GDPR, changing what it means to be a good data custodian

19 Jun 2018

As the deadline for compliance with Europe’s General Data Protection Regulation (GDPR) has finally come to pass, its impact on the business world is becoming clear. After years of ambiguity, the spotlight is fixed upon how data is used and what it means to be a good data custodian. Some of what the spotlight has shown isn’t good, but the mere presence of that spotlight is immensely important – this is the data privacy discussion we needed to have.

Many individuals have seen this play out in their inboxes in recent months as all of the major social media and web players have been updating their terms of service to become GDPR compliant. For example, LinkedIn made changes around how user data “…can be used to personalise ads,” as well as how the service “…customises… experiences based on your data, including what you see, what we suggest and how we generate insights.”

Some companies like Twitter say they will raise their standards by creating a “bespoke experience” for EU users. A small number of others say they will simply withdraw from the EU entirely rather than meet the GDPR standards. These events are quite significant. Arguably, for the first time, we are being made aware of where our data goes, how it affects what we see online, and how committed companies are to keeping it secure.

The GDPR is designed to ensure that the collection, storage, and processing of member states’ citizens’ data is consistent, secure, and non-invasive. However, it is not merely European firms that are affected. In fact, the regulation isn’t even limited to enterprises with physical operations in Europe. Rather, any organisation that stores or processes the personal data of European citizens must uphold GDPR. Failure to comply is expensive – the fines can amount to 20 million Euros (A$31.7 million) or four percent of a non-compliant organisation’s revenue.

One of the key elements of the GDPR is that it empowers citizens to have a voice in how their data is used. Data subjects, including employees, have various rights and can take legal action against those that misuse their data. As such, organisations must take steps to inhibit data misuse, prevent unauthorised access, record data processing, and demonstrate compliance. To meet these requirements they need security capabilities that encompass cloud, endpoints, BYOD, and outside threats such as malware. Below are a few key areas for organisations to consider in their quest for GDPR compliance.

Visibility

To attain data security, organisations must first gain thorough visibility over their data. Whether that data is being stored in another country, transferred abroad temporarily, or exfiltrated by employees to unsanctioned cloud apps, firms must keep track of where it is stored, sent, and accessed – otherwise, they cannot secure it. As such, the enterprise must adopt solutions that offer comprehensive, cross-app visibility for every app, action, and user that touches data.

Certifications

Organisations are encouraged to have codes of conduct and certifications that demonstrate various levels of compliance with GDPR. While these are intended to be a form of voluntary self-regulation, there will be accredited, independent bodies that determine if organisations are in compliance with the certifications that they pursue. Tools that provide transparency and security with respect to data storage, access, and usage can help an enterprise demonstrate its adherence to varied data protection standards.

Breach notifications

Finally, GDPR mandates that a breached organisation provide documentation on the causes and effects of a breach, as well as the security measures taken to address it. Because of this, organisations need solutions that log all activities involving corporate data and prevent breaches ahead of time. This requirement is less impactful in Australia and other nations where data breach notifications are already mandatory. However, the standardisation of breach notifications abroad should serve to enhance data protection practices internationally.

In a world where personal data is viewed as a currency and complex individual profiles are built by aggregating countless pieces of information, a proper public conversation on data usage is proving its worth. Everyone is entitled to having the privacy of their personal information respected. Organisations must now comply with GDPR or face the reality that they have no place in our increasingly cloud-first world.

Article by Bitglass vice president of sales for Asia Pacific and Japan, David Shephard.
