GDPR News Center News for 04-30-2018

GDPR: It’s not just about fundraising |

G.D.P.R. Four letters that have sent a collective shiver down the spine of the charity sector lately. Standing for the rather less awe-inspiring ‘General Data Protection Regulation’, the GDPR updates and replaces the current UK Data Protection Act. The four horsemen seen as driving that fear are the Information Commissioner’s Office; the Fundraising Preference Service; the 13 charities fined; and the as yet incomplete GDPR guidance. Under GDPR, the ICO can issue fines of up to £17m, compared to the current maximum of £500,000. The negativity obscures a real opportunity to review and protect the personal data of staff, volunteers, service users and donors. Shouldn’t we be welcoming changes to legislation that strengthen the rights of individuals with regard to their data, and that put more onus on data collectors and users to treat this data carefully? Much discussion of GDPR has focused on the impact it will have on charity fundraising. We are missing the big picture if that is the sole focus of GDPR compliance. We should be looking at the impact of GDPR on all of the personal data that we hold, whether that is on staff and volunteers, or on service users and donors. If your organisation is already up to speed with the Data Protection Act, then you will find GDPR enhances the existing standards. If data protection has been at the end of your long to-do list, then you have further to travel. It can be confusing: the ICO has not yet provided all the guidance on how to implement GDPR, while there appears to be a GDPR industry of private firms willing to advise for a fee. GDPR covers everything about how a charity collects, stores, analyses and deletes personal data on staff, volunteers and service users. Consult previously written guidance on the Data Protection Act, much of which remains current under GDPR and can be a helpful guide in bringing data protection to life. On 8 November we held a debate on the use of personal data by charities.

Keywords: [“GDPR”,”Data”,”Protection”]

Here is what GDPR consent dialogues could look like. Will people click yes?

THIS NOTE HAS NOW BEEN SUPERSEDED BY A MORE RECENT PAGEFAIR INSIDER NOTE ON GDPR CONSENT DIALOGUES. PLEASE REFER TO THE NEW NOTE. This note presents sketches of GDPR consent dialogues, and invites readers to participate in research on whether people will consent. In less than a year the General Data Protection Regulation will force businesses to ask Internet users for consent before they can use their personal data. Many businesses lack a direct channel to users through which to do this. It is likely that they will have to ask publishers to seek consent on their behalf. The first sketch shows what a GDPR consent request by a publisher on behalf of a third party may look like, with references to the elements required by the GDPR. Update: it is important to note that this is a limited consent notice. It asks to track behaviour on one site only, and for one brand only, in addition to “Analytics partners”. What percentage of people are likely to click “OK”? Tracking preferences. In addition to the consent requirements in the GDPR, the forthcoming ePrivacy Regulation requires that users be presented with a menu of tracking preferences when they first install a browser or set up a new system that connects to the Internet. The first tracking-preferences sketch is the menu as it might have appeared under the original proposal from the European Commission, in January 2017. The European Parliament is developing amendments to the Commission’s proposal. The second sketch shows the menu as it might appear under the latest text, from June 2017. Notice that “Accept only first party tracking” is pre-selected. This is because Recital 23 in the current draft stipulates that the default setting should prevent “Cross-domain tracking” by third parties. This menu may change again as the Regulation is further developed. Assuming that some version of this tracking preferences menu becomes law across the European Union, how many people can be expected to opt back into tracking for online advertising?

Keywords: [“CONSENT”,”track”,”NOTE”]


Get your organisation ready for the General Data Protection Regulation changes with our GDPR Brochure. This brochure will aid you in understanding the changes, whether or not these changes will apply to your organisation, and the 13 key areas that they will affect if they do. Paper records represent a significant GDPR compliance risk. To help companies ensure their paper records don’t fall foul of the Regulation, we have a team of experienced business consultants and digital specialists on hand to help you fully understand the impact of the incoming GDPR, and the Data Protection Bill, on your organisation. GDPR and paper records – why it’s not all cyber and fines. GDPR compliance regulations will be in effect before we know it, and though most businesses are aware of the law and what it requires, only 10% of people polled in a recent Restore survey say they have sufficient measures for handling paper records. An individual is behind every piece of personal information recorded on paper. The enhanced individual rights of the GDPR reflect this renewed focus on the individual: the removal of fees for making access requests; the right to require erasure where information no longer serves a purpose; the right to seek compensation should any failure lead to damage. As awareness grows, any increase in the number of individuals using their rights will increase scrutiny on the methods used by organisations to manage paper records containing their personal information. Our recent customer webinar looked at how paper records represent a significant GDPR compliance risk, and provided advice on how you can start managing those risks. In the meantime you can download a copy of the slides. The full discussion on GDPR with Rowenna Fielding, Data Protection Lead at Protecture, is available as a Soundcloud track. Take the first step towards your GDPR readiness assessment. Contact us to find out more about our services and our free GDPR health check.

Keywords: [“GDPR”,”Paper”,”records”]

GDPR News Center News for 04-29-2018

UK data protection laws to be overhauled

Citizens will be able to ask for personal data, including information posted when they were children, to be deleted. The proposals are part of an overhaul of UK data protection laws drafted under Digital Minister Matt Hancock. Firms that flout the law will face bigger fines, levied by the UK’s data protection watchdog. The bill will transfer the European Union’s General Data Protection Regulation into UK law. “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world,” said Mr Hancock in a statement. “It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit,” he added. The bill would: make it simpler for people to withdraw consent for their personal data to be used; require firms to obtain “explicit” consent when they process sensitive personal data; expand the definition of personal data to include IP addresses, DNA and small text files known as cookies; and make re-identifying people from anonymised or pseudonymised data a criminal offence. You will be able to ask any firm that holds your personal data – from your name to your DNA – to delete it. There are arguments that those holding the data can put forward to refuse such requests, such as freedom of expression and matters that are of scientific or historical importance. In the UK, firms that seriously breach the rules could be fined up to £17m or 4% of global turnover, whichever is higher. The current maximum fine firms can suffer for breaking data protection laws is £500,000.
Elizabeth Denham, the information commissioner, said: “We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.” As for members of the public, many find it “almost impossible” to understand the complex ways in which firms handle their data, according to computer security researcher Steven Murdoch at University College London.

Keywords: [“data”,”protection”,”firm”]

How Will Privacy Notices Change Under the GDPR? – NDC News

At the moment, when your organisation collects people’s personal data your privacy notice needs to tell them who you are and how you plan to use their data. Under the GDPR you must also communicate your legal basis for processing the data and your data retention periods, and you must inform people that they have a right to complain to the Information Commissioner’s Office if they are unhappy with the way you are handling their data. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect. How do you share your privacy notice with the data subject when you didn’t obtain the personal data from them directly? Under the GDPR you are required to provide these people with privacy information just as you would if you had collected the data directly. Ask yourself: What information is being collected? Why is it being collected? How will it be used? Who will it be shared with? What effect will your data processing and sharing activities have on the data subject? Is the intended use likely to raise complaints? A short, plain-language notice might read as follows. Jane Jones Industries Ltd will be the controller of the personal data you provide. We only collect personal data that is necessary to provide you with our service. We need your basic personal data so that we can provide you with our charity updates. We never collect any data that we don’t need to provide this service. No third parties have access to your personal data unless the law states otherwise. We have a data protection system in place to manage the effective and secure processing of your personal data. We only keep your personal data for as long as you wish to receive charity updates from us. You have a right to see the personal data we hold about you and to have it corrected or deleted. You can meet the GDPR’s requirement to make this information accessible to your data subjects by ‘layering’: a short notice like the one above up front, with links to the fuller detail.
That way, the data subject is not overwhelmed by the information in your privacy notice but is given the opportunity to delve into more detail.

Keywords: [“data”,”privacy”,”personal”]

Gearing Up For The GDPR: Efficient Data Management

GEARING UP FOR THE GDPR: EFFICIENT DATA MANAGEMENT. The General Data Protection Regulation has come at a time when data protection is at the forefront of businesses’ minds. With attacks becoming far more prevalent and widespread, the need for an update to the outdated regulations from 1998 has never been more pressing. Several huge organisations, both in the UK and across the world, have fallen prey to disastrous breaches which have both irreparably damaged the company’s reputation and encroached upon the invaluable personal information of individuals. Personal data has undoubtedly become an extremely valuable commodity, so it comes as no surprise that these new rules have been drawn up to assist in governing its ownership and management. The GDPR is viewed by most businesses as tremendously onerous, with the level of fines attached to breaches seen as excessive and capable of bankrupting a business. The responsibility for this is seen by most as lying predominantly with IT professionals, despite the fact that security is an issue that affects every department in the company. All of this, combined with the inevitable bureaucracy and inconvenience involved, ensures that when it comes to data, businesses must now put the rights of their customers above all else. How do businesses prepare for the GDPR? What data management strategies are the most effective when ensuring compliance? How do you educate your staff in the best security measures? Which data can you safely shed to exclude liability? These and many more questions will be answered at our latest IT Leaders Forum, free to attend for qualified IT professionals. >> REGISTER YOUR FREE PLACE TODAY. This Computing IT Leaders’ Forum is a complimentary half-day conference for senior IT professionals from end-user, private sector organisations. We are not able to accept registrations from employees of software vendors, or from sales, marketing, recruitment or consultancy professionals.

Keywords: [“DATA”,”professionals”,”businesses”]

GDPR News Center News for 04-28-2018

Information Security Forum publishes GDPR implementation guide

The Information Security Forum has announced the launch of the ISF GDPR Implementation Guide, which presents best practices for guiding a compliance program ahead of the European Union’s General Data Protection Regulation. The GDPR Implementation Guide builds on the recently released ISF digest, ‘Preparing for the General Data Protection Regulation’, which summarizes the key requirements of the new legislation and lists the questions an organization needs to address to understand its GDPR readiness. “The need for organizations to prioritize data protection and information security has never been greater. A well-funded, well-governed and enterprise-wide GDPR compliance program will demonstrate an organization’s commitment to data protection and security,” said Steve Durbin, managing director, ISF. “To get the most out of the GDPR Implementation Guide, an organization should consider its current data protection practices and how to improve those practices in line with GDPR requirements. Utilizing the GDPR Implementation Guide, organizations can better prepare, implement, evaluate and enhance their data protection activities.” The guide is organised in phases. Phase A: PREPARE by discovering personal data, determining compliance status and defining the scope of a GDPR compliance programme. Phase B: IMPLEMENT the GDPR requirements to demonstrate sufficient levels of compliance. The ISF, in collaboration with ISF Members and other experts, has developed a structured method for achieving sufficient levels of compliance with the GDPR requirements. The ISF Approach focuses on key compliance actions and includes the guidance required for an implementation plan, which can be embedded in a continuous improvement cycle. It is supplemented with practical actions, tips and reusable templates to accelerate compliance.
The GDPR Implementation Guide is intended primarily for data protection and privacy practitioners, IT, information risk and security professionals responsible for, or supporting, a GDPR compliance program.

Keywords: [“GDPR”,”compliance”,”Data”]

an overview of GDPR

Technological change has ushered in a connected era in which information is gathered, stored and used to provide services which enhance our lives, making data an invaluable resource for modern businesses. With its ever-growing importance, and as companies continue to collect more and more of it, however, a new approach to data is required. Given the substantial impact and the role that data has in both our personal lives and businesses, the upcoming General Data Protection Regulation is a logical next step to ensure that our privacy and the integrity of our data are maintained in the digital age. Going into effect on 25 May 2018, the GDPR is a new set of laws and regulations designed to ensure that personal data, including your own, is kept and used in a safe and transparent manner. We look at GDPR as a positive opportunity for growth. By providing a target to ensure that your data is correct and in order, it will be in better shape for extracting useful information and actionable insights from it, for marketing, customer improvement purposes, innovation and more. Survey respondents from the USA, UK, France and Germany in the charts below also show that more than half of large and medium-sized businesses believe that GDPR will bring with it numerous benefits, with security, trust and collaboration ranking as the most popular opportunities the new regulations offer. High levels of confidence are also shown across businesses who have their data stored on-premises, mostly in the cloud, or completely in the cloud, showing that GDPR’s opportunities span businesses at different stages of technological growth. Meeting the new regulations will also reduce the risks of data breaches and large fines, and in turn improve and maintain your business’s reputation, while ultimately increasing customer loyalty and positive perceptions. GDPR will affect different organisations all over the world in different ways.
Below is a list of resources to help you get started on your journey, ahead of it going live next year.

Keywords: [“data”,”businesses”,”GDPR”]

Get GDPR compliant with the Microsoft Cloud

The GDPR requires that organizations respect and protect personal data – no matter where it is sent, processed or stored. To simplify your path to compliance, Microsoft is committing to be GDPR compliant across our cloud services when enforcement begins on May 25, 2018. GDPR is part of our holistic cloud compliance investments. Contractual commitments – We are standing behind you through contractual commitments for our cloud services, including timely security support and notifications in accordance with the new GDPR requirements. From March 2017, our customer licensing agreements for Microsoft cloud services will include commitments to be GDPR compliant when enforcement begins. Sharing our experience – We will share Microsoft’s GDPR compliance journey so you can adapt what we have learned to help you craft the best path forward for your organization. While Microsoft is committed to helping you successfully comply with the GDPR, it is important to recognize that compliance is a shared responsibility. It’s important to understand your obligations related to GDPR regardless of where your organization resides. With the most comprehensive set of compliance offerings of any cloud service provider, the Microsoft Cloud is here to support your compliance initiatives. We were the first cloud provider to achieve compliance with ISO/IEC 27018, the cloud privacy standard. Our cloud footprint includes over 100 datacenters and more than 200 cloud services. That’s why Microsoft is committing to be GDPR compliant across our cloud services. Visit the GDPR webpage on our new Microsoft Trust Center website to learn more about how the features and functionality of Azure, Dynamics 365, Enterprise Mobility + Security, Office 365 and Windows 10 will enable you to meet the GDPR’s requirements. As the fast-approaching GDPR deadline draws closer, we look forward to working in close partnership with you on GDPR compliance.
In March, we will announce the details of our contractual commitments in accordance with GDPR rules.

Keywords: [“GDPR”,”cloud”,”Microsoft”]

GDPR News Center News for 04-27-2018

The essential news about content management systems and mobile technology.

Information contained in this Joocial News website is for information and entertainment purposes only. The website and the information may be changed or updated from time to time without notice. In consideration for using this website, the visitor agrees to hold Extly and its directors, officers, members, employees and agents harmless against any claims for damages or costs or any loss of any kind arising out of the access to or use of this website or any information contained in or obtained through this website. Certain links in the website connect to other sites maintained by third parties that may or may not be presented within a frame on the website. Joocial News has not verified the contents of such third party sites and does not endorse, warrant, promote or recommend any services or products, that may be provided or accessed through them or any person or body which may provide them. Extly has not issued or caused to be issued any advertisements which may appear on these websites and therefore accepts no responsibility for such content. The nature of Internet communications means that your communications may be susceptible to data corruption, unauthorized access, interception and delays. This website may include incomplete information, inaccuracies or typographical errors. Joocial News, and any other persons involved in the management of this website, may make changes in the information and content included in this website at any time without notice. Extly shall not be responsible for any incorrect or inaccurate information, whether caused by website users or by any of the equipment or programming associated with or utilized in this website or by any technical or human error which may occur. Extly assumes however all responsibility for the satirical nature of its articles and for the fictional nature of their content. 
All characters appearing in the articles in this website – even those based on real people – are entirely fictional and any resemblance between them and any persons, living, dead, or undead is purely a miracle.

Keywords: [“website”,”any”,”Information”]

Law Society of Scotland

Tim Musson, Convener of the Law Society of Scotland’s Privacy Law Committee, explains why the General Data Protection Regulation is all-important for law firms. Not long to go now! The General Data Protection Regulation will be enforced across the European Union and beyond from 25 May 2018. It is not just the headline figures of potential penalties from the Information Commissioner’s Office of up to €20M, or 4% of global turnover (whichever is higher), which are of importance. ‘Data subjects’ will not only have enhanced data protection rights, but also a much greater awareness of those rights. Complaints to the ICO will result in enforcement, and any enforcement activity will have a major impact on reputation, which is all-important for law firms. Most organisations haven’t started taking serious steps towards compliance: it’s not yet time to panic, but it is time to start planning and putting measures in place. The underlying principles of the GDPR are essentially the same as those of the Data Protection Act 1998, but it turns a great deal of what is currently seen as best practice into mandatory obligations. The problem is that very few organisations have made a genuine attempt to be compliant with the current DPA regime. This is why GDPR compliance is likely to be challenging. As with any new legislation, much is clear but a great deal is still unclear; guidance is slowly emerging from the Article 29 Working Party and the ICO. Still, there are some very useful activities, such as personal data audits, which can be carried out now. The ICO has made it clear that they will expect organisations to have taken suitable steps towards compliance by May, and that there will be no ‘honeymoon period’ for those that haven’t. Tim Musson has been delivering a number of Law Society of Scotland CPD & Training events on data protection and the GDPR. Find out more about upcoming CPD courses. More information on the GDPR can be found on the ICO website.
Finally, you can find the official text of the General Data Protection Regulation at eur-lex.

Keywords: [“Data”,”Protection”,”Law”]

Changes In EU Data Law: The GDPR Requirements And How To Meet Them

The GDPR is the outcome of four years of constant discussions, investigations, and amendments made by the EU to update its data privacy rules and regulations. The GDPR will replace the Data Protection Directive established in 1995, creating a greater territorial scope and stricter penalties for those member states, and businesses dealing with personal data, who fail to keep and handle data according to the new regulation. The new data regulation provides all EU citizens with data privacy in today’s data-driven society. From the customers’ and employees’ perspective, the EU aims to provide all its citizens with more control over how their personal data is collected, processed and retained. Individuals can ask for incorrect data to be rectified, and the controller is obliged to correct it without undue delay. Under the right to data portability, data has to be provided in a structured, commonly used and machine-readable format. The same rules apply to companies within the EU and to companies outside it that process the data of EU residents. After an enormous number of cases of misunderstanding regarding the scope of data protection law, the EU’s GDPR brought an end to that. Since May 25, 2018, the EU GDPR extends the scope of EU data protection law to all foreign companies processing data of EU residents. Non-compliance penalties will also apply to them if they are dealing with the data of EU residents. What to do: Data controllers must report personal data breaches to the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach; this article suggests it could be as little as 24 hours in the most serious circumstances. Data processors must notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. If a notification is not made within 72 hours of becoming aware of the breach, the data controller must give a ‘reasoned justification’ explaining the delay. The controller shall keep a record of any personal data breaches, including all the facts relating to the personal data breach, its effects and the remedial action taken.
This article outlines the main changes in the EU data laws and how you as a business should approach them.

Keywords: [“Data”,”GDPR”,”Regulation”]

GDPR News Center News for 04-26-2018

what does it mean to an organisation?

From May 2018, data protection law changes. This affects how you deal with consumer data and individual persons’ information. To assist local organisations we’re holding a number of free events and training workshops. To explain the importance of understanding your responsibilities we have joined forces with HEXAD Information Security Services. This free two-hour session outlines the GDPR and explains the major things your business must do to meet its requirements. This includes the legal responsibilities of directors and board members and what they can do to become and remain compliant. Following on from the seminar, in conjunction with HEXAD, is the opportunity to attend separate training workshops. The workshops provide hands-on training and are tailored to your type of organisation. The workshops are being offered at introductory discounts for a limited time. What else should I know about the GDPR? All organisations providing goods and services to EU residents will be required to conform to the rules it lays down, or face serious penalties. “The new legislation creates an onus on companies to understand the risks that they create for others and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.” It is both a data protection law and a ‘business risk’ issue. The Information Commissioner’s Office, the UK data privacy regulator, has stated that directors will be personally responsible for breaches. What are the penalties for non-compliance with GDPR? Penalties for non-compliance will be severe. The responsibility for compliance with the GDPR will, in practice, fall on the company’s directors.
The Information Commissioner’s Office is at present empowered to request personal undertakings regarding future conduct from board members to ensure that the company complies with its data protection obligations.

Keywords: [“data”,”GDPR”,”training”]

GDPR: Enabling Digital Transformation in the EU

There is a growing amount of personal information and data available on the internet that is accessible to an almost unlimited number of businesses and organizations. In regard to this, there is something we must keep in mind: GDPR. The General Data Protection Regulation affects all businesses in the European Union. It also affects businesses outside the EU that offer services to EU citizens, monitor their behavior, or process their data on behalf of others. What will happen to the IT security sector once Brexit is in full swing? Two facts influenced the title of this article: businesses are currently immersed in a technological revolution, and cybersecurity has opened the door for digital transformation. 43% of company heads consider that security should be the first priority when implementing digital transformation. IT security is a true business value because businesses cannot be digital without first protecting themselves. 1- The baseline scenario for most organizations and companies larger than 250 employees in the EU: institutions that have successfully empowered employees with business silo information, have implemented Big Data tools, and have generated trillions of data files from productivity tools. 2- To fix the IT problem we need to take back control of the distributed information silo and comply with Articles 12 to 21 of the GDPR (the data subject rights) while satisfying the growing demand for digital transformation. This suggests that there is a greater distribution of business data that is both quick and automatic. The results have been positive, with a different operational impact deriving from the GDPR based on intelligent threat platforms like Panda Adaptive Defense 360. The future of GDPR after Brexit. These changes should be in full swing by mid-2018. It is uncertain how to anticipate the GDPR changes, especially when it comes to implementing operational changes related to cross-border data transfer.
We will continue to look over the current regulations and wait for GDPR updates following Brexit. Stay tuned!

Keywords: [“data”,”GDPR”,”businesses”]

GDPR Journal: On The GDPR Track, Our Compliance Roadmap

In case you missed my first post, I am documenting our GDPR compliance journey, from where I sit as an in-house attorney working for an EU and international SaaS company. Take your mind back: it’s the end of May, one year before the new EU data regulation comes into effect. After internal meetings with various departments to verify feasibility, I finalized our GDPR compliance roadmap. Here are the steps I came up with and the related calendar to bring our company up to speed from point A to C.
Summary
May – June 2017: Nomination of Data Protection Officer.
July 2017: Training. Security and data privacy training sessions to be put in place for all employees and contractors. Process to notify the controller without undue delay after becoming aware of a personal data breach, and to document such a breach. Record of processing activities, including purposes of the processing, description of the categories of data and recipients, and any transfers. Provider contracts to ensure compliance with GDPR, and to make any necessary amendments; a review and update of our current company insurance coverages; to put in place the requisite processes; a periodic review and control. Guarantees by processors to implement appropriate technical and organizational measures to ensure the protection of the rights of the data subjects, and an update of data protection agreements and appendices. Identify cross-border data flows and review the current mechanisms in place.
October – November 2017: Data protection by design and by default. Technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of processing are processed. Implement data protection principles, such as data minimisation. Assessment of the impact of processing operations on the protection of personal data, with the advice of the DPO.
Now off to implement these wonderful concrete steps. Are you currently in the process of becoming GDPR compliant?
Tell us about your compliance journey and the biggest pain points of your experience so far on Twitter.

Keywords: [“data”,”process”,”ensure”]

GDPR News Center News for 04-25-2018

Training GDPR Archives

The General Data Protection Regulation is one of the world’s strictest data privacy laws and requires privacy professionals around the globe to design and implement comprehensive compliance programs. In the past year, I developed a series of resources and training courses to assist privacy professionals with this complex task. 200+ pages of the GDPR summarized into 1 page! Download it for free here. This one-page visual summary of the GDPR will help you and your workforce understand many of the key elements of this law, including territorial scope, lawful processing, rights of data subjects, enforcement and more. I created a new highly interactive version of the GDPR Whiteboard, a computer-based module that can readily be used on internal websites to raise awareness and teach basic information about the GDPR. It can also be used in a learning management system. The GDPR Interactive Whiteboard adds a new level of engagement to the analog GDPR Whiteboard. A Guide to GDPR Training will answer many of your questions about implementing workforce privacy awareness training. The GDPR mandates that all staff “involved in the processing operations” receive privacy awareness training. Three tiers are useful: basic privacy awareness training for your general workforce; advanced training for personnel who need more detailed knowledge of the GDPR; and role-based training specific to an individual’s job function. I have several training courses to help organizations meet the GDPR requirements, such as the ones below, plus courses on Privacy by Design, vendor management, risk and trust, and other important privacy topics. GDPR. This course provides an overview of the GDPR. It also explains the importance of GDPR compliance and the severe penalties that may be imposed for non-compliance. This course can also be offered in conjunction with other courses in our series, Privacy Shield and European Union Privacy Law. Why is privacy important? What is personal data? How do we protect privacy?
Please check out our humorous 1-minute video vignette about the GDPR.

Keywords: [“GDPR”,”privacy”,”training”]

Vanderbilt’s answer to the new GDPR

This enters into force from May 25, 2018, and every company operating in one or more of the 28 EU member countries must abide by this regulation. It will have a big impact on how companies handle personal data. Vanderbilt operates in the majority of the EU’s 28 countries and processes all data with private and public cloud suppliers in the EU and USA. Therefore, GDPR compliance is an important issue for us. Since the beginning of 2017, Vanderbilt has initiated several activities to comply with this new regulation. As the EU regulation draws heavily on the old German Data Protection regulation, we enlarged our already existing protection processes in Germany and began to roll these out to our offices in other European countries. Until May 2018, their main task is to develop and implement a data protection concept. This includes obtaining general agreements with all our external suppliers to obligate them to store the relevant data and to operate according to the GDPR. Part of our agreement with suppliers is to get a list of third countries that might store our data. Mostly, we use our own GDPR-compliant agreement for commissioned data processing. If a supplier proposes their own agreement, we carefully check the content to ensure that all GDPR requirements are reflected. A special area of focus is Software-as-a-Service products such as Vanderbilt’s ACT365 and SPC Connect. These solutions must also comply with the new regulation. As we operate and store personal data from our customers, we emphasize the security and encryption of the processed data, the storage time of data, and the design of privacy and data protection. The actual GDPR will not be the final version, as there are further needs yet to be addressed. The new obligation to inform the authorities about data privacy or security violations is on the right track, but it is not clear when an incident must be reported.
Happily, in the last broad cyberattack, WannaCry, Vanderbilt and our selected providers had no violation of our data usage to report.

Keywords: [“data”,”GDPR”,”agreement”]

New ‘Getting Ready for the GDPR’ Guide Mason Hayes Curran

While the GDPR builds on familiar concepts and rules, it also brings about many changes. To help prepare for these changes, we have launched our “Getting Ready for the GDPR” Guide. The Guide will serve as a helpful resource for those looking to get to grips with the GDPR in the coming months. The GDPR expands the territorial scope of EU data protection law, meaning a greater number of organisations will now be subject to it. The Guide explores the broad scope of the GDPR and explains which businesses could be caught by its wide net. Given the degree of work that many organisations will need to do to get ready for the GDPR, it’s important to understand, from an early stage, whether the GDPR applies to your organisation. Once the GDPR becomes law, the majority of its provisions will immediately apply. This means that organisations cannot wait to remediate issues or implement changes after 25 May 2018. Each of these issues is likely to be relevant to the majority of organisations to which the GDPR applies. While the GDPR builds on many familiar rules, it also introduces a number of significant changes and new legal concepts. The Guide explores a variety of these changes, including increased obligations around consent, greater transparency requirements for privacy notices, new security rules and breach reporting obligations, a revamped regime for enforcement, remedies and liability, and the introduction of the principles of privacy by design and default. One of the most notable and newsworthy changes is the introduction of the ability for regulators to levy significant fines in cases of non-compliance. Finally, the Guide explores certain roles and sectors and the relevance and impact of the GDPR in each context. In particular, the Guide provides an insight into how the GDPR will affect public sector organisations and HR managers.
The Guide also analyses the impact for contracting, given the increased obligations for data processing agreements, and responsibilities around compliance and risk management, arising from the accountability principle.

Keywords: [“GDPR”,”Guide”,”organisation”]

GDPR News Center News for 04-24-2018

Who we are, what we do and why we do it

Barracuda Networks, Inc. offers industry-leading solutions designed to solve mainstream IT problems efficiently and cost effectively, while maintaining a level of customer support and satisfaction second to none. Our products span three distinct markets: 1) content security, 2) networking and application delivery and 3) data storage, protection and disaster recovery. While we maintain a strong heritage in email and web security appliances, our award-winning portfolio includes more than a dozen purpose-built solutions that support literally every aspect of the network, providing organizations of all sizes with true end-to-end protection that can be deployed in hardware, virtual, cloud and mixed form factors. Barracuda is a publicly traded company that provides powerful yet easy-to-use security and storage solutions that simplify IT. CitiBank, Coca-Cola, Delta Dental, FedEx, Harvard University, IBM, L’Oreal, Liberty Tax Service, Mythbusters and Spokane Public Schools are among the more than 150,000 organizations in 100+ countries confidently protecting their users, applications and data with Barracuda solutions. Based in Silicon Valley, our network has 1000+ employees, 5000+ partners, and offices in 15 countries. Combining our own award-winning technology with powerful open source software, Barracuda Networks delivers easy-to-use, comprehensive and reliable solutions to our customers. Barracuda Central, Barracuda Networks’ advanced 24×7 operations center, manages datacenters for all service-based offerings and works to continuously monitor and block the latest Internet threats and protect your networks. At Barracuda Networks, we take pride in serving our employees and surrounding communities. We have been recognized many times for our contributions and industry leadership.
We are an active member of the open source and free software communities, donating hardware, code, funds and other resources to fuel open source technology innovation and collaboration. We’re looking for talented individuals who want to have a big impact.

Keywords: [“network”,”Barracuda”,”solutions”]

Could the GDPR mean an end to parking fines?

One potential consequence of this could be an end to the way that private firms issue parking fines. The DVLA then takes the information it has gathered, such as our address details, and sells it to private parking firms. Providing this information to private parking fine companies is a lucrative side income for the DVLA. In the second quarter of this financial year alone, it sold some 1.4 million records. Private parking firms used these to pursue drivers for penalties up to £100. The RAC has warned that it expects the level of parking fines issued to increase significantly over the Christmas period. This could easily run to over six million if there is a boom in parking ticket numbers over Christmas. Because parking fines are such a profitable business, those involved in it are keen to spot drivers who have overstayed their ticket by even a few minutes. Parking companies allow no grace period at the end of your parking period, even at the chaotic Christmas time when checkouts are busier and shopping trips take longer. With the cost of Christmas rising every year, a £100 parking fine is something that few families can afford to weather. Of those companies cashing in on using DVLA data, Parking Eye was the main culprit during the second quarter of 2017-18. It’s not just private parking companies that are making money from drivers overstaying their welcome. English councils made a record income from parking fines and charges last financial year, at a staggering £819 million. It remains to be seen how this will be interpreted under the GDPR. Meanwhile, Sir Greg Knight is not letting the issue of parking fines drop. His private member’s bill aimed at dealing with the excesses of parking fines will be debated in the House of Commons in the New Year, as he pushes for a fairer balance between landowners’ and drivers’ rights. Do you think the GDPR will mean an end to the DVLA selling drivers’ data to private parking firms? 
Or will the organisation simply find a way to circumvent the new regulations? Leave a comment below to air your views.

Keywords: [“parking”,”fine”,”Data”]

More Bad News On GDPR 11/29/2017

A new study by Openprise shows that three out of four companies are unprepared for the General Data Protection Regulation. Openprise, a provider of a data orchestration platform and compliance services, polled 508 attendees at the recent Dreamforce conference. Of that sample, only about 52% were aware of GDPR, and a paltry 43% of the sales and marketing people knew about it. Granted, awareness was higher among those who have data on EU citizens in their systems: 72% knew of GDPR. But only 60% of those have a framework to ensure compliance with the regulation that takes effect next May. And of those that do know of the pending rule, only 49% have a framework. 32% aren’t sure what the biggest compliance challenge is. What’s the problem? For 32%, the biggest hurdle is “Managing data stored across different parts of the organization.” Another 21% cited lack of understanding of GDPR’s impact, and 10% said the issue was identifying who in their firm is responsible for compliance. Need we repeat that the penalties for non-compliance are €20 million, or 4% of a company’s annual global revenue, whichever is higher? Of course, it depends on the magnitude of the offense. You have to have affirmative consent to hold and process data on people, and to market to them. If you’re big enough in Europe, it will pay to hire an in-house specialist to manage compliance. That said, big vendors and companies probably won’t suffer much at first. “They have a huge army of lawyers,” Allen Pogorzelski, vice president of marketing for Openprise, recently said. “Most have a compliance group. The ones that don’t are going to be caught flat-footed.” “It’s disconcerting that companies as a whole still lack awareness when it comes to GDPR, not to mention an understanding of how to gain compliance.
The runway is disappearing.” King concludes, “If you have any EU data in your sales and marketing databases, you must act now to ensure GDPR compliance and avoid steep penalties that could sink your company.”

Keywords: [“compliance”,”Data”,”GDPR”]

GDPR News Center News for 04-23-2018

Market Opportunities

With the deadline for GDPR fast approaching, organisations are hastily seeking new technologies to enable compliance, and consequently this new legislation is already becoming a substantial driver of growth in both the security and storage markets in Europe. At a recent IT Security Strategy Insights meeting, we spoke to over 120 IT Security Directors from large enterprises, discussing and analysing their future requirements. We will also see considerable growth in demand for technologies with data loss prevention and data classification capabilities. The European Union’s General Data Protection Regulation is a new piece of legislation which will come into effect on 25 May 2018, the implementation of which is set to dramatically change the data protection landscape not only across the EU, but globally. Although the GDPR harmonises legislation across the EU, removing the complexities that organisations currently face when complying with differing local regulations, the challenges of compliance presented by the sheer scope of the GDPR are undeniably immense, and the degree of change seen in certain aspects of the regulation means that many organisations are delving into unknown territory. Though the outlook may at first appear bleak, for every compliance challenge presented there is also an equal opportunity for those who are willing to form part of the solution. The maximum fine for non-compliance is 4% of global revenue; combined with the introduction of mandatory breach notifications, this means organisations have to dramatically enhance their data protection practices. The timescale for compliance is tight; as such, the rapid speed of implementation is driving substantial services revenue. Organisations are seeking help in prioritising risks, achieving compliance and ensuring they are in a defensible position when the day finally arrives, and there is a golden opportunity available for solution providers to help them make privacy a major competitive differentiator.
If you’re interested in participating in our GDPR roundtables please fill out an enquiry form, or contact us to find out more.

Keywords: [“data”,”compliance”,”organisations”]

What Publishers Need to Know

From 25th May 2018, the General Data Protection Regulation will come into force and change the way publishers are able to store, use and distribute data. The new regulation will supersede the outdated 1998 Data Protection Act, introducing harsher fines for non-compliant companies and giving people across European countries more control over what organisations can do with their personal data. Under the new legislation, personal data now extends further than personally identifiable information, which currently includes name, email address, purchases, etc. GDPR now incorporates non-personally identifiable information for the digital age, such as anonymous cookies, location-based data, IP address, etc. All the information collected must have a clear opt-in/opt-out process and an explanation of what data is being collected and why. The new legislation will affect all EU countries, and also companies based outside of the EU if they collect or use personal data of European residents. A supervisory body can also decide to force an organisation to cease all collecting and use of data if regulations are not followed. The new GDPR affects individuals, organisations, and companies that are either Controllers or Processors of personal data. Controllers are the entities that decide the purpose for which the personal data they have collected is used. While GDPR will have a larger impact on some organisations than others, it will affect every company that collects data in some way. Many parts of the regulation are similar to the current Data Protection Act and can relate to information that is collected through an automated process. You will be required to review your approach to data protection and change the way your business handles all data.
Businesses must have data protection policies, data protection impact assessments and relevant documents on how data is processed in order to be fully GDPR compliant or face substantial fines.

Keywords: [“Data”,”Protection”,”information”]

Zurich Warns SMBs About GDPR Non-Compliance

New research suggests the upcoming General Data Protection Regulation could threaten small businesses in the U.K. if they find themselves out of compliance with the data protection rules. Reports on Thursday said research released by insurance company Zurich in its “SME Risk Index” report found many small- and medium-sized businesses across the U.K. are at risk of significant fines, as many remain unaware of the requirements under the GDPR rules. That includes new data protection officer employment requirements, calling for businesses that handle vast amounts of data to hire data protection specialists. In a survey of more than 1,000 small businesses, Zurich found that 85 percent of them will be impacted in some way by GDPR, yet 44 percent said they were not aware they would be required to hire a DPO under the regulation. That requirement comes into effect next May, and only one-third of SMBs said they currently employ a DPO. Small businesses could face regulatory fines for non-compliance, which could be as high as 4 percent of a business’ total turnover and a maximum of more than $24 million. Approximately 25 percent of SMBs surveyed told researchers they would be able to continue operations if they were hit with a fine that large. One-tenth said such a fine would force them to close operations altogether. “Cybersecurity-trained staff are already a rare and highly sought-after commodity, and business leaders should be gravely concerned about their ability to find and hire data security personnel,” said Paul Tombs, Zurich head of SME proposition, in a statement. “If your business requires a DPO, then investing in training current staff is probably the quickest and simplest solution given the current job market for these individuals. Stomaching the investment in training now may be hard to bear, but the repercussions for not doing so will be dire.” According to reports, separate data from Cybersecurity Ventures suggests a cybersecurity job shortage by 2021.

Keywords: [“Data”,”businesses”,”small”]

GDPR News Center News for 04-22-2018

Don’t Be Scared Of GDPR

Regardless of where your business is physically located, if your sales and marketing efforts target people resident in the European Union you’re already aware of the EU’s General Data Protection Regulation, or GDPR, and its implications for your business. What I’m interested in is how GDPR affects business marketing, for better or worse. The vast majority of GDPR concerns the way companies use, protect, store, and keep personal customer data. Not only does it fundamentally change what marketers can and cannot do with data, but it will penalize companies that misuse that information. So how did we get here? Why do we need the GDPR? The answer is simple: because all of us have had to deal with crappy marketers doing crappy marketing for the past decade or so. With GDPR in place, any consumer resident in the European Union has the right to request a copy of the data any organization holds on them. Any business sending marketing messages to EU individuals needs to prove receipt of explicit consent that they can use the data for marketing purposes. So what’s the flip side of the coin? Having all of this data open, harmonized, and accessible to the appropriate people offers the possibility of a whole new level of next-gen marketing tech innovations. Yes, GDPR is there to prevent unscrupulous businesses abusing customer data. GDPR is, in effect, creating a de facto worldwide standard for consumer data protection. With users having the ultimate say in how their data is used, the quality and relevance of marketing campaigns will have no choice but to improve. Blanket email blasts using rented third-party data and poorly considered retargeting campaigns will be swiftly punished by consumers exercising their new data rights. Consumers are more likely to accept better, more targeted, more relevant marketing messages if they know they can turn the tap off quickly and easily if they wish.
The adoption of new marketing technologies and innovations is just a small part of what GDPR promises. For businesses of every shape and size, GDPR provides perhaps the single biggest opportunity to improve marketing performance since the introduction of broadband internet.

Keywords: [“marketing”,”Data”,”GDPR”]

Handling GDPR with Apache Kafka: How does a log forget?

If you follow the press around Apache Kafka you’ll probably know it’s pretty good at tracking and retaining messages, but sometimes removing messages is important too. This raises a very obvious question: how do you delete arbitrary data from Kafka? After all, its underlying storage mechanism is an immutable log. The simplest way to remove messages from Kafka is to simply let them expire. Businesses increasingly want to leverage Kafka’s ability to keep data for longer periods of time, say for Event Sourcing. In such cases it’s important to understand how to make long-lived data in Kafka GDPR compliant. Deleting a message from a compacted topic is as simple as writing a new message to the topic with the key you want to delete and a null value. To ‘forget’ a customer, simply look up their Orders and either explicitly delete them from Kafka or, alternatively, redact any customer information they contain. You might roll this into a process of your own, or you might do it using Kafka Streams if you are so inclined. There is a less common case, which is worth mentioning, where the key (which Kafka uses for ordering) is completely different from the key you want to be able to delete by. Then you can delete messages using the mechanism discussed earlier, using the [ProductId][CustomerId] pair as the key. Quite often you’ll be in a pipeline where Kafka is moving data from one database to another using Kafka Connectors. If you’re using CDC this will just work: the delete will be picked up by the source Connector, propagated through Kafka and deleted in the sinks. One final consideration is that partitions in Kafka are made from a set of files, called segments, and the latest segment isn’t considered for compaction. Kafka provides immutable topics where entries are expired after some configured time, compacted topics where messages with specific keys can be flagged for deletion, and the ability to propagate deletes from database to database with CDC-enabled Connectors.
Despite being built on immutable logs as its fundamental underlying abstraction, Kafka provides tools that accommodate GDPR requirements easily and elegantly.
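
To make the tombstone mechanism and the "latest segment isn't compacted" caveat concrete, here is an added Python example (written for this digest, not taken from the original article or from the Kafka project). It models a single compacted partition in memory rather than talking to a broker: the `segment_size`, the `forget_customer` helper and the order records are constructed for the demonstration, and they stand in for the real topic settings `cleanup.policy=compact`, `segment.bytes`/`segment.ms` (when the active segment rolls) and `delete.retention.ms` (how long tombstones are kept after cleaning). The point it shows is that a null-value write removes the key from what consumers see immediately, but the customer's bytes stay on disk until the active segment has rolled and the cleaner has run.

```python
# Added example: in-memory model of a Kafka compacted partition. Illustrative only,
# not a Kafka client; segment sizes and records below are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, List, Optional

Value = Optional[Dict[str, str]]  # None is the tombstone (null value) marker


@dataclass(frozen=True)
class Record:
    key: str
    value: Value


class CompactedPartition:
    """Toy model of one partition of a topic with cleanup.policy=compact."""

    def __init__(self, segment_size: int = 4) -> None:
        self.segment_size = segment_size
        # The last list is the active segment; Kafka never compacts it.
        self.segments: List[List[Record]] = [[]]

    def append(self, key: str, value: Value) -> None:
        if len(self.segments[-1]) >= self.segment_size:
            self.roll_segment()
        self.segments[-1].append(Record(key, value))

    def roll_segment(self) -> None:
        """Close the active segment (in Kafka: segment.bytes / segment.ms)."""
        self.segments.append([])

    def delete(self, key: str) -> None:
        self.append(key, None)  # a tombstone is just a write with a null value

    def compact(self) -> None:
        """Keep only the newest record per key in the closed segments.

        Simplification: tombstones are dropped in the same pass. Real Kafka keeps
        them for delete.retention.ms so that lagging consumers still see the delete.
        """
        latest: Dict[str, Record] = {}
        for segment in self.segments[:-1]:
            for record in segment:
                latest.pop(record.key, None)  # keep order of last occurrence
                latest[record.key] = record
        kept = [r for r in latest.values() if r.value is not None]
        self.segments = ([kept] if kept else []) + [self.segments[-1]]

    def records_on_disk(self) -> List[Record]:
        return [r for segment in self.segments for r in segment]

    def current_state(self) -> Dict[str, Dict[str, str]]:
        """What a consumer replaying from offset 0 ends up holding per key."""
        state: Dict[str, Dict[str, str]] = {}
        for record in self.records_on_disk():
            if record.value is None:
                state.pop(record.key, None)
            else:
                state[record.key] = record.value
        return state


def forget_customer(partition: CompactedPartition, customer_id: str,
                    redact: bool = False) -> List[str]:
    """Delete (or redact) every order of customer_id; returns the keys touched.

    Hypothetical helper: orders are keyed by order id and carry the customer id
    in the value, so the customer must be located by scanning the current state.
    """
    touched: List[str] = []
    for key, order in partition.current_state().items():
        if order.get("customer") != customer_id:
            continue
        if redact:
            partition.append(key, {**order, "customer": "REDACTED"})
        else:
            partition.delete(key)
        touched.append(key)
    return touched


def customer_still_on_disk(partition: CompactedPartition, customer_id: str) -> bool:
    """True while any stored record, not just the logical state, names the customer."""
    return any(r.value is not None and r.value.get("customer") == customer_id
               for r in partition.records_on_disk())


if __name__ == "__main__":
    p = CompactedPartition(segment_size=4)
    p.append("order-1", {"customer": "cust-42", "item": "book"})
    p.append("order-2", {"customer": "cust-7", "item": "pen"})
    p.append("order-3", {"customer": "cust-42", "item": "lamp"})
    print("tombstoned:", forget_customer(p, "cust-42"))
    print("visible to consumers:", sorted(p.current_state()))
    print("still on disk before roll+compact:", customer_still_on_disk(p, "cust-42"))
    p.roll_segment()
    p.compact()
    print("still on disk after roll+compact:", customer_still_on_disk(p, "cust-42"))
```

The check worth taking away is `customer_still_on_disk`: after the tombstones are written, `current_state` no longer shows the customer, yet the first `compact()` in the test below leaves one order in place because its tombstone still sits in the active segment. Only after the segment rolls and the cleaner runs again is the data gone, which is why an erasure process should monitor segment roll and cleaner lag rather than treat the tombstone write as the end of the job.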

Keywords: [“Kafka”,”delete”,”message”]

The problem is about to get a whole lot worse, as the soon-to-be-enforced General Data Protection Regulation will turn the skills gap into a chasm. Under GDPR, your business could be one mistake away from a breach that could cost you up to €20 million or 4% of your global revenue. A fine-worthy breach includes data hacks, loss or misuse of data. To make the issue even worse, to prepare for GDPR itself you’re going to need staff that are adequately trained in data protection, data management and GDPR compliance. As GDPR affects nearly every company in the EU, people who have knowledge of all of the above are going to be in extremely high demand. A quick search online brings up several GDPR training courses you can send your IT team and other technical staff on so they can get clued up on GDPR and its requirements. Some businesses will need a dedicated Data Protection Officer. There is the further issue of your staff potentially leaking customer data, misusing it or storing it incorrectly. As part of your GDPR preparations, you will have to ensure all staff are aware of GDPR, its implications and what GDPR compliance looks like. You’ll have to go into detail over what constitutes a breach, as well as put in place policies on bring-your-own-device equipment and data governance that all staff will have to be trained in. You should consider holding a few different training sessions with your employees based on how tech literate they are and how clued up they are on GDPR. You’ll also have to schedule regular refresher sessions in case anything changes and to really ensure compliance, and include GDPR in induction sessions for new employees. Organizations should focus on solid data infrastructures. Between setting up employee training and finding yourself a DPO, it’s very easy to forget about the main preparations for GDPR readiness.
You’ll need to carry out a data audit to ensure all your data is stored correctly and securely, is easily transferable when requested and has all the required consent. There’s a significant amount of work to be put in before the May 2018 deadline when GDPR is enforced.

Keywords: [“GDPR”,”Data”,”staff”]

GDPR News Center News for 04-21-2018

The Price Of Compliance: Study Uncovers GDPR Costs 10/26/2017

Much has been written about the penalties contained in the General Data Protection Regulation. What will it cost to comply with GDPR? It will run around $1 million just for technology, according to a survey by the global law firm Paul Hastings LLP. Specifically, firms listed in the Financial Times Stock Exchange 350 expect to spend £430,000 on technology and Fortune 500 companies expect to lay out $1 million. Only 10% of firms in the UK and 9% in the U.S. have purchased new technology to date. “Our research shows that, while large businesses are taking GDPR compliance seriously, there remain worrying signs that they may be falling short in planning for implementation next May,” states Behnam Dayanim, partner and global co-chair of the Privacy and Cybersecurity practice at Paul Hastings. Dayanim adds that “£430,000 or $1 million may seem a large sum, but for many larger and more complex companies, it reflects a small portion of the technology.” The news comes as a plethora of firms are announcing GDPR compliance solutions. Paul Hastings surveyed 100 general counsel and chief security officers at FTSE 350 companies, and 100 at Fortune 500 firms. Technology aside, companies are budgeting for new hires to deal with regulatory issues. Of those polled, 40% of the FTSE firms have allocated from £201,000 to £400,000 for new permanent staff. In the U.S., 34% have set aside $501,000 to $1 million. They are also preparing to shell out for legal advice. The survey found that FTSE firms have budgets for third-party legal support; 17% of the UK firms and 22% of their U.S. counterparts have no such budgets. Of course, these costs are only a fraction of what firms might be fined for violations when GDPR takes effect next May: up to 4% of their global turnover. Dayanim continues that “GDPR compliance can entail substantial revision to existing procedures and systems.
Companies that haven’t yet begun already may find themselves in difficult straits come May; certainly, those that have been dragging their feet would be well-advised to strap on the running shoes and try to catch up.”

Keywords: [“firm”,”technology”,”GDPR”]

The final countdown to GDPR

The aim of GDPR is to harmonise data privacy laws across Europe and create a level playing field. A parallel directive affecting the processing of data by law enforcement authorities was agreed at the same time as GDPR, so the EU authorities are clearly taking a serious stance on this topic.

Major knock-on effects

GDPR brings significant changes to how firms must handle and process personal data. If you take a benevolent view, on the other hand, you will view GDPR as a fantastic opportunity to tidy up your data, reconnect with your customers and build better and more solid relationships. Let’s take the benevolent view and state that, first and foremost, GDPR is for all EU data subjects and their protection. Customer data belongs to customers and GDPR makes this clear. If you process data, new data governance obligations will apply, including an obligation to keep records of your processing activities.

New rights for data subjects

A data subject is the living person to whom personal data relates. Under GDPR, data subjects will have far more control over their personal data and, quite significantly, the right to be forgotten. Data subjects will also have the right to data portability and, if they require more information on their data, organisations must make it easy to request such data and provide a comprehensive response within one month from the date of request. Data protection is not linked to a specific technology, and GDPR is principle-led for the protection of EU data subjects in general. A new concept of joint liability for both data controllers and data processors will come into force under GDPR. The data processors will be jointly liable to data subjects for damages unless they can prove, for example, that a data breach was not their fault. Data processors must report breaches to the data controller.
Identify the areas of your business that may be impacted by GDPR; seek help to design, develop and implement solutions in line with data privacy requirements.

A force for good

The GDPR preparation period is a great time to review your data, not just for the purpose of GDPR, but for business development reasons also.

Keywords: [“Data”,”GDPR”,”new”]

Healthcare Zone

What is GDPR? The General Data Protection Regulation is an EU regulation that will replace the existing Data Protection Act with effect from 25 May 2018. All companies and individuals that process an EU citizen’s data will need to comply with GDPR. Whilst it may appear similar to the DPA, GDPR provides greater levels of protection and control to data subjects. As a result, GDPR will be more onerous than the current DPA requirements. The GDPR will apply to the processing of personal data by a Controller or Processor in the context of the activities of their establishment in the EU, regardless of where the processing actually takes place. It’s worth noting that the result of the UK EU referendum doesn’t alter the need to comply with GDPR, as it still remains a legal requirement. Criminal conviction data cannot be processed without a relevant derogation. The conditions for obtaining consent will alter under GDPR legislation. This means that a soft opt-in is no longer permitted; parental consent is required to process children’s data; indirectly acquired data must not be processed without consent or notification; and records of consent must be kept. The information to be provided at the point of data collection could change significantly. Privacy must be a constant part of any process design and privacy impact assessments must be carried out. Incident management controls must meet new breach notification requirements. Data subjects have new rights to request the erasure or rectification of data and to object to or restrict certain processing methods. Maximum fines for breaches will increase massively and the Information Commissioner’s Office now has rights to audit or to stop firms from processing data.
Under the new legislation, the financial sanctions for breaches or non-compliance of GDPR will rise from the current maximum fine of £500k to a maximum fine of either 2% or 4% of group global turnover depending on the type of breach.

Keywords: [“Data”,”process”,”GDPR”]