GDPR News Center News for 01-18-2018

GDPR news: UK data watchdog opens GDPR helpline for SMBs

Designed to give people more control over their data, GDPR represents a challenge to organisations, who must bring their data protection policies into line with the regulation by the 2018 deadline. GDPR will compel organisations to secure clearer consent for using people’s information, and will introduce tougher fines for failing to protect people’s data.

03/11/2017: The Information Commissioner’s Office this week launched a helpline for SMBs preparing for the General Data Protection Regulation. The phone service, which opened on 1 November, is designed to address the specific data protection challenges facing the estimated 5.4 million SMBs operating in the UK. With staff on hand to answer questions, the service acts as an extra resource to the ICO’s existing guidance, with an emphasis on helping people with obstacles particular to their businesses. The ICO already offers firms of all sizes a 12-step guide to preparing for GDPR, which comes into effect in the UK from 25 May 2018, giving people more rights over their data, and imposing tougher fines on organisations that fail to protect it.

06/08/2017: One in five large UK businesses are completely in the dark when it comes to the application of GDPR in their organisation, according to new data. First, GDPR requires people’s consent for their data to be held and shared – consent that will have to be reaffirmed actively once the legislation comes into force in May. Second, EU residents have the right to access all the data held about them at any time and also to request their data is removed at any time. Both of these may be a challenge when so many systems are used and if the data is no longer in the full control of the initial data controller. Another issue raised by the survey is understanding data ownership – a key tenet of GDPR. Only 27% of those questioned thought personal data belonged to the customer, with 50% thinking it belongs to the organisation holding it.
Chris Mayers, chief security officer at Citrix, said: “Ensuring data privacy processes and systems are in place – from privacy by design to privacy by default – requires an organisation to know exactly where their data is and who can access it. Yet many are losing sight of data, spread across multiple systems and shared with multiple partners, while also struggling to scale up to store and control the huge influx of personal customer data they receive today.”

“Businesses must recognise that more centralised application and data storage environments will make it easier to meet technical compliance goals. This centralisation can be achieved in various ways, from introducing unified access controls across on-premise and cloud services with single sign-on to rolling out centrally-managed virtual workspaces. However it is done, controlling data sprawl and recognising enterprise accountability around data privacy will be key to GDPR compliance,” he added.

The EU General Data Protection Regulation comes into force across the soon-to-be 27-nation bloc on 25 May 2018, by which point any organisation handling EU residents’ data must be compliant or face tough fines for breaches, of up to 4% of annual turnover or €20 million, whichever is greater. As a result, CIF has updated its Code of Practice for CSPs to ensure they’re compliant with the stricter data protection rules, which hand EU residents more control over their personal data and require organisations holding or processing the data to be transparent about what they’re using it for. Collaboration platform Box’s VP of compliance, Crispin Maung, told IT Pro earlier this year that data protection authorities “are struggling with figuring out what GDPR compliance really means and how they are going to measure [it]”. Retailer John Lewis and bank HSBC both criticised the UK data protection authority’s guidance so far on GDPR compliance, calling it “woolly”.


GDPR News Center – General Data Protection Regulation

“Article 4 of the GDPR will have a big impact on marketers,” says Van Uytven, before going on to quote Article 4 of the GDPR, which defines how user consent for personal data usage must be given, namely “by a statement or by a clear affirmative action, [signifying] agreement to personal data relating to them being processed.” Inbound marketing is a gigantic slice of the daily routine of a digital marketer, and GDPR is about to regulate it like never before.

Countdown to GDPR. Here’s a brief refresher: the GDPR is an EU regulation meant to harmonize the patchwork of data protection laws in Europe.

A Partnership of Responsibilities for GDPR. When it comes to GDPR compliance, Workday and our customers both have responsibilities: our customers as data controllers, and Workday as a data processor. To quote from the official GDPR FAQ page, “A controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.” Below we provide some highlights about the protections Workday provides in its role as the data processor, and the tools we offer our customers to meet their responsibilities as data controllers. Cross-border data flows: the GDPR continues to allow the flow of personal data across country borders, and includes provisions ensuring existing data transfer mechanisms remain valid going forward. In addition to Workday’s own compliance obligations under the GDPR as a processor of customers’ personal data, Workday also assists our customers in meeting their obligations under the GDPR in a variety of ways.

The EU will implement the most dramatic law of its kind governing data in May. The General Data Protection Regulation will strengthen and unify data protection for all individuals within the EU. When it becomes effective, it will give control of personal data back to citizens and residents and simplify the regulatory environment for international business by unifying the regulation within the EU, replacing a data protection directive from 1995. The GDPR extends the scope of EU data protection law to all foreign companies processing data of EU residents. There are some truly revolutionary aspects of the GDPR, both from the perspective of the data user and the data provider or processor. The biggest change to the regulatory landscape of data privacy associated with the GDPR is its extended jurisdiction: it applies to all companies processing the personal data of individuals residing in the EU, regardless of the company’s location. The GDPR will also apply to the processing of personal data in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens or to the monitoring of behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens must also appoint a representative in the EU. The conditions for consent have been strengthened under the regime. Part of the expanded rights of data subjects outlined by the GDPR will also be their right to obtain from the data ‘controller’ confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose. Also known as Data Erasure, the “Right to be forgotten” entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The EU’s new General Data Protection Regulation is a set of rules that give consumers rights about how their data is stored, used, and deleted.

With the May deadline for compliance edging ever closer, a vast majority of organizations believe that compliance with the upcoming General Data Protection Regulation will be difficult to achieve.


GDPR News Center News for 01-17-2018

GDPR Awareness Coalition

DUBLIN, IRELAND – A survey of 200+ companies at TechConnect Live conducted by DataSolutions on behalf of the GDPR Awareness Coalition has found that 71% of SMEs in Ireland do not view the need to be GDPR compliant by next May as a top business priority, despite an increase in awareness. When asked “How high of a priority is GDPR compliance to your company?”, 26% of respondents responded with “Not a priority”, with a further 45% indicating that it was “Only one of a number of priorities.” 53% of companies surveyed indicated that they had yet to begin the compliance process, with a tiny minority of 2% indicating that they were GDPR compliant already.

“What we’re seeing here is really worrying. With only one year to go until the introduction of GDPR it’s clear that Irish businesses are still struggling to understand the significance of GDPR and the impact it will have on their day to day business operations,” said Dr. Dennis Jennings, Chairperson of the GDPR Awareness Coalition.

The survey also found that general awareness of GDPR is increasing, with only 16% of respondents responding that they had not heard of GDPR, while 67% of respondents said they were either familiar or had expert knowledge. “The only comforting element to this survey is that while general awareness of GDPR is increasing, there is still a real need to raise awareness of the impact GDPR will have on the SME sector to spark movement towards compliance. Based on what we’re seeing, it looks like businesses are keen to be GDPR compliant but don’t know what full GDPR compliance looks like.”

200 companies responded as part of the GDPR Awareness Coalition’s survey, which took place between 9am and 12.30pm at TechConnect Live in the RDS, Dublin on 31 May. Of those surveyed, 62% identified as SME, 21% as large and 17% as corporate.

The GDPR Awareness Coalition is a not-for-profit, fixed-term initiative designed to assist in raising awareness of the data privacy obligations for companies resulting from the implementation of the GDPR. The GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union. The establishment of this initiative was motivated by the growing concern that GDPR awareness throughout Ireland is unbalanced among enterprise, construction and retail sectors. In response to this issue, the GDPR Awareness Coalition has assembled an expanding list of more than 50 engaged Coalition Partners that include GDPR experts, vendors, and legal, fiscal, event and general collaborators, and business associations.

“With many of the world’s leading companies calling Ireland home for their operations in Europe, it was a concern to us when we read some of the recent reports that Ireland had a below-average awareness of the GDPR in comparison to other EU countries. We felt if we could help raise this awareness, we should.” To help further this initiative, Dr. Jennings will join Mr. Connolly as Co-chair of the GDPR Awareness Coalition. “I am very pleased to have been invited to be the Co-chair of the GDPR Awareness Coalition, and I look forward to contributing to the effort.”

The GDPR Awareness Coalition will culminate in a conference / workshop for all interested parties, co-located with the TechConnect Live event in Dublin on 31 May, 2017. Coalition Partners include GDPR experts, as well as vendors, legal, fiscal, event and general collaborators.


What is GDPR? Everything you need to know

More than half of EU businesses don’t know what the impact of GDPR on their organisation will be.

17/11 – NEWS – Microsoft previews new GDPR compliance tool – GDPR Compliance Dashboard will allow Microsoft cloud customers to make sure they are equipped for the new legislation.
16/11 – NEWS – Only a fifth of UK large businesses are ready for GDPR – Survey reveals many big companies are nowhere near ready for the May 25th deadline.
14/11 – FEATURE – José Alberto Ruiz/Cornerstone OnDemand – GDPR: Where should HR start? – When the new regulation comes into effect, the HR department will be responsible for the personal data it collects on applicants as well as current employees.
14/11 – NEWS – GDPR could hit UK law firms hard – Majority of firms say they are unprepared for the effects of GDPR, but also need to up cybersecurity protection, CenturyLink study finds.
09/11 – NEWS – IBM gives clients new control over data as GDPR approaches – Company boosts data control processes at its Frankfurt data centre.
08/11 – FEATURE – Louise Boyd/Me Learning – E-Learning company helps UK businesses prepare for GDPR – Is your organisation ready for the upcoming regulation? Businesses will have to listen.
07/07 – FEATURE – Mark Sangster/eSentire – The GDPR is coming: Are you prepared? – GDPR is a sweeping new EU privacy regulation that has extensive implications for U.S. firms too.
16/06 – FEATURE – Brian Rutledge/Spanning – The global impact of GDPR: Prepare now, avoid potential litigation & fines later – GDPR impact on business is proving to be one of the most talked about global regulations to date, related to data governance and data privacy.
15/06 – FEATURE – John Morrell/Datameer – Governing big data analytics for GDPR compliance – GDPR changes the way entire organisations interact with personal data, and thus big data analytics.

What is GDPR? The General Data Protection Regulation, or GDPR, is one of the most important pieces of legislation ever passed for IT departments. Under GDPR, companies will also have to be more up front when collecting the personal data of customers, meaning consent will need to be explicitly given, and the gatherers will need to detail the exact purpose that this data will be used for. GDPR stands for General Data Protection Regulation, also officially known as EU Regulation 2016/679. Because data protection concerns stretch across national boundaries, the introduction of GDPR seeks not just to regulate data within the EU: it seeks to extend EU data protection law to any organisation holding information on EU citizens, even if that organisation is based outside the EU. For businesses, GDPR means keeping a much tighter rein on the data they possess, and should also improve security awareness and protection levels for many.

Who does GDPR apply to? Is my business affected by GDPR? Short answer – yes. If you are a business that deals with online data in any way, you will need to comply with GDPR before next year’s deadline. For the moment, the EU states that if you process data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR irrespective of whether or not the UK retains the GDPR post-Brexit. If you are based outside of the European Union, your business could well still need to comply with GDPR. The EU states that the rules will apply to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

EU GDPR website – a central repository for everything you need to know about GDPR.
EU GDPR FAQs – answers to some of the most pressing GDPR questions.
ICO overview of GDPR – guidance for UK businesses on what GDPR is.


GDPR News Center News for 01-17-2018

RSA Unveils New GDPR Compliance Offerings

Europe’s General Data Protection Regulation is, by name, just another information security compliance regulation requiring that organizations protect personal data from being stolen by hackers. The emphasis has changed, however: data protection has traditionally meant protecting data from criminals, but this regulation is designed to protect data for the user. Users must explicitly agree to the collection of data for a specific purpose, and they can withdraw consent and require companies to delete that data. Organizations will need to be able to prove user agreement to the collection of personal data, and must be able to demonstrate deletion of that data after demand.

“I think the bigger part of GDPR is to do with process, and the process burden is going to be huge. One of the big new things is the whole personal data lifecycle – from getting consent and proving user consent, to processing user data and then deleting that data after processing it solely for the purpose for which it was collected; and being able to delete it at any time on the users’ request. Although some organizations already do that, a lot of companies don’t do it very well, and don’t have the evidence to prove they are doing it. GDPR is very much evidence based.”

It is against the background of GDPR being as much about data governance as it is about information security that RSA has today beefed up its Archer governance suite specifically to aid compliance with the governance side – and more – of GDPR. “Ultimately,” it says in a statement released today, “GDPR is not just a Governance, Risk and Compliance issue. GDPR spans the full enterprise and forces companies to adopt a healthier privacy and security risk posture in four critical areas: Risk Assessment, Breach Readiness, Data Governance, and Compliance Management.” It is in these four areas that Archer, combined with RSA NetWitness and the RSA Data Risk and Security Practice, can aid GDPR compliance.

On risk assessment, RSA suggests that Archer’s components will help accelerate the identification of the linkage between risks and internal controls, potentially reduce GDPR compliance gaps and improve risk mitigation strategies. On breach response, GDPR requires that regulators are notified of a breach generally within 72 hours of the company becoming aware of it. RSA offers its SecurID suite and Data Risk and Security Practice service to cover the mainstream governance side of GDPR. Compliance is no longer a destination but a continuing state, it suggests. While under earlier European laws companies needed only worry about compliance if they were breached, with GDPR they can be found non-compliant in data governance areas at any time. This suite of services helps an organization optimize a GRC program; put in place the processes to enable a prompt response to cyber incidents; prepare to meet the new 72-hour notification requirements; and plan and implement GDPR-compliant data access programs.

The term ‘breach’ is given a wider than usual scope under GDPR. “A breach in GDPR could be lack of availability,” Knowles told SecurityWeek, “so a successful DDoS – which may not usually be classed as a breach – could be classed as a breach in GDPR terms if users lose access to their data.” Firstly, the victim gets all the disruption and cost of the ransomware, but secondly it is potentially and automatically in breach of GDPR. “If you can show that you are doing the right things, that you have the right controls in place,” says Knowles, “then the regulators are more likely to be lenient from the GDPR perspective. But on the other hand, if the ransomware could have been stopped had you applied the correct patches, the regulator might not be so lenient.”

GDPR compliance is a complex mix of security technology to protect the data, tied together with governance processes to manage the personal data lifecycle, backed up by the availability of continuous evidence to prove that you are doing the right things at all times.


News – General Data Protection Regulation

Cloud Security Alliance Issues New Code of Conduct for GDPR Compliance. Significant updates provide actionable guidance to reflect new European personal data protection obligations.

Edinburgh, Scotland – November 21, 2017 – The Cloud Security Alliance, the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today released the CSA Code of Conduct for GDPR Compliance, which provides cloud service providers, cloud customers, and potential customers with much-needed guidance in order to comply with the new obligations stemming from the European General Data Protection Regulation. As part of this release, the CSA has also launched the CSA GDPR Resource Center, a new, community-driven website with tools and resources to help educate cloud service providers and enterprises on the new European data protection regulation.

“Companies worldwide are struggling to keep pace with shifting regulations affecting personal data protection. The Privacy Level Agreement Working Group realized it was critical for cloud providers to have guidance that would enable them to achieve compliance with EU personal data protection legislation,” said Francoise Gilbert, CSA Lead Outside Counsel and PLA Working Group co-chair.

“With the introduction of GDPR, data protection compliance becomes increasingly risk-based. Data controllers and processors are accountable for determining and implementing within their organizations appropriate protection levels for the personal data they process,” noted Paolo Balboni, European ICT, privacy and data protection lawyer, and co-chair of the Privacy Level Agreement Working Group. “In this scenario, the CSA Code of Conduct for GDPR Compliance is of fundamental importance as it gives guidance for legal compliance and the necessary transparency on the level of data protection offered by the CSPs.”

Fair and transparent processing of personal data; Information provided to the public and to data subjects; Exercise of data subjects’ rights; Measures and procedures referred to in Articles 24 and 25 GDPR and the measures to ensure security of processing referred to in Article 32 GDPR; Notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects; and.

The CSA Code of Conduct for GDPR Compliance contains mechanisms that enable the body referred to in Article 41 GDPR to carry out mandatory monitoring of compliance by the controllers or processors who undertake to apply it, without prejudice to the tasks and powers of competent supervisory authorities pursuant to Article 55 or 56 of GDPR. “The CSA Code of Conduct for GDPR Compliance offers cloud customers a tool to evaluate the level of personal data protection offered by different CSPs and make informed decisions on how they will secure that data,” said Daniele Catteddu, Chief Technology Officer, CSA. “We are extremely proud of the work that went into this latest iteration.”

The CSA PLA Working Group was formed in 2012 to help transpose the Art. 29 WP and EU National Data Protection Regulators’ recommendations on cloud computing into an easy-to-use outline for CSPs to follow when disclosing personal data-handling practices. The scope and objective of the PLA initiative were previously presented to the European Parliament as part of discussions on the potential effect of the proposed General Data Protection Regulation on cloud computing. The PLA Working Group has been engaged in defining a structured method for communicating the level of privacy that a CSP agrees to maintain. The PLA Working Group is comprised of independent privacy and data protection subject matter experts, privacy officers, and representatives from data protection authorities.

The CSA Code of Conduct for GDPR Compliance is free and available at: https://gdpr.
For access to the CSA GDPR Resource Center, visit https://gdpr.
