GDPR: 5 Lessons Learned
Veeam Compliance Experience Shared
A Step-by-Step Guide for IT Professionals

Mark Wong, General Counsel

© 2018 Veeam Software. Confidential information. All rights reserved. All trademarks are the property of their respective owners. GDPR: 5 lessons learned, Veeam compliance experience shared.

Contents

Introduction...... 3

Know your data...... 4

Manage the data...... 6

Location...... 7

Who has access? ...... 10

Exclusions...... 11

Protect the data ...... 11

Documenting and complying ...... 14

Continuous improvement ...... 15

Conclusion...... 15

About Veeam Software...... 16


Veeam® is committed to sharing our GDPR compliance experience with you. This regulation is complex and fact specific, meaning each organization's GDPR compliance program may look different from the next company's. GDPR is a major update to the Data Protection Directive from 1995, or more specifically Directive 95/46/EC (that's right, over 21 years between major releases!), and the data-intensive world we live in today is significantly different from the world of 1995.

Many people might think that GDPR is just an IT issue, but that is far from the truth. It affects everyone, not just IT.

We have prepared this white paper as a discussion of how Veeam interprets GDPR as of the date of publication. As a privately held information technology company that develops backup, disaster recovery and data management software for virtual, physical and cloud-based workloads to provide Availability for the Always-On Enterprise™, we have spent a lot of time with GDPR, not only complying with it as a global organization, but also in the development of our products.

This white paper should not be relied upon as legal advice or as a determination of how GDPR applies to your organization. We encourage you to do as we did: work with legally qualified professionals to discuss GDPR and how it applies to your organization, and collaborate to build a plan towards compliance. Veeam provides this white paper "as-is" and makes no warranties, express or implied, as to the information in this white paper.

Published January 2018. Version 1.0


Introduction

In mid-2016, shortly after the enactment of the General Data Protection Regulation, or GDPR, Veeam's executive management team invested in a GDPR compliance initiative. We recognized that GDPR is the new benchmark and global standard that other countries will look to for data privacy. GDPR is a brand new law and the first EU-wide overhaul of individual data privacy law since the Data Protection Directive 95/46/EC. It is a broad, sweeping law and we encourage you to read it, all 260 pages of it, at: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf

The first tip we can give you is to embrace the fact that this is an "evolution", not a "revolution": many of the organizational practices you already had in place to comply with the Data Protection Directive serve as the foundation for GDPR compliance. You will find numerous articles and blog posts talking about GDPR, as organizations scramble to leverage this opportunity to grab your attention.

We at Veeam have thought about this thoroughly. We have been building software solutions to help organizations like yours operate more efficiently and effectively. Our founders, Ratmir Timashev and Andrei Baronov, founded Aelita Software, a company that provided enterprise network management tools that improved security, usability and control over an organization's network environments. You can still find these tools in the Windows management products of the company that acquired Aelita. Mr. Timashev and Mr. Baronov launched Veeam in 2006, and with our Veeam Availability Platform we enable organizations like yours to ensure Availability for any application and any data, across any cloud. We know data management and data protection, two (2) of the key principles behind GDPR, and we want to walk you through what GDPR means for us and how our products can help you address the key principles of GDPR.

The Veeam game plan is to approach GDPR compliance by addressing the following five (5) principles:

1. Know your data: Identify the Personally Identifiable Information ("PII") your organization collects and holds, and who has access to it.
2. Manage the data: Establish the rules and processes to access and use PII.
3. Protect the data: Implement and ensure security controls are in place to protect the information and respond to data breaches.
4. Documenting and complying: Document your processes, execute on data requests and report any issues or data breaches within the guidelines.
5. Continuous improvement: Keep up with the fast-changing digital world and constantly review and improve your processes and procedures for data privacy and protection.


Know your data

If your organization has PII, then you need to find out where ALL of it is and how you collect it. (GDPR itself uses the term "personal data", which is broader than the US-style notion of PII: any information relating to an identified or identifiable natural person, including online identifiers such as IP addresses or cookie IDs.) GDPR is an organization-wide effort and everyone must be involved. If your organization is established in the EU, GDPR applies to you; if it is established elsewhere but offers goods or services to individuals in the EU, or monitors their behaviour, GDPR applies to that processing as well (Article 3). GDPR is the new benchmark and standard for data privacy and is seen as the "global leader". We at Veeam expect many of its concepts to be implemented by other countries very soon. So even if you are the rare organization that doesn't believe GDPR applies to you, the concepts will eventually apply to you once they are adopted by your local jurisdiction.

We believe sharing what we learned will help you in your compliance process. We are a global company, Swiss headquartered, with a truly global footprint and 3,000 employees all over the world. Not only do we have customers all over the world, many of our customers share the same global footprint that we do. Accordingly, Veeam is a global data controller, and we not only comply with GDPR, we are constantly driving to implement best practices for GDPR and data privacy compliance in general. As we are committed to sharing our compliance initiative with you, we are also committed to providing the materials that we developed internally on our journey to date.

As already said, finding out where ALL your data is, how you collect it, who has access to it and where you (physically) keep that data is the first step in your journey to compliance.

Top tip: Flow charts mapping the flow of PII across your organization and to your third-party partners are a valuable way to get started. A visual map is also a great way to classify and manage your network environments, and we will show you how Veeam has designed helpful environment mapping tools in its Veeam Availability Platform to give you an entire picture of your environment.

Figure 1: Example of infrastructure data map


As an organization, after completing the first step, you have probably classified your data and identified all of the various locations where PII is stored. There are certain VMs, physical servers or even cloud instances (for HR, mailboxes and so on) that you know contain PII. Often, this information is also business critical and core to the operations of your company. You need this data to be available, so you need a backup plan for these environments. If you're already using Veeam, then you know how Veeam ONE™ 9.5 offers you complete visibility into your backup and virtual environments.

Figure 2: Example of a dashboard for your backup infrastructure

With Veeam ONE 9.5, you have a powerful monitoring, reporting and capacity planning tool for your VMware vSphere and Hyper-V VMs, physical servers, workstations and cloud VMs. You can rest assured that if you have structured your environments for GDPR compliance, your backups are also stored and managed in a logical way, with complete visibility into the environments at all times. You can control and manage your backup plan to be in step with your production VMs, knowing that if you need your backup, it will be available.


Figure 3: Example of a dashboard based on department tagging

Manage the data

Now that you know your data, where your PII enters your organization and where you store it, you must establish the rules and processes to access and use PII. This is the second fundamental principle of GDPR: managing the PII includes managing who accesses the information, why they access it and for what purpose. Veeam learned through this process that different teams handle and access PII for different reasons. Let's talk about three (3) functions that you likely have in your organization and the customized plans and processes we have for each:

1. Marketing: Our global marketing teams are responsible for driving campaigns and generating sales leads for our sales organization. They are on the front lines of collecting potential customer and partner information at conferences, on our websites and through targeted marketing campaigns. Veeam leverages a world-class marketing and go-to-market team that analyzes and optimizes data to ensure that when our sales people reach out to a prospective customer, they know exactly what the customer is looking for and can offer the best package and solution the potential customer can implement. Given our fast-paced digital world, this process happens very quickly. It was important that Veeam standardized the procedures for processing PII obtained through our various marketing sources.

At Veeam, we implemented an opt-in (double opt-in in some countries) to ensure that individuals who provide us with their PII know why we collected it, so that when we contact them, they won't be surprised. We vigorously monitor our opt-in lists and scrub our contact lists against opt-outs before we initiate a targeted marketing campaign. Our goal at Veeam is to only contact individuals who want to be contacted by us, and only for the reasons they told us they want to be contacted. We always provide our customers and potential customers the opportunity to opt out or opt in at any time.


2. Sales: Veeam proudly partners with Salesforce.com for its CRM software, and this highlights the importance of choosing the right partners. Veeam only chooses partners that are GDPR compliant, or on the path to compliance, before it will trust those partners with our customers' or potential customers' PII. Veeam carefully reviews each and every third party it partners with and continues to monitor and evaluate the partners that may process Veeam-collected PII. We recommend that you do the same. Ensuring that data processors have implemented the necessary organizational and technical security measures is a fundamental principle of GDPR (Article 28).

3. Human resources: Often, when organizations think about GDPR compliance, they focus almost entirely on how they collect and process the PII of their prospective customers. However, for most companies that are not in healthcare or human resources, the data requiring the highest level of care is their own internal human resources data. Some HR data falls under what GDPR calls "special categories of personal data" (Article 9), often referred to as "sensitive" PII, and requires stricter security measures and protocols. Special categories include, but are not limited to, health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and genetic and biometric data.

Veeam proudly partners with Workday and leverages their solutions for our HRIS system. Our IT infrastructure works seamlessly with the Workday solutions, and Workday is as committed to GDPR compliance as Veeam is. Following the fundamental principle of choosing a data processor carefully, it is imperative that your organization scrutinizes and monitors your third-party vendors to ensure they care as much about GDPR compliance as you do, and that they have implemented the necessary organizational and technical security measures to protect the PII your employees have entrusted to you.

Location

Article 44 sets out the general principle for transfers of personal data to third countries, and we already said in the first lesson learned that you need to know where your data physically resides. If data never moved, this would be a one-time manual exercise and you would be finished. Unfortunately, that is not the case: data lives and moves. As already said, it is also not enough to know the location of the production data alone; you need to know where every copy is.

An exciting new feature we would like to show you is "GeoTagging".

Figure 4: Example of adding a ‘physical’ location to production servers


With GeoTagging (or locations), Veeam allows your system administrator to clearly indicate the specific location of any VM or physical server that is backed up. This tag clearly defines the location of the data, and if a restore of the data to a different geographical location is attempted, it alerts the system administrator and asks for confirmation before the restore is initiated. It also gives you the possibility to add a location to your backup repositories, tapes, replica locations and so on. You will see where the data lives and where its copies are located.

While GDPR has provisions that permit the transfer of PII outside of a specific EU country, or outside of the EU altogether, Veeam GeoTagging offers an additional layer of protection that reminds the system administrator to check your organization's policies and procedures, or even to check with your Data Protection Officer, before the restore is initiated. This is just one of the many features Veeam has built into its solutions to help your organization stay compliant with your GDPR compliance procedures.

Figure 5: Example of a restore warning where the location of restore differs from the original production location

Make the right decision and leverage GeoTagging as a simple “last line of defense” to ensure GDPR compliance.

Veeam learned through its compliance process that in some circumstances, even if the transfer of information outside of a specific EU country is permitted, it is best avoided in order to minimize the risk of the data being compromised. A fundamental principle of GDPR is to only process the data in a way that is necessary for a lawful and legitimate purpose.


GeoTagging HR environments.

Veeam has over 3,000 employees, and a significant number of those employees are located in Europe. As we were developing the processes and procedures for human resources records management, executive management decided there wasn't a justifiable reason why any PII of our European employees should be transferred out of the European Economic Area. As a result, our IT managers have GeoTagged our European Economic Area environments. Since our operational procedures prohibit the transfer of these environments outside of the European Economic Area, if a new system engineer, or someone who forgot our internal procedures, tries to restore the backup to a different geographical location, they will be stopped and a warning will advise them that they are attempting to restore the backup outside of its original area. Your organization can leverage this tool to do the same. While you may not have expected this safeguard in your backup software, having the proper backup software and visibility is just as important as how you manage your PII on the front end, because your backup becomes your front-end operation the moment you restore it into your production environment.
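To make the two behaviours described in this section concrete (the confirmation prompt when a restore target differs from the production location tag, and the hard stop Veeam applies internally to HR environments leaving the EEA), here is an added example in Python. It is illustrative code written for this paper, not Veeam's implementation or API; the EEA country list, the `hr` classification name, the `NO_EXPORT_FROM_EEA` rule and the sample inventory are all assumptions made for the example.

```python
"""Location-aware restore guard (added example, not Veeam's code).

Every protected asset and every copy of it (repository, tape, replica) carries
a location tag. A restore to a different location raises a warning the operator
must confirm; an organisation-specific rule can turn that warning into a hard
block for data classes that must never leave the EEA once they originate there.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple

# EEA members as of 2018 (EU-28 plus Iceland, Liechtenstein, Norway), as
# ISO 3166-1 alpha-2 codes. Assumption: location tags use these codes.
EEA = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO "
    "SK SI ES SE GB IS LI NO".split()
)

# Data classes that may never be restored outside the EEA once tagged inside
# it. "hr" mirrors the internal rule described above; the set is an assumption.
NO_EXPORT_FROM_EEA = frozenset({"hr"})


class Decision(Enum):
    ALLOW = "allow"      # same location, no prompt
    CONFIRM = "confirm"  # warn and require explicit operator confirmation
    BLOCK = "block"      # refuse regardless of confirmation


@dataclass(frozen=True)
class Copy:
    kind: str       # "repository", "tape", "replica", ...
    location: str   # where the copy physically sits


@dataclass
class Asset:
    name: str
    location: str                      # production location tag
    classification: str = "general"    # e.g. "general", "hr", "support"
    copies: List[Copy] = field(default_factory=list)

    def footprint(self) -> Set[str]:
        """Every country where this data or one of its copies lives."""
        return {self.location.upper()} | {c.location.upper() for c in self.copies}


def in_eea(code: str) -> bool:
    return code.upper() in EEA


def evaluate_restore(asset: Asset, target: str) -> Tuple[Decision, str]:
    """Decide whether restoring `asset` to `target` may proceed, and why."""
    src, dst = asset.location.upper(), target.upper()
    if src == dst:
        return Decision.ALLOW, f"{asset.name}: restore stays in {dst}"
    leaves_eea = in_eea(src) and not in_eea(dst)
    if leaves_eea and asset.classification in NO_EXPORT_FROM_EEA:
        return Decision.BLOCK, (f"{asset.name}: {asset.classification} data tagged "
                                f"{src} may not leave the EEA (target {dst})")
    if leaves_eea:
        return Decision.CONFIRM, (f"{asset.name}: restore moves data from {src} (EEA) "
                                  f"to {dst} (outside EEA); check the transfer basis "
                                  f"with your DPO")
    return Decision.CONFIRM, (f"{asset.name}: target {dst} differs from production "
                              f"location {src}; confirm against your transfer policy")


def restore(asset: Asset, target: str, confirmed: bool = False) -> bool:
    """Gate an actual restore on the decision. Returns True if it may run."""
    decision, reason = evaluate_restore(asset, target)
    if decision is Decision.BLOCK:
        print("BLOCKED:", reason)
        return False
    if decision is Decision.CONFIRM and not confirmed:
        print("WARNING (confirmation required):", reason)
        return False
    return True


# Constructed sample inventory, not real systems.
HR_FR = Asset("hr-fr-01", "FR", "hr",
              copies=[Copy("repository", "FR"), Copy("tape", "DE"), Copy("replica", "NL")])
CRM_US = Asset("crm-us-01", "US", copies=[Copy("repository", "US")])

if __name__ == "__main__":
    print("hr-fr-01 and its copies live in:", sorted(HR_FR.footprint()))
    for asset, target in [(HR_FR, "FR"), (HR_FR, "DE"), (HR_FR, "US"), (CRM_US, "DE")]:
        print(asset.name, "->", target, evaluate_restore(asset, target)[0].value)
```

The point of separating `evaluate_restore` from `restore` is that the same decision logic can drive a report ("which of my copies could legally be restored where?") as well as the interactive prompt; the `footprint` method answers the question this section raises about copies on tape and at replica sites, which a production-only inventory misses.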

GeoTagging customer support environments.

Another area where GeoTagging came in handy was our customer support environments. Veeam customer support is 24/7. Our customers can call us at any time, and while access to their environments and PII is not normally necessary, in the rare cases where it is necessary or can expedite the handling of a support case, our customers can rest assured that Veeam has protocols and procedures to handle these situations with the same care with which we protect our own PII and confidential information. Our system administrators are able to GeoTag and classify the working environments of our customer support personnel to ensure they are not included in our regular backups and are handled separately. Our customer support systems are purged after 30 days to ensure no customer information (PII or not) is stored in any of our regular system backups. Once a customer hands PII or other information to our customer support, that information is purged from our systems once the support case is closed. Leverage GeoTagging and manage your VMs the way Veeam does with Veeam ONE 9.5. You can find more information about the features and products at https://www.veeam.com/virtualization-management-one-solution.html


Who has access?

After finding out where the data is, who owns what and so on, it is important to find out who has access to it (and why they access that information and for what purpose). After doing the research, you will notice that a lot of people have access to information, both internal employees and third-party organizations. We already stated that you need to document this (and revise where necessary). Make sure you don't forget about your data copies. One item that many organizations seem to forget is that backup administrators have access to all data. In larger organizations, this applies to restore administrators as well. Make sure you can identify (and report on) who has access to what information.

Figure 6: Example of a report that shows who has what restore rights


Exclusions

Finally, you might need to exclude certain data from your backups. Especially with sensitive PII, you might not be allowed to make copies of that data at all, depending on your vertical and what specific sensitive data it is. Make sure that your solution allows those exclusions and that you can report on them.

Figure 7: Example of an exclusion report

Protect the data

Implement and ensure security controls are in place to protect the information and to respond to data breaches. Organizations are rightfully focused on the "front end", where IT security software is the starting point and focal point of every data protection policy. VMware vSphere and Microsoft Hyper-V have robust security features. On Hyper-V, for example, BitLocker on the parent partition protects the virtual disk files at rest (physical protection), stacked with anti-virus protection inside the virtual machines; BitLocker inside a guest requires a virtual TPM, which only Generation 2 virtual machines on Windows Server 2016 or later hosts provide, so it is not available in every environment. There are a host of technical papers on configuring these virtual environments as securely as possible. However, a vital part of your data protection plan has to be choosing the right backup solution. Data protection by design and by default (Article 25) also means the ability to keep your data available, or to make it available again as soon as possible. Veeam Availability Platform should be your trusted backup solution.

From one single backup, many restore possibilities exist: instant restore (getting your data available again very fast), disaster recovery (with our built-in replication), or even recovering individual items of data in well-known formats (for the portability of data).

But can you really recover at all times? And can you prove it? Veeam Backup & Replication™ offers you the possibility of using SureBackup® and SureReplica to test your recoveries, fully automated, in an isolated lab. And you can run reports in Veeam ONE to prove it.


Figure 8: Example of a SureBackup report

Encryption of your most sensitive data and of the environments that hold PII is a critical first step in a good data protection plan. However, protecting your data doesn't end there. GDPR requires monitoring, auditing and constant diligence. You can't just "set and forget". Veeam ONE 9.5 monitoring tools and alerts help you automate this monitoring process. There are a variety of reports that you should create as part of your data protection strategy for GDPR compliance. The dashboard in Figure 9, which gives an administrator a resource tracker by department, is a critical tool: it lets an administrator monitor the resources of department VMs that may contain PII and offers a quick view to ensure the backup has been properly completed.


Figure 9: Example of your infrastructure health

When you are talking about unauthorized access to your data, you also need to be aware of who can get access to the copies of that data, as already discussed in Lesson 2. And more importantly, you need to be able to prove who had access to what data.
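The restore-activity question raised here and under "Who has access?" (backup and restore administrators can reach every copy, so you must be able to prove who actually restored what) is what an audit over the backup server's restore log answers. The following is an added example in Python, not a Veeam feature or output format: it joins constructed restore events with the asset classification from the "know your data" step and an entitlement table, producing both the per-user access record and the events that violate the entitlements. The log columns, account names, classification labels and entitlement table are assumptions made for the illustration.

```python
"""Restore-activity audit (added example, not Veeam's code or log format).

Given restore events and the asset classification from the "know your data"
step, produce (a) which classes of data each principal actually restored and
(b) the events where the principal was not entitled to that data class.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample restore log. Column names are an assumption.
RESTORE_LOG = """\
timestamp,user,vm,restore_type,target_host
2018-01-09T08:12:41Z,CORP\\bkp-admin,hr-fr-01,full_vm,esx-fr-02
2018-01-09T09:03:10Z,CORP\\alice,crm-us-01,guest_file,esx-us-01
2018-01-10T22:47:05Z,CORP\\svc-helpdesk,hr-fr-01,guest_file,esx-fr-02
2018-01-11T07:30:00Z,CORP\\bob,mail-de-01,application_item,esx-de-01
2018-01-11T12:00:00Z,CORP\\bkp-admin,test-vm-77,full_vm,esx-de-01
"""

# Asset inventory: data classification per VM (from the "know your data" step).
CLASSIFICATION: Dict[str, str] = {
    "hr-fr-01": "hr",          # special-category personal data
    "crm-us-01": "customer",   # prospect and customer personal data
    "mail-de-01": "mailbox",
}

# Entitlements: principals allowed to restore each data class. Assumption:
# group membership has already been resolved to individual accounts.
ENTITLED: Dict[str, set] = {
    "hr": {"CORP\\bkp-admin", "CORP\\hr-restore"},
    "customer": {"CORP\\bkp-admin", "CORP\\alice"},
    "mailbox": {"CORP\\bkp-admin", "CORP\\bob"},
}
UNCLASSIFIED = "unclassified"


def parse_log(text: str) -> List[dict]:
    """Parse the CSV export and attach each VM's data classification."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["class"] = CLASSIFICATION.get(row["vm"], UNCLASSIFIED)
    return rows


def access_report(rows: List[dict]) -> Dict[str, List[str]]:
    """Which data classes each principal actually restored (proof of access)."""
    touched = defaultdict(set)
    for row in rows:
        touched[row["user"]].add(row["class"])
    return {user: sorted(classes) for user, classes in touched.items()}


def violations(rows: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Restores by principals not entitled to the data class.

    A VM missing from the inventory is reported as well: data you have not
    classified is data whose access you cannot justify in an audit.
    """
    found = []
    for row in rows:
        if row["user"] not in ENTITLED.get(row["class"], set()):
            found.append((row["timestamp"].isoformat(), row["user"], row["vm"], row["class"]))
    return found


if __name__ == "__main__":
    events = parse_log(RESTORE_LOG)
    for user, classes in access_report(events).items():
        print(f"{user:22} restored: {', '.join(classes)}")
    for when, user, vm, cls in violations(events):
        print(f"VIOLATION {when} {user} restored {vm} ({cls})")
```

Two design choices matter in practice: the report is built from what was actually restored, not from who holds a role, because GDPR asks you to prove access, not merely to list permissions; and an unclassified VM is treated as a finding rather than silently allowed, which is how inventory gaps from the first lesson surface.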


Figure 10: Example of restore activities

Documenting and complying

Document your processes, execute on data requests and report any issues or data breaches within the guidelines. Data requests are the biggest shift in GDPR: an individual can request rectification or erasure of their PII (Articles 16 and 17), and an organization that holds it must comply. GDPR sets a time frame for this: the controller must act without undue delay and in any event within one month of receiving the request, extendable by two further months for complex or numerous requests (Article 12), and it must be able to show that the request has been completed. Reviewing your data universe to search, locate and correct or delete PII is an exhaustive process. The last thing you want to do is also dig through your backups to determine where the PII may exist within them. With Veeam ONE 9.5, locating and managing a backup is as easy as using the management console. With our user interface and search functions, an administrator can quickly identify the location of a backup, the status of a backup and even the number of changes in a VM since the last backup. With this type of visibility and control, you not only gain efficiency in executing a data request, you can also rest assured that you have located the backup.


With our reporting functions and diagramming capability, administrators can automate the documentation that GDPR requires. This saves enormous amounts of time otherwise spent creating diagrams and reports solely for GDPR compliance, freeing up network administrators to focus on their core task of managing the network.

Continuous improvement

Keep up with the fast-changing digital world and constantly review and improve your processes and procedures for data privacy and protection. As we discussed before, the GDPR effective date is months away, but it is only the beginning of the journey. Data privacy and protection are responsibilities that will only grow as the digital world we live in continues to evolve and expand at a rapid pace. GDPR requires constant monitoring, auditing, review and improvement. The only way to do this is to leverage software solutions that are constantly innovating, and backup solutions that are state of the art today, from a company that is consistently reinvesting in continuous development to conquer the challenges of tomorrow. Veeam has a long history of constant and continuous innovation, which is demonstrated in our company timeline (https://www.veeam.com/company/about.html).

For more information about Veeam solutions:

Veeam Availability Platform: https://www.veeam.com/availability-platform.html

Veeam Availability Suite datasheet: https://www.veeam.com/veeam_availability_suite_9_5_datasheet_ds.pdf

Conclusion

As GDPR evolves and enforcement begins on May 25, 2018, we will keep you updated on developments, as we believe the flexible and ever-improving Veeam Availability Platform is the right solution for your organization. We will always stay a step ahead of the competition by providing you with Availability for your Always-On Enterprise™.


About Veeam Software

Veeam® recognizes the new challenges companies across the globe face in enabling the Always-On Business™, a business that must operate 24.7.365. To address this, Veeam has pioneered a new market of Availability for the Always-On Enterprise™ by helping organizations meet recovery time and point objectives (RTPO™) of less than 15 minutes for all applications and data, through a fundamentally new kind of solution that delivers high-speed recovery, data loss avoidance, verified protection, leveraged data and complete visibility. Veeam Availability Suite™, which includes Veeam Backup & Replication™, leverages virtualization, storage and cloud technologies that enable the modern data center to help organizations save time, mitigate risks, and dramatically reduce capital and operational costs.

Founded in 2006, Veeam currently has 51,000 ProPartners and more than 267,500 customers worldwide. Veeam's global headquarters are located in Baar, Switzerland, and the company has offices throughout the world. To learn more, visit http://www.veeam.com
