GDPR News Center News for 04-10-2018

GDPR Readiness: Compliance Deadline Looms, Confusion Remains

With Europe’s General Data Protection Regulation set for prime time on May 25, 2018, network security provider WatchGuard has produced a study looking at how well organizations understand the law, its impact on their business, and their readiness for the compliance deadline. Bottom line: any company that stores or processes personal information about EU citizens must comply with the GDPR’s privacy laws, yet the study’s results show organizations still lack a clear understanding of exactly how it applies to them. Do they realize they’re adrift in treacherous waters, where penalties for noncompliance are steep, up to four percent of global sales? Maybe yes, maybe no: some 44 percent of respondents don’t actually know how close their organization is to complying with the law.

1. Who knows? 37 percent of organizations don’t know if they need to comply with GDPR, while 28 percent believe their organization doesn’t need to comply at all. Of the organizations that don’t believe the law applies to them, 14 percent collect personal data from EU citizens. Some 28 percent that are unsure about GDPR compliance also collect this type of information. In the Americas, just 16 percent of organizations believe they’ll need to comply.
2. Who’s ready? Despite knowing about GDPR for a while, only one in 10 companies said they’re 100 percent ready for it.
3. Getting there: 86 percent of those organizations recognizing they need to comply with GDPR believe they have a compliance strategy in place, built on firewalls, VPN and encryption security technologies.
4. Work left to do: 51 percent said their organization will need to make significant changes to their IT infrastructure in order to comply with GDPR.
5. The pressure is on: respondents from organizations that are not yet GDPR compliant figure it will take them seven months to get the job done. About 48 percent are looking for third parties to help out.
“Every company with access to data from European citizens needs to understand GDPR and its impact,” said Corey Nachreiner, WatchGuard CTO. “Unfortunately, the data shows that an alarming amount of organizations are still unaware or mistaken about the necessity for GDPR compliance, leaving them three steps behind at this stage,” he said. “The only way to prevent unnecessary fines and frustration is to take a good hard look at the criteria, assemble a GDPR plan of action and begin implementing it immediately.”

Keywords: [“organization”,”percent”,”GDPR”]
Source: https://www.msspalert.com/cybersecurity-news/gdpr-readiness…

The GDPR Overview

You’ve probably heard mention of the GDPR, and likely have many questions about its scope, implications, and potential effects, both on your own business and for the domain industry as a whole. What is the GDPR? It lays out a new set of rules for how the personal data of people living within the EU should be handled. Clear, informed consent and individual control over the use of personal data are basic rights in the GDPR. Any business taking personal data must not only obtain consent, but also explain what it needs the information for. The GDPR imposes requirements around how companies should address security breaches that expose sensitive personal information. What is the purpose of the GDPR? The GDPR helps protect individual privacy in the digital age. The European Union views the protection of personal data as nothing less than a fundamental human right, alongside other rights such as freedom of expression, freedom of thought, and the right to a fair trial. Although other privacy laws are already in effect, the GDPR is different in its scope of applicability and because significant fines may be levied for non-compliance. The GDPR replaces the 1995 EU Data Privacy Directive, harmonizing privacy laws across the EU. Once it comes into effect on May 25, 2018, it will be law in all EU member states. You have customers who live in the EU. You now need to ensure that you’re obtaining permission from these customers to use their personal data, and meeting the updated requirements surrounding its handling. Before the GDPR comes into effect in May 2018, you’ll want to make sure you’re compliant. While the rules outlined in the GDPR apply only to EU-local individuals. How should you prepare for the GDPR?
It’s important to get started now so you’re able to fully understand the implications the GDPR could have upon your business, and plan effectively to meet the updated requirements. We already store your data securely, but we’re doing some internal review to see how we can strengthen our protections to keep information safe. We would like to reinforce this point: Tucows does not share personal data beyond what’s needed to provide the service that the client ordered.

Keywords: [“GDPR”,”data”,”information”]
Source: https://opensrs.com/the-gdpr

The GDPR will cause challenges for connected care developers

According to a new research report from the IoT analyst firm Berg Insight, the upcoming implementation of the General Data Protection Regulation in 2018 will cause challenges for companies in the telecare industry. Telecare and telehealth apps and devices potentially generate huge amounts of data that could be used for various purposes. Today, data is increasingly used to help patients without requiring the patient’s own active involvement. This includes various kinds of health data as well as user location and movement data, which could be used to identify abnormalities. If a user does things differently, for example not leaving or going to bed as usual, a notification can be sent to relatives or caregivers. Legislative authorities in the EU are developing and designing legal frameworks that should be in line with the new data-driven world of mobile health. As part of this, the European Commission will in 2018 implement a General Data Protection Regulation that aims to harmonise data protection rules in the EU, ensuring legal certainty for businesses and increasing trust in eHealth services through a consistently high level of protection for individuals. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international businesses by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive; it becomes enforceable from May 25 next year after a two-year transition period. It does not require national governments to pass any enabling legislation and will be directly binding and applicable.

“While the future is data driven, end-users do care more and more about integrity aspects. The GDPR aims to increase privacy for the end-user, which is a step in the right direction. The regulation by default actually prohibits processing of health data unless explicit consent has been given. At the same time, this will cause challenges for those telecare and telehealth solution providers that are not proactively working on their preparations. If the solution providers are not prepared enough for handling, processing and storing sensitive data in accordance with GDPR, they could risk heavy fines if not fulfilling the requirements,” says Anders Frick, senior analyst, Berg Insight.

Keywords: [“Data”,”Protection”,”GDPR”]
Source: https://www.iot-now.com/2017/12/18/73304-gdpr-will-cause…

GDPR News Center News for 04-09-2018

General Data Protection Regulation Explained

Key Points of the GDPR. Privacy By Design: The aim of the GDPR is to protect the Personal Data of EU citizens, including data such as their name, email address, financial or medical details, and even their IP address. Data Custodianship: In addition, better data custodianship rules are also part of the General Data Protection Regulation. The regulations dictate that organizations should only keep the data they absolutely need for only as long as they need it. Once that data is no longer needed, the data should be destroyed or anonymized. Right To Erasure: Building off the “Right to be forgotten” concept introduced in a 2006 lawsuit against Google, the GDPR includes a right to erasure. This means that users can request for their Personal Data to be deleted from an organization for any number of reasons, including suspected non-compliance with the GDPR. Additionally, explicit consent, which must be given freely, is required for the processing of Personal Data, and organizations must provide users with the same ease of consent withdrawal should the user wish to do so. Breach Notification Requirements: Along with the requirements around keeping users’ data safe, the GDPR also includes mandatory and stringent data breach notification rules. In the event of a data breach of Personal Data, the breach must be reported to the Supervisory Authority of the EU member states affected within 72 hours of the breach’s discovery. Depending on the severity of the data breach, the organization may also need to notify the affected users as well. Understand your network and the scope of the data you have. Make sure you have a grasp on your ecosystem and the scope of the data your organization holds: who has access to it, and what kind of data is it? Once you have an idea of the scope, you can start to implement access limits and monitoring to make sure there’s no unauthorized access. 
No one wants a data breach to occur, but it’s best to be prepared for the worst-case scenario well ahead of time. Put in place a formalized data breach notification process and take it for a few trial runs, and be sure it includes incident detection and response capabilities. The General Data Protection Regulation will be formally implemented on May 28, 2018, and impacted organizations should begin moving toward compliance as soon as possible.

Keywords: [“Data”,”Breach”,”organization”]
Source: https://www.rapid7.com/fundamentals/gdpr

GDPR For Schools

Come May 25th 2018, the GDPR will come into effect, changing the way that schools, colleges, academies and all other organisations are required to manage and protect data. Keeping data securely protected is already law, but as the Data Protection Act is almost 20 years old and the way that data is created, stored and used has evolved a lot, it is time for an update. GDPR stands for the General Data Protection Regulation; the regulation will update the Data Protection Act, which sets out much of the current guidance on data protection. GDPR aims to strengthen how schools and other organisations manage and protect data, with a focus on the protection of personal data. While pre-existing legislation that schools must adhere to will remain in place, the GDPR sets out some drastic changes around how data can be processed and gives individuals more rights than they have previously had concerning their data. The GDPR will affect all organisations that hold data on European citizens, even if they aren’t in Europe themselves. Compliance with the regulation is vital for all schools and, given the sensitive nature of the personal data held, the risk of a data breach is huge. Under the Data Protection Act, the ICO has the power to give a maximum fine of £500,000 for a major data breach. A data breach is defined as the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data. It’s worth knowing that the ICO, to date, has never fined a school for a breach and is more likely to implement an undertaking with the goal of improving a school’s protection policies and compliance with data protection laws. Under the GDPR, public authorities must appoint a Data Protection Officer who will be responsible for helping the organisation comply with the regulation and advising on policies.
One of the core aims and principles in the GDPR is to ensure data is protected correctly, and with organisations sharing data with partners and external organisations it’s vital to make sure they are compliant too.

Subject access requests – Under the GDPR, a data subject can request a copy of the data you have on them.
Data Protection – You should already be doing this under regulations of the Data Protection Act and guidance from the Schools Financial Value Standards.
Data Protection Officers – As a public body, you must have someone responsible for advising on compliance for the school.

Keywords: [“data”,”school”,”Protection”]
Source: https://www.redstor.com/en-gb/news/gdpr-schools

GDPR News Center News for 04-08-2018

What is GDPR and will your club get fined?

Find out about the General Data Protection Regulation and what your club will need to do to comply with the law. This article will give you an introduction to the General Data Protection Regulation and the first steps that you need to take to ensure that your club is GDPR compliant. GDPR will be replacing the Data Protection Act 1998 and will become law in the UK on 25 May 2018. GDPR will apply to you whether you pay staff or are all volunteers, whether you have a hut or not, whether you have 10 members or 1000 members: there are no exemptions! GDPR is already here, and the period from now up to May 2018 is for implementing any changes that organisations need to make to become ‘GDPR compliant’. What is GDPR and why change from the Data Protection Act 1998? Changes to data protection regulations are required because advances in technology over recent years, and the different ways that personal data is now processed with this new technology, need to be covered. GDPR will give EU* citizens more control over how their personal data is used. It will make it clearer for organisations to understand their data protection requirements. The reason that all clubs need to comply is that clubs collect data about their members – name, address, e-mail address, telephone number etc. For some clubs additional data may be collected, such as date of birth, gender, emergency contact details or medical information. If your club is fully compliant with the Data Protection Act then you may only have minor changes to make to be compliant with GDPR. Steps to ensure that you are ‘GDPR compliant’: these are the first steps that you need to take to check out what you do as a club with the data that you hold.

Consider what data you hold: who holds it and who has access to it?
Consider where that data came from: how is it updated, how regularly is it updated, how long do you hold it for?
Consider what you do with the data: who do you give it to, how do you transfer it to other people/organisations?
Consider the security of data: where do you hold data, what data do you encrypt/password protect?
Do you have permissions from your members to do what you do with their data, and when was that permission given?
Do you have a data protection policy, is it adhered to, is it current?

Working through the points above will give the club a good understanding of current practices and may identify some issues that you will need to deal with.

Keywords: [“Data”,”GDPR”,”club”]
Source: https://www.thebmc.co.uk/gdpr-mountaineering-clubs-introduction

Managing GDPR with Teams, Planner, and Compliance Manager

Following its announcement at Ignite 2017, Microsoft launched the preview of its Compliance Manager on November 16. The Compliance Manager is available to all organizations with a paid or trial subscription to a Microsoft cloud service, except tenants of the Office 365 datacenter regions in China and Germany. Microsoft describes Compliance Manager as: “A dashboard that summarizes Microsoft’s and your organization’s control implementation progress for Office 365 across various standards and regulations, such as the EU General Data Protection Regulation, ISO 27001, and ISO 27018.” To access Compliance Manager, log in using your Microsoft cloud credentials. Office 365 already includes many compliance features to help an organization control data, including data loss prevention and retention policies, classification labels, encryption and rights management for documents and email, content searches, and auditing. Compliance Manager is a dashboard, but it is a passive instrument. For now, Compliance Manager lists standards and regulations that organizations and service providers might want to satisfy and delivers some practical advice about how tenants can start dealing with those standards. When I started Compliance Manager, it offered the option to work with GDPR and ISO 27001:2013. The biggest benefit of the Compliance Manager is how Microsoft has broken down complex regulations like GDPR into controls. With 47 controls to satisfy, any Office 365 tenant has a lot of work to do to make sure that they can cope with GDPR. Compliance Manager tells them what needs to be done but gives no practical assistance to manage the actual work. You can also upload documents to Compliance Manager for each control. All in all, using the Compliance Manager to track work is an exhaustingly manual process. Creating a new plan also creates a new Office 365 Group, to which I added the people who would work on the GDPR controls as members. Voilà!
I now have the ability for people to work through the controls necessary for the organization to satisfy GDPR. Of course, it would be nice if Microsoft built the necessary intelligence into Compliance Manager to create the Office 365 Group, plan, and team and export the controls information to the plan, probably using the Microsoft Graph APIs. Microsoft’s Compliance Manager breaks down complex regulations into digestible chunks.

Keywords: [“Office”,”plan”,”Compliance”]
Source: https://www.petri.com/teams-planner-compliance-manager-gdpr

GDPR vs EU-US Privacy Shield

The deadline for enforcing GDPR, or General Data Protection Regulation, is only a few months away, and businesses across the US are asking themselves what they need to do to prepare, if anything. What does the new regulation mean for the EU-US Privacy Shield agreement from last year? How does the newest agreement affect companies in the US? We’ll answer a few questions about GDPR and EU-US Privacy Shield. What is GDPR? It’s a new framework for data protection that’s meant to unify the various data protection laws across Europe. US businesses that have offices in Europe or collect or use EU data for any reason will be affected. Do I need to be compliant with GDPR? If you have anything at all to do with the EU, yes. What’s the difference between GDPR and EU-US Privacy Shield? The EU-US Privacy Shield is a new agreement between the EU and US in response to the now-invalidated Safe Harbor agreement of 2000. Privacy Shield allows for the transfer of personal data from the EU to the US and focuses on the methods of data transfer, including third-party transfers. The GDPR is a law that has specific requirements for companies that handle EU data in any country, not just the US. According to GDPR, data transfer may only occur to countries deemed by data protection authorities as having adequate data protection laws. This agreement helps create the adequate data protection laws needed for US companies to meet the GDPR requirement. If I’m compliant with Privacy Shield, does that mean I’m compliant with GDPR? Not necessarily. There are several requirements of GDPR. Being compliant with Privacy Shield only ensures that you have the adequate data protection laws in place to do business with the EU. You may need to take additional steps, such as hiring a dedicated Data Protection Officer. Essentially, the old data protection laws that were first enacted were no longer adequate to keep up with the explosive growth in data and the technology surrounding it.
According to the GDPR website, the new regulation was “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” Visit eugdpr.org to read the key articles of GDPR and get more information about the new standard’s impact on businesses.

Keywords: [“Data”,”GDPR”,”Privacy”]
Source: http://resource.onlinetech.com/gdpr-vs-eu-us-privacy-shield

GDPR News Center News for 04-07-2018

Businesses scramble for GDPR compliance

The British government has confirmed that the GDPR data rules will come into force in May 2018. One survey says that most UK businesses remain unaware of the requirements, the solutions – and the multimillion-pound fines – that the new legislation will entail. This week, the British government confirmed that the General Data Protection Regulation will become a part of UK law by May 2018 – meaning that businesses have only nine months to guarantee compliance, or face potentially devastating fines. GDPR replaces the existing legislation as defined by the Data Protection Act. Failure to follow the new laws can result in a substantial fine of €20 million, or 4 per cent of global turnover. The polling agency YouGov found in May of this year that just 29 per cent of organisations in the UK have begun to prepare for GDPR changes. Data law expert and founder of DigitalLaw UK, Peter Wright, believes that this week’s announcement represents the final warning for companies wishing to avoid the fines – but he added that it “may already be too late” for some larger organisations with complex infrastructure. GDPR is a subject that we have talked about before – and we will be looking at it again in depth in the not too distant future. A premium software-as-a-service product will provide out-of-the-box GDPR compliance as standard; many firms, including eBoss, offer an end-to-end solution that secures data at each stage of the recruitment process. Existing eBoss clients have GDPR compliance support as a standard part of the eBoss service. The Association of Professional Staffing Companies has released data for the financial sector, showing a near thirty per cent jump in vacancies within the financial sector between May and July of this year. Commercial banking was responsible for the largest portion of those vacancies, with more unfilled positions than consumer finance, investment banking, and insurance combined.
Despite the sharp rise, the figures actually represent a year-on-year fall in the number of banking vacancies. Banking has long been considered an attractive profession, so why has that seemingly now changed? Public perception of the banking profession has altered over the years: from one of stable, steady employment to that of affluence and risk. Are we now seeing another change, where a new generation – aware of the risks of future jobs obsolescence – is rejecting the uncertainty that a career in banking may now represent?

Keywords: [“data”,”banking”,”GDPR”]
Source: https://www.ebossrecruitment.com/news/businesses-scramble-gdpr…

Onna

What is GDPR? The General Data Protection Regulation of the European Union will take effect for all 28 member states on May 25th, 2018. The primary aim of the GDPR is to return control of personal data to all EU citizens and residents across the 28 member states. Personal data is defined by the European Commission as being any information that relates to an individual. EU citizens will also have the right to access a readable copy of any personal data held by a company, and also the right to be forgotten by that company, if they so choose. The GDPR has been designed to reconcile the various data privacy laws existing across the EU member states in order to create a comprehensive and unified compatibility of data protection within the EU. Complying with the new GDPR rules will not be particularly easy for many companies. The compliance requirements are strict, fastidious and demanding, but will have to be met by those companies doing business within the EU, regardless of where they are based worldwide. Multinational companies in the US are treating the situation as a top priority with regard to data protection, and most are allocating significant budgets, usually in the millions of dollars range, in an effort to be ready and fully compliant with the new data privacy laws when they come into force. The GDPR presents huge challenges for companies operating within the EU. Legal and IT departments especially will be tasked to bring company requirements up to scratch in a timescale that is not particularly generous. It is with this in mind that a number of external companies are now offering a range of solutions to some of the problems created by GDPR. How can Onna help your organization with GDPR? Real-time search across multiple repositories. Onna is a platform that provides real-time search across multiple repositories. Onna automatically processes and indexes all files associated with the source, creating a fully searchable environment.
Create a central point of information and fulfill GDPR requests efficiently. Onna is a discovery tool designed to help organizations take control of their information. Thanks to search using regular expressions, Onna can easily extract personal information, such as social security numbers, EU passports, credit card information, and more. Onna identifies where this pattern of information can be found and helps take action.

Keywords: [“company”,”Data”,”GDPR”]
Source: https://onna.com/use-cases/gdpr

GDPR in construction: Are you prepared?

Some data falls into the sensitive data category. Especially after the recent WannaCry cyber-attack, it is evident that construction has to try hard in order to keep its data safe and to strengthen the profile of the industry as a trustworthy data controller and processor. In order to establish a GDPR-compliant data processing system, there are six vital principles that you need to take into consideration. A data controller is an individual or party that determines, either alone or in cooperation with others, the purpose behind data processing. As far as the data processor is concerned, we are talking about a person or party who follows the guidelines determined by the controllers and who is responsible for processing the personal data on their behalf. From data collection to data storage and alteration, controllers and processors, with the advent of GDPR in construction, have to follow a much more carefully defined context and avoid putting the available data under any type of danger or risk. The data subject should provide unambiguous positive consent regarding the processing of his/her personal data for specific purpose(s). In cases of emergency, the processing of personal data is allowed in order to protect interests of vital importance either for the data subject or for another person in connection with the subject. Simply put, the data subjects should be able to offer their consent for every data processing action separately. Data controllers should provide the option of separate consent based on the data processing action in question. There should be a clear balance of power between the data controller and the data subject. Explicit consent must be given in cases where sensitive data is to be processed or transferred to countries that don’t belong to the EU. How to demonstrate compliance with GDPR in construction: systematic internal inspections can help you ensure that your data protection procedures and policies are following the GDPR guidelines.
Assign a DPO: it is highly recommended that you appoint an experienced Data Protection Officer who can help you with implementing the GDPR principles and who can function as the contact person for data-related issues. If you are still not convinced about the impact that GDPR will have on the way that you manage data in construction, you should take a closer look at the consequences in case of non-compliance with the new EU regulation.

Keywords: [“data”,”process”,”GDPR”]
Source: https://geniebelt.com/blog/gdpr-in-construction

GDPR News Center News for 04-06-2018

Crayon Announces GDPR Services Based on Microsoft Technology

Experts in Risk Assessment and Technology Optimisation Planning to drive compliance with GDPR for businesses worldwide. Crayon has launched GDPR services based on Microsoft technology to help businesses comply with the new European regulations arriving next year. With the GDPR coming into force on May 25th 2018, businesses of all sizes handling data on EU residents must comply with new rules on the protection and privacy of that data across EU member states. This is further complicated by the regulations also applying anywhere that EU residents’ personal data is processed or monitored. Should that data become compromised, then businesses must also report any data breaches within 72 hours. Failure to do so could see them being fined €20,000,000 or 4% of their global annual turnover in the preceding financial year, whichever is higher. The GDPR also introduces a statutory basis for the role of data protection officer. To meet these demands, Crayon’s specialist team of GDPR practitioners will advise and assist businesses consuming Microsoft solutions on their strategy and approach when it comes to complying with GDPR via its new GDPR Governance Service, a comprehensive GDPR management and risk mitigation solution. Crayon will offer managed services and training for DPOs around GDPR for clients and partners alike. Already trusted by many of the world’s leading organisations as the go-to experts for Software Asset Management, the move is a natural extension for the Crayon business in deepening customer engagement en route to compliance and technology optimisation. By undertaking a full risk assessment analysis with Crayon and utilising the embedded data governance qualities in Microsoft solutions such as Azure, Office 365 and SQL Server, businesses will be able to address areas of risk in their IT environment, with Crayon’s specialist GDPR team providing the expertise to bring those areas into compliance.
Torgrim Takle, CEO, Crayon Group, says: “By providing businesses with detailed insight into areas of risk and risk mitigation in relation to their IT environments, Crayon’s team of GDPR experts can help make the road to GDPR compliance a smooth journey. However, GDPR compliance should be part of an overall governance strategy and not seen as an end in itself. We believe cloud services, such as Azure, can offer a more streamlined way for customers to meet their GDPR compliance obligations.”

Keywords: [“GDPR”,”Crayon”,”businesses”]
Source: http://www.fintech.finance/01-news/crayon-announces-gdpr-services-based…

Punter Southall Aspire and GDPR

What is the GDPR? The GDPR is a new regulation which will replace the Data Protection Act 1998. The primary objective of the GDPR is to strengthen data protection for all individuals within the EU by giving them control over their personal data. Among the changes:

The scope of information classed as personal data has changed;
Data subjects have greater rights over their personal data, including portability and having data erased;
There is a higher threshold for consent for processing personal data.

The GDPR applies to ‘controllers’ or ‘processors’ of personal data operating in the EU. A controller says how and why personal data is to be processed and a processor acts on the controller’s behalf. Both are defined in broadly the same terms under the GDPR as they are under the DPA, although data processors now have obligations under GDPR which they didn’t have under the DPA. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. What data is covered? Like the DPA, the GDPR covers ‘personal data’, which is ‘any information relating to an identified or identifiable natural person’. The scope of GDPR is broader than the DPA, and personal data can include online identifiers as well, such as an IP address or cookies. ‘Sensitive personal data’ continues to be covered by GDPR in broadly the same way as under the DPA but is known as ‘special categories of Personal Data’. Punter Southall Aspire’s preparation for GDPR. The Punter Southall Group and Punter Southall Aspire take the handling and storing of personal data very seriously. We already have policies, processes and IT security in place to safeguard personal data and to comply with the requirements of the DPA. As the GDPR introduces changes to how personal data should be managed, we are taking a proactive approach to meeting these requirements. The group-level working group has representation from across the group and is looking at all aspects of the GDPR.
As a business, PS Aspire has also set up its own working group, to enable it to directly focus on GDPR issues specifically affecting our business, the clients and the data we handle. We are undertaking Data Protection Impact Assessments of all of our processes where personal data is involved. We trust the above demonstrates the importance we place on handling personal data and gives you the reassurance that we will be compliant in time for 25 May 2018.

Keywords: [“Data”,”GDPR”,”personal”]
Source: https://www.psaspire.com/company-news/gdpr-preparation

Apache Kafka and GDPR compliance

You can effectively delete all the user-specific data by throwing the key away. The GDPR contains exceptions when deleting individual user data is infeasible or if the data in question is a backup, in which case you must only keep a log somewhere so you don’t forget to delete again. If someone asks to be deleted from your system, you do so, and then you restore a backup with their data, you have clearly violated the intent. The GDPR contains exceptions for data storage for which it is infeasible or outside reasonable effort to delete individual records, or where you have legal compliances to uphold. No, since the GDPR exempts things you need for legal compliance; thus a list of users who have asked to be deleted is fine if it’s being used to ensure compliance. So do you mean that GDPR allows for a request for removal from the model, or if there is an exemption from data mining results? I think that it allows for a request for removal from the model unless it can be proven that the PII cannot be retrieved from the model. The GDPR offers exceptions to the right to erasure; this mostly includes legal compliance or the interest of legal claims, or when data cannot be easily deleted as an individual record. It’s a very interesting thing to do but, in my organization, it leads to many loooong discussions 🙂 GDPR has an exemption related to the legal requirement to process data that might cover these scenarios. An audit trail is almost always needed – it’s not an extreme leap to say “Why don’t we just replay the audit trail to arrive at the current state?” > What, none of these people /ever/ foresaw the need to delete some data? Hard disk drives have always been known to never actually delete data. Just like a regular HDD, you can forcibly delete the data; it’s just a very expensive operation that isn’t needed 95% of the time. Only in the case when you want to keep the data forever and can’t use compaction, then there’s no way to delete a specific message.
I’d have to read the exceptions for backups included in GDPR, but you could make the case that, in this case, the Kafka log is maintained only as a backup of the data, to be able to replay it again in case something downstream gets broken. In Kafka, if you want to forcibly delete the data, you could simply just force topic compaction after a delete. Depending on the size of your data, a regular delete could take hours, which would likely blow the resource usage on any decently sized deployment.
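Crypto-shredding, the “throw the key away” approach the thread opens with, as an added example in Go that is not code from the thread or from Kafka: each subject’s records are sealed under a per-subject key kept outside the append-only log, an erasure request deletes that key and adds a tombstone, and a key-store restore re-applies the tombstones so that restoring a backup cannot bring the subject back. Store, Record and their methods are constructed names, the in-memory log stands in for a topic, and the key store is exported only so the demonstration can snapshot it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrErased: data arriving for a shredded subject must start under a fresh identifier.
var ErrErased = errors.New("subject erased: use a fresh identifier")

// Record is one immutable log entry; the payload is AES-GCM sealed under the subject's key, subject id as AAD.
type Record struct {
	Subject string
	Nonce   []byte
	Sealed  []byte
}

// Store: the append-only log plus, kept outside it, per-subject keys and the tombstone list of erased subjects.
type Store struct {
	Log    []Record
	Keys   map[string][]byte // exported only so a demo can snapshot it (constructed model)
	Erased map[string]bool
}

func NewStore() *Store {
	return &Store{Keys: map[string][]byte{}, Erased: map[string]bool{}}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Append seals plaintext for subject and appends it; the log itself is never rewritten.
func (s *Store) Append(subject string, plaintext []byte) error {
	if s.Erased[subject] {
		return ErrErased
	}
	key, ok := s.Keys[subject]
	if !ok { // first record for this subject: mint a 256-bit data key
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		s.Keys[subject] = key
	}
	aead, err := gcmFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.Log = append(s.Log, Record{Subject: subject, Nonce: nonce, Sealed: aead.Seal(nil, nonce, plaintext, []byte(subject))})
	return nil
}

// Forget is the erasure request: drop the key and tombstone the subject.
func (s *Store) Forget(subject string) {
	delete(s.Keys, subject)
	s.Erased[subject] = true
}

// RestoreKeys loads a key-store backup but re-applies the tombstones, so a restore cannot resurrect an erased key.
func (s *Store) RestoreKeys(snapshot map[string][]byte) {
	for subject, key := range snapshot {
		if !s.Erased[subject] {
			s.Keys[subject] = append([]byte(nil), key...)
		}
	}
}

// Replay walks the whole log; returns still-readable records per subject and the count of shredded ones.
func (s *Store) Replay() (map[string][][]byte, int, error) {
	readable := map[string][][]byte{}
	shredded := 0
	for _, r := range s.Log {
		key, ok := s.Keys[r.Subject]
		if !ok {
			shredded++
			continue
		}
		aead, err := gcmFor(key)
		if err != nil {
			return nil, 0, err
		}
		pt, err := aead.Open(nil, r.Nonce, r.Sealed, []byte(r.Subject))
		if err != nil {
			return nil, 0, err // tampered or mis-keyed record
		}
		readable[r.Subject] = append(readable[r.Subject], pt)
	}
	return readable, shredded, nil
}
```

The tombstone list is the "log somewhere so you don’t forget to delete again" from the thread: it is the only state that must survive a backup restore, and it holds identifiers rather than personal data.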

Keywords: [“data”,”delete”,”GDPR”]
Source: https://news.ycombinator.com/item?id=15846539

GDPR News Center News for 04-05-2018

GDPR compliance: get the facts, then gauge the impact

Management does not understand the impact of GDPR. GDPR will increase complexity in the market. Let’s be honest here, GDPR is a doozy of a regulation, so it is not surprising that organizations are reluctant to dive in. Along with GFI’s brand new report “Understanding and Implementing GDPR Compliance Measures”, we can jump-start your GDPR assessment and help you answer that key question: does GDPR apply to my organization? GDPR is the acronym for the EU General Data Protection Regulation, also known as Regulation EU 2016/679: “Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”. GDPR is a comprehensive piece of legislation divided into 11 Chapters that cover all aspects of data protection, including the rights of the EU data subject, the requirements for data controllers and processors, not to mention the liabilities and penalties associated with compliance failure. GDPR has been introduced to better safeguard the personal data of EU citizens, residents and even tourists, referred to in GDPR as ‘data subjects’. GDPR stipulates that data subjects must provide consent to the collection and processing of personal data. GDPR also provides guidelines on the secure collection, storage, processing and transfer of personal data. If an organization that controls and processes personal data fails to comply with GDPR, it can face hefty fines, such as 4% of annual company revenue. Any organization, regardless of company size or geographical location, that regularly collects or processes volumes of personal data from EU data subjects may be affected. Consider a company website that requires users to fill in forms in order to access services: the personal data collated from EU data subjects must follow strict GDPR collection, storage, transfer and tracking guidelines.
The key concern is this: if volumes of personal data belonging to EU data subjects are being collated or processed by your organization, then GDPR is very likely to apply to you. GFI’s brand new report “Understanding and Implementing GDPR Compliance Measures” is now freely available. The report clarifies complex terminologies, outlines GDPR requirements, discusses implications to services like cloud storage, and defines key areas of focus to achieve compliance by the May 2018 deadline.

Keywords: [“Data”,”GDPR”,”organization”]
Source: https://techtalk.gfi.com/gdpr-compliance-get-the-facts-then-gauge…

GDPR Readiness with Profisee

Adding the Profisee Platform® to optimize data management capabilities. PRNewswire – The European General Data Protection Regulation will have a global impact when it goes into effect on 25 May 2018. According to several data management analysts, by the end of 2018 more than 50 percent of companies affected by GDPR will not be in full compliance with its requirements. The General Data Protection Regulation is a binding regulation created by the European Commission. The regulation is replacing current European Union data protection directives and diverse national laws. By 25 May 2018, the affected businesses will have to meet several new requirements in relation to how they collect and use the personal data of EU citizens – whether or not the company itself is European. The GDPR is being introduced in order to strengthen the citizens’ right to data protection and – in the longer run – to simplify the processes around this data for the organizations. “On our site, you’ll find critical information you need to know about the GDPR,” states Jeff Wilson, CMO. “With the threats of hefty fines, and the fear of ensuing bad press, the business case for compliance using a data management strategy is shifting to a higher priority for many companies.” The most efficient way of underpinning a successful GDPR strategy is to implement a data management solution and to create a single view of your customer, often called the “Golden Record”. Golden customer records within Profisee provide a solid foundation for dealing with the four pillars of GDPR. Only with a comprehensive understanding of what data you have and where you store it, followed by consolidation into a single view, can you address the requirements of each pillar. Profisee recommends organizations act now to ensure they are in compliance when the regulation goes into effect.
Profisee is a leading modern data management technology company that makes it easy and affordable for any size organization to ensure a trusted data foundation, for every user across your enterprise. Our unique, Profisee Advantage pricing approach includes every user, data record, domain, and data source. As a Microsoft Gold ISV Partner with a strong heritage of Microsoft Master Data Services expertise, Profisee provides a wide breadth of leadership from master data management, business intelligence and enterprise software firms.

Keywords: [“data”,”Profisee”,”GDPR”]
Source: https://finance.yahoo.com/news/gdpr-readiness-profisee-184700114.html

Complying with GDPR

One of the biggest changes in security regulations is coming from the European Union, and Kanguru is here to make it easy for organizations to comply with this new regulation. The General Data Protection Regulation affects not only EU nations, but any nation that conducts business with them pertaining to the collection and processing of personal data of EU citizens. This new law provides EU citizens with specific rights and control regarding their personal information, the data collected, and how it is secured and processed. Organizations in the EU and around the world that process personal data of EU citizens need to be aware of and prepare for GDPR, which has already been approved and adopted into law by the EU Parliament on April 14, 2016, and is slated to go into full effect on May 25, 2018. Currently the regulation is under a two-year grace period to give organizations enough time to prepare. The new regulation spells out some severe consequences in hefty fines for organizations that are found to be in non-compliance with GDPR. It also provides new rights for EU citizens to pursue litigation if they feel collection and management of their personal data has been violated. Organizations would be wise to prepare now before the May 2018 deadline. Kanguru is helping organizations large and small prepare for and comply with this new regulation by providing targeted solutions to meet the needs of organizations within their budget. Kanguru’s military-grade data security products provide simple, easy-to-use solutions to help organizations meet and exceed GDPR, along with other regulations in the industry. Now is the best time to get ready for GDPR. If managing personal data is part of your overall business and you collect any information of citizens from an EU nation, you should closely review this new regulation. What is the GDPR? A brief summary of what GDPR is, its timeline, and scope… Why should organizations outside the EU also prepare for this new regulation?
Given the nature of today’s digital world, GDPR not only affects organizations within the European Union… How Kanguru products help organizations comply with GDPR and other regulations: Kanguru military-grade, high-quality products help organizations comply with GDPR, as well as meet other industry data security regulations to protect data, like HIPAA, SOX, FISMA, GLBA and more…

Keywords: [“organizations”,”regulation”,”GDPR”]
Source: https://www.kanguru.com/info/complying-with-GDPR.shtml

GDPR News Center News for 04-04-2018

Bovill

Significant advancements in technology allow both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals are increasingly making personal information available publicly and globally, and there is increased ease with which data may be collected, transmitted, stored, manipulated and, most importantly, disseminated. These developments, together with a general increase in awareness of fundamental rights, particularly the right to privacy, have led to legislative changes and the emergence of a new regime of privacy protection. The revised EU data protection regime is set out in the General Regulation of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The GDPR will be directly applicable in all EU member states on 25 May 2018. The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the Data Protection Act 1998 – i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. What information does the GDPR apply to? The GDPR defines personal data as “Any information relating to a data subject” whether stored electronically or on paper. A data subject is the identified or identifiable person to whom the personal data relates.
A person is identifiable if he or she “Can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity” of that person. An IP address or cookie identifiers can be personal data. “The protection of natural persons in relation to the processing of personal data is a fundamental right.” Be aware, the UK’s ICO does investigate and fine firms on a regular basis – they go after all types and sizes of firms, not just the big ones.

Keywords: [“data”,”personal”,”GDPR”]
Source: https://www.bovill.com/topic/gdpr

GDPR and Application Protection

The General Data Protection Regulation is a European regulation intended to strengthen and unify data protection for all individuals within the EU, but it also addresses the export of personal data outside the EU. The regulation comes into effect in May of 2018 and organizations worldwide are working to ensure their security policies and procedures comply with the new legislation. Because data is created, accessed, and changed through applications, protecting your applications is a key component of protecting your data. Adding application protection to your secure software development lifecycle will make it more difficult for people and machines to exploit your applications. The benefits include preventing hacker-borne breaches, avoiding or minimizing stinging GDPR penalties, shortening incident response time, minimizing breach scope, reducing notification cost and simplifying GDPR audit processes and validation. Why is the GDPR getting so much attention? Increased penalties ratchet up per-incident costs. The “state of the art” GDPR compliance standard differs substantially from the more common “reasonable” standard. For the first time, Data Processors have regulatory and statutory obligations. Prior to the GDPR, security and notification obligations only applied to Data Controllers. There is no reasonable way to hit this standard without an ongoing investment to track cyber threat and countermeasure developments, the cost of safeguarding implementations, and the relative likelihood and severity of any given class of data breach occurrence. For a discussion of these basic risk concepts in the context of application development, see The Six Degrees of Application Risk. With the GDPR, appropriate safeguards are buttressed by notification obligations if/when a breach occurs. Timing: a data breach must be reported to the Supervisory Authority within 72 hours of the data breach.
“Would a Data Processor be liable under the GDPR if the Processor develops software that is shown to have included avoidable vulnerabilities that subsequently led to a data breach?” “The GDPR requires that the controller uses only processors providing sufficient guarantees to implement appropriate technical and organisational measures”, including “the requirements stemming from data protection by design and by default and those on security.” Put more succinctly, the EDCC responded YES. Data Processor development and DevOps organizations are not exempt from GDPR obligations.

Keywords: [“Data”,”breach”,”GDPR”]
Source: https://www.preemptive.com/solutions/gdpr

You forgot about Europe’s GDPR already (The Register)

If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR, which comes into force on May 25, 2018, and will likely increase your costs. What is GDPR? It is meant to return control of their personal data to people, giving them, for example, a right to be forgotten. Your business needs to be GDPR-compliant but – and this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test. At an A3 GDPR session, lawyer Renzo Marchini – a partner covering privacy, security and information at Fieldfisher – said the regulation is non-prescriptive. It is on you to make sure your internal processes and procedures satisfy the GDPR. Suppose you just want the GDPR issue dealt with, and order an SKU or contract with somebody to make it all happen. Anyone selling a perfect GDPR compliance kit is flogging snake oil. Ricky Patel, UK and Ireland channel sales director at Wasabi Technologies, said there is no uniform GDPR kit. Reputable suppliers will sell you products that point you in the right direction to GDPR compliance, setting you on the correct path to avoid any fines. Joe Garber, global head of information management at Micro Focus, said his company has eight such pre-packaged GDPR starter kits. Mimecast offers gear with GDPR email capabilities, ditto Quantum with its data protection products. Garber said organizations in less-regulated industries are being pulled full tilt into GDPR. Does that mean GDPR will increase the addressable market for data protection and governance suppliers? “You’re bringing in new use cases, and also investigation and e-discovery,” Garber answered. The flip side is organizations’ costs will go up if they are enveloped by GDPR. Suppose you think to yourself it’s a storm in a teacup, and it’ll be easy to implement any necessary changes?
Bob Plumridge, director and treasurer for SNIA Europe and a former Hitachi Data Systems CTO, estimated: “That’ll be the case for the vast majority, but for 20 per cent or so it will involve fines.” You can buy GDPR consultancy services, such as this one from Jawbone. The basic message here is to take the self-checking test and then, if you need to act, prepare to assign people and time, and therefore money, to appease the priests at your nearest GDPR temple, because there’s no way out. GDPR is, one way or another, a tax you are going to have to pay.

Keywords: [“GDPR”,”Data”,”information”]
Source: http://www.theregister.co.uk/2017/12/19/europe_gdpr_business_summary

GDPR News Center News for 04-03-2018

Countdown to GDPR

Here’s a brief refresher: The GDPR is an EU regulation meant to harmonize the patchwork of data protection laws in Europe. The GDPR repeals and replaces not just the current EU data protection directive, but also the Byzantine system of privacy legislation that each EU member state enacted under that directive. A Partnership of Responsibilities for GDPR. When it comes to GDPR compliance, Workday and our customers both have responsibilities: our customers as data controllers, and Workday as a data processor. To quote from the official GDPR FAQ page, “A controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.” Below we provide some highlights about the protections Workday provides in its role as the data processor, and the tools we offer our customers to meet their responsibilities as data controllers. Workday has already taken steps to update the data processing terms we offer our customers to meet GDPR requirements. Cross-border data flows: The GDPR continues to allow the flow of personal data across country borders, and includes provisions ensuring existing data transfer mechanisms remain valid going forward. Workday’s customers have a choice of GDPR-compliant data transfer mechanisms for personal data transfers outside the European Economic Area to Workday. Privacy impact assessments: The GDPR requires PIAs for many types of data processing. Security breaches: The GDPR introduces new notification rules for any security breaches that lead to the loss, destruction, or unauthorized access of personal data. In addition to Workday’s own compliance obligations under the GDPR as a processor of customers’ personal data, Workday also assists our customers in meeting their obligations under the GDPR in a variety of ways. 
Data purging: To support customers’ compliance with the Right to be Forgotten, Workday offers a wide range of purging functionality. With the Purge Person Data feature, customers can select the population of ex-employees whose data is to be removed. Activity logging: To help customers protect personal data against security threats, Workday logs activity for each account. Independent audits of Workday’s controls and processes: Customers can reference and rely on the procedures performed by our independent auditors as part of the SOC and ISO procedures to demonstrate GDPR compliance.

Keywords: [“Data”,”customer”,”Workday”]
Source: https://blogs.workday.com/countdown-to-gdpr

GDPR Explained: What are the Technical Security Requirements?

The upcoming GDPR will bring substantial changes to how organizations process personal data. Every time we buy a product online, pay our taxes or use a service, we have to hand over some of our personal data. Clearly, cyber theft of the data exposes us to significant personal risks. Data subject rights: to be informed about processing of the personal data, to have access to the data, to be forgotten, to be notified about a data breach, and so on. The rights, along with privacy principles, dictate the implementation of security controls and the management of the personal data lifecycle. Privacy principles: companies should implement in their systems such privacy principles as integrity and confidentiality, accountability and compliance, data minimization and others, by design and by default. Data protection impact assessment: a DPIA includes such tasks as identification of data flows, evaluation of security controls, assessing the effects of a presumed data breach and mitigating privacy risks. The regulation mentions four classes of security measures: the pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Data breach notification: organizations shall monitor access to personal data and the effectiveness of security controls in order to detect data breaches in their systems. If a data breach is likely to result in a risk to the rights of natural persons, the organization shall notify the supervisory authority. Once an IT system is identified to be in the scope of GDPR, we shall assess the data processes of the system.
That means identifying the personal data processed in the system, finding the users who have access to the data, evaluating security controls, and identifying risks to data subjects in case of a data breach. The second step is mitigating the identified risks: restrict access to personal data, implement security controls, and configure blocking and erasing rules for personal data. We have to monitor access to personal data, detect ongoing cyberattacks, and prepare incident response plans. It is noteworthy that GDPR, in many different ways, requires monitoring access to the data and the effectiveness of security controls.

Keywords: [“data”,”personal”,”security”]
Source: https://erpscan.com/…/blog/gdpr-explained-security-requirements

iland Secure Cloud Hosting Services

iland has taken an aggressive risk-based approach utilizing ISO 27001, SOC2, BS 10012:2017 and CSA standards to ensure proper governance and management of risk and security for all data collection and processing. Customers of iland are encouraged to review all iland third-party auditor findings as well as details of our GDPR and other compliance programs. With the rigor of Risk, Privacy and Security it is easy to lose sight of the goal of delivering services. iland has identified the need to ensure that the structure of the GDPR program does not adversely affect the service offerings, by making Service Management one of the pillars of the GDPR program. ISO 20000 is a global standard that describes the requirements for an information technology service management system. Using the ISO 20000 and SSAE 16/18 SOC2 standards, iland maintains visibility into its ability to deliver services in accordance with contractual requirements and once again validates this through external third-party audits. The third pillar of the iland GDPR program is the usage of standardized frameworks. This allows for repeatable and documented output from the elements that compose the services offered by iland. The ITIL framework is designed to standardize the selection, planning, delivery and support of IT services to a business. The goal is to improve efficiency and achieve predictable service levels. Within the usage of these frameworks Risk, Privacy and Security are incorporated; as an example, privacy by design has been incorporated into the Agile framework at all levels and is actively overseen by the iland GDPR program office. The same efforts occur around ITIL activities to ensure that processes and policies conform to the requirements of GDPR.
Legal/Governance: finally, to validate and oversee GDPR program activities, Legal and Governance manages the contractual formulation of Controller/Processor agreements and the use of Model Contract Clauses, EU/US Privacy Shield and Binding Corporate Rules for internal iland data. This pillar of the GDPR program also ensures that Controller oversight is managed, through the use of logging, audit artifact generation and customer-performed audits, giving customers a dedicated resource to interface with. This segment of the program also employs the Data Protection Officer to provide linkage between the customer’s DPO and the iland DPO to manage Data Subject Requests as well as breach processes and notifications.

Keywords: [“Iland”,”service”,”GDPR”]
Source: https://www.iland.com/solutions/gdpr

GDPR News Center News for 04-02-2018

What EU GDPR Means for B2B Marketing

Amidst the turbulence within the EU of late, a critical piece of legislation has arisen that threatens conventional marketing practices as we know them. May 2018 will change the ways in which sales and marketing data can be used. This impending legislation will alter how data can be used for marketing communications, requiring swift adaptation by marketing organisations to avoid steep fines. B2B email, telephone and SMS marketing will be the hardest hit; the GDPR will force organisations reliant on these means to re-align their marketing practices and teams so as to remain compliant. The problem of nuisance calls and the data protection rights of individuals led to intense debate as to what changes could be made to rein in the practices of some organisations reliant on mass-email and telephone marketing. The legislation promised both to strengthen corporate and individual rights on use of data, and to unify those rights within the EU to simplify the governance of the new legislation. In short? Gone are the days of mass, untargeted marketing comms. The GDPR will, practically speaking, directly threaten the use of practices such as “batch and blast” telesales and email campaigns which rely on bulk-purchased data that is used in an untargeted manner. The legislation tightens the laws provided within the Data Protection Act, drilling down further into the subject of obtaining consent from a data subject, as well as the ability for that subject to easily remove consent. The former may be a saving grace, with certain post and telephone marketing permitted with the use of an opt-out or unsubscribe system. Data will be required to be targeted to a more accurate degree so that ‘legitimate interest’ from the customer may be argued; this means that B2B organisations must ensure that their content is relevant to the job role of those they contact.
Around 40% of all the UK’s exports go to the EU, so a trade agreement that includes the UK’s adherence to EU data protection regulation is most likely. As of May 2018, B2B marketing communications in particular will be more restricted, forced to comply with legislation to a degree not previously mandated by the DPA. Is your business ready? Successful organisations will benefit through increasing spend in these areas, such as Pay Per Click and digital marketing. These channels will become more cost-effective in comparison to telesales and email, meaning that a diverse multi-channel marketing strategy is vital for business growth.

Keywords: [“Data”,”marketing”,”legislation”]
Source: https://www.qliq.co/news/eu-gdpr-means-b2b-marketing

Announcing a new GDPR extension

Our new extension aims to enable charities/organisations to manage their supporters in a GDPR-compliant manner. GDPR in itself does not introduce many new directives; however, it does make organisation-appointed officials directly responsible for any breach of a directive and therefore carries a degree of responsibility which had been missing from previous iterations. It’s important to understand that simply implementing an opt-in process and assuming all contacts are opted out overnight is probably not what is best for your organisation; there are many factors to consider before determining that a formal opt-in is required. For example, a membership organisation is well within its rights to assume that member communications are opted in unless the member explicitly opts out. It’s also a fair assumption where contacts have been imported from third-party fundraising systems, where they represent your charity and have stated they are happy to be contacted by the charity they are fundraising for. The overall aim of this extension is to help organisations navigate the journey to GDPR compliance without compromising their presence with, and income from, their existing supporters. More details about GDPR and CiviCRM can be found at https://vedaconsulting.co.uk/GDPR. The first version of this extension does the following: allows you to record the data protection officer for your organisation; adds a new tab ‘GDPR’ in the contact summary which displays the group subscription log for the contact; provides a custom search ‘Search Group Subscription by Date Range’ which can be accessed from the GDPR Dashboard; gives access, from the GDPR Dashboard, to a list of contacts who have not had any activity for a set period of days; offers user-friendly communication preferences, moving to explicitly worded opt-in mechanisms; and provides a forget-me process for where a supporter has asked to be erased from the organisation’s CRM.
We will introduce a button which will anonymise the contact without losing financial or any other history, therefore keeping the performance history of the organisation intact. Currently CiviCRM supports including or excluding a contact from a group, but it does not allow for the selection of the communication medium that should be used, for example “happy to receive email newsletters but please don’t send me any other emails”. GDPR comes into force in the UK in May 2018; we aim to complete the feature set of this extension by Feb 2018, and if you’d like to get involved please do feel free to get in touch.

Keywords: [“GDPR”,”organisation”,”contact”]
Source: https://civicrm.org/blog/parvez/announcing-a-new-gdpr-extension

GDPR News Center News for 04-01-2018

The implications of GDPR for business

The General Data Protection Regulation will come into force on 25 May 2018. The Government has confirmed that the UK will implement GDPR and it is expected that the UK will continue to comply with GDPR after Brexit. All businesses should be assessing their interaction with personal data and how GDPR will impact them and the sector in which they operate. The government has published its plans to implement a new data protection regime. GDPR introduces wide-ranging changes to UK data protection legislation and, if they have not already started, it is essential that businesses begin to take steps towards compliance. Although GDPR follows a similar approach to existing data protection legislation, there are some material changes. A fine of up to €20 million or 4% of total worldwide turnover, whichever is higher, may be imposed for more serious offences, such as a breach of the basic data protection principles or a breach of international transfer restrictions. GDPR introduces an obligation on data controllers and processors to show how they are complying with the data protection principles. If not already in place, comprehensive governance measures should be put in place to minimise the risk of a breach and safeguard the protection of personal data. Appropriate measures include privacy impact assessments for high-risk processing and steps to ensure that data protection is incorporated “by design and by default” rather than being an afterthought. An element of accountability has always formed part of data protection law, but GDPR places greater focus on this and businesses should ensure that existing policies and record-keeping are sufficient to satisfy the new requirements. At present, data processors are not under any direct obligations and the data controller is responsible for any breach committed by its processor.
GDPR imposes specific obligations on data processors, including an obligation to implement appropriate security standards, ensure adequate record-keeping and inform the data controller of any breach. GDPR also mandates a number of provisions that must be included in all contracts involving the processing of personal data. The rights of data subjects have been extended such as the right to be “Forgotten”, where an individual may request the deletion of their data when certain grounds apply. If they are not already doing so, all businesses, large and small, should be assessing their interaction with personal data and how GDPR will impact them and the sector in which they operate.

Keywords: [“Data”,”GDPR”,”Protection”]
Source: https://www.icas.com/ca-today-news/gdpr-the-implications-for-business

3C Consultants

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact that this is likely to have. HR needs to ensure staff receive regular GDPR awareness training and that employment contracts and information security management systems are adjusted accordingly. You should document what personal data you hold, where it came from and who you share it with. You should review current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically in a commonly used format. You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it. You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard. You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Data protection by design and data protection impact assessments: you should familiarise yourself with the ICO’s code of practice on privacy impact assessments as well as the latest guidance from the Article 29 Working Party and work out how and when to implement them in your organisation. Data protection officer: you need to decide whether to appoint a data protection officer to take responsibility for compliance and assess where this role will sit within the organisation structure and governance arrangements.
Regardless of whether you need to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR. Additionally, 3C Consultants can assist you and your organisation, whether you have started the process or are still in the planning stage, with the 3C GDPR Gap Analysis service. This service will provide your organisation with a preliminary assessment of your current level of compliance with the requirements of the GDPR, alongside a resulting report which will include recommendations, a prioritised action plan and pointers to guidance and best practice.

Keywords: [“data”,”GDPR”,”need”]
Source: http://www.3cconsultants.co.uk/news/gdpr-checklist

Accelerate Your Path Towards GDPR Compliance

The General Data Protection Regulation went into effect on 24 May 2016, giving all organizations who process or control personal data of residents in the European Union two years to put the right people, process and tools in place to comply with the regulation. The regulation, which will apply from May 25, 2018, aims to harmonise data privacy rights for all EU residents across the 28 countries that make up the EU, as it relates to the use and protection of residents’ personal data. The challenge for organizations facing the GDPR is that data is everywhere these days: processed through all types of apps, stored in various places and accessed from all sorts of devices. For customers who still need to begin their journey toward GDPR readiness, and even for those who have already begun, simplifying the approach by focusing on data protection and understanding key privacy use cases is essential. Organizations should be prepared to answer questions such as, “What data do we have? Who has access to that data? How is the data protected?” To answer these questions, it’s important to map out the data lifecycle to security and privacy use cases for data protection. The basic data lifecycle includes data collection, access, usage, storage, transfer and deletion/destruction. Connecting each stage of the data lifecycle to data protection use cases can help organizations determine if they have the right tools in place to help with compliance. The right solutions need to be in place to cover data protection use cases and help organizations move towards GDPR readiness. A digital workspace can help improve data privacy, protection and control, and enable accountability and transparency across the data lifecycle. We’ll focus on the data access stage in the data lifecycle. Data access is all about having a secure way to access your data, and making sure those who access the data are authorized to do so.
Conditional policies like these eliminate manual compliance management, which minimizes data access risk, a critical component of the GDPR. Mapping secure data access to identity management gives organizations a simple way to think about data privacy and access. This data protection capability maps well to Article 32 in the GDPR, which speaks to the implementation of encryption of personal data where appropriate. Workspace ONE is the platform that can help organizations deliver secure digital workspaces, enabling their end users with secure data access, data transfer, data collection and more.

Keywords: [“Data”,”access”,”organization”]
Source: https://blogs.vmware.com/euc/2017/09/accelerate-towards-gdpr…