Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation
The European General Data Protection Regulation (GDPR) will have a global impact when it takes effect on May 25, 2018, according to Gartner, Inc. Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.
“The GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well,” said Bart Willemsen, research director at Gartner.
The GDPR therefore applies not only to businesses in the European Union, but also to all organizations outside the EU that process personal data in order to offer goods and services to the EU, or that monitor the behavior of data subjects within the EU. Such organizations should appoint a representative in the EU to act as a contact point for the data protection authority and for data subjects. Many organizations are also required to appoint a data protection officer; note that “large scale” processing, one of the triggers for that requirement, does not necessarily mean hundreds of thousands of data subjects.
Very few organizations have identified every process in which personal data is involved. Going forward, purpose limitation, data quality and data relevance should be decided when a new processing activity is started, as this helps to maintain compliance in future personal data processing activities. Organizations must demonstrate an accountable legal ground for processing and transparency in all decisions regarding personal data processing activities. Accountability under the GDPR also requires that data subject consent be properly obtained and recorded.
Data transfers to any of the 28 EU member states are still allowed, as are transfers to Norway, Liechtenstein and Iceland. EU-based data controllers should pay specific attention to the new mechanisms under the GDPR when selecting or evaluating data processors outside the EU, and ensure that appropriate controls are in place. Outside the EU, organizations processing personal data on EU residents should select the appropriate transfer mechanism to ensure compliance with the GDPR.
Data subjects have extended rights under the GDPR, including the right to be forgotten, the right to data portability and the right to be informed. If a business is not yet prepared to handle data breach incidents and data subjects exercising their rights, now is the time to start implementing additional controls.
Gartner analysts will provide additional analysis on data security at the Gartner Security & Risk Management Summits 2017, taking place in National Harbor, Maryland.
GDPR Blog 02: Why has the GDPR come about?
There have been earlier attempts at legislation on the security of personal data; a good example is the UK’s own Data Protection Act of 1998. Much has changed in the way data is generated over the last 20 years. Today we live in a global digital economy, we create data very differently, and data volumes are exploding: more data has been created in the past two years than in the entire previous history of the human race. In August 2015, for the first time, over 1 billion people used Facebook in a single day, sending on average 31.25 million messages and viewing 2.77 million videos every minute. We are seeing massive growth in video and photo data, with up to 300 hours of video uploaded to YouTube alone every minute. The outlook is for far more data generation in the future: Cisco’s June 2017 12th Visual Networking Index forecast predicts that by 2021 there will be 13.7 billion Internet of Things connections and 3 trillion internet video minutes per month, amounting to 80% of all internet traffic. Against this fast-moving backdrop it is easy to understand why the existing EU legislation on the protection of citizens’ personal data never envisaged the creation of data on this scale. So an all-encompassing, digitally aware and common standard, the GDPR, has been introduced to provide a level playing field for data protection across all member states. The primary objectives of the GDPR are to give citizens and residents back control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. As well as being sensitive, personal data is highly valued, which is why so many cyber attacks target its capture: once obtained, it can be sold on for criminal purposes and for equally illegal marketing purposes. Many organisations now view the cloud as more secure than on-premise deployment.
What we have to remember is that under the GDPR, cloud security is a joint responsibility between the organisation and its cloud provider. The scope of the GDPR includes IP addresses and online identifiers, and it requires companies to gain people’s explicit consent to use their data. The aim is to make it easier to find out what data companies hold on you, how your data is handled and what it is used for. The implementation date for the GDPR is 25 May 2018, and there is no period of grace beyond that date. Under the GDPR, a data subject has the right to have their personal data rectified or erased (the “right to be forgotten”).
Implementing a GDPR strategy: What you need to know
Simon Kouttis, head of cybersecurity at Stott and May, explains what you need to know about the upcoming GDPR. The European Union’s General Data Protection Regulation comes into force on May 25, 2018. With it come new rules on the collection and processing of personal data that will affect some 508 million EU residents, and any organisation that handles their information. In less than two years’ time, businesses will have to obtain explicit, stated consent to collect an individual’s data. They will need to keep that data no longer than is necessary for the purpose it was collected for, and individuals will need to be told how the data will be used and what rights they have over its processing. In the event of a serious breach, companies will need to notify the supervisory authority (in the UK, the Information Commissioner’s Office) within 72 hours of becoming aware of it, and, where the breach is likely to result in a high risk to individuals, the people affected as well. If your company markets goods or services to any of the European Union’s member states, or handles any of the data of its 508 million residents, it is subject to these rules. The age of big data has been largely positive, but it has also led to a culture of collecting information for no discernible business purpose: a survey from Pure Storage found that 72% of businesses amass information that they never use later on, and 22% of those queried said they do it “often”. The regulation may seem unnecessarily harsh, but if it forces you to streamline your data collection processes, it might have a positive outcome. What data do you have? Where is it stored, which internal and third-party stakeholders have access to it, and how well is it protected? Make sure you are not handling anything you do not strictly need, and have a process for informing users that you intend to use their data and for obtaining their consent. In particular, work out how your company is going to handle a data breach.
You will need to conduct a data protection impact assessment where processing is likely to carry a high risk for individuals, and in the event that your systems are compromised you will need to notify the authorities and the affected users. Much has been said about the potential role a Data Protection Officer might play. In all the talk of compliance, it can be easy to forget that this legislation is supposed to be about protecting data and mitigating potential harm. Hiring, customer relations and security should not be box-ticking exercises: it is in your interest to use data correctly, be transparent with consumers, and safeguard your most vital systems.