Posts Tagged :

GDPR

Data Privacy Day: Security industry highlights key issues

960 640 Stuart O'Brien

Tuesday January 28th marks Data Privacy Day, the annual international day aimed at raising awareness of privacy and data protection issues and promoting best practices.

Here we’ve gathered up the thoughts of some leading figures from across the sector, covering everything from GDPR to biometrics and compliance, and what 2020’s priorities need to be…

Nigel Hawthorn, data privacy expert, McAfee

“Over a year after the EU’s General Data Protection Regulation (GDPR) came into force, the regulatory bodies are changing their focus from guidance to full enforcement. The GDPR framework serves as a driver for organisations to revisit their current processes and take full responsibility for how they process and store personal data. As the UK leaves the EU, this legal responsibility doesn’t go away. The UK government passed the Data Protection Act 2018 to provide an equivalent law to GDPR. As we’re stepping into a new decade, we are seeing the rise of more regulations which put internet users first and a rise in the data stored in the cloud.”

“With the increasing reliance on the cloud, businesses need to be rest assured that they have complete visibility and control over data regardless of where it is. According to our latest research, 40% of large UK businesses expect to be cloud-only by 2021. What we’re going to see in 2020 is even more data and applications shifting to the cloud – and where they migrate, cybercriminals will follow.

Today, we should recognise that the age of the cloud is here. Whether businesses are cloud-only or shifting towards a cloud-first approach, the key is to make sure it isn’t an easy target for cybercriminals.”

Zachary Jarvinen, Head of Product Marketing, AI and Analytics, OpenText “As we welcome in another Data Privacy Day, this date – and what it represents – has never been more relevant or more important.

“It’s clear that 2020 will be the year that the rest of the data privacy iceberg begins to emerge. While regulations like Europe’s GDPR and the California Consumer Privacy Act (CCPA) have already been established, new regulatory developments surrounding data privacy are continually coming to light.

“Although these regulations have their inherent differences, the general scope of data privacy laws is to give consumers the right to know how and what type of personally identifiable information (PII) is collected, and the option to take legal action in the event that they should incur damages from bias or data security breaches. In 2019, 53% of consumers stated that they would cancel a transaction if they didn’t like something in the privacy policy – more must be done this year to make sure data privacy and protection is a top priority for companies.

“Until now, most organisations have focused their efforts on structured information, but they must also be able to understand what PII is located in textual documents. Archived data, in particular, is an especially pressing concern for most enterprises. AI-powered solutions will be instrumental in locating sensitive data and managing it through automated workflows. Today, organisations will also need to establish internal data governance practices to determine who is accountable for data security and enterprise-wide policy, which may include creating teams that blend technical and regulatory expertise.

“It’s also a great time to get started with a career in the industry. Over the past four years there has been a 75% increase in jobs with “privacy” in the title. Privacy is hot. And, finally data protection is at the table for new initiatives and technology decisions.”

Simon Wood, CEO, Ubisecure  “The topic of data privacy could not be more relevant in the current cybersecurity landscape. Last year, for example, a number of headline-hitting data breaches were revealed to be a result of misplaced security design choices – demonstrating the damaging consequences of underestimating security requirements. 

“A large cause for concern here is when it comes to businesses building identity management functionality in-house. No matter how big the development team some companies may have, a lack of experience and resources in cybersecurity areas like identity management means that building such features internally comes with increased risk. Faced by tight deadlines and pressure to get applications to market as fast as possible, teams are challenged to build functionality that properly adheres to privacy by design and proven security methodology. Often, we see the impact of not doing so through the breaches that take advantage of weak authentication policies and a failure to keep data privacy central to the whole design process. 

“One way for tech leaders to solve this problem is to deploy Identity-as-a-Service (IDaaS) solutions – cloud based authentication and identity software or APIs already proven and in use in the market. Such solutions allow teams to integrate identity features into applications as securely and as seamlessly as possible, without reinventing the wheel each time. Ultimately, this on-demand expertise reduces the risk of data breaches caused by employee-led error and places data privacy at the forefront of the development process.“

Gijs Roeffen, Director IT & Security at EclecticIQ “As data breaches continue to hit the headlines, businesses and consumers alike are becoming more and more aware of the need to protect their data. Here are a couple of simple tips to help keep your personal information secure: 

Swap PIN codes for biometrics

“When it comes to passwords and PIN codes, people are creatures of habit. People not only use the same password across multiple online accounts, they will also happily use the same PIN code for their debit card and their phone, or a generic PIN number. In fact, cybersecurity specialist Tarah Wheeler recently shared the most common PINs used by smartphone users to secure their devices, and shockingly, the most common PIN number was 1234. 

“Passcodes and PIN numbers can easily be captured from a glance over someone’s shoulder, or can be photographed or filmed from another mobile device. Biometrics, however, such as facial recognition or fingerprints, are unique to the user and can’t be obtained in either of these ways, making them a much safer option than passwords and PINs.

 Safeguard your SMS messages

“While it is possible to intercept SMS messages over the air, it requires multiple factors to be aligned to be successful. Attacks on SMS are often very targeted, since intercepting SMS codes requires specialist knowledge and hardware. 

“Using a two-factor authentication, however, is an effective means of defence against account takeover, so be sure to check your SMS is protected. Alternatively, look into using an encrypted messaging service. Encryption jumbles the content of a message into random data until it is received on the other end, so if a hacker intercepts the message, they won’t be able to view it in full. Apple’s iMessage service uses encryption, as does WhatsApp, which works across both Android and iPhone devices.”


Ashley Bill, enterprise data consultant, Micro Focus“Fortunately, life after the General Data Protection Regulation (GDPR) has seen organisations begin to change how they think about data privacy. While avoiding regulatory fines and reputational damage is often top of mind, savvy business leaders may also see the business benefits that effective compliance can bring: the ability to generate high quality, streamlined data that can be monetised through applying predictive analytics.

“By investing in optimised data management driven by compliance, organisations can effectively increase the value of their data. It not only saves them pouring significant amounts of time into making sense of exploding datasets, but also creates an environment where teams can effectively deploy predictive analytics to make informed decisions. Using insights gleaned from quality data, companies can better predict the preferences and behaviour of their target audiences to inform and maximise the potential of marketing, advertising and product development. Ultimately, accurately predicting what customers want and remaining a step ahead of competitors is the ‘holy grail’ of business success.

“If predictive analytics is essential for boosting business outcomes, data privacy compliance is a fundamental component. And looking ahead, it will be a major driving force behind the development of modern, ethical, data-driven organisations.”

Chris Greenwood, Senior Director and General Manager UK&I at NetApp 

“Data privacy has moved beyond protection and is now a question of trust. 

“We, as consumers, trust organisations to handle our data in a secure, standardised and accountable way. But with 60% of UK businesses planning to migrate apps and data to the cloud within the next year, the risks are high. Combine this with the rise of 5G, edge computing and AI bringing about entirely new and disruptive ways to use data, organisations must ensure suitable safeguards are in place, tested and updated as we begin to unravel these various possibilities.

“75% of IT leaders anticipate that security will have the largest impact on their data strategy over the next 12 months. In order for privacy to succeed, it is the duty of companies and organisations to not only understand how and why data is being used, but also have the capabilities to remedy any ethical concerns which may naturally arise as new lines are drawn on what ‘is’ versus what ‘was’ acceptable as technology becomes ever more powerful.

“This can only be achieved by being able to see, access and conscientiously use data from any and every environment whilst affording the end user the means to control how and what data is there in the first place. Only then can user privacy truly succeed.”

Malcolm Murphy, Systems Engineering Director, EMEA at Infoblox “You hear a lot of people in the industry talking about Zero Trust. Whist it is certainly a core element of improving data protection standards, we need to be more realistic about its wide-scale implementation.

“Despite the hype, no one is actually doing ‘Zero Trust’ yet. Putting the infrastructure in place to enable organisations to verify anything and everything trying to connect to its systems before granting access is a really hard thing to do, as we can’t easily layer it onto existing technology at scale.

“As it stands, we’re nowhere near being able to implement the Zero Trust concept at a cost-effective level, and this is unlikely to change in 2020 – and our data privacy may suffer because of it.”

“This approach will remain difficult, expensive and inconvenient. I think it will take a catastrophic event or new regulation to make organisations invest in Zero Trust, it won’t happen on its own.”

Paul Farrington, EMEA CTO, Veracode: “Many businesses today are software-driven and they are conscious of the role software security plays in keeping data protected. There is a greater need to ensure security is a core part of the software development process going forward. As a new data-driven decade commences, businesses should empower developers by training them on best practices in secure coding and providing the tools to enable them to find and fix vulnerabilities in their software.

“We know that unresolved vulnerabilities that pile up over time, also known as security debt, can leave organisations exposed to data breaches. Hackers will continue to look for weak points at the application layer, which is still the predominant threat vector. By shifting security left, developers are able to fix vulnerabilities faster and more effectively, improving an organisation’s overall security and ultimately better protecting sensitive data. Across Europe, more businesses are learning that they are able to adopt application security without stifling innovation.”

GDPR compliant facial recognition CCTV arrives in UK

960 640 Stuart O'Brien

DVS has become the first UK electronic surveillance distributor to provide the Facewatch facial recognition crime deterrent system to its installer and reseller network.

Over the past 18 months, Facewatch has been successfully trialed across a range of retailers, with demand for the system as a deterrent to stop shop theft and violence in stores particularly high.

DVS says making Facewatch available through established UK reseller channels will ensure the product, training and support is provided at the highest level and a rapid roll out can be achieved.

Facewatch, which is sold as a licenced product, is GDPR compliant. The uploaded criminal data is the responsibility of Facewatch under a data sharing agreement, which has been signed by the user. 

Facewatch will be available to ‘approved’ installers who have been trained on both the practical setup of the cameras and aspects of managing and running the system.

“Facial recognition is being discussed within businesses and the wider world by those who understand that the best technologies can deter and prevent crime,” said Gavin Dunleavy, commercial director, DVS Ltd.

“Facewatch is the leading facial recognition solution with a focus on the retail sector and other verticals alike. With GDPR compliance and privacy controls built into the system the solution becomes powerful and legally deployable. Facewatch combines simple CCTV hardware with a secure cloud-based software solution, so accredited training and support is of the upmost importance for our installers to deliver this incredible solution. 

“We will be running training from our HQ initially then across the UK with a plan to have trained and accredited strategic partners in place throughout 2020.”

Nick Fisher, CEO Facewatch, said: “DVS are a perfect partner for us. They have a highly technical team; they are used to working with the very latest CCTV technology and have a great team on the road and at their HQ offering sales and technical support. 

“Facewatch is a sophisticated SAAS (software as a service) product that requires training and support and DVS have a well-established training team who will work with us to establish a network of approved Facewatch installers. Facewatch is supplied on licence and therefore creates a new recurring income stream for installers who will provide lifelong technical, product management and training support to their customers. We are very excited to announce DVS as our channel partner.”

CCTV: Are you complying with regulations?

960 640 Guest Blog

It’s exactly a year since the new General Data Protection Regulation (GDPR) came into force (May 25). CCTV surrounds us and is everywhere – on public, commercial and private premises and our homes, but is everyone complying with the Regulation that governs its use?

What’s more, is it being deployed to best effect? Andrew Crowne-Spencer, UK CCTV Manager at property services and security specialist Clearway, says it’s recent survey suggests ‘no’ to both, and those that aren’t complying are leaving themselves open to fines or complaints…

The reasons for this worrying discovery were multiple, but appeared mainly to be because the management responsible hadn’t bothered to read all the Regulations in enough detail, don’t think they apply to them, are too lazy to comply with it all or simply don’t understand them.

CCTV cameras are now a fact of life and surround us. Six years ago, the British Security Industry Association (BSIA) estimated there were nearly 6m in the country, including 750,000 in “sensitive locations” such as schools, hospitals and care homes, and there are some 15,600 on the London Underground network alone. Other estimates put the national tally far lower at 1.85m but it’s virtually impossible to clarify the figures with any degree of accuracy without checking every single property and street from Scotland to Cornwall as they are literally everywhere. 

Whichever figure is nearer the truth, that’s still a lot of cameras, which may persuade some people we live in a ‘surveillance society’, anathema to those who champion our right in the UK to privacy, freedom of speech, expression and movement. 

Like it or not, however, CCTV has become part of the modern British landscape and camera images protect businesses, homes and public property while providing police forces and security organisations with a vital tool for both deterring and solving crime. Given the increasing paranoia now about terrorism, especially in high profile buildings and travel hubs, and the development of more refined technology, one wonders just how many cameras there are watching us anywhere and everywhere?  

No doubt this prevalence contributes to the debate about balancing the use of surveillance with individuals’ right to privacy, but across the UK and EU there are now stringent GDP Regulations which cover of the use of CCTV… but just how good are organisations at complying to them?

Since our streets and buildings bristle with CCTV cameras everywhere, inside and outside, recording details and images of our comings and goings (it is estimated that the average Briton is captured on CCTV around 70 times per day) most people believe this is a small compromise to privacy necessary for improved protection from crime

However, facilities, building and security managers or property owners really need to check their compliance to Regulations is up to scratch before someone complains and they face a hefty fine. 

These days, like it or not, the public tend to accept the fact that wherever they go, inevitably they’re on someone’s camera, somewhere; it’s a fact of life and reassuring in most cases where their personal security is concerned.

However, when you think about it when you are out and about yourself, do you really see or notice advisory signs about CCTV, as much as you should? Which is what the Regulations demand. And have you any idea where all these images are stored, or if they’re deleted after a short time, or perhaps shared with other parties? Who really knows where you are going or what you are doing? 

The answer is probably not. The whole point of CCTV is security, and its deterrent factor in part, as well as recording the criminal activity to assist law enforcement bodies in detecting the perpetrators. Therefore, if trespassers or criminals don’t even realise they’re on camera, as is what we suspect in a lot of cases, what sort of useless deterrent is that? And, just how good are the images the cameras are supplying? If they’re grainy or blurred due to old or faulty equipment, or not set up correctly, that doesn’t help anyone except the trespassers or criminals. Ten years ago it was reported that 95% of murder cases investigated by Scotland Yard used CCTV footage as evidence, yet latest data suggests 80% of footage now available is of such poor quality it’s almost worthless. That apart, don’t these companies or organisations, even public sector ones, realise if they’re not properly complying with the GDP Regulation they can be penalised because of it? Sometimes to the tune of many thousands of pounds?

One year on from the introduction of the new GDPR, here are some of the key failures that came to light in Clearway’s investigation of its own extensive nationwide client and contact list:

In no particular order:

  • Failure to fit signage or keep the information on it accurate.
  • Failure to carry out a GDPR risk assessment prior to CCTV deployment.
  • Leaving DVRs (digital video recorders) unlocked or unsecured so anyone, not just designated security personnel, have access to footage.
  • Failure to ensure the lenses of CCTV cameras are not appropriately directed or are masked so that inappropriate footage is not recorded, and, if the data is shared with other parties, for example to monitor specific individuals, then innocent people are blurred out, a simple matter to deal with using appropriate modern software.
  • Having CCTV monitors which are viewable by the public.
  • Failure to have trained staff to monitor the CCTV. 
  • Leaving usernames and passwords as default settings or noted next to the equipment.
  • If the images are to be shared with other organisations, eg the police, TfL, or other security service providers, failure to manage this appropriately to conform to Regulations.

Here’s an example of what was found on one site recently – It’s a great example of common compliance failings:

  • DVR on reception desk with monitor on top  – no one at reception – someone leaned over the desktop to look at the monitor to see if their taxi was at the front door!
  • Username and password on a sticker attached to the monitor (redacted for media use)

We walked outside to find all of the CCTV signage was so worn and old that the contact details had faded away and were illegible.

Then, in a second example, there was a case of the settings on the equipment not being right, specifically the date and time were incorrect and two systems on the same site had times set 17 seconds apart. 

That might sound petty, but there was a break-in and when the intruder was arrested police showed the CCTV footage in court.  The defence barrister then asked for all camera footage to be played at the same time. 

As the intruder was seen on two systems at the same time (due to the timers not being synced) the barrister claimed the evidence was inadmissible as it was clearly inaccurate since how could the intruder be in two places at once?

Case dismissed due to lack of evidence!

The message from all this is simple. Check your CCTV systems are doing what they should and you are complying with the Regulations. Because someone, somewhere will be watching what you’redoing sooner or later.

Most ICO data breach reports ‘late and incomplete’ prior to GDPR

960 640 Stuart O'Brien

A Freedom of Information (FOI) request data from the Information Commissioner’s Office (ICO) made by Redscan has found that businesses routinely delayed data breach disclosure and failed to provide important details to the ICO in the year prior to the GDPR’s enactment. 

On average, businesses waited three weeks after discovery to report a breach to the ICO, while the worst offending organisation waited 142 days.

The vast majority (91%) of reports to the ICO failed to include important information such as the impact of the breach, recovery process and dates.

The FOI also revealed that hackers disproportionately targeted businesses at the weekend, while many reports would be issued to the ICO on a Thursday or Friday – possibly in an attempt to minimise potential media coverage. 

Redscan analysed 182 data breach reports triaged by the ICO in the financial year ending April 2018 (relating to ‘general businesses’ as well as financial services and legal firms). Key findings include:

  • On average, it took companies 60 days to identify they’d been a victim of a data breach, with one business taking as long as 1320 days
  • After identifying a breach, it took businesses an average of 21 days to report it to the ICO, while one took as long as 142 days
  • More than 9 out of 10 companies (93%) did not specify the impact of the breach, or did not know the impact at the time it was reported
  • Less than a quarter (45 out of 182) of businesses would be compliant with current GDPR requirements, which demand organisations report a breach within 72 hours of discovery
  • Nearly half of data breaches were reported to the ICO on a Thursday or Friday (87 of 181)
  • Saturday is the most common day for businesses to fall victim to a data breach – over a quarter of incidents were reported on a Saturday
  • Financial and legal firms identified and reported breaches more promptly than general businesses

“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses”, said Mark Nicholls, Redscan director of cybersecurity.

“Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.” 

Redscan’s FOI request reveals that financial services and legal firms were far better at identifying and reporting breaches than general businesses – likely due to increased regulatory awareness and the highly sensitive nature of data processed in these industries.

On average, financial services firms took 37 days to identify a breach, legal firms took 25 days, while companies classified as ‘general business’ took 138 days. 

Financial services (16 days) and legal firms (20 days) were also quicker to disclose breaches to the ICO than general businesses (27 days). 

21% organisations did not report a breach incident date to the ICO, suggesting they either lacked awareness of or knowingly withheld this important information. A further 46/181 (25%) organisations also failed to report a breach discovery date. 

Half of UK IT directors would pay cyber-ransom to avoid GDPR fines

960 640 Stuart O'Brien

A new study has revealed that almost half (47%) of UK IT directors would ‘definitely’ be willing to pay a ransom fee to hackers who stole their company data, rather than report a breach to the authorities and pay a larger penalty under the EU General Data Protection Regulation (GDPR).

The research, commissioned by Sophos, show a further 30% of UK IT leaders said they would ‘possibly’ consider paying the criminals’ ransom if it was lower than the possible penalty for a breach. Only one in five (18%) respondents completely ruled out paying off their attackers.

Small businesses were least likely to consider paying a ransomware demand
● More than half (54%) of IT directors at UK companies with fewer than 250 employees ruled out paying their attackers
● Just 11% of directors at companies with 500 – 750 employees said they would opt for this approach

UK IT directors are significantly more likely to pay than their counterparts in other Western European countries
● Of the five European countries studied, Irish IT directors were the least likely to pay. Just 19% said they’d ‘definitely’ be willing pay a ransom over a larger fine
● IT directors in France, Belgium and the Netherlands were also less likely to pay a ransom. 33% of respondents in France, 24% of those in Belgium and 38% of IT directors from the Netherlands said they’d ‘definitely’ be willing to pay

UK IT directors are the most confident that they are compliant with GDPR
● The research also showed that 46% of UK IT directors were confident that their organisations are fully compliant with GDPR rules
● This is more than the number of IT directors in the Netherlands (44%), France (37%), the Republic of Ireland (35%) and Belgium (30%) who were confident their organisations were fully compliant
● Just 13% of UK IT directors said they had tools in place to prove compliance in the event of a breach. Organisations in the Netherlands (27%), France (24%) and Belgium (20%) said they were slightly better prepared in this regard

Cloud services are a popular option for managing risk in data protection
● 67% of UK IT directors said they had increased their use of cloud computing as a direct result of GDPR

Adam Bradley, UK managing director at Sophos, said: “It is concerning to learn that so many UK IT leaders misunderstand the threat and consequences of even a minor data breach. Companies that pay a ransom might regain access to their data, but it’s far from guaranteed and a false economy if they do it to avoid a penalty. They still need to report the breach to the authorities and would face a significantly larger fine if they don’t report it promptly.”

‘It is surprising that large companies appear to be those most likely to pay a ransom. It is a mistake for companies of any size to trust hackers, or to expect that they’ll simply hand the data back. Our advice? Don’t pay the ransom, do tell the authorities promptly and make sure you take steps to minimise the chances of falling victim again.

“The best way to avoid paying is to stay one step ahead of the cybercriminals. Hackers tend to rely on phishing emails, unpatched software and remote access portals to gain access, so make sure your systems and people are able to spot the signs of attacks. Patch early and patch often, and secure remote access points with proper passwords and multi-factor authentication.”

Sapio Research interviewed 906 IT directors and managers about their experiences of cybercrime and approaches to cyber security. The interviews were conducted online, primarily with IT decision makers working in companies with between 240 and 750 employees in Belgium, France, Ireland, Netherlands, UK and the Republic of Ireland.

Half of all phishing attacks originate from EMEA

960 719 Stuart O'Brien

A report published by NTT Security has revealed that over half (53%) of the world’s phishing attacks originated from Europe, the Middle East and Africa (EMEA).

The Global Threat Intelligence Report (GTIR) analysed global threat trends from 1st October 2015 – 31st September 2016 and showed that of all phishing attacks worldwide, 38% came from the Netherlands, second only to the US (41%).

The data also revealed that nearly three-quarters (73%) of all malware globally was delivered to its victims because of a phishing attack.

The report highlights the latest ransomware, phishing and DDoS attack tends and the impact of these threats against organisations, with the UK the third most common source of attacks against EMEA, behind the US at 26% and France 11%.

In terms of top attack source countries, the US accounted for 63% with the UK following at 4% and China 3%.

Some of the biggest regional differences related to brute force attacks, which are commonly used to crack passwords. Of all brute force attacks globally, 45 per cent started in EMEA – more than the Americas (20 per cent) and Asia (7 per cent) combined. In addition, 45 per cent of brute force attacks that targeted EMEA customers also started in the region.

Dave Polton, Global Director of Innovation at NTT Security, is calling for more active collaboration between business, government and law enforcement agencies to tackle global threats and to ensure measures are in place that will have a long-lasting impact on global security.

“While phishing attacks affected organisations everywhere, EMEA unfortunately emerged as the top region for the source of these attacks,” said Polton. “These figures, combined with those for brute force attacks, should be of very serious concern for any organisation doing business in EMEA, especially with the EU General Data Protection Regulation (GDPR) just around the corner.

“Any organisation processing data belonging to EU citizens need to demonstrate that their information security strategy is robust.”

Other key EMEA figures:

In EMEA, over half (54%) of all attacks were targeted at just three industry sectors – Finance (20%), Manufacturing (17%) and Retail (17%)

Over 67% of malware detected within EMEA was some form of Trojan

Top services used in attacks against EMEA – File shares (45%), Websites (32%) and Remote administration (17%)

Frank Brandenburg, COO and Regional CEO, NTT Security, concludes: “We all know that no security plan is guaranteed, and there will always be some level of exposure, but defining an acceptable level of risk is important. Clients are starting to understand that by default every employee is part of their organisation’s security team, and businesses are now seeing the value in security awareness training, knowing that educating the end user is directly connected to securing their enterprise.

“Expanding cyber education and ensuring employees adhere to a common methodology, set of practices, and mind set are key elements. Clients see that assisting and coaching their employees (end users) on the proper usage of technology will only enhance the organisation’s overall security presence.”

www.nttsecurity.com

Guest Blog, Marc Sollars: Five ways UK firms can size up to GDPR compliance…

800 450 Jack Wynn

Even as Britain’s business community looks to the government for a workable Brexit plan, the shadow of much tougher data privacy regulation is falling right across UK Plc’s economy.

That’s because the EU’s General Data Protection Regulation (GDPR) is dragging citizens’ right to data privacy back to the heart of the continent’s digital economy from May 2018. And this seismic shift will apply however quickly, and most likely on whatever terms, once Britain leaves the EU.

Concern has grown in Europe for years as personal details being exposed in a connected world. But the GDPR goes way beyond previous privacy thinking, enshrining principles of ‘accountability’, and citizens’ ‘right to be forgotten’ in law – transforming day-to-day business and social interactions with digital and cloud footprints. 

The directive will pervade commerce. When trading partners agree contracts post-2018, they must decide if a workable contract involves consent; from a citizen or data subject, to the handling of personal data that isn’t needed to perform the actual contract. This ruling could upset sectors like eCommerce, or manufacturing with extended supply chains, that draw on multiple partners and data sets.

There’s no escaping the GDPR’s shadow, even with Brexit, because it:

  • Applies to those supplying goods and services to the EU from inside the union or outside; 
  • Goes into law without any enabling legislation; 
  • It takes effect before Britain can make its earliest technical Brexit, we will need different compliance regimes before and after leaving Europe.

Government ministers, the technology sector and legal commentators agree that complying with the directive will change the way that UK organisations, down to comparatively smaller businesses, operate. Post-Brexit, Britain will still need a close imitation of the GDPR to trade with European partners.

And if that hasn’t focused C-level minds, penalties for GDPR non-compliance dwarf anything seen before: offender organisations could be fined up to four per cent of turnover.

But the GDPR’s biggest impact will be on day-to-day work, since UK organisations will become directly liable for managing all the unstructured data (customer details, images and social media interactions) on their networks and in the cloud – a challenge for any business.

Legal and technology experts rightly say there is no silver compliance bullet. Boards, we are told, should take a strategic approach; driving compliance, examining privacy standards and getting their employees on board. 

But this thinking breaks down in the face of exploding cloud-based data processing levels. IT teams have little or no visibility of their data assets and their final uses, a situation only exacerbated as new cloud services come on-stream or organisations authorise bring-your-own-device (BYOD) programmes simply to stay competitive.

GDPR planning begins with visibility: as employees use cloud apps from Evernote to Netsuite, IT and security professionals are asking: where is the data – and who owns it after it leaves our offices?  When a company’s customers use, for example, OneDrive, data is accessed by customers from any device anywhere, so the corporate security team must build corporate-level checks and controls to stop easy data leakage. Well-known UK companies are beginning to deploy Cloud Access Security Brokers (CASBs) solutions for sanctioning and controlling IT applications; only employees on a patched corporate device can access the application.

At present, no team of IT suppliers can provide a complete GDPR compliance solution but suppliers such as CASBs are starting to put organisations on a practical path towards it. This is because these suppliers can integrate corporate network and application monitoring systems – delivering that essential visibility of data.

These fast-evolving capabilities enable us to set out five broad, practical measures for IT and security professionals to anticipate GDPR compliance, as well as help streamline operations, after 2018:

  • Boards must oversee systems that meet data subjects’ future requests under GDPR, such as the right to be forgotten, or requesting copies of relevant (unstructured) personal data;
  • Organisations must start to design data security into products or services – by default;
  • UK companies must plan data security and auditing processes and ways to notify stakeholders of a data breach – as well as making suppliers document their own information security processes;
  • Companies over 250 employees, or whose operations are based on data handling, will need a data protection officer to scrutinise their IT processes, data security and privacy systems;
  • Boards must operate Data Protection Assessments and train up their IT and security personnel on compliance.

It’s a lengthy list, but cloud services and related hardware technologies will transform organisations’ processing and network monitoring power – with these capabilities increasingly available to CIOs and security teams as flexible, managed services. 

There is no silver bullet. But senior IT executives are already scoping the foundations of GDPR compliance. And others will appreciate the irony that UK companies will achieve far better control and visibility of their fast-evolving cloud data processing operations through such focused innovations, even as the directive’s long shadow finally falls over us.

Marc Sollars is CTO of Teneo, a specialist integrator of next generation technology, offering global organisations optimisation solutions for networks, security, storage and applications. The company designs its solutions by understanding through consultancy and delivering through managed services. Marc is on Twitter at: @MarcatTeneo

Guest Blog, Markus Bekk: EU General Data Protection rules will hit soon – are you prepared?

800 450 Jack Wynn

Did you ever try to set-up and execute a transformation programme in just 18 months that will change your global processes, involve all divisions, affect most of your supplier and client contracts, and bear the risk of fines as high as four per cent of your global turnover?

That is what many are probably facing as they prepare for the General Data Privacy Regulation (GDPR), which the EU enacted in 2016 and comes into effect mid-2018. I can already hear shouts of “But Brexit!” However, if an enterprise offers services to the EU market, it is still involved. And now things have gotten even more complex…

What’s the buzz about GDPR?

Given the patchwork of data protection directives created since 1995, the EU decided to harmonise standards, increase cooperation between institutions, and provide clear points of contact. This was backed by a 2015 study showing 89 per cent of Europeans said it was important to have the same rights and protections over their personal information, regardless of the country in which the entity offering services is based.

The most important GDPR updates include:

Privacy by design: Design processes need to incorporate ”privacy by design,“ which means appropriate technical and organisational measures to implement data-protection principles, e.g. applying principles for personal data minimisation, early pseudonymizing of personal data, and data protection security features.

Right to be forgotten: Subjects can request erasure if no legal ground or purpose still exists, or their consent has been withdrawn. Online enterprises are obliged to inform third parties to remove links or duplicates of the data to be erased.

Data portability: In case of automated data processing, data subjects have the right to request and receive data in ”a structured, commonly used, machine-readable and interoperable format” that can be transferred to a different provider.

Notification in case of data breaches: In cases of risks to the rights of data subjects, the supervisory authority needs to be informed within 72 hours. In cases of high-risk data subjects need to be informed with recommendations to mitigate the risk.

Review and Recertification of data: Users may view and update their personal data, free of charge (if not misused).

Rules for consent of data subject: Processing based on consent has been update. It needs to ensure that sufficient consent can be demonstrated; existing consent either fulfils all new requirements or needs to be renewed. Consent may not be conditional for the performance of a contract, must be in clear and plain language, and easily withdrawn in the future. Consent for processing of sensitive data needs to be explicit.

Processing documentation: Data controllers and processors need to maintain processing documentation of various aspects, e.g. representative contact, data protection officer, processing purpose, data categories, data recipients, safeguards in third countries, time limits for erasure, and security measures.

Data Protection Officers (DPO):  Necessary in a variety of circumstances. They require expertise, need to remain independent, and shall directly report to the highest management level. 

Transparency to data subject: When personal data is acquired the subject needs to be informed about various aspects, e.g. identity of the processor, DPO, recipients, international transfers, storage period, several data protection rights, and if data is used for automated decision-making.

Data processing risk assessments:  GDPR requires establishment of effective procedures and mechanisms that focus on processing operations that are likely to result in high-risk to allow effective risk mitigation (in some cases with supervisory authority).

International transfers to non-EU countries: Have been modified and need to be revisited. 

Explicit obligations of data processors: Data processors (processing on behalf of a data controller) are now explicitly required to fulfil certain rules, like documentation requirements, DPO, EU representatives, or data breach notification.

What should be done?

You should get the detailed requirements from the regulation, check how far the regulation is applicable, perform a gap-analysis and launch the most important transformation initiatives. 

This could include:

  • Review communication channels and appoint necessary roles
  • Ensure proper consent of data subjects
  • Update notices, standards and policies
  • Verify and streamline your processes
  • Design processes (privacy by design) 
  • Risk assessment and security measures 
  • Data subject requests (erasure/portability) 
  • Notification and reporting (PDA/data subjects) 
  • Documentation 
  • Evaluate your contracts
  • With your data subjects 
  • With your data processors 
  • Monitor for local GDPR amendments and any updates issued by the European Commission orthe European Data Protection Board.  

Markus Bekk, CISA, PMP, ITIL Expert is a hands-on professional in IT governance, risk and compliance management, and specialises in sourcing and third-party management. He has delivered numerous transformation, transition and innovation projects and programmes with international players mainly in the financial and insurance industry. Bekk is determined to overcome the gaps between traditional IT management disciplines and distributed, international, agile business requirements.

GDPR could see 75,000 new data protection positions worldwide…

800 450 Jack Wynn

The International Association of Privacy Professionals (IAPP) estimates that 75,000 new data protection officer positions will need to be created globally by the time the General Data Protection Regulation (GDPR) comes into effect from May 2018.

After initially predicting that 28,000 such roles would be required, the IAPP calculates a much higher total with 11,790 in the EU alone. The US, considered to be the EU’s biggest trading partner, will need to appoint the most data protection officers, followed by China, Turkey, Russia and Switzerland.

A separate study in partnership with TRUSTe has revealed nine in 10 companies have started to action GDPR, with 67 per cent of EU-based organisations claiming their implementation is either underway or already completed.

Trevor Hughes, IAPP CEO and president said: “Clearly, IAPP members are taking the GDPR’s DPO requirement seriously, with many of them well on their way toward creating a GDPR compliance programme.

 “As the research shows, privacy program leaders are resourceful, but increasingly pressed for time and resources. The IAPP’s training and in-depth educational materials, alongside tools developed by technology providers like TRUSTe, will be vital for helping organizations be ready for the GDPR in May of 2018.”

Read the full ‘Preparing for the GDPR: DPOs, PIAs, and Data Mapping’ report from the IAPP and TRUSTe here

WinMagic logo Microsite

WinMagic: Your guide to the new EU GDPR legislation…

800 450 Jack Wynn

The long-anticipated EU General Data Protection Regulation (GDPR) has been adopted in Brussels after years of negotiations and speculation about how it will affect businesses of all sizes.

The new legislation gives citizens more control over their personal information, and makes companies responsible for keeping their data secure – with fines of up to £20 million (or 4% of turnover) and huge consequences for a breach.

Businesses now need to realise this is not just an IT problem, but a significant organisational issue that senior management need to actively engage with.

Find out what you can do now to prepare with WinMagic’s guide