New Zealand
Story image

How ready are you for the GDPR and what should you do next?

23 Nov 2017
Sara Barker
Share:
LinkedIn
Twitter
Facebook

As 2017 soon draws to a close, organisations across the globe will have to be as prepared as Boy Scouts and demonstrate they are reviewing all of their business processes that involve personal data. Regardless of where you’re located or where the data you’re processing come from, you’ll need to ensure that the data is transparent before new privacy rules come into place in May 2018.

Under the EU’s General Data Protection Regulation (GDPR), personal data can flow between the 28 EU countries as well as Norway, Liechtenstein and Iceland. GDPR will impact every entity that holds or uses European personal data, both inside and outside of Europe. The relevance of GDPR is therefore not limited to Europe only, and the fines for non-compliance are massive.

Digitalisation is a double-edged sword when it comes to personal data. The convenience of online services and personalisation of business communications carry with them the potential for use and abuse by organisations we don’t want to do business with — and for purposes for which we have no need or interest. It’s not just annoying to get unsolicited contact, there is a real danger that our personal identity can be stolen and used for criminal activity and more.

Below are some aspects of GDPR compliance you need to take heed of:

  • You must have precise knowledge of the data you house and process; its geography, security usage and make-up—is it personal, prohibited, client-related, employee-related? Also, how is it captured—is it permitted by law or by the customer?
  • You must provide information on its usage and on the subject’s rights regarding his or her data
  • You must demonstrate the ability to manage personal data in a manner compliant with the regulation and be able to provide stored data at a subject’s request (including usage)
  • You have to be able to erase every instance of a subject’s data in compliance with the right to be forgotten
  • You must offer storage or conversion of data in a format that allows portability to other data processors
  • You need to have Governance, Risk and Compliance and IT planning practices that guarantee compliance with the GDPR including sustainable (GRC) policies and processes now and in the future, internal controls and risk mitigation, and have clear instructions on how to react to a security breach of personal data.

In a white paper, Gartner identified accountability as one of the key steps to meeting the deadline for the GDPR .  “Only a few organisations have actually identified every single process where personal data is involved,” Gartner said in the white paper, Focus on Five High-Priority Changes to Tackle EU GDPR.

Accountability is a process in itself; because transparency requirements lead to extended documentation and (internal) registration, business process owners must be formally appointed. Then, in order to be allowed to make decisions alone, subsidiaries in holding companies need to be mandated to act on behalf of the controller.

It is also time-consuming; if you are reviewing existing business processes where personal data is involved is undertaken for the first time, it can take from one week up to three months.

Outside parties in the processing operation have to comply with relevant requirements as well. Make sure their level of security matches your own, and ensure any data beyond the assigned retention periods is removed. Also, each outside party should have its own data protection officer. For many organisations, this could impact their supply, change management and procurement processes.

Accountability under the GDPR requires proper data subject consent acquisition and registration. Pre-checked boxes and implied consent are for the most part in the past. A clear and express action is needed. Subjects must know exactly what they agree to, so you should be clear on the data processed.

Here are some recommendations from Gartner that are worth you looking into:

  • Identify and appoint process owners for personal data processing activities. Obtain legal advice with regard to the grounds (legal basis) on which personal data is processed.
  • Establish and maintain an internal framework for accountability from start of processing to deletion of data. Ensure a thorough registration and up-to-date documentation of all personal data processing activities, including what data is used for what purpose.
  • Identify selection criteria for data processors and, in procurement and operations, ensure GDPR/contract compliance is audited regularly.
  • Perform a privacy impact assessment for every new (or material change in) form of processing, showing and subsequently mitigating new/changed risk to the data management practices.
  • Implement streamlined techniques to obtain and document consent and consent withdrawal. This includes the review of policies and procedures addressing personal data processing (for example, HR, IT, customers).

The challenges cannot be understated and the penalties for breaches are stinging; for major violations the fines can be up to 4% of the global revenue of the previous year. For a large corporation, this could be very painful indeed. 

Once you’re as responsible as a Boy Scout, you can move on to the next step: checking your cross-border data flows.

Article by Brenton Smith, Vice President, Software AG A/NZ.

Related stories:
Check Point announces integration with Microsoft Azure
Managing data to comply with privacy regulations - Micro Focus
Micro Focus: How to reduce the cost of data security
Hitachi Vantara to offer data protection as-a-service
Gartner: The five priorities of privacy executives
Tech Data to distribute Nutanix backup solution in A/NZ
Dig deeper:
Story image
13 Jun
Breach checking website Have I Been Pwned is up for grabs
The man behind the popular breach checking website Have I Been Pwned is stepping down from his esteemed post as sole manager of the site.More
Story image
31 May
Workplace inboxes still plagued by phishing attacks
Mimecast’s annual State of Email Security report confirms that social engineering is still plaguing businesses, along with other email threats including ransomware and phishing attacks.More
Story image
04 Jun
Insight Partners snatches up Recorded Future for $780m
“This transaction is the logical next step for Recorded Future given the opportunities in front of us, as we fully realize the potential and vision of our strategy."More
Story image
14 Jun
One Identity: How to mitigate the risks of spearphishing
Targeting one company rather than casting a wide net allows threat actors to take a more sophisticated approach. More
Story image
10 Jun
Canalys’ top picks for Cybersecurity Leadership Matrix 2019
The matrix is based on unique feedback from channel partners via the Candefero channels community, combined with Canalys quarterly shipment estimates and analyst insight.More
Story image
11 Jun
Businesses remain unprepared despite cybersecurity risk 
"The quantification of cyber risk is not easy, but this is an area where financial professionals must take the lead given cyber attacks are a constant and success almost a given."More
Story image
Breach checking website Have I Been Pwned is up for grabs
The man behind the popular breach checking website Have I Been Pwned is stepping down from his esteemed post as sole manager of the site.More
Story image
Workplace inboxes still plagued by phishing attacks
Mimecast’s annual State of Email Security report confirms that social engineering is still plaguing businesses, along with other email threats including ransomware and phishing attacks.More
Story image
Insight Partners snatches up Recorded Future for $780m
“This transaction is the logical next step for Recorded Future given the opportunities in front of us, as we fully realize the potential and vision of our strategy."More
Story image
One Identity: How to mitigate the risks of spearphishing
Targeting one company rather than casting a wide net allows threat actors to take a more sophisticated approach. More
Story image
Canalys’ top picks for Cybersecurity Leadership Matrix 2019
The matrix is based on unique feedback from channel partners via the Candefero channels community, combined with Canalys quarterly shipment estimates and analyst insight.More
Story image
Businesses remain unprepared despite cybersecurity risk 
"The quantification of cyber risk is not easy, but this is an area where financial professionals must take the lead given cyber attacks are a constant and success almost a given."More
Story image
Exclusive: Okta’s APAC GM on its expansion strategy
As APAC organisations recognise the need for identity and access management solutions, Okta finds itself attracting attention from both partners and customers.More
Story image
Security breaches of great concern to consumers
“These findings show many people are seeing the damage of cyber crime or identity theft firsthand.”More
Story image
Untagged data a major risk to businesses - Veritas
Over half of company data remains unclassified, despite a rise in security breaches and stringent data protection regulations. More
Story image
Sophos extends endpoint detection offering to servers
By adding EDR to Intercept X for Server, IT managers can investigate cyberattacks against servers, a sought-after target due to the high value of data stored there. More
Download image
Whitepaper: Countering the top two email attack vectors
Email is the number-one application to keep an organisation functioning, lines of communication flowing, and productivity seamless. More
Story image
Radiflow launches OT MSSP partner programme
The company provides a framework for MSSPs to offer new OT cybersecurity services.More
Story image
Silver Peak and NSC announce global partnership
The new Silver Peak-based managed SD-WAN services are available immediately to NSC enterprise and service provider clients and partners in 180 countries More
Story image
Apple gets serious about enterprise & security features
Features include new BYOD policies, managed Apple IDs, security enhancements, and even an app that allows users to find their phone or their friends.More
Download image
Case study: City University ups ransomware defences after attack
After recovering from this ransomware attack, City University began to work with Infoblox to bring its network security to the next level. More
Download image
Watch: How your organisation is most vulnerable to threats from the inside
90% of global organisations have seen phishing attack volumes increase and 40% have seen the volume of impersonation attacks increase.More
Download image
Best-in-class information archiving solutions - Gartner
The bulk of EIA spending is for email compliance and retention; however, interest in archiving other sources of additional messaging data is growing. More
Download image
Frost & Sullivan’s key factors for selecting a SIEM
“In practice SIEM is either an enabler in reaching a higher tier of productivity and proficiency; or a retardant due to limitations in adaptability and scalability."More
Download image
Insider threats & breach reports: Why security needs more investment
Insider threats (those that come from within your organisation) are a serious concern - here's why.More
Story image
Is the pain of resetting passwords finally over? 
"It's now the role of businesses to take the responsibility off the end user, by coming up with a more intelligent strategy than a password expiry policy."More
Story image
Sophos acquires Rook Security to provide managed detection and response
As a channel-first security provider, Sophos will deliver the new MDR services through its network of approximately 47,000 channel partners worldwide.More
Story image
Is it possible to enjoy container agility and be secure?
In line with ever-changing demands on IT, containers are exploding in popularity and look set to become the preferred method for deploying applications.More
Story image
RapidFire Tools helps MSPs and SMBs navigate cybersecurity liability
Many cyber insurance policies require businesses to adhere to specific conditions in order to be paid out if a claim is filed.More
Story image
Cyber attacks on healthcare companies growing
“The potential, real-world effect cyberattacks can have on healthcare organisations and patients is substantial.”More
Story image
Forrester names Proofpoint leader in enterprise email security
Email remains the preferred attack vector for cybercriminal activity, from low-level cybercriminals to nation states. More
Story image
Retailers failing customers when it comes to data security
Retailers are failing to adequately secure customer’s data, especially when it comes to application development processes (DevOps), new research from Claranet indicates.More
Story image
Palo Alto Networks introduces new cloud security suite
It aims to be the new benchmark in cloud security, transforming the cloud journey by simplifying access, data protection, and application security. More
Exclusive: Veeam’s business development VP looks ahead
Backup and disaster recovery company Veeam is finding new opportunities in partnerships after marking $1billion in bookings this year.More
Practical steps to selling cloud security-as-a-service
One of the largest inhibitors to cloud adoption is concern around the security of leveraging a service provider in a multi-cloud world.More
Check Point launches cloud security analytics solution
CloudGuard Log.ic detects cloud anomalies, blocks threats and intrusions, and delivers context-rich visualisations.More
Whitepaper: Data management strategies for a new information management environment
Companies are finding that their older, legacy archive strategies are increasingly ineffective in the new regulatory environment.More
Researchers create AI-enabled computer keyboard malware
Researchers at Israel’s Ben-Gurion University of the Negev have created a proof-of-concept attack that can mimic the way people write via their computer keyboards.More
A10 Networks extends cloud portfolio with new container-based solutions
The addition of Thunder Containers extends the company’s multi-cloud portfolio and increases the performance, security and availability of applications.More
Whitepaper: Are you getting your money’s worth from your SIEM?
Many organisations are struggling to keep pace with the speed in which hackers are attacking their systems.More
Opportunity growing in cyber-physical system market
The market for systems that monitor and control mechanical devices will more than double in the next 10 years with security a priority.More
NordVPN announces new file encryption tool
NordLocker will be a file encryption app for macOS and Windows that will encrypt files stored on a computer or in the cloud. More
NEC named Frost & Sullivan Biometrics Company of the Year
The award recognises NEC's foresight in innovating and developing biometric solutions for the future that maximises customer value and experience.More
Employees are already jeopardising cybersecurity - here’s how
Get an insight into email-related activities employees often engage in that contribute to the spread of threats. More
Experts comment on US Customs data breach
The United States Customs and Border Protection agency has been responsible for the leaking of tens of thousands of images of travellers and license plates. More
Digital transformation: Security on the edge
Multi-cloud access, SD-WAN, AI, and IoT, combined with the ubiquity of remote and mobile users, are significantly expanding the attack surface.More
HP study illuminates booming counterfeit print supply industry
Businesses that purchase print supplies are in danger of falling victim to the multi-billion dollar industry of counterfeits and fakes.More
How to avoid common mistakes when moving to the cloud
There is an opportunity to embrace both IT-led and user-led cloud services, but it’s important to do it safely.More
Renewed concerns over use of personal data, according to survey
“There is wide appeal for more permissions over how organisations access their identity data, and the choice to view and manage this in one secure place."More
CASE STUDY: Prototyping key to success when challenging design assumptions
Central Innovation helped Nura leverage CAD software SOLIDWORKS to refine and prototype the Nuraphone, culminating in a product that won the Best Innovation in Headphones category at consumer goods conference CES this year.More
Whitepaper: Five stages of vulnerability assessment strategies
Tenable’s Cyber Defender Strategies Report specifically focuses on key performance indicators (KPIs) associated with the Discover and Assess stages of the five-phase Cyber Exposure Lifecycle.More
More stories