SecurityBrief New Zealand logo
New Zealand's leading source of cybersecurity and threat news
Story image
Businesses focusing on threats from within - survey
Story image
Corelight and Exabeam partner to improve network monitoring
Story image
SailPoint releases first identity annual report
Story image

How ready are you for the GDPR and what should you do next?

23 Nov 17
Sara Barker

As 2017 soon draws to a close, organisations across the globe will have to be as prepared as Boy Scouts and demonstrate they are reviewing all of their business processes that involve personal data. Regardless of where you’re located or where the data you’re processing come from, you’ll need to ensure that the data is transparent before new privacy rules come into place in May 2018.

Under the EU’s General Data Protection Regulation (GDPR), personal data can flow between the 28 EU countries as well as Norway, Liechtenstein and Iceland. GDPR will impact every entity that holds or uses European personal data, both inside and outside of Europe. The relevance of GDPR is therefore not limited to Europe only, and the fines for non-compliance are massive.

Digitalisation is a double-edged sword when it comes to personal data. The convenience of online services and personalisation of business communications carry with them the potential for use and abuse by organisations we don’t want to do business with — and for purposes for which we have no need or interest. It’s not just annoying to get unsolicited contact, there is a real danger that our personal identity can be stolen and used for criminal activity and more.

Below are some aspects of GDPR compliance you need to take heed of:

  • You must have precise knowledge of the data you house and process; its geography, security usage and make-up—is it personal, prohibited, client-related, employee-related? Also, how is it captured—is it permitted by law or by the customer?
  • You must provide information on its usage and on the subject’s rights regarding his or her data
  • You must demonstrate the ability to manage personal data in a manner compliant with the regulation and be able to provide stored data at a subject’s request (including usage)
  • You have to be able to erase every instance of a subject’s data in compliance with the right to be forgotten
  • You must offer storage or conversion of data in a format that allows portability to other data processors
  • You need to have Governance, Risk and Compliance and IT planning practices that guarantee compliance with the GDPR including sustainable (GRC) policies and processes now and in the future, internal controls and risk mitigation, and have clear instructions on how to react to a security breach of personal data.

In a white paper, Gartner identified accountability as one of the key steps to meeting the deadline for the GDPR .  “Only a few organisations have actually identified every single process where personal data is involved,” Gartner said in the white paper, Focus on Five High-Priority Changes to Tackle EU GDPR.

Accountability is a process in itself; because transparency requirements lead to extended documentation and (internal) registration, business process owners must be formally appointed. Then, in order to be allowed to make decisions alone, subsidiaries in holding companies need to be mandated to act on behalf of the controller.

It is also time-consuming; if you are reviewing existing business processes where personal data is involved is undertaken for the first time, it can take from one week up to three months.

Outside parties in the processing operation have to comply with relevant requirements as well. Make sure their level of security matches your own, and ensure any data beyond the assigned retention periods is removed. Also, each outside party should have its own data protection officer. For many organisations, this could impact their supply, change management and procurement processes.

Accountability under the GDPR requires proper data subject consent acquisition and registration. Pre-checked boxes and implied consent are for the most part in the past. A clear and express action is needed. Subjects must know exactly what they agree to, so you should be clear on the data processed.

Here are some recommendations from Gartner that are worth you looking into:

  • Identify and appoint process owners for personal data processing activities. Obtain legal advice with regard to the grounds (legal basis) on which personal data is processed.
  • Establish and maintain an internal framework for accountability from start of processing to deletion of data. Ensure a thorough registration and up-to-date documentation of all personal data processing activities, including what data is used for what purpose.
  • Identify selection criteria for data processors and, in procurement and operations, ensure GDPR/contract compliance is audited regularly.
  • Perform a privacy impact assessment for every new (or material change in) form of processing, showing and subsequently mitigating new/changed risk to the data management practices.
  • Implement streamlined techniques to obtain and document consent and consent withdrawal. This includes the review of policies and procedures addressing personal data processing (for example, HR, IT, customers).

The challenges cannot be understated and the penalties for breaches are stinging; for major violations the fines can be up to 4% of the global revenue of the previous year. For a large corporation, this could be very painful indeed. 

Once you’re as responsible as a Boy Scout, you can move on to the next step: checking your cross-border data flows.

Article by Brenton Smith, Vice President, Software AG A/NZ.

More:
Share on: LinkedIn Twitter Facebook
Story image
Businesses focusing on threats from within - survey
Story image
Corelight and Exabeam partner to improve network monitoring
Story image
SailPoint releases first identity annual report
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Verifi takes spot in Deloitte Asia Pacific Fast 500
"An increasing amount of companies captured by New Zealand’s Anti-Money laundering legislation are realising that an electronic identity verification solution can streamline their customer onboarding."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
Story image
Forcepoint and Chillisoft - “a powerful combination”
Following Chillisoft’s portfolio expansion by signing on Forcepoint, the companies’ execs explain how this is a match made in cybersecurity heaven.
Story image
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Story image
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.
Story image
Securing hotel technology to protect customer information
Network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices, including smart door locks.
Story image
Using blockchain to ensure regulatory compliance
“Data privacy regulations such as the GDPR require you to put better safeguards in place to protect customer data, and to prove you’ve done it."
Story image
Cyber attacks develop complexity, target Windows sysad tools - report
The report explores changes in the threat landscape over the past year, uncovering trends and how they are expected to impact cybersecurity in 2019.
Story image
Sponsored
Healthcare without barriers: The leading edge of technology
Healthcare. It’s often on the leading-edge of science & technology – or at least when financing and regulation work in its favour.
Story image
Report finds GCSB in compliance with NZ rights
The Inspector-General has given the GCSB its compliance tick of approval for the fourth year in a row.
Download image
Avoid underutilising office space with optimisation solutions
Facility managers and security professionals need a real-time view of how their workforce interacts with a building.
Download
Download image
Infographic: How cybercriminals are targeting Kiwis
The New Zealand 2018 Unisys Security Index stands at 138, down 16 points from 154 in 2017.
Download
Story image
Govt commits $5.15m to digital identity research
“With more and more aspects of our lives taking place online it’s critical the government takes a lead to ensure New Zealanders have control of how and who uses their identity information,” says Minister Woods.
Download image
Whitepaper: How close is your organisation to GDPR compliance?
The GDPR affects any company that deals with individuals living in the EU and has very specific requirements for the treatment of their personalOne of the most significant changes in global privacy law in the last 20 years is the introduction of the EU’s General Data Protection Regulation (GDPR).
Download
Story image
Sponsored
The Implications of a data disaster and why effective DR is critical
93 percent of companies without disaster recovery who suffer a major data disaster are out of business within one year.
Download image
Whitepaper: Microsoft’s framework for inclusive and responsible cloud policies
Microsoft wants to empower organisations to use technology within a clear ethical and responsible framework.
Download
Story image
Palo Alto Networks integrates RedLock and VM-Series with AWS Security Hub
AWS Security Hub is designed to provide users with a comprehensive view of their high-priority security alerts and compliance status.
Download image
Understanding consumers' security concerns critical to gaining trust
Data security issues such as identity theft, bank fraud, viruses and hacking are more of a concern than natural disasters or terrorism.
Download
Story image
Mega-merger aligns physical & digital security across A/NZ
Optic Security Group is the name of one of A/NZ’s latest mega-mergers in the physical and digital security space, bringing combined revenues in excess of A$100 million to the table.
Story image
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
Story image
SingleSource scores R&D grant to explore digital identity over blockchain
Callaghan Innovation has awarded a $318,000 R&D grant to Auckland-based firm SingleSource, a company that applies risk scoring to digital identity.
Download image
Whitepaper: Mobility you can trust
Mobility gives hackers additional opportunities to gain access to your company’s sensitive data, thus your highly confidential information is at risk.
Download
Download image
The features that should be front and centre when evaluating SIEMs
According to Frost & Sullivan, SIEM can either be an enabler or a retardant and there's a thin line between the two - here's the key attributes.
Download
Story image
WatchGuard appoints new channel distributors in A/NZ
The appointments will enable WatchGuard to expand its regional channel reseller footprint.
Download image
Whitepaper: How physical access control got where it is today
Despite the enhanced security and convenience that comes from newer options, many organisations are still using outdated and vulnerable access control technology.
Download
Download image
A guide to compliance in this new world of legislation
Every day another country joins the fight agains breaches with legislation. Get compliant and stay compliant with this detailed whitepaper.
Download
Story image
A10 aims to secure Kubernetes container environments
The solution aims to provide teams deploying microservices applications with an automated way to integrate enterprise-grade security with comprehensive application visibility and analytics.
Download image
The six golden keys to successful identity assurance
When someone tries to access your internal systems, how can you be sure a user is who they claim to be?
Download
Story image
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
Story image
DigiCert conquers Google's distrust of Symantec certs
“This could have been an extremely disruptive event to online commerce," comments DigiCert CEO John Merrill. 
Story image
Quora's been breached: Users, change your passwords
Quora’s 100 million users are the latest targets in a major data breach, but at least the company has moved quickly to contain it.
Download image
Whitepaper: 4 tips for implementing a successful and secure hardware solution
Making big IT decisions that affect your department and organisation as a whole brings up many concerns.
Download
Story image
How to keep network infrastructure secure and available
Two OVH executives have weighed in on how network infrastructure and the challenges in that space will be evolving in the coming year.
Story image
Singtel integrates cybersecurity capabilities under Trustwave banner
The integration enables Trustwave to harness the synergies of Singtel’s global cybersecurity business, revenue, capabilities across the Americas, Europe and Asia Pacific.
Download image
Whitepaper: Five key ways to lock down BYOD with MFA
IT and security managers need to move beyond usernames and passwords, expanding their use of multi-factor authentication (MFA) to help provide secure and convenient access.
Download
Story image
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
Story image
Why total visibility is the key to zero trust
Over time, the basic zero trust model has evolved and matured into what Forrester calls the Zero Trust eXtended (ZTX) Ecosystem.
Download image
Whitepaper: The key to compliance is governing access to data
By implementing a governance-based approach to identity governance, companies can secure their organisation’s sensitive data.
Download
Story image
Is mobile shopping compromising your enterprise security?
When employees do their holiday shopping on company resources, security teams have a challenge with the surge in browsing and online transactions.
Story image
One Identity a Visionary in Magic Quad for PAM
One Identity was recognised in the Gartner Magic Quadrant for Privileged Access Management for completeness of vision and ability to execute.
Story image
Fortinet formalises threat information sharing agreement with INTERPOL
Fortinet has been an active member of an expert working group within INTERPOL for more than two years.
Download image
CASE STUDY: Prototyping the most ambitious innovation in audio design yet
Central Innovation helped Nura leverage CAD software SOLIDWORKS to refine and prototype the Nuraphone.
Download
Story image
DanaBot banking Trojan: How to protect your organisation
DanaBot is a Trojan written in the Delphi programming language that includes banking site web injections and stealer functions.
Download image
Whitepaper: Three changes that will make security teams more effective
Organisations are spending more and more money on cybersecurity preventive measures, yet the breaches seem to keep increasing.
Download
Story image
Ping Identity announces new Identity-as-a-Service solution
PingOne for Customers is built for the developer community and provides API-based identity services for customer-facing applications.
Story image
Gartner names newcomer Exabeam a leader in SIEM
The vendor landscape for SIEM is evolving, with recent entrants bringing technologies optimised for analytics use cases.
Download image
Whitepaper: Using your data and AI to tighten cybersecurity
ResponSight focuses on two key areas of cybersecurity – threat detection and enterprise risk measurement – and the need for more sophisticated approaches in each.
Download
Story image
Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.
Story image
Gartner names Proofpoint Leader in enterprise information archiving
The report provides a detailed overview of the enterprise information archiving market and evaluates vendors based on completeness of vision and ability to execute.
Story image
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Story image
Sponsored
Bringing security to the next-level of networking
By securing your network at the DDI level, you can prevent DNS attacks, data exfiltration, and put a barrier around every connected device.
Download image
3 key points to securing your digital transformation journey
In this report Unisys details three key areas focus on when implementing a successful digital transformation as with every opportunity comes risk.
Download
Story image
CERT NZ highlights rise of unauthorised access incidents
“In one case, the attacker gained access and tracked the business’s emails for at least six months. They gathered extensive knowledge of the business’s billing cycles."
Story image
Different approach to malware detection needed – VMware
Security needs to move away from the traditional approach of chasing after arbitrary forms of malware.
Story image
Sponsored
How Philips IT solutions are reinventing healthcare
Philips has a dream of completely interconnected healthcare system that offers the right information at the right time, as health knows no bounds so why should healthcare?
Story image
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Link image
Is your business growing the way you want it to?
Small business owners often have to be a jack-of-all-trades to keep their business running - but it doesn't have to be that way.
Read more
Download image
Report: How IT Is responding to digital disruption and innovation
Today “every company is in the software business" to get a competitive edge, and this survey reveals how app dev is affecting IT teams.
Download
Download image
Whitepaper: How to detect and respond to threats faster
This white paper uncovers how UEBA reduces your organisational risk and enables you to respond more quickly to attacks.
Download
Story image
Tensions on the rise after Huawei CFO arrest
“Recently our corporate CFO, Meng Wanzhou, was provisionally detained by the Canadian authorities on behalf of the United States of America."
Story image
52mil users affected by Google+’s second data breach
Google+ APIs will be shut down within the next 90 days, and the consumer platform will be disabled in April 2019 instead of August 2019 as originally planned.
Story image
Juniper simplifies data integration to improve threat detection
Updates to the Juniper Advanced Threat Prevention Appliances leverage third-party firewalls and security data sources.
Story image
Sponsored
PAM solutions critical to stopping criminals' appetite for credentials
Threat actors will also use different methods of attack and toolkits to look for vulnerabilities in any internet infrastructure. They are looking to steal any credentials that could allow for privilege escalation.  
Story image
Modernising ERP systems can help organisations comply with GDPR
“Organisations need to look for modern ERP systems that are specifically designed with GDPR in mind."
Story image
Sponsored
Is your SD-WAN solution leaving you vulnerable?
Providing direct internet access to cloud-based applications has made deploying new security strategies designed for the distributed enterprise critical.
Download image
Why digital trust is crucial for your digital transformation
Business leaders can wait and be forced to respond to market change, or they can embrace digital and lead market change themselves.
Download
Story image
Sponsored
Hands-on review: Quick and easy authentication with YubiKeys
Mobile text-based two-factor authentication is no longer a trustworthy second factor as it isn’t effective against phishing attacks.
Download image
Cutting through the noise with AI-driven threat analytics
SANS has provided an independent review of a new AI analytics solution designed to rescue businesses 'drowning in data' from SIEM platforms.
Download
Download image
Whitepaper: An inside look at the benefits of cloud
"Cloud computing is revolutionising business, enabling organisations to move faster, spend less and deliver greater value."
Download
Story image
Spark Lab launches free cybersecurity tool for SMBs
Spark Lab has launched a new tool that it hopes will help New Zealand’s small businesses understand their cybersecurity risks.
Story image
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Download image
Whitepaper: Why it’s critical to detect cyber attacks as they happen
"Many organisations are struggling to keep pace with the speed in which hackers are attacking their systems."
Download
Link image
Increase visibility and productivity with fleet tracking software
Know what’s going on in the field so you can dispatch more efficiently, improve customer service and reduce time spent calling drivers for updates.
Read more
Download image
Whitepaper: How to protect your business from insider threats
Critical data has moved to the cloud and employees are able to access it from any network, wherever they are in the world.
Download
Download image
Whitepaper: How Philips drives security and privacy in healthcare
Personal data within healthcare records is most valuable, as it can be used, for example, for various malicious purposes.
Download