. Spectrum Protect also provides long-term retention and archiving tools necessary for customers. Finally, IBM leverages the resiliency, high availability, and disaster recovery tools within Spectrum Protect to provide customers with the appropriate data protection and retention capabilities.

IBM's greatest strength when it comes to GDPR solutions is the vendor's existing presence in large infrastructure and database environments. Many customers will approach GDPR as an infrastructure and database modernization opportunity. This gives IBM the ability to educate and work with its existing installed base first and foremost, preparing them for GDPR compliance with new tools and capabilities within its Spectrum suite. IBM also provides professional services that can plan, deploy, or operate a GDPR-ready infrastructure and can host compliant computing services on the IBM Bluemix Cloud. IBM's greatest challenge will be helping customers expand beyond the IBM ecosystem. Personally identifiable information can be scattered across a wide range of applications and databases, situated on premises or in the cloud. While IBM is adept at helping customers manage data within their own ecosystem, extending functionality to third-party environments may lead to reduced functionality and increased complexity. IBM is aware of this challenge and has focused on expanding the integration capabilities of Spectrum Protect in particular, adding support for Amazon S3 and expanding its SAP and VMware management capabilities, all during 2016.

A final differentiator for IBM is its ability to integrate its analytics capabilities — particularly Watson — with a range of its archiving, backup, data management, and infrastructure solutions. As data volumes and complexity continue to grow, we believe that prescriptive and predictive analytics will play a crucial role in helping to reduce complexity, maintain compliance, and mitigate significant fines like those possible under GDPR. As a result, we expect IBM to prioritize the integration of more analytics and Watson-based capabilities within its data protection and management portfolio.

Microsoft

Microsoft takes a platform approach to GDPR, deploying on-premises and cloud capabilities across its wide range of portfolios to aid customers with their regulatory requirements. Microsoft has outlined a four-step strategy for GDPR compliance designed to help customers discover, manage, and protect personal data and provide continuous reporting and assessment over the long term. From a granular product perspective, Microsoft offers a combination of solutions, including but not limited to Office 365 IRM and DLP, Advanced Data Governance, Advanced eDiscovery, Azure Information Protection, Azure Security Center, and the Office 365 Security & Compliance Center, to help customers meet their GDPR compliance obligations.

Although this may seem like a wide range of products and services, customers can be confident that the solutions Microsoft offers — combined with the vendor's role and obligations as a data processor — will meet all GDPR standards. This promise is backed up by contractual commitments from Microsoft. However, some Microsoft customers will struggle to apply new data discovery and management tools to their existing storage repositories and applications — across which personal data may be scattered. Microsoft looks to mitigate this challenge by clearly defining the tools and capabilities across its portfolio, which can help customers prepare for GDPR. The vendor has published an in-depth white paper that maps relevant products to each of its four GDPR compliance pillars. However, solution mapping is just one step in the process. The next challenge Microsoft seeks to help customers overcome is data management and visibility into increasingly complex environments, which distribute personal data across clouds, databases, applications, and devices.

To help customers perform the complex data discovery and management tasks required by GDPR, Microsoft is making significant changes to its Office 365 Security & Compliance Center, which will allow the platform to act as a central hub for all GDPR-related management and reporting tasks. Currently, the Security & Compliance Center offers an intuitive, card-based UI that lets users customize their dashboard with the applications, data, and analytics they wish to monitor. Users can set policies for retention, archive, supervision, and deletion; search across content and applications; and establish security alerts and notifications. Many of these capabilities already exist across Office 365, SharePoint, and Exchange. However, the Security & Compliance Center is engineered to bring all capabilities under one platform, providing a centralized data governance tool. The Security & Compliance Center still lacks some functionality, especially when connecting to applications or devices outside the Microsoft environment. However, the Security & Compliance Center's breadth of services and ability to manipulate security and governance tasks for multiple applications, storage repositories, and end-user devices is an important differentiator. Microsoft will continue to make significant investments in the Security & Compliance Center before and after the GDPR deadline. Future enhancements will be focused on advanced reporting capabilities and the addition of enhanced analytics and machine learning tools.

Mimecast

Mimecast is an email security, continuity, and archiving SaaS provider and serves as a key piece of the GDPR puzzle. Email remains a major data and information repository, which may potentially contain a wide range of personally identifiable information across multiple devices and locations. Mimecast has designed its email security and archiving services to ensure this data remains secure and compliant and can be easily located and eliminated upon request. Mimecast primarily uses its Targeted Threat Protection, Data Leak Prevention (DLP), and cloud archiving services portfolio to help customers secure and manage their email while supporting GDPR compliance initiatives.

To minimize data leakage and compromise, Mimecast's services inspect all inbound, outbound, and internal emails for threats as well as offer a secure messaging service to analyze and encrypt emails and messages. Users also have the ability to set more granular security policies for messages that contain specific types of sensitive data. Mimecast can provide automated data leakage notifications to help customers respond to security alerts or breaches in a timely manner and report them as necessary. Mimecast's built-in search capabilities, case review app, and ediscovery services can be utilized to identify, aggregate, and transport data to the necessary customers or services providers to support GDPR subject access requests, right-to-be-forgotten requests, and erasure requests. Finally, Mimecast's indexing, retention management, and audit log tools allow emails to be securely retrieved and erased upon request.

It is important to note that, under GDPR law, Mimecast is considered a data processor. This means Mimecast will be held to the same standards as its customers, and therefore, Mimecast services are designed with GDPR compliance in mind. Ultimately, Mimecast's position as a data processor eases the burden of compliance for customers, making Mimecast a valuable partner.

Veritas

Veritas' approach to GDPR compliance focuses on two key areas: data analysis and compliance enforcement. Data analysis involves helping businesses identify what data they have and where it falls in the spectrum of GDPR requirements. Compliance enforcement includes the application of policies, automated rules, and management procedures, which ensure that an organization remains compliant as customer and employee data moves between devices, repositories, and geographic locations. By focusing on these two key areas, Veritas helps customers develop better visibility and management of their GDPR-related data and PII. Veritas' Data Insight, Enterprise Vault, Enterprise Vault.cloud, and eDiscovery Platform along with Information Map are the core products used to help customers meet their GDPR requirements.

We believe Veritas' GDPR portfolio is strongest in the data assessment area. The vendor's solutions help customers answer the "where," "who," and "what" of all their data and identify which data is important and which is redundant, obsolete, or trivial (ROT). Establishing an effective data assessment and identification program allows customers to pinpoint what data is personally identifiable and critical to control for GDPR compliance needs and what data can be stored or archived under less stringent (and less expensive) policies. Veritas has further expanded its data assessment capabilities with a set of consulting and professional services offerings specifically tailored for GDPR. Veritas currently offers a GDPR workshop, designed to help customers establish roles and responsibilities and receive basic education around GDPR. A GDPR assessment service helps customers analyze data in their environment and identify gaps and recommendations around compliance. Last, Veritas customers can use the vendor's Solution Delivery service, which focuses on implementation and operationalization of GDPR-related compliance and security changes. Veritas deploys many of these services in conjunction with partners like Capgemini, CSC, and Wipro.

To improve its compliance enforcement portfolio, Veritas is focusing investments on its data classification capabilities (Veritas recently released Data Insight 6.0), its advanced analytics tools, and its ability to operate alongside a range of cloud services providers. Veritas plans to implement more advanced search capabilities, more granular policy controls, and more automation tools so that PII data can be identified, quarantined, and stored in a GDPR-compliant manner with minimal user intervention. Planned enhancements to Veritas Information Map, Data Insight, and Enterprise Vault products will be critical to achieving this goal. Finally, Veritas is closely partnering with leading cloud services providers like Microsoft to help customers retain data visibility across different storage environments (Azure, on-premises, etc.) and ensure security and compliance policies intelligently adapt to the type of environment that data is being stored or accessed from.

ADVICE FOR THE TECHNOLOGY SUPPLIER

Advice for Cloud Services Providers

Cloud services providers need to consider their positions urgently in light of the GDPR. They will have to update their standard contract terms for compliance with GDPR requirements, bearing in mind that their role as a controller, processor, or sub-processor will change depending on the situation (even for the same customer, who may use the cloud service, or different services, in different ways for different purposes). They will also need to devise a game plan for handling customers (whether controllers or processors) who seek to amend their standard terms. The potential impacts of GDPR for cloud services providers are so great that IDC has published a two-part analysis of the effects the new rules will have on the cloud ecosystem (see The Impact of GDPR on Cloud Services Providers — Part 1: General Considerations for Contracts and Liability, IDC #EMEA42627817, June 2017 and The Impact of GDPR on Cloud Services Providers — Part 2: Security, Data Transfer, and Other Considerations, IDC #EMEA42627917, June 2017).

Compliance may be difficult for smaller providers with little negotiating power. An extra complication is that cloud services providers may be treated as "processors" under the GDPR even if unaware that data processed using their services constitutes "personal data." Therefore, cloud services providers will need to review their pricing and service structures as well as their standard terms, vendor/partner terms, and their vendor procurement/management processes. In addition, cloud services providers should consider to what extent and how they can update their systems and processes to comply with new GDPR contractual (and non-contractual, such as security) obligations: deleting personal data post termination, providing "assistance" to customers, whether extra fees can be charged for such "assistance" and if so how much, how to handle any law enforcement demands for personal data, and so forth.

Advice for Software Providers

Traditional software providers may have less stringent requirements, especially if they are not considered a "data controller," "processor," or "sub-processor," which will be defined by the type of environment they are selling their software into (public cloud, on premises, partner managed, etc.). Nonetheless, traditional archiving, security, and data protection software solutions will be an important piece of the GDPR puzzle, which will result in a new wave of customer inquiry and consideration for these solutions. First and foremost, software providers should ensure that their solutions and platforms can meet all GDPR requirements. If a solution is missing data deletion, reporting, encryption, or protection capabilities necessary for compliance, vendors should ensure they are partnering or developing new tools to fill these gaps prior to the May 25, 2018, deadline.

Although some software providers may not be legally bound as a "data controller" or "sub-processor," any guarantees or assurance that can be provided contractually to customers may help differentiate a vendor from its peers. Finally, we advise that software providers be ready to discuss their customers' process and technology requirements regarding GDPR. Being able to help customers classify their data management and compliance policies as well as their technology needs will demonstrate maturity to customers and ensure a more effective partnership.

LEARN MORE

Related Research

. 10 Myths Regarding GDPR: Sifting Fact from Fiction (IDC #EMEA42628217, June 2017)
. The Impact of GDPR on Cloud Services Providers — Part 2: Security, Data Transfer, and Other Considerations (IDC #EMEA42627917, June 2017)
. The Impact of GDPR on Cloud Services Providers — Part 1: General Considerations for Contracts and Liability (IDC #EMEA42627817, June 2017)
. Implications of the Code of Conduct for Cloud Infrastructure Service Providers in Europe (IDC #EMEA42512717, May 2017)
. European GDPR-Related Activity Appears to Follow a Rough North-South Maturity Line (IDC #EMEA42460617, April 2017)
. Western Europe GDPR Survey, 2017: Mobility Results (IDC #EMEA42426817, April 2017)
. The Road to GDPR Compliance: Higher Levels of Data Management Maturity Will Help (IDC #EMEA42420117, March 2017)
. IDC PlanScape: EU General Data Protection Regulation (GDPR) Compliance for IT Security in Healthcare (IDC #EMEA42309917, March 2017)
. Veritas Helps Organizations Become GDPR-Ready and Data-Driven with an Expanded Information Management Portfolio (IDC #EMEA42178616, January 2017)
. Which GDPR Requirement is the Most Challenging? (IDC #EMEA42215117, January 2017)
. Which Security Technologies Are Key to Getting Ready for GDPR in 2018? (IDC #EMEA41907216, November 2016)

Synopsis

This IDC Market Perspective summarizes some of the major challenges, risks, and opportunities associated with the impending enforcement of the EU General Data Protection Regulation (GDPR). The document offers both the end-user and the technology provider perspective to illustrate what challenges customers face and how they can partner with vendors to build a business case for GDPR compliance and successfully implement the necessary changes.

This analysis then summarizes the GDPR-related technology and services capabilities of ten relevant and leading storage, security, and cloud services providers.

"Uncertainty and confusion among end users regarding GDPR compliance is widespread," said Andrew Smith, senior research analyst, Storage Software. "Customers are looking to their storage, security, compliance, and cloud providers to help make sense of their infrastructure and data management needs in order to avoid heavy fines, which can be levied under GDPR. Although the task of GDPR compliance may seem daunting, the new regulations provide unique opportunity for customers to work closely with their technology and services providers to modernize their infrastructure, governance, and data management tools and leverage GDPR as a catalyst for IT and business modernization."

About IDC

International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets. IDC helps IT professionals, business executives, and the investment community make fact-based decisions on technology purchases and business strategy. More than 1,100 IDC analysts provide global, regional, and local expertise on technology and industry opportunities and trends in over 110 countries worldwide. For 50 years, IDC has provided strategic insights to help our clients achieve their key business objectives. IDC is a subsidiary of IDG, the world's leading technology media, research, and events company.

Global Headquarters

5 Speen Street
Framingham, MA 01701 USA
508.872.8200
@IDC
idc-community.com
www.idc.com

Copyright Notice

This IDC research document was published as part of an IDC continuous intelligence service, providing written research, analyst interactions, telebriefings, and conferences. Visit www.idc.com to learn more about IDC subscription and consulting services. To view a list of IDC offices worldwide, visit www.idc.com/offices. Please contact the IDC Hotline at 800.343.4952, ext. 7988 (or +1.508.988.7988) or [email protected] for information on applying the price of this document toward the purchase of an IDC service or for information on additional copies or web rights.

Copyright 2017 IDC. Reproduction is forbidden unless authorized. All rights reserved.