MaaS360 Goes Global to Keep Data Local
Expand your mobile device strategy while complying with local data privacy regulations

Jonathan Dale, MaaS360 Portfolio Manager, IBM Security
Adam Nelson, Global Privacy Lead, IBM Security

Posted 23-Jan-2017 (upload: ibm-maas360); category: Mobile

2 IBM Security

Housekeeping items

Duration – 60 minutes

Submit your questions to the Q&A box located on the left-hand side of your screen

Recording and slides will be emailed to you

3 IBM Security

Let’s talk about…

IBM CONFIDENTIAL until Sept. 13, 2016

• Reflection of our mobile progress

• What is holding us back

• MaaS360 goes global

• Data Privacy

• GDPR Readiness

Merging mobile and security strategies

4 IBM Security

iOS dominates the enterprise, with Android gaining momentum

• XX% of employees use personal devices for work purposes

• By next year, X of employers will require bring your own device

• More than XX% of organizations support corporate applications on personal devices

We have matured past the basics

5 IBM Security

Now we are managing massive amounts of apps

Apps managed by IBM MaaS360:

• 472 apps managed by highly mobile organizations

• 10 apps managed by SMB and large organizations

Most popular apps:

• 31% Business

• 16% Productivity

• 17% Education

• 10% Utilities, games, travel

6 IBM Security

We are scaling mobile – everywhere

[Figure: departments adopting mobile – Sales, Operations, Marketing, Finance/HR, Engineering, Services, R&D, Execs]

7 IBM Security

We’re going places where mobile can make a deep impact

[Figure: Improving care, Saving lives, Busting lines, Making safe landings, Learning in class, Heading home]

8 IBM Security

Security – Compliance and Regulations

A large U.S. children’s hospital protects 3,000+ mobile devices ensuring HIPAA compliance; installed and integrated with existing servers in just 90 minutes.

Productivity – Improving Customer Experience

A leading gaming and entertainment company reduces customer wait time by 80% with tablets, using a single managed app to speed the time to deliver food and drinks to customers.

We have real examples, and real results

9 IBM Security

But, not everything is perfect!

10 IBM Security

Top mobile challenges frequently slowing progress

[Figure: stakeholders – CEO, CIO, CISO, CRO, CCO, CLO]

• Impediments in using international datacenters when adopting SaaS

• Complexities of regulatory compliance and other local and regional privacy laws

• Intrusion of user privacy and data privacy

• Uncertainty around access and authorization

• Difficulty deploying products and services with limited staff and expertise

• Risks associated with data loss, app vulnerabilities and mobile malware

11 IBM Security

What we recently announced


• IBM MaaS360 to support in-country data requirements with local presence

• Mobile deployment services

• IBM Privacy Consulting Services, GDPR Readiness

IBM MaaS360 global expansion, services and security integrations

12 IBM Security

Start with a solid foundation for global SaaS and security adoption


IBM Cloud 47 datacenter locations

26 countries


IBM MaaS360:

• 4 existing centers

• 2 under way in India and France

• 8 additional centers to open in 2017-2018

14 IBM Security

IBM MaaS360 enterprise mobility management

• Productivity Suite – Trusted Workplace

• Content Suite – Secure Collaboration

• Threat Management – Malware Protection

• Gateway Suite – Enterprise Access

• Management Suite – Visibility & Control

A flexible, integrated platform that meets diverse mobile use cases

[Figure: Devices, Apps, Container, Threats, Content, Networks]

15 IBM Security

IBM MaaS360

Cloud Access and Workload Protection

Mobile Threat Management

Mobile Identity Management

Integrated Application Security

Risk and Event Detection

Unified Endpoint Management

Application Vulnerability and Reputation

End-to-end mobile security integration capabilities


16 IBM Security

Accelerate mobile success with new IBM MaaS360 services

• Quick Start Guidance

• Time-to-Value Guidance

• Enterprise Mobility Implementation Services

• Enterprise Mobility Health Check Services

• Mobility Training Workshop

• MaaS360 Mobility and Productivity Workshop

An Introduction to the GDPR

18 IBM Security

Purpose of the new Regulation

• To create a unified data protection law

Unlike the prior 1995 EU Data Protection Directive, the Regulation does not require any further enabling legislation to be passed by specific country governments. It will be “automatic” law in 28 EU Member States and in those countries following EU law voluntarily. It will also simplify the regulatory environment for international business.

• To enhance the level of data protection for EU data subjects

EU data subjects will have more control over their personal data.

• To modernize the law in line with existing and emerging technologies

Helps encourage innovation and the use of big data/analytics.

GDPR will fundamentally change the way organizations must manage their people, policies, processes and technologies.

19 IBM Security

Key aspects of the GDPR

• The Regulation has been formally adopted and will take effect as of May 2018; it is still a “work in progress”, as formal guidance surrounding implementation of the Regulation has yet to be finalized

• It has international reach, applying to controllers and processors, both inside and outside the EU, whose processing activities relate to the offering of goods or services to EU data subjects

• Data Protection Authorities have the power to impose significant fines on organizations for non-compliance with the rules, scalable to €20 million or 4% of the organization’s global annual turnover per incident, whichever is greater

The majority of companies are not ready for the new requirements of the GDPR and should start to address the necessary steps for compliance NOW.

20 IBM Security

Enhanced rights for EU data subjects

• Key definition of “Personal Data” now explicitly includes “online identifiers” (e.g. IP addresses, cookies etc.) and “location data”, and new terms such as “biometric data”, “genetic data” and “pseudonymous data” have been introduced

• Higher standards for privacy notices and for obtaining consent – e.g. from implied consent to consent given by “a clear affirmative act”

• Easier access to data by a data subject – expands the set of information to be provided to individuals and removes the right for controllers to charge a fee for access requests

• Enhanced right to request the erasure of data – the circumstances under which data subjects have the right to request that any of their personal data held by controllers and processors be erased have been expanded

• Right to transfer data to another organization (portability) – controllers must enable the transfer of structured and/or raw data to another organisation through a “commonly used electronic format” if requested by the data subject

• Right not to be profiled – the right to object to processing now explicitly includes the right to object to profiling

21 IBM Security

Enhanced obligations on controllers and processors

• Increased obligations for data processors: e.g. implementation of technical and organizational security measures appropriate to the risks of processing

• Building a Data Protection by Design and Default process enabling the review of the entire lifecycle management of personal data, with particular focus on procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of data

• Controllers will be responsible for carrying out a Data Protection Impact Assessment (DPIA) and a risk analysis of the potential impact any intended processing could have on the rights or freedoms of data subjects

• Implementation by controllers and processors of appropriate technical and organizational security measures appropriate to the risks presented by the processing

• Breach notification requirements in the event of a data incident

• Extended options for the transfer of personal data outside the EEA or to international organizations, including possible prior approval from the supervisory authority

• Appointment of a Data Protection Officer: public sector; companies that process sensitive personal data on a large scale; companies that monitor data subjects on a large scale

GDPR Readiness – Steps towards compliance

23 IBM Security

GDPR Readiness – What you should be doing to prepare

• Understand your obligations – become familiar with the proposed GDPR requirements and monitor the development of implementation guidance

• Know what data you have and where it is located – conduct a data inventory and mapping initiative to assist in understanding and evaluating the operational and technological changes required for compliance

• Appoint a Data Protection Officer – create a structured privacy office and appoint, as required, a data protection officer (DPO) who has expert knowledge on data protection law

• Review all privacy notices – confirm all privacy notices are presented in clear and plain language, are transparent, and are easily accessible to data subjects

• Review customer consent and choice mechanisms – ensure that the appropriate consent and choice mechanisms are in place and/or are updated to meet the new consent requirements and to easily facilitate customer choice

• Review processes addressing data subjects’ access, correction and erasure requests

• Review data retention schedules

24 IBM Security

GDPR Readiness – What you should be doing to prepare (cont’d)

• Review all cross-border transfers of personal data – confirm that you have a legitimate basis for transferring data to jurisdictions outside the EU that do not have “adequate” data protection regimes

• Implement a Data Protection by Design approach to new systems and services – create a Data Protection by Design framework to ensure that privacy requirements are embedded, by default and by design, from the very outset of the development of new products, systems and services

• Document your privacy compliance activities – adequately document all processing operations involving personal data through the use of Data Protection Impact Assessments (DPIAs)

• Implement and document appropriate security measures – provide technical, physical and administrative security measures “appropriate” to the processing risks

• Create breach response and notification protocols – implement data breach investigation, containment and response processes and procedures, and be sure to be able to test their effectiveness

• Develop audit capabilities and processes – establish a robust audit plan and process to monitor ongoing compliance and to mitigate risk

• Train your employees – ensure your employees are educated, at least annually, on the requirements and their obligations with respect to data protection

Secure appropriate executive support and budgets to support the changes!

25 IBM Security

GDPR Readiness Assessment

• IBM’s Data Privacy Consulting services can help your organization identify areas of their business which will be impacted by their requirements and obligations under the GDPR.

• Through our customized end-to-end GDPR Readiness Assessment, IBM is able to evaluate your organization’s current practices against the new requirements with a focus on process development, best practices and organizational need.

Possible focus areas can include:

• Consent – how to implement?

• Controller/Processor – how to audit?

• Data Mapping – necessary for Data Portability, Right of Access, Right of Erasure

• Privacy Impact Assessments – how to complete?

• Information Security – what is an “appropriate” level of security? How to implement?

• IBM will also provide your organization with a maturity model and gap/remediation plan to assist your organization in developing and implementing their roadmap towards compliance.

• The Readiness Assessment also pairs IBM products and services to the GDPR requirements, enabling a one-stop shop for necessary software and/or services to implement GDPR compliance.

This should not be considered legal advice – it is process advice only. Reach out to the appropriate Legal Counsel for guidance as necessary.

IBM Privacy Consulting Services

27 IBM Security

Build a robust, auditable privacy program to manage GDPR compliance and to reduce organizational risk

28 IBM Security

A brief overview of our services – IBM Security Strategy, Risk and Compliance Services

Offering overview:

Privacy Program Design helps clients more rapidly create and deploy comprehensive privacy policies, standards, guidelines and operating procedures that are designed to align with best practices and help better manage regulatory compliance requirements.

Objectives:

• Protect brand image and reputation

• Gain and maintain customer trust

• Ensure local, national and global regulations are addressed

• Gain competitive advantage in the industry

• Provide a strategic foundation and guidance for other investments in data governance, threat mitigation, data security

Features:

• Holistic approach with our Total Privacy Management (TPM) Framework, designed to build a bridge between business lines, Legal, IT, and management structures

• Enabling a more efficient privacy program to help better manage local and global regulatory compliance

• Leveraging of our expertise across security services and products as part of a holistic privacy program

Capabilities:

• GDPR Readiness Assessment

• Privacy Risk assessments

• Privacy Impact assessments

• Data Mapping/Data Flow charts

• Gap Remediation plan

• Privacy Strategy

• Privacy standards and guidelines

• Privacy by Design/Internet of Things

• Audit preparedness and support

IBM does not provide legal advice. IBM recommends that your clients consult with the appropriate Legal Counsel as necessary.

29 IBM Security

IBM Data Privacy Services helps provide sustainable solutions using four key components

The IBM Data Privacy Environment

IBM's Data Privacy Services draw on:

• IBM's Research – IBM has more than 3,000 scientists and engineers at 12 research labs, in 6 continents

• IBM's Privacy Patents – IBM has been working on data privacy issues since 2001 and has been granted numerous Data Privacy related patents

• IBM's Total Privacy Management (TPM) Framework – helps provide robust Data Security and Privacy for our clients

• IBM's Privacy and Security experience – allows us to implement more holistic solutions for our clients

Q&A

THANK YOU

Follow us on:

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

Appendix

33 IBM Security

What about Brexit?

• When Brexit moves forward, UK entities probably will need to comply with the requirements of GDPR

• The UK’s Information Commissioner’s Office (ICO) has said it intends to ask the Government to reform UK data protection law in order to achieve equivalent standards to the EU’s

• The ICO has stated that it views the GDPR as a good business practice

• Until that has been completed, the UK will need to gain an “adequacy” ruling from the EU. This is similar to many other countries such as Israel, Switzerland, Canada, Argentina and others

• Bottom line – GDPR will still apply to any entity doing business with the greater EU marketplace

34 IBM Security

EU-US data transfers

• In an October 2015 European Court of Justice ruling, the Safe Harbor certification method, by which organizations legitimized the transfer of protected data on EU data subjects to the United States, was invalidated. This decision was not related to the GDPR, but is often mentioned in the same discussion.

• Companies must now re-evaluate their cross-border data protection framework with the US and consider transitioning to other mechanisms such as consent, Binding Corporate Rules or EU Model Contracts/Clauses.

• On July 12, 2016, the EU Commission adopted the EU-US Privacy Shield framework. It replaces the invalidated Safe Harbor framework and immediately enters into force. US companies are able to certify with the U.S. Department of Commerce starting August 1, 2016.