GDPR News Center News for 03-31-2018

Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation

The European General Data Protection Regulation will have a global impact when it goes into effect on May 25, 2018, according to Gartner, Inc. Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements. “The GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well,” said Bart Willemsen, research director at Gartner. The GDPR therefore applies not only to businesses in the European Union, but also to all organizations outside the EU processing personal data for the offering of goods and services to the EU, or monitoring the behavior of data subjects within the EU. These organizations should appoint a representative to act as a contact point for the data protection authority and data subjects. Many organizations are required to appoint a data protection officer. “Large scale” does not necessarily mean hundreds of thousands of data subjects. Very few organizations have identified every single process where personal data is involved. Going forward, purpose limitation, data quality and data relevance should be decided on when starting a new processing activity, as this will help to maintain compliance in future personal data processing activities. Organizations must demonstrate an accountable ground posture and transparency in all decisions regarding personal data processing activities. It is important to note that accountability under the GDPR requires proper data subject consent acquisition and registration. Data transfers to any of the 28 EU member states* are still allowed, as well as to Norway, Liechtenstein and Iceland. EU-based data controllers should pay specific attention to new mechanisms under the GDPR when selecting or evaluating data processors outside the EU and ensure appropriate controls are in place.
Outside of the EU, organizations processing personal data on EU residents should select the appropriate mechanism to ensure compliance with the GDPR. Data subjects have extended rights under the GDPR. These include the right to be forgotten, to data portability and to be informed. If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls. Gartner analysts will provide additional analysis on data security at the Gartner Security & Risk Management Summits 2017 taking place in National Harbor, Maryland.

Keywords: [“Data”,”organization”,”process”]

GDPR Blog 02: Why has the GDPR come about?

There have been attempts at legislation regarding the security of personal data in the past, and a good example is the UK’s own Data Protection Act of 1998. Much has changed in the way data is generated over the last 20 years. Today we live in a global digital economy, we create data very differently and the data volumes are exploding; more data has been created in the past two years than in the entire previous history of the human race. In August 2015, for the first time, over 1 billion people used Facebook in a single day and sent on average 31.25 million messages and viewed 2.77 million videos every minute. We are seeing a massive growth in video and photo data, where every minute up to 300 hours of video are uploaded to YouTube alone. The outlook is for much more data generation in the future, with Cisco’s June 2017 12th Visual Networking Index forecast predicting that by 2021 there will be 13.7 billion Internet of Things connections and 3 trillion internet video minutes per month – 80% of all internet traffic. When viewed against this fast-moving backdrop it is easy to understand why current EU legislation regarding citizen personal data protection never envisaged creation of data on this scale. So an all-encompassing, digitally aware and common standard, the GDPR, has been introduced to provide a level playing field across all member states for data protection. The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. As well as being sensitive, personal data is also highly valued, which is why there are so many cyber attacks that target the capture of such data, which once obtained can be sold on for both criminal and equally illegal marketing purposes. Many organisations now view the cloud as more secure than on-premises deployment.
What we have to remember is that with GDPR cloud security is a joint responsibility. The scope of the GDPR includes IP addresses and online identifiers, as well as forcing companies to gain people’s explicit consent to use their data. The aim is to make it easier to find out what data companies hold on you, how your data is handled and what it’s used for. The implementation date for the GDPR is 25 May 2018 and there is no period of grace beyond that time. Under GDPR regulations, a data subject has the right to have their personal data rectified or forgotten.

Keywords: [“data”,”GDPR”,”more”]

Implementing a GDPR strategy: What you need to know

Simon Kouttis, head of cybersecurity at Stott and May, explains what you need to know about the upcoming GDPR. The European Commission’s General Data Protection Regulation is coming into force on May 25, 2018. With this comes new rules regarding the collection and processing of personal data which will affect some 508 million EU residents – and any organisation that handles their information. In less than two years’ time, businesses will have to gain the explicit, stated consent to collect an individual’s data. They will need to wipe this data after a prescribed period of time, and individuals will need to be made aware of how this data will be used, and of any rights they have pertaining to its processing. In the event of a serious breach, companies will need to inform the Information Commissioner’s Office within 72 hours – as well as anyone impacted by the intrusion. If your company markets goods or services to any of the European Union’s member states, or if you handle any of the data of its 508 million residents, it’s subject to these rules. The age of big data has been largely positive, but it’s also led to a culture of collecting information for no discernible business purpose: a survey from Pure Storage found that 72% of businesses amass information that they never use later on; 22% of those queried said they do it “Often”. Again, it’s perhaps unnecessarily harsh, but if it forces you to streamline your data collection processes, it might have a positive outcome. What data do you have? Where is it stored, which internal and third-party stakeholders have access to it, and how well is it protected? Make sure you’re not handling anything you don’t strictly need, and have a process for informing users that you intend to use their data and obtaining their consent. In particular, it’s necessary to work out how your company is going to handle a data breach. 
You’ll need to conduct an impact assessment to ascertain any risk associated with processing, and in the event that your systems are compromised, you’ll need to notify the authorities and the affected users. Much has been said about the potential role a Data Protection Officer might play. In all the talk of compliance, it can be easy to forget that this legislation is supposed to be about protecting data and mitigating potential danger. Hiring, customer relations, and security shouldn’t be box-ticking exercises: it’s in your interest to use data correctly, be transparent with consumers, and safeguard your most vital systems.

Keywords: [“Data”,”information”,”need”]

GDPR News Center News for 03-30-2018

6 months to GDPR: What’s next?

Six months from now, data handling will be subject to new regulations and yet companies are woefully unprepared. Extraterritorial scope: application to any EU body or any data processor or controller processing data of EU citizens. Consent: companies need clear and understandable terms of how data is being used. Data rights: including access to one’s data and the right to be forgotten or erased. Data protection officers: to oversee public authorities, data processors and bodies engaging in large-scale monitoring. If an organization collects any personal data – from a name to an IP address to a social media post to banking information – that body is responsible for the data and accountable to the individual that data belongs to. GDPR will redefine the data processing landscape because it firmly establishes ownership of data with the individuals that data is tied to and distinguishes data processors and custodians as “stewards” or “custodians” of that data, said Dimitri Sirota, CEO of BigID, a startup working with companies on GDPR requirements. Historically, a company just “smashed data together” without necessarily understanding whose data they had, said Sirota. If an individual wants to know what information a company has on them, come May they can ask the company to send understandable information on what personal data is in store. Many data discovery tools are designed to look for a 16-digit string of numbers denoting card data and do not have the multidimensional capabilities to see how this data is used, its context and who it belongs to, said Sirota. Data is a strategic asset any modern, successful company cannot function without. If a data controller stores its data on a third-party cloud and this cloud provider does not meet GDPR compliance, the company is still liable.
So much of data security is focused around building impenetrable walls, but there is no such thing as an impenetrable wall, and companies need to ensure a basic underlying accounting of data repositories is in place in case of data misuse or breaches, said Sirota. Companies have to take into account the size of their EU presence, the type of data they collect and the scope of their business operations; depending on these factors, reaching compliance can take a few months or several years, said Holcomb. The initial phases of data inventory and maintaining records of data processing for compliance will be a big first step for companies, but a change in daily operations farther down the line will be even harder, said Holcomb.

Keywords: [“data”,”company”,”GDPR”]

IT News Africa – Africa’s Technology News Leader

Even as organisations implement better ways to safeguard themselves and their data, malware evolves to become more sophisticated. It is how the organisation can….

POPI regulation to change the face of data analytics (December 12, 2017; Backup and Storage, Big Data, Opinion, Southern Africa; Dean Workman). In South Africa, the Protection of Personal Information Act, promulgated on 23 November 2013, will come into effect next year. While in Europe, the General Data Protection Regulation entered law in May. The grace period for POPI is expected….

GDPR and PoPI – Do I really need to comply with both? (December 4, 2017; General, Opinion, Southern Africa; Fundisiwe Maseko). Ahead of the pending enforcement of the Protection of Personal Information and General Data Protection Regulation legislations, organisations are hurriedly carrying out compliance strategies and tightening up their data security processes. While….

Discussing 2018’s top IT trends and opportunities (November 17, 2017; General, Opinion, Top Stories; Fundisiwe Maseko). Everything is connected, every surface area is primed for data-capturing IoT, and life is mostly conducted from our phones. Even reality itself is becoming trickier to pin down, whether augmented, virtual or actual. With 2018 nigh, we should expect more of….

How South Africa can prepare for the Big Data Protection shake up (September 8, 2017; Big Data, Opinion; Fundisiwe Maseko). While technology continues to evolve to protect a user’s and a company’s data, organisations still find the most long-standing factors remain the most vulnerable, such as passwords and the person using the device. Many South African companies doing business….

How the new data protection act will affect startups (September 7, 2017; Big Data, Southern Africa, Top Stories; Fundisiwe Maseko). The protection of data has been the subject of thousands of conversations globally. As more and more businesses digitally transform, how they handle and analyse data is coming under more intense scrutiny. With the force of cybercrime growing by the day,….

Keywords: [“data”,”Protection”,”how”]

GDPR: Where do I start?

As we engage with our customer base, awareness of the General Data Protection Regulation is starting to grow. Protecting personal data has always been an important issue in the European Union, especially in the last 20 years. The new GDPR takes data protection to an entirely new level. In addition to a new set of legal requirements that necessitate both organizational and technological responses, the GDPR is applicable to almost every organization around the world that collects or processes EU citizens’ personal data. The GDPR is a long read with 99 articles in fairly dense regulatory text. There are many reasons getting started may be the greatest challenge for many organizations; for example, “Data volumes often number in the billions of objects, timeframes are constrained, and determining what falls within these regulations can be cumbersome and complex,” said Joe Garber, vice president marketing, Information Management & Governance, HPE Software, in the press advisory. “The GDPR Starter Kit provides customers with an easily integrated solution set for assessing data, allowing them to take the first step in addressing data and risk management outlined in the regulation.” The GDPR Starter Kit follows HPE’s earlier launch of a comprehensive GDPR solution portfolio, and aims to provide organizations with streamlined next steps on their paths to compliance. The GDPR Starter Kit combines software including HPE ControlPoint, HPE Structured Data Manager, HPE Content Manager and HPE SecureData in bundled solutions to help customers conduct a Personal Data Assessment and optionally encrypt data that is subject to these regulations. The kit lets customers automate assessment of structured and unstructured data, which alleviates a traditionally manual, error-prone process; quickly and cost-effectively encrypt data to mitigate security breaches;
and take a critical step toward lifecycle and retention management to enable compliance with additional GDPR articles and corporate governance requirements. Consulting firm PwC has just released a new GDPR-themed white paper titled “Technology’s role in data protection – the missing link in GDPR transformation.” This new white paper is a great resource that echoes the Starter Kit’s theme of starting your GDPR journey by assessing your data. The white paper provides a framework for practitioners and regulators on evaluating GDPR technology. At its most fundamental level, it is describing data management best practice in the context of the GDPR, something we advocate, too.

Keywords: [“Data”,”GDPR”,”started”]

GDPR News Center News for 03-29-2018


As the Vice President of Global Advisory Services, Jamie focuses on information law, compliance, and governance issues. She has more than 17 years of in-house, government, and law firm experience, which she draws upon to advise corporations, particularly those in heavily regulated industries, on legal and compliance risk mitigation strategies. Common areas include ediscovery, digital investigations, data protection, legacy data remediation, and IT transformation initiatives. Jamie has worked for several leading financial institutions, including UBS in New York, where she was an Executive Director in Legal and Compliance and responsible for designing, implementing, and managing a centralized litigation and investigations response program to support the firm’s litigation and investigation matters worldwide. Jamie also worked for Barclays, leading and implementing a global program to reduce legal, regulatory, and privacy risk associated with legacy systems and data. Prior to corporate, Jamie spent several years in government service, first as a trial attorney in the Division of Enforcement at the U.S. Commodity Futures Trading Commission in Washington, D.C., and later, as Assistant General Counsel for the Agency, where she advised Enforcement attorneys on investigation techniques, strategies, and protocols on cases with global prominence. She also managed several key congressional investigations, Inspector General investigations, and internal investigations, including advising the Commission on strategy and risk mitigation. Jamie has testified in federal court and has qualified as an ediscovery expert. In her corporate and government roles, she served as a 30(b)(6) designee for formal and informal testimony, and regularly interfaced with regulators and Congress on ediscovery strategy and internal practices. 
Independently, Jamie has advised corporate legal departments on ediscovery best practices and operating model development and enhancement, particularly in the face of regulatory scrutiny. Jamie began her career as a litigation and government investigations associate at King and Spalding in Washington, D.C., and later, was a litigation partner at Fennemore Craig, in Phoenix, Arizona. Jamie is a graduate of Duke Law School and Arizona State University and a former law clerk to the Honorable Roslyn O. Silver of the U.S. District Court for the District of Arizona. She is a frequent speaker and lecturer at educational events and legal conferences internationally.

Keywords: [“investigation”,”Jamie”,”legal”]

60 percent of organizations aren’t ready for GDPR

With the deadline of May 2018 looming closer, a new survey shows 60 percent of respondents in the EU and 50 percent in the US say they face some serious challenges in being GDPR compliant. The study by data protection specialist Varonis polled 500 cyber security professionals in organizations with over 1000 employees in the UK, Germany, France and the US and finds more than half of professionals are concerned about compliance with the standard. 38 percent of respondents report that their organizations do not view compliance with GDPR by the deadline as a priority. 74 percent believe that adhering to GDPR will give them a competitive advantage over other organizations in their sector. What is seen as the biggest challenge varies by geography. For UK respondents, 58 percent think that implementing data protection by design poses the greatest challenge in meeting the GDPR, followed by the right to erasure. In the US, security of processing is seen as the biggest challenge, followed by data protection by design. Both Germany and France see the right to erasure as the biggest challenge. “Things are moving in the right direction but some organizations are yet to get the groundwork done. Some have still to survey the data that they’re holding and the processes around it,” says Matt Lock, Varonis’ director of sales engineers and GDPR expert. “There’s still a long way to go. We also don’t know at this stage whether the ICO will have the resources to enforce GDPR.” 36 percent of respondents in the UK, 35 percent in Germany and 42 percent in France report already being in compliance. In the UK, 51 percent of respondents say their organisation is more than 50 percent complete in their compliance process. One in four US respondents believe their firms don’t need to comply with GDPR. “There’s a growing acceptance that implementation of GDPR will be quite hard, people won’t just be able to tick a box on May 25th to say that they’re ready,” adds Lock.
“Many organizations are realising it’s a monster task. We’re seeing lots of different approaches too, in many cases businesses are looking to get rid of data – which is a bit all or nothing – but there are also phased projects to identify data and ensure compliance. The big challenge for organizations now is just the wealth of data they collect. I think GDPR may be a driver for some businesses to reduce the amount of information they hold.” You can find out more in the full report which is available from the Varonis website.

Keywords: [“percent”,”GDPR”,”data”]

GDPR Services

EPI-USE Labs has developed a GDPR Compliance Suite for SAP and Data Secure™. Guidance and best practice: knowledge and direction on where data is stored in SAP®, understanding the affected data types, and choices and processes to meet requirements. EPI-USE Labs has spent over twenty years in the SAP data space creating and developing advanced software solutions, and can also offer guidance and share expertise on GDPR.

Data Disclose solution. Data Disclose is a unique software application which allows you to locate and display data across your SAP systems in seconds, with APIs to also connect non-SAP systems. It’s built on a solid foundation of existing technology and intellectual property (leveraging our well-established Data Secure software suite), and can present the data in a flexible, encrypted, company-branded PDF output. Because people have the right to ask for details about their data, organisations need to know which personal data is stored where, and for what purpose. With Data Disclose, we can help you shine a light on the dark, dusty corners of your SAP system so you can see exactly where the data resides across systems.

Tackling GDPR in detail: the importance of privacy, transparency and technology. Personal data rights: GDPR aims to protect personal data rights such as the right to be informed, the right of access, the right of rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights in relation to automated decision-making and profiling.

Key requirements for GDPR: consent for storage must be given by the data subject. Organisations wishing to store data must have explicit consent from the subject of the data. The reason for storing it must be transparent, and the data subject has the authority to block processing while concerns are dealt with, as well as to request the removal of the information from the system.
The law does say that there must be documentation showing that data protection is by design, and that processes comply with the rights of the data subject. Imagine having to log into a number of SAP systems to download table entries, or take screenshots to show the data subject’s footprint. Your challenges include the complexity, volume and sheer scale of GDPR, and a lack of consistency: every GDPR compliance project is different, depending on the industry, existing IT systems, usage of data, etc. Data is stored and replicated across the system in many places, such as customer master, business partner, change document tables, and so on.

Keywords: [“data”,”system”,”right”]

GDPR News Center News for 03-28-2018

1 in 4 UK businesses have CANCELLED preparations for GDPR

One in four businesses in the UK say they have cancelled all preparations for the EU General Data Protection Regulation in the misunderstanding that it will not apply after Brexit, new research reveals. The regulation, which has been years in the pipeline, is designed to harmonise data protection regulation throughout Europe and provide citizens with more control over their personal data. Noncompliance could result in fines as high as €20 million or up to 4% of global turnover. New rules to ensure privacy must be ingrained into data policies, and citizens will have the right to ask for their personal data to be edited or deleted. It has been ratified by the UK and is due to come into force in May 2018, ten months before Britain completes its exit from Europe. A survey of IT decision makers at UK companies by information management firm Crown Records Management has found 24% are no longer preparing for the regulation. Alarmingly, a massive 44% of those surveyed said they didn’t think the regulation will apply to UK business after Brexit. “For so many businesses to be cancelling preparations is a big concern because this regulation is going to affect them all in one way or another,” said John Culkin, director of information management at Crown Records Management. “Firstly, it is likely to be in place before any Brexit. Secondly, although an independent Britain would no longer be a signatory it will still apply to all businesses which handle the personal information of European citizens.” “When you consider how many EU citizens live in the UK it’s hard to imagine many businesses here being unaffected.” UK officials and politicians were heavily involved in the drawing up of the new regulation and Culkin said the general principles behind it are set in stone.
“The reality is we are likely to continue to see stringent data protection in an independent UK rather than a watered down version,” he added. “This means the best course is to prepare now and have a watertight information management system in place as soon as possible. This issue is not going away.” More positive news out of the survey revealed that seven in ten UK businesses with more than 100 employees have already appointed a data protection officer, one of the requirements of GDPR. Half have introduced staff training, with only 4% not planning to, and 72% have reviewed data protection policies. “These are important statistics,” said Culkin.

Keywords: [“Data”,”Regulation”,”Protection”]

GDPR is a year away: 7 things you need to know to take action

One year from now, on 25 May 2018, all businesses and organisations across Europe that handle customer data will have to comply with the General Data Protection Regulation. GDPR is an overhaul of European data protection laws and could impact every business, individual and member of public sector organisations across Europe. Ultimately, firms will need to reinterpret how they communicate with customers, how they gather data and how they organise that data into an effective audit trail. Ireland’s Data Protection Commissioner, Helen Dixon, has published a handy 12-step guide to preparing for GDPR at GDPRandyou. GDPR has severe penalties for organisations that lose data – up to €20m, or 4pc of an organisation’s revenue, whichever is higher. The GDPR makes it considerably easier for individuals to bring private claims against data controllers if their data privacy has been infringed. Ireland’s Data Protection Commissioner, Helen Dixon, said recently: “An interesting feature of the GDPR is also the fact that it increases the rights of data subjects, in terms of their ability to take civil actions against organisations that contravene their data protection rights, and obtain compensation from those organisations, so I really think we are going to see a big increase in terms of actions taken by individuals directly against organisations.” In Ireland, for example, all breaches must be reported to the Data Protection Commission within 72 hours, unless the data was anonymised or encrypted. Not only do firms need to study the rules, they need to take a good hard look at how they are currently handling customer data, and identify any gaps. Under GDPR, information must be communicated to consumers before processing data in concise, easy-to-understand and clear language. If customer consent is the legal basis for recording and processing personal data, then the high standards set out in GDPR will need to be met.
GDPR has special protections for children’s data, especially in the context of social media and e-commerce, and rules around how consent is communicated to underage customers. GDPR will require some organisations to designate a data protection officer. The data protection officer can be someone within the organisation or an external adviser, and they will take responsibility for data protection compliance. The new GDPR rules will make it possible for multinationals to deal with one data protection authority as their single regulating body, or lead supervisory authority in the country where they are mainly established.

Keywords: [“data”,”organisation”,”GDPR”]

GDPR News Center News for 03-27-2018


The UCL Technology Fund is backing data anonymisation software developer Anon AI as part of a £340,000 pre-seed round, in partnership with the London Co-Investment Fund, AI Seed and Ascension Ventures.

Digital Minister Matt Hancock has insisted that he is confident the UK will secure and maintain an “adequacy ruling” with the EU post-Brexit to ensure that British firms can continue to carry out data transfers with…. (Article published on 20-12-2017.)

July: It was proof that data protection regulators have their work cut out when July saw the launch of the ICO’s first International Strategy, designed to help it meet overseas challenges including increased…. (News published on 14-12-2017.)

UK marketing and advertising industry bodies the DMA and Advertising Association are urging the Government to ensure the final Brexit deal recognises the UK’s deep alignment with the EU on data protection policy. In a…. (News published on 05-12-2017.)

While the majority of UK businesses are bracing themselves for a data breach in the next 12 months, less than half believe they are in a position to shoulder the huge fines which they could potentially face…. (Article published on 04-12-2017.)

A lot of the discussion around machine learning is very theoretical, with thousands of research papers published on the topic per month. Marcin Druzkowski, senior data scientist at Ocado, told the audience at DataIQ…. (News published on 04-12-2017.)

UK companies who are still living in dread of GDPR should thank their lucky stars they are not operating in the US, where a group of Democrats is planning to bring in new laws which appear to make compliance with the…. (News published on 22-11-2017.)

Taxi company Uber is facing investigations on both sides of the Atlantic after admitting that it paid hackers a $100,000 ransom back in October last year to delete data they had stolen on about 57 million…. (News published on 20-11-2017.)

The Open Rights Group has been awarded nearly £60,000 to create a digital tool to help individuals protect and enforce their data protection rights, particularly in the insurance and banking sectors as part of the first…. (News published on 15-11-2017.)

GDPR preparations may be furrowing the brows of business leaders across the UK, but nearly three-quarters of marketers believe the new Regulation will spark a creative revolution as brands strive to find new ways…..

Keywords: [“published”,”new”,”data”]

GDPR compliant data collection surveys

The General Data Protection Regulation will enter into effect in the European Union from May 2018 and will have a fundamental impact on how organizations treat data from individuals in compliance with the new privacy laws. Online surveys, which are at the forefront of any consumer, market or employee data collection, also need to be made compliant with the updated regulations. In order to make it easier for QuestionPro survey software users to create and send GDPR compliant data collection surveys, we have put in place a sophisticated process to ensure all data being collected using our platform is fully GDPR compliant.

GDPR Survey – Data Protection Officer: Every organization that is collecting data from EU citizens must have a named DP officer.

Survey data retention period: GDPR regulations state that companies must make it clear how long data about respondents and users is retained. GDPR regulations require that each company outline its own data retention policy, and more specifically, how long data is retained for.

Right to look at all survey data collected: GDPR calls for allowing citizens and users to be able to look at and download all the data collected on a user. GDPR advises a machine-readable format for downloading the data for respondents. Respondents will be able to see that data and download it in PDF as well as JSON format, to make it compliant with the spirit of GDPR. Respondents, when they click on Privacy and Data Security, will see a list of all the surveys that they have taken.

Survey data breaches and supervising authority: GDPR creates a legal obligation to notify the supervisory authority of a data breach within 72 hours of knowing about it.
Because QuestionPro operates pan-Europe and most companies collect data and impact citizens of multiple countries within the EU, GDPR allows for selecting a “Lead Supervisory Authority”; QuestionPro has selected the Dutch DPA as the lead supervisory authority that governs data collected by QuestionPro. In cases where there is a data breach without our involvement (for example, a laptop with data from survey respondents gets stolen), it is up to our clients to notify their own supervisory authority regarding the breach. When users click on data and privacy, the stated purpose of research and data use will be presented.

GDPR and Data Processing Agreements: There are two kinds of entities as far as GDPR is concerned, collectors and processors. In most cases there will be a single data collection entity that uses one or more processors.

Keywords: [“Data”,”GDPR”,”QuestionPro”]

GDPR News Center News for 03-26-2018

What the GDPR says about Ransomware

Many companies are busy trying to learn more about it, what it means for them, and what they have to do to become compliant. Most people familiar with the GDPR understand that it’s focused on providing companies with guidance on how to manage personal data they collect from customers. This includes what companies need to do to secure personal data, and deal with situations where they lose control of that data. A big part of that is how to avoid and respond to personal data breaches. Because the GDPR is a legal document, it’s important to understand what a personal data breach means in this context. When I hear the phrase “Data breach”, I think mainly of a company losing control of confidential information. The GDPR’s definition is considerably broader. So what does this mean for companies? According to F-Secure’s CISO Erka Koivunen, organizations might need to disclose ransomware infections to the authorities and affected customers. “You will find that a ransomware infection in a considerable number of your workstations and servers that are centric to processing personal data would likely constitute a breach under the GDPR, and could trigger the notification obligation in articles 33 and 34,” says Erka. The catch here is that this is only necessary when, to paraphrase, the personal data breach is a risk to the “Rights and freedoms of natural persons”. How does a ransomware infection at a company affect individuals that have data about them encrypted? That’s not such an easy question to answer. It’s the type of question companies need to ask themselves to prepare for the GDPR. “If you reach a point where ransomware affects the personal data you’ve collected, you need to worry not only about leakage, but also about how you recover the data to continue your business operations.
If you have no good-quality back-ups, the effort of re-collecting and re-enriching the data for you to run your business may call for a gargantuan effort,” explains F-Secure Privacy Officer Hannes Saarinen. “If you’re not prepared and need to collect the same data again, you’ll probably need to report the incident, even though the data was ‘destroyed’ rather than stolen.” Like many other security-related aspects of the GDPR, being prepared to respond to situations where things go wrong will play a big role in shaping what companies address with their GDPR compliance projects. “Practically speaking, incident response plans need to be updated and include checks to determine whether the GDPR notification obligation is triggered by different incidents,” says Hannes.

Keywords: [“data”,”GDPR”,”company”]

GDPR Education

If you are a CISO, or someone who deals with your enterprise’s data, hopefully you have heard of The General Data Protection Regulation. GDPR is the biggest shake-up in European data protection legislation for 30 years. If you are just hearing about it now, as about 50 CIOs were when Data Security presented on this topic at a conference last month, and are starting to educate yourself, don’t be fooled by thinking it only applies to international companies. GDPR, which officially takes effect May 2018, pertains to any business that collects or stores European citizens’ data. The good news is companies have until the May 2018 deadline to ensure that their data protection processes are compliant with GDPR. The not-so-good news: ignore GDPR at your own peril. Data breach penalties for GDPR could be as high as 4% of global revenue or 20M Euros – whichever is greater. Now is the time to educate yourself, and Data Security can help. Although GDPR is not prescriptive in the technologies required to enable compliance, Duncan states, it strongly hints at the use of encryption and pseudonymization as approaches to protect sensitive data. GDPR calls for mandatory breach notification to customers within 72 hours unless the sensitive data was encrypted. HPE FPE transforms data that is formatted as a sequence of symbols in such a way that the encrypted form of the data has the same format and length as the original data. Since there is no change in the data format, retrofitting legacy applications is simple, unlike conventional encryption, which would change the data format. HPE FPE also preserves business functionality, meaning that normal data processing activities are maintained even though the data is encrypted.
HPE FPE fulfills both encryption and pseudonymization functions while allowing the company to do the vast majority of their analytics on the data in its protected form, without breaking existing applications, which makes it a particularly useful technology in the context of compliance with GDPR. One of the complexities introduced by encryption is the management of keys. One point is that GDPR will help to eliminate the many inconsistencies in the patchwork of national security and privacy laws that currently make it tricky to do business in Europe, and it may eliminate the costs associated with dealing with multiple data protection authorities. One far-reaching benefit is that GDPR will compel companies to do a full data discovery, risk classification and data security assessment, actions that are always beneficial to companies.
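The format-preserving property described above can be made concrete with a small worked example. The code below is added here for illustration; it is not HPE’s FPE product, not the NIST SP 800-38G FF1/FF3-1 modes, and not code from any of the articles on this page. It builds a toy format-preserving cipher over decimal digit strings as a Feistel network whose round function is HMAC-SHA256 (the key, tweak, sample numbers and the `protect_formatted` helper are all constructed for this example). Its point is the property the article sells: a 16-digit number encrypts to another 16-digit number, separators such as dashes stay where they were, and the result decrypts back exactly, so the protected value still fits the column and the validation rules of a legacy application.

```python
"""Toy format-preserving encryption (FPE) over decimal digit strings.

Added illustration only: a Feistel network with an HMAC-SHA256 round
function, operating on the two halves of a digit string as integers mod
10**len(half). It is NOT NIST FF1/FF3-1 and NOT a vendor product; for real
deployments use a standardised, reviewed FPE mode. What it does show is the
defining property of FPE: ciphertext keeps the plaintext's length and
character class, so it can be stored where the plaintext was stored.
"""
import hashlib
import hmac


def _prf(key: bytes, tweak: bytes, round_no: int, value: int, modulus: int) -> int:
    """Round function: HMAC-SHA256(key, tweak || round || value) reduced mod modulus."""
    msg = tweak + bytes([round_no]) + str(value).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _split(digits: str):
    """Split a digit string into left (u digits) and right (v digits) halves as ints."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    return u, v, int(digits[:u]), int(digits[u:])


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"", rounds: int = 10) -> str:
    """Encrypt a string of ASCII digits to another digit string of the same length."""
    if not (digits.isascii() and digits.isdigit()) or len(digits) < 2:
        raise ValueError("plaintext must be a string of at least two decimal digits")
    u, v, a, b = _split(digits)
    for r in range(rounds):
        # Even rounds update the left half from the right, odd rounds the reverse.
        # Each round is a bijection (modular addition), so the whole thing inverts.
        if r % 2 == 0:
            a = (a + _prf(key, tweak, r, b, 10 ** u)) % 10 ** u
        else:
            b = (b + _prf(key, tweak, r, a, 10 ** v)) % 10 ** v
    return str(a).zfill(u) + str(b).zfill(v)   # zfill restores leading zeros


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"", rounds: int = 10) -> str:
    """Invert fpe_encrypt: run the rounds in reverse order with modular subtraction."""
    u, v, a, b = _split(digits)
    for r in reversed(range(rounds)):
        if r % 2 == 0:
            a = (a - _prf(key, tweak, r, b, 10 ** u)) % 10 ** u
        else:
            b = (b - _prf(key, tweak, r, a, 10 ** v)) % 10 ** v
    return str(a).zfill(u) + str(b).zfill(v)


def protect_formatted(key: bytes, value: str, tweak: bytes = b"", decrypt: bool = False) -> str:
    """Encrypt (or decrypt) only the digits of a formatted field, leaving separators in place.

    Hypothetical helper for this example: it shows how a dashed or spaced
    identifier keeps its visual format while the digits are protected.
    """
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    digits = "".join(value[i] for i in digit_positions)
    out = (fpe_decrypt if decrypt else fpe_encrypt)(key, digits, tweak)
    chars = list(value)
    for pos, ch in zip(digit_positions, out):
        chars[pos] = ch
    return "".join(chars)


if __name__ == "__main__":
    # Constructed demo key and sample value; neither is real.
    key = hashlib.sha256(b"demo key constructed for this example").digest()
    sample = "1234-5678-9012-3456"
    protected = protect_formatted(key, sample, tweak=b"card")
    print(sample, "->", protected)           # same length, same dash positions
    assert protect_formatted(key, protected, tweak=b"card", decrypt=True) == sample
```

The tweak parameter is what lets the same key protect many fields without identical plaintexts in different columns producing identical ciphertexts; a production FPE mode exposes the same idea. Note also what the property does not give you: because the output space is exactly the input space, an attacker who can submit chosen values learns that the scheme is deterministic per (key, tweak), which is why key management and tweak selection, the complexity the article mentions next, matter as much as the cipher itself.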

Keywords: [“data”,”GDPR”,”Encryption”]

GDPR News Center News for 03-25-2018

6 months to go: GDPR partners are ready to help

As of today, we’re facing a 6-month countdown to the May 25, 2018 deadline for GDPR compliance. “Partners can play a critical role in helping commercial customers adapt to the new regulation. Customers are looking for help from partners to assess their GDPR readiness. That includes evaluating their existing technology environments. The customer lifetime value of that assessment is very promising, including managed services, change management, technology reselling and support, end user training, and deployment services.” – Diana Pallais, Director, Microsoft 365 Partner Marketing. Preparing for the opportunity: IDC estimates this regulation represents a $3.5 billion security products and services opportunity for partners and customers working to comply with GDPR rules. Partners getting ready to help customers with GDPR are thinking about their services in four key ways. Partners need to identify and take inventory of any personal data their organization or their customers have collected. Partners today can perform security and risk assessments, locate relevant personal data, and develop a plan to achieve and maintain compliance. Partners can work with their customers to develop, implement, and manage compliance plans by designing, configuring, and monitoring the policies and controls appropriate for customers’ data and applications. Partners can help customers to monitor, analyze, and act on threat intelligence and user behavior information to effectively address vulnerabilities and breaches. Keep required documentation, process data requests, and manage breach notifications to get ready for GDPR. Partners can offer administrative services to help customers meet their documentation requirements and notification obligations, and respond efficiently to data requests. Partners should download the GDPR Opportunity Overview to learn more. Work with a partner who knows GDPR. Here at Microsoft, we’re working with partners globally to address customer needs around GDPR.
We have several partners today offering Microsoft-based solutions that include an overall set of controls and capabilities to meet GDPR requirements. Here’s a list of global partners we’re currently working with to meet the growing demand for GDPR support. If you want to be included on this list of approved Microsoft GDPR partners, please contact your local account team. We’re always happy to welcome more security and compliance partners. How are you preparing for GDPR compliance? Share your thoughts with the Microsoft Partner Community here.

Keywords: [“Partner”,”GDPR”,”customer”]

Doc Searls Weblog · GDPR

In the content business the commercial Web has become, algorithms are now used to target both stories and the advertising that pays for them. To fully grok how we got here, it is essential to understand the difference between advertising and direct marketing, and how nearly all of online advertising is now the latter. The only intermediary was an advertising agency, if the advertiser bothered with one. Second, the whole idea behind advertising was to send one message to lots of people, whether or not the people seeing or hearing the ad would ever use the product. In their landmark study, “The Waste in Advertising is the Part that Works”, Tim Ambler and E. Ann Hollier say brand advertising does more than signal a product message; it also gives evidence that the parent company has worth and substance, because it can afford to spend the money. Plain old brand advertising also paid for the media we enjoyed. Without brand advertising, pro sports stars wouldn’t be getting eight- and nine-figure contracts. Nearly all the buzz and science in advertising today flies around the data-driven, tracking-based stuff generally called adtech. This form of digital advertising has turned into a massive industry, driven by an assumption that the best advertising is also the most targeted, the most real-time, the most data-driven, the most personal - and that old-fashioned brand advertising is hopelessly retro. Yes, brand advertising has always been data-driven too, but the data that mattered was how many people were exposed to an ad, not how many clicked on one - or whether you, personally, did anything. At least we know it pays for the TV programs we watch and the publications we read. Wheat-producing advertisers are called “Sponsors” for a reason. So how did direct response marketing get to be called advertising? By looking the same. It is now an article of faith within today’s brain-snatched advertising business that the best ad is the most targeted and personalized ad.
Worse, almost all the journalists covering the advertising business assume the same thing. Here is why those two platforms can’t fix it: both have AI machines built to give millions of advertising customers ways to target the well-studied eyeballs of billions of people, using countless characterizations of those eyeballs. Don Marti tweets, “Build technologies to implement people’s norms on sharing their personal data, and you’ll get technologies to help high-reputation sites build ad-supported business models ABSOLUTELY FREE!” Those models are all advertising wheat, not adtech chaff.

Keywords: [“advertiser”,”New”,”how”]

Global Privacy Awareness Training

The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities. Under Article 3, the Regulation “Applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” The GDPR requires organizations to provide quite a number of rights to EU citizens, including transparency, purpose specification, data minimization, the right to erasure, and the right to data portability, among other things. There is a requirement for data protection by design that requires those designing products and services to build in privacy and security protections in the early stages of development. With a length of about 250 pages, it is the strictest privacy law in the world and will require extensive time and resources to prepare for. A survey conducted at this year’s RSA conference concluded that over half of the security professionals surveyed were either not currently preparing or not aware of what they needed to do to prepare. According to a different survey of 900 professionals across eight different countries, nearly half of the respondents were concerned their organizations would not be in compliance with GDPR by next year. 86% of these organizations thought the consequences of failing to comply would have a significant adverse effect on their businesses from harming reputation to incurring high penalties. GDPR imposes huge potential fines for non-compliant organizations – up to 4% of global turnover in many cases. Preparing for the GDPR can seem overwhelming, but the key is good privacy and security fundamentals. It starts with having a healthy data protection program. Getting ready for GDPR can’t be accomplished in a few weeks, so now is the time to start. At far too many organizations, the C-Suite doesn’t even know what GDPR is and hasn’t allocated sufficient resources to be ready. 
For more specifics on the GDPR directive for training, please see my “Guide to GDPR Training” which outlines appropriate content and methods to ensure compliance with GDPR’s training requirements. This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum, an annual event that aims to bridge the silos between privacy and security.

Keywords: [“GDPR”,”privacy”,”training”]

GDPR News Center News for 03-24-2018

How The GDPR Affects Your Paper Documents

During May 2018 the General Data Protection Regulation will come into effect throughout the EU and will replace the UK’s current Data Protection Act. The GDPR will have a major impact on the way data is managed and steps should be taken to prepare immediately. The consequences of failing to adhere to the GDPR are significant – data protection regulators will have the powers to impose fines up to €20,000,000 or 4% of the total worldwide annual turnover, so it’s never been more important to put robust standards and procedures in place. GDPR focus is often placed on cyber security threats, server hacks, database vulnerabilities and data stored on and transmitted between servers and networks. Paper documents, paper records and files are being severely overlooked. If you can’t find this information in your paper documents, then how can you comply with the GDPR? How long would it take you to find information stored in paper files? Do you even know where it is? Is it in the building? Is it in storage? Are you even sure you’ve still got it? All of this searching is incredibly time consuming and costly. It’s easy for paper documents to lead a double or triple life. Human error and human handling of documents can result in a complete lack of document control and exposes your organisation to data breaches. Privacy of data is key to the GDPR. Paper documents can get into the wrong hands easily and this could easily become a data breach. Transportation of data in any format (including paper) should be seen as a threat to information security. These are all real world situations where paper documents can get into the wrong hands. How do you currently manage the retention periods on your paper files? Employees regularly make printed copies of digital files, but if a digital file is destroyed and a paper version is sitting in a folder somewhere then potentially your compliance with the GDPR is affected.
The GDPR states “Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with Art.89(1) and subject to the implementation of appropriate safeguards.” It’s clear from the above that making your paper records adhere to the GDPR guidelines by May 2018 is going to be a complicated and time consuming task. Fears of a data breach and GDPR penalties can become a thing of the past.

Keywords: [“Data”,”Paper”,”document”]

GDPR Archives

The General Data Protection Regulation is now less than 6 months away and the need for businesses to start working together to ensure that all aspects of data storage and processing are ready for the extensive and complex changes has never been greater. Failure to comply with the GDPR could result in significant financial penalties, such as 4% of annual group global turnover or €20 million; whichever is greater. Charlie Knox, head of technology, SD Worx UK. Exactly who should be responsible for data protection within an organisation? Should it be a matter for C-level staff only? Or the IT department? The sales and marketing department collecting customer information? Or is it time to appoint a dedicated Data Protection Officer? The EU’s General Data Protection Regulation comes into effect on 25 May 2017. Organisations can now assess their readiness for the impending General Data Protection Regulation with a free online self-assessment tool launched by MHR, one of the UK’s leading providers of human capital solutions. Simon Fitchett, COO of UK Data Group, discusses the importance of ensuring data security and the role HR professionals can play. It’s often said that the biggest threat to data security comes from people rather than technology – and people conducting private admin on work equipment could be posing a bigger threat than employers realise. With recent statistics revealing that more than four million employees now work at least 48 hours a week, it seems we are all spending more time in the office. Every month XpertHR analyses the most popular FAQs asked by HR professionals in the past month. A new risk analysis paper on GDPR from specialist technology law firm Boyes Turner this week found that promotion by consumer groups of new rights under the General Data Protection Regulation could prove more disruptive to employers than the “TripAdvisor effect”.
Businesses have just a matter of months to ensure that candidate engagement strategies are hitting the mark – or they risk losing access to vast and valuable talent pools. That is the advice of global talent acquisition and management specialist Alexander Mann Solutions, as the launch of new data protection laws draws closer. XpertHR is marking the one-year countdown to the introduction of the EU’s wide-ranging General Data Protection Regulation by launching a practical guide to help HR begin their preparations. The new Regulation – which will come into force on 25th May 2018 – replaces the Data Protection Act 1998 in the UK and marks the start of a radical new data protection landscape, with significant penalties for non-compliance.

Keywords: [“Data”,”Protection”,”Regulation”]

GDPR News Center News for 03-23-2018

Global News: GDPR, what you need to do

The General Data Protection Regulation will come into force in all of the 28 Member States of the European Union on 25 May 2018. This will herald a significant change in the regulatory landscape for data protection, giving EU citizens greater control of their personal data. The new Regulation directly affects both EU and non-EU based businesses as it applies to organisations processing and holding personal data of data subjects in the EU, regardless of the organisation’s location. Non-EU data controllers and processors must comply with the European data protection obligations when they have an establishment in the EU or if they offer goods and services in the EU or monitor behaviour of individuals in the EU. Organisations based outside the EU which are captured by the GDPR must appoint an EU-based representative. The impact of the GDPR will also be felt by businesses in any supply-chain with EU based organisations, as these organisations will be seeking to ensure that the processes, policies and safeguards in place with all their sub-contractors meet GDPR standards. The Feb-March 2018 edition of research News will also feature information on the General Data Protection Regulation. First off you need to determine whether your organisation’s activities mean that GDPR applies. If it does, the next step is to conduct an information audit to fully understand personal data use and processing within your organisation. The kinds of questions you need to investigate include: Where is personal data stored? How secure is it? Who has control and access to the data? Is it shared with third parties and other processors? What are our subcontractor arrangements? Are these sufficient? Understand the legal grounds for collecting data. Is it only consent or do you use other grounds? EFAMRO has produced some excellent guidance on understanding the different legal bases for collecting data.
If you use informed consent you need to look at information notices, policies and so on to ensure that you are being “Fair and transparent” to individuals about your processing unless the individual already has this information. Questions to consider: Can your IT systems and organisation processes cope with the new rights? Think about subject access, data portability, right to be forgotten, recording objections or withdrawing from processing, plus deletion of information. Limit data retention periods and consider retention periods for different types of data and/or data purposes. Review your corporate data and security policies, processes and training. These will all need to reflect the new requirements and staff need to understand their obligations.

Keywords: [“Data”,”organisation”,”information”]

GDPR gremlin

Meeting the demands of GDPR is easier said than done and a substantial proportion of businesses are still showing a worrying lack of preparedness, writes Andrew Lintell of Tufin, a network security product company. A key issue that many businesses are also struggling to cope with is the hugely complex, and difficult to manage, nature of modern networks, which now typically incorporate multiple databases and a growing number of network devices that constantly manage potentially sensitive data. With business networks constantly growing and data flowing across an ever-larger environment, keeping track of all the moving parts can be a significant challenge. When it comes to GDPR, the first business challenge should be to tackle complexity head-on, by increasing visibility and gaining a strong sense of all the moving parts of the network. By mapping the network – and ensuring it is regularly updated – businesses get a clear view of how data flows through the company. Mapping the network also helps to maintain security policy compliance by enabling businesses to easily identify all their network traffic across different applications and services, based on actual usage. Once everything has been mapped, network segmentation can then be applied to ensure that only the appropriate network zones or user groups have access to specific types of data, which helps to keep customer information safe in the event of a data breach. Key to everything is having a centralised tool to manage network security policies and streamline all future changes made to the network. When GDPR comes around, making sure doors to corporate networks remain locked will be key to ensuring compliance – and automation can significantly reduce the amount of effort required. With networks being more dynamic than ever before, carrying out regular reviews of existing rules and policies is essential, but also an extremely tedious task to do manually. 
The so-called ‘ripple effect’ where a minor change to one policy causes a vulnerability in another area of the corporate network is a very real danger. Most importantly, business leaders can feel reassured the whole network meets regulatory standards. Maintaining GDPR compliance 24-7-365 is no mean feat and businesses need all the help they can get. Through an automated approach, risks and vulnerabilities can be proactively identified and resolved across even the most complicated network environment, ensuring compliance all year round. Time may be in short supply, but it’s still not too late for businesses to start putting their GDPR plans into action and turning compliance into a valuable competitive advantage.

Keywords: [“network”,”compliance”,”businesses”]

GDPR News Center News for 03-22-2018

General Data Protection Regulation comes into force on May 25th 2018, and signals a significant change to the law. On the 25 May 2018, the EU General Data Protection Regulation comes into force and brings with it a significant change to the UK’s data protection laws. As a result, housing associations need to work quickly to confirm that they understand, and can comply with, the new law. Currently, housing associations process information about their tenants. As well as general contact, tenancy and financial information, this will include sensitive personal data, especially if the association provides assisted housing for the elderly, vulnerable people or those living with a disability. From time to time, housing associations may also share tenant data with building contractors and tenant survey agencies. In both cases, it is the association’s responsibility to ensure the safe keeping and privacy of this data. Recent breaches of data protection have resulted in eye-watering fines for the organisation at fault, such as the housing association which had to report itself to the Information Commissioner after releasing private contact details of its tenants, or the double-glazing company which was fined £50,000 for making nuisance calls to people who had specifically stated they didn’t want to be contacted. Compliance with GDPR requires you to be able to understand and record what personal data you gather, why you gather it, how you handle it, where you hold it and how you share it. Processes should be put in place to ensure that permission is obtained when necessary to gather data and that data subjects are aware their information is being gathered and what it will be used for. The data obtained should also be proportionate, kept up to date and accurate, and only held for as long as it is required. GDPR introduces new rights for data subjects, such as the right to be forgotten and the right to move data held on them to another provider.
It also introduces important changes to how and why consent to obtain data can be gathered and how this consent can be used. Measures to consider include: appointing a Data Protection Officer; providing new and existing staff with suitable training and awareness, as well as additional sources of guidance and support when required; conducting Data Protection Impact Assessments to design data privacy into any new systems and processes (this is of particular importance if new technology is being deployed, where there is processing on a large scale of the special categories of data, or if profiling operations are being performed which are likely to have an impact on individuals); and notifying the ICO within 72 hours of a data breach.

Keywords: [“Data”,”new”,”association”]

GDPR Compliance Checklist

With 2017 coming to an end, the clock is ticking closer to the implementation of the EU’s new General Data Protection Regulation on May 25th 2018. Whether your company is located within the European Union or outside it, you are required to comply with all requirements of the GDPR if any of your customers are EU data subjects. You must also bear in mind that the GDPR restricts cross-border data transfer outside the EU. For free data flow to occur cross-border, a third country must be deemed to have an adequate level of data protection by the European Commission. The GDPR requires all businesses that process personal information of EU data subjects on a large scale to follow all requirements of the new legislation. If you process the personal data of any EU data subjects you are still required to follow the security requirements of the GDPR in article 30 as well as a large number of the other points set out in the legislation. The good news is you can forgo the appointment of a data protection officer. Knowing where your sensitive data is and who has access to it is essential to build effective data protection policies. Data Loss Prevention solutions such as Endpoint Protector can help you to both monitor the itinerary personal data takes within your network, but also to take measures such as encryption, deletion or blocking based on the results. Encryption solutions can prevent any potential data leaks by encrypting all data that is being transferred to USBs. Much like work health and safety regulations, data protection regulations training under the GDPR will become just as important to a company’s good functioning. One of the major changes brought about by the GDPR is the need for companies to take responsibility for the security of EU citizens’ data. An effective response plan can minimize data loss and save companies considerable sums of money in fines. 
Once a breach has occurred, companies are obligated under the GDPR to report it to their National Data Protection Agencies within 72 hours of becoming aware of it, without undue delay. While both cybersecurity and policy experts are still debating the finer points of the GDPR and what they will mean for companies processing EU citizen data, one thing is clear: companies can no longer afford to turn a blind eye to data security and must make it a priority if they are to stay off the radar of Data Protection Agencies. With major cyberattacks aimed at sensitive data taking place every day, 2018 is going to be the year when regulators will take a stand by making data protection mandatory by law and permanently changing the way companies look at data security.

Keywords: [“Data”,”company”,”Protection”]