SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
GDPR, changing what it means to be a good data custodian
Tue, 19th Jun 2018

As the deadline for compliance with Europe's General Data Protection Regulation (GDPR) has finally come to pass, its impact on the business world is becoming clear. After years of ambiguity, the spotlight is fixed upon how data is used and what it means to be a good data custodian. Some of what the spotlight has shown isn't good, but the mere presence of that spotlight is immensely important – this is the data privacy discussion we needed to have.

Many individuals have seen this play out in their inboxes in recent months as all of the major social media and web players have been updating their terms of service to become GDPR compliant. For example, LinkedIn made changes around how user data “…can be used to personalise ads,” as well as how the service “…customises… experiences based on your data, including what you see, what we suggest and how we generate insights.”

Some companies, like Twitter, say they will raise their standards by creating a “bespoke experience” for EU users. A small number of others say they will simply withdraw from the EU entirely rather than meet the GDPR standards. These events are quite significant. Arguably, for the first time, we are being made aware of where our data goes, how it affects what we see online, and how committed companies are to keeping it secure.

The GDPR is designed to ensure that the collection, storage, and processing of member states' citizens' data is consistent, secure, and non-invasive. However, it is not merely European firms that are affected. In fact, the regulation isn't even limited to enterprises with physical operations in Europe. Rather, any organisation that stores or processes the personal data of European citizens must uphold GDPR. Failure to comply is expensive – the fines can amount to 20 million Euros (A$31.7 million) or four percent of a non-compliant organisation's revenue.

One of the key elements of the GDPR is that it empowers citizens to have a voice in how their data is used. Data subjects, including employees, have various rights and can take legal action against those that misuse their data. As such, organisations must take steps to inhibit data misuse, prevent unauthorised access, record data processing, and demonstrate compliance. To meet these requirements they need security capabilities that encompass cloud, endpoints, BYOD, and outside threats such as malware. Below are a few key areas for organisations to consider in their quest for GDPR compliance.

Visibility

To attain data security, organisations must first gain thorough visibility over their data. Whether that data is being stored in another country, transferred abroad temporarily, or exfiltrated by employees to unsanctioned cloud apps, firms must keep track of where it is stored, sent, and accessed – otherwise, they cannot secure it. As such, the enterprise must adopt solutions that offer comprehensive, cross-app visibility for every app, action, and user that touches data.

Certifications

Organisations are encouraged to have codes of conduct and certifications that demonstrate various levels of compliance with GDPR. While these are intended to be a form of voluntary self-regulation, there will be accredited, independent bodies that determine if organisations are in compliance with the certifications that they pursue. Tools that provide transparency and security with respect to data storage, access, and usage can help an enterprise demonstrate its adherence to varied data protection standards.

Breach notifications

Finally, GDPR mandates that a breached organisation provides documentation on the causes and effects of a breach, as well as the security measures taken to address it. Because of this, organisations need solutions that log all activities involving corporate data and prevent breaches ahead of time. This requirement is less impactful in Australia and other nations where data breach notifications are already mandatory. However, the standardisation of breach notifications abroad should serve to enhance data protection practices internationally.

In a world where personal data is viewed as a currency and complex individual profiles are built by aggregating countless pieces of information, a proper public conversation on data usage is proving its worth. Everyone is entitled to having the privacy of their personal information respected. Organisations must now comply with GDPR or face the reality that they have no place in our increasingly cloud-first world.