GDPR News Center News for 10-19-2018

10 steps to GDPR compliance: How prepared are you? – IT Governance Blog

The EU General Data Protection Regulation takes effect in less than eight months, so now is a good time to review the steps you’ve taken to achieve compliance and what you still need to do. You can base that review on the Data Protection Commissioner’s compliance checklist, which is summarised here and outlines what organisations need to do before the 25 May 2018 deadline. Everyone else in the organisation responsible for regulatory compliance and data processing will also need to understand their obligations. Data subjects have a number of rights pertaining to the way organisations collect and hold their data. You’re not the only one who needs to know about data subjects’ rights. 

Organisations need to prove that they have a legal ground to process data. Organisations should learn when these grounds can be sought and adjust their data collection policies appropriately. The GDPR states that a data protection officer should oversee an organisation’s data protection strategies and compliance programme. One of the biggest challenges that the GDPR presents to organisations is its data breach notification requirements. Organisations must report data breaches to their supervisory authority within 72 hours of discovery, and provide them with as much detail as possible. 

Organisations should adopt a privacy-by-design approach to data protection. Each presentation covers a different aspect of the Regulation, such as data flow mapping, risk assessments and data protection by design. 

Keywords: [“Data”,”organisation”,”GDPR”]

Canva Help Center

The GDPR is a standardized user data protection framework which operates across Europe and imposes obligations on organizations, like Canva, that handle the personal data of people in the European Economic Area. This page briefly explains what Canva is doing to work towards GDPR compliance. To identify the information that we collect about our users, how we use that information and keep it safe. If you continue to use Canva after we introduce these updates, it means you agree to this new policy. Second, we recognize that it’s important for you to control your information so we are investing in features that will help you to easily manage and access some of your information within Canva. 

We will provide more information on these features as they become available. Third, since we use some third-party suppliers to make Canva available, we are reviewing and negotiating these contracts with a view to ensuring that they comply with applicable laws, including GDPR. Where amendments to these agreements are required we are entering into Data Processing Agreements with our suppliers. Fourth, we recognize that protection of your data involves us so we are improving our internal controls around employee access to data and data security incidents. None of these steps are likely to impact the way you use Canva day to day – you and all our many users will remain free to design anything and publish anywhere! 

Keywords: [“Canva”,”data”,”information”]

GDPR Compliance Solutions & Services

The primary objectives of the GDPR are to give people more control over their personal data, to help protect personal data from the risk of loss, and to unify regulatory privacy and data requirements within the EU. It is vital that any organization who conducts business in the EU understands the overall design of the GDPR and why preparing their technology and processes now for this new legislation is so critical. Today’s technology is much different than it was 20 years ago. No one could have predicted how the Internet, smartphones and the widespread use of social media applications such as Facebook and Twitter could have global implications. As a Regulation, the GDPR enacts a uniform data security law across the EU. 

Each EU country will no longer need to pass their own legislation for data security; the GDPR will be the guiding law. EU countries can still regulate certain types of data such as health data. If you are currently doing business in the EU, you may already have privacy processes and procedures in place. To ensure that your business is GDPR compliant, it is essential that you review your consent policies and procedures to verify that these meet the new higher standards. PossibleNOW and our sister company, CompliancePoint, can help you determine your preparedness and then recommend appropriate solutions and services. 

Keywords: [“Data”,”GDPR”,”Regulation”]

GDPR News Center News for 08-26-2018

GDPR Readiness, Assessment & Compliance

WHO: Enterprises that offer goods or services within the EU as well as enterprises that monitor EU subjects’ behavior within the EU. WHAT: New data privacy mandates have been issued by European Union regulation. WHEN: GDPR compliance must be achieved by 25 May 2018. WHERE: Includes any organization in the world if it retains or processes information on any citizen in the EU. WHY: To better protect any individual’s personal information, to secure rights for the individual over that collected information, and to force enterprises to follow a uniform scheme for data protection. 

HOW: Follow ISACA’s privacy guidance on how best for your enterprise and its staff to assess your unique data protection needs and meet the GDPR compliance standards set by the EU.

Keywords: [“enterprise”,”information”,”any”]

Data Security Issues, Risks, Trends, and Concerns

Less than a third of companies are prepared for the GDPR. HAVE A PLAN AND STICK TO IT. If you have checked your compliance and audited your data, you should know what you process, on what legal grounds, who has access and understand the lifecycle of captured personal data. The next step is to implement data protection by design, and by default. Incident Response/Breach notification response plan. 

HOW WE CAN HELP. Thales are specialists in encryption solutions, protecting your data wherever it is in your digital estate. Use our experts to conduct a health check on your organisation to assess your GDPR readiness. Then deploy the Thales eSecurity Accelerator Pack, using our proven technologies to secure critical database or file systems in less than two days. 

Keywords: [“data”,”GDPR”,”Thales”]


It’s essential that you review your approach to governance and data protection and plan your compliance now. Get all the key people onboard, update the relevant policies and procedures and develop any that are missing. Rather than aiming to be completely compliant by 25 May 2018, it’s realistic to have a ‘roadmap’ of how you are going to achieve complete compliance. A good starting point is to introduce a transparent data processing statement, or privacy statement, for all your clients. The ICO website provides more information about privacy statements with examples of good and bad privacy notices. 

Identify and document your legal basis for doing these. International: If you operate internationally, make sure you know which supervisory authority you come under for data protection.

Keywords: [“data”,”how”,”GDPR”]

GDPR Webinar

GDPR, less than a year away, should be on every business’s radar. Our free webinar will share with you the key things to be aware of to help prepare your business for the May 2018 regulation. This may seem a while away, but the regulations will affect all businesses, so now is the time to start planning and putting things into place. Our one-hour free GDPR Webinar is downloadable today. This webinar, which was live, has been created as a useful downloadable resource and includes lots of questions and answers asked by businesses like you.

Speakers on this webinar were Adriaan Bekker and David Smart from Softwerx plus Karen Cole from RIAA Barker Gillette. Softwerx has helped a number of organisations throughout the UK increase their knowledge of GDPR and become better prepared. 

Keywords: [“webinar”,”GDPR”,”Softwerx”]

GDPR US Firms Whitepaper Landing Page

Due to the constantly changing digital world, the EU took a major step to protect its citizens’ personal data and privacy rights by passing the EU General Data Protection Regulation. Not only firms based in the EU must abide by this regulation. Any firm that does business in the EU or monitors the behavior of EU data subjects needs to comply with the regulation. For US-based firms that do business in the EU, it is crucial to understand the regulation and address the key challenges to ensure that your firm is GDPR compliant. Key terms and definitions relating to the GDPR.

Key challenges ahead. How the GDPR affects how you store data in the cloud. Solutions to complying with the GDPR. How the GDPR will fit with the EU-US Privacy Shield.

Keywords: [“GDPR”,”firm”,”Regulation”]

GDPR for marketers: best practice, tips and case studies

The new EU General Data Protection Regulation comes into force on 25th May 2018, however only 54% of businesses expect to meet that deadline. Econsultancy is investigating GDPR from a marketer’s perspective, highlighting the specific aspects of the new regulation that require your attention. As always we aim to cut through the jargon and present the important details in plain English, where possible highlighting examples of best practice to help put things in context. All our resources are listed here – this page will be frequently updated with new articles and reports so make sure to check back in future. Econsultancy offers comprehensive online GDPR training, as well as a one-day face-to-face GDPR training course designed to bring marketers up-to-speed.

Keywords: [“GDPR”,”marketers”,”new”]

Prepare for GDPR Compliance

GDPR establishes the many measures organizations must take to protect personal data belonging to residents of the EU. These measures include: understanding what personal data an organization handles and where this data resides; performing risk assessments to gauge an organization’s exposure to accidental or unlawful loss of this data; implementing various technical and organizational controls to protect personal data; and appointing a chief data protection officer charged with overseeing GDPR compliance. GDPR applies to any organization that handles or processes personal data belonging to EU residents. It establishes strict breach disclosure requirements, and when enforcement begins on May 25, 2018, will impose stiff fines for non-compliance. 

Keywords: [“data”,”personal”,”organization”]

GDPR News Center News for 08-20-2018

GDPR documents list

Mark Lee FCA is a strategic adviser to sole practitioner accountants who want more success but don’t like the pushy and salesy advice they get elsewhere. He does not claim to be an expert on GDPR but he has produced a list of the key documents we will all need to prepare to evidence that we are taking the law seriously – even if we are simply sole practitioners with no staff and no marketing email lists. The list is taken from a practical guide that Mark was commissioned to produce for ICPA. That guide is also now available free of charge to Mark’s contacts too. If you want a copy of the list and the practical guide simply complete the form below. 

This will also opt you into allowing Mark to email you occasionally and to receiving Mark’s weekly email containing tips, tricks and advice for accountants in practice. You can opt out of these by un-ticking the boxes below. NB: This approach is currently permissible but will be outlawed by GDPR as of 25 May 2018. After that date you will need to specifically opt-in to receive such further emails. This is just one of the many changes being introduced by GDPR.

Keywords: [“Mark”,”email”,”list”]

GDPR For Governors

The Essential Guide to GDPR for School Governors is here for you. If you attended the training event at Walsall College on 15th February 2018, then you will have been given an overview of the GDPR regulations and the next steps. As promised, I enclose below the information and documents referred to in the session. As the process develops we will keep you informed of changes and additional things which emerge between now and the end of May 2018. This should be given to all Governors, so that they understand the concept and the broad issues. 

A More detailed overview of GDPR. For those who love the detail and for your GDPR Governor link. Make sure that you go through this with the member of staff designated to be the person responsible for GDPR. https://docs. This has been checked and approved by lawyers, and is passed to you on that basis. 

Be sure that it’s not just a cut and paste exercise and that you make sure that you embed and check the processes that are described here, so that they can be seen working. Remember that this is legislation that you need to comply with and not some paper exercise.

Keywords: [“GDPR”,”sure”,”Governor”]

GDPR Resource Center

SolarWinds® MSP has made data security central to its business since its inception. Risk Intelligence can scan any network and help to assess the personally identifiable information located throughout the network. This can be particularly helpful for data-mapping exercises and prioritizing your security efforts. With the threat of ransomware and cyberattacks, businesses can’t afford to lose individuals’ data. SolarWinds® Backup is designed to provide fast backup, rapid recovery, and secure storage, all via a hybrid cloud architecture. 

Mail Assure™ provides strong email security and encryption to help you manage this channel. It includes an email archive, so you always have access to customers’ emails in the event you need to answer a request. SolarWinds RMM gives you the tools you need to run your IT operation in a single web-based dashboard. It includes integrated risk intelligence, like antivirus, web protection and content filtering, mail protection, user permission controls, logs, and hybrid cloud backup and recovery. We have remote monitoring and management available both via SaaS or on-premises delivery. 

Keywords: [“SolarWinds”,”security”,”email”]

General Data Protection Regulation

The changes that GDPR will bring will replace the Data Protection Act 1998 as the primary piece of legislation on data protection, and the UK government has confirmed that the decision to leave the EU will not affect the commencement of these changes. The UK Data Protection Bill will update and modernise data protection law in the UK in line with the GDPR. With stronger emphasis on accountability, transparency and with the issue of fines and charities’ reputations on the line, it is essential that GDPR is on the agenda and that senior managers as well are aware of their responsibilities as data controllers. Data protection covers everyone about whom you keep personal data. The law requires organisations to comply with eight principles for data protection. 

Every organisation should have a written policy and procedure that is specific to their own context about how they handle personal data and enact the privacy principles. Online Learning offer: NICVA has partnered with Legal-Island to offer its member organisations cost-effective online training on the General Data Protection Regulation. 

Keywords: [“Data”,”Protection”,”organisation”]

Willows Consulting Ireland

The data controller is ultimately responsible for the protection of personal data they store. GDPR covers all and only personal data held in your organisation and with your 3rd party data processors. There are instances where Data Controllers can be held personally responsible for data breaches. Personal information being passed or coming into the possession of an unauthorised data processor or subprocessor. Passing of personal data into a non GDPR compliant country.

Passing of personal data to a third party without the knowledge of the data subject. Do not create more personal data while performing the request. Withdrawal of permission to process personal data after an ecommerce transaction. Flag the data in your databases as not to be used in marketing reports or data mining. Notify the Subject that you have received their request and flagged their data to be excluded from further data processing. 

Request for personal data in a portable transferable format. Depending on the scale and type of breach the Data Commissioners office may stop you from processing data until they investigate the breach further. 

Keywords: [“data”,”personal”,”information”]

GDPR News Center News for 08-18-2018

Data Protection & GDPR

The EU’s GDPR represents a comprehensive reform of existing data protection laws. It requires a significant change in the way organizations manage personal data in today’s digital operating environment. GDPR encompasses data management and security, including new concepts – transparency and accountability – and a key requirement to notify data breaches. Non-compliance could lead to fines of 4% of an organization’s worldwide turnover or 20 million euro – whichever is higher. Be ready to demonstrate you take appropriate practices to protect personal data. 

A consistent GDPR roadmap with operational outcomes. Drawing on global experience across diverse industries. We also work with Data Protection Officers to set out the roles, organization, and IT requirements for protecting data assets and meeting GDPR requirements. With end-to-end data protection capabilities, Capgemini has a deep understanding of the GDPR, its associated business issues, and relevant technology solutions. We help CIO, CISO, DPO, CDO and DMO from all around the world meet GDPR requirements while building digital trust with automated solutions. 

Discover how we tailor our GDPR portfolio to the current GDPR readiness of individual clients. 

Keywords: [“data”,”GDPR”,”requirement”]

General Data Protection Regulation

The GDPR aims to strengthen and unify data protection for people within the European Union. It attempts to strike a balance between the rights of the individual and the ability of companies to differentiate their services and products by having access to quality information. The GDPR lays the foundation for determining what companies need to consider with regard to personal data and how they can demonstrate compliance. A key focus of GDPR is data privacy rights bestowed to an individual. Figure 1: Rights to the Individual under GDPR.

In addition, GDPR focus areas include global applicability, enhanced responsibilities for data controllers and data processors, privacy by design, transparency, breach notification, and a penalty of 4% of annual worldwide turnover for non-compliance. With very little time remaining for General Data Protection Regulation to become effective, organizations need to know what has to be done to achieve compliance and also evaluate how they will address the technology and process challenges. With this webinar, we also explore the impact of GDPR on blockchain systems, as well as the scope of using a blockchain to implement GDPR solutions. 

Keywords: [“GDPR”,”data”,”compliance”]

GDPR could wipe 2% from Google’s revenues, according to Deutsche Bank

The European Union’s new General Data Protection Regulation could wipe 2 percentage points from the revenues of Alphabet, Google’s corporate parent, according to Deutsche Bank analyst Lloyd Walmsley and his team. GDPR comes into effect on May 25, 2018, and requires any company that does business in the EU to protect the privacy of consumers’ data, restrict what kinds of data companies can collect, and make data collection law across the continent simpler. The Deutsche Bank team regard the regulatory climate as somewhat threatening to Google, given recent negative rulings from the European Commission around Google’s alleged monopoly status in terms of online shopping, search and the bundling of Google apps on Android phones. When GDPR comes into effect, companies will be required to treat consumers with a high level of privacy by default, and get consent for further data transfers. Deutsche Bank estimates that about 33% of Google’s revenues come from Europe, and within that population, 30% of users might opt out of data sharing. 69 at the time of writing, having risen from $796 a year earlier. 

Google reported $28 billion in revenues for Q3 2017.

Keywords: [“Google”,”Data”,”company”]

EU General Data Protection Regulation

With fines up to four percent of annual revenue for a data breach possible through the GDPR – now is the time to re-think your privacy, security, and data governance strategy. AvePoint, in partnership with the Centre for Information Policy Leadership, a global privacy and cyber security think tank, surveys organizations around the world for GDPR readiness. Find out how your organization measures against the results. The broad terms of the GDPR mean that any company with a website offering goods or services to citizens of the EU may be subject to the regulation. This marks a significant change to the previous law, which most courts generally agree only maintains jurisdiction over companies with an established business in a particular state. 

The Operational Impact of the European Union General Data Protection Regulation on IT. Get a closer look at the impact the GDPR has on how your data is managed to understand how to disclose data privacy and protection practices, provide transparency, choice, and consent to your customers. Learn where to implement safeguards and controls around the collection, storage, protection, and sharing of personal data. 

Keywords: [“data”,”GDPR”,”Protection”]


Store personal data exclusively in GDPR compliant systems such as Pitchero. Where necessary, have processes in place to gain consent for the data you hold (see the consent form contained within our GDPR Toolkit). Decide on appropriate retention policies for each type of data stored. Put in place appropriate organisational and technical measures to protect personal data. Where required, record your data processing activities and appoint a data protection officer.

Undertake data protection impact assessments where necessary. Provide tools to help access data needed for subject requests. Clearly display who has access to data and provide tools to add or remove access where appropriate. Data security: Pitchero is committed to the secure storage of all user data, whether that be personal information or data important to your organisation. The Pitchero production system runs exclusively in Amazon Web Services data centres.

AWS Cloud Security information. Where data is moved or stored outside of the EU, providers are vetted for compliance with the EU-US Privacy Shield. This prevents the interception of data between your browser and the Pitchero system.

Keywords: [“Data”,”information”,”GDPR”]

GDPR News Center News for 07-29-2018

GDPR & SAP BI Compliance

By clarifying regulations around data privacy, the regulation also aims to simplify compliance for businesses. Of course, one might be forgiven for believing the opposite, because the introduction of any new data privacy regime has complications and pitfalls for all business entities. The GDPR gives data subjects the right to seek compensation for distress caused by the mishandling of private information, which may vastly increase the cost of data breaches beyond the statutory penalties. The objective seems to be to make data privacy difficult, if not impossible, to ignore. Privacy is the price we pay for doing business with EU data subjects. 

Data privacy should be regarded as a best practice in your business processes, rather than as an inconvenience. One way to reduce information security risk is to limit the data subject information you gather to what is specifically necessary to your dealings with the data subjects. In general, private information should be anonymized and encrypted at every opportunity, and you should note that the GDPR applies not just to information that is clearly private, but also to any data that can be traced to identify an individual. In general, data subjects have the right to control the who, where, when, why and how of the ways in which their personal information is collected, processed and retained. Perhaps the most important of the rights of data subjects is the right to understand and determine level of consent. 

You must have clear consent to use the data for the purpose for which it was collected. This right needs to be considered throughout your BI processes from the collection of data, through the creation of BI content, and its distribution for use in decision making. 

Keywords: [“Data”,”information”,”GDPR”]

GDPR Compliance for WordPress and WooCommerce in 2018

I attended WordCamp Manchester and WordCamp Stockholm in the last few months, and they had one thing in common: lots of questions about GDPR. I heard a number of discussions around what WooCommerce site owners needed to do, and if they were ready for GDPR. To help our WooCommerce site owners get ready for the GDPR, we wanted to provide some information about the regulation, along with our GDPR plans at WooCommerce. On 25th May 2018, the GDPR enacted by the EU will come into effect. Stronger rules on data protection from May 2018 mean citizens have more control over their data. 

Tell the user who you are, why you collect the data, for how long, and who receives it. Each of these bullet points is subject to many caveats, exceptions, and degrees of how much you need to do, but they do serve as a good starting point. Each WooCommerce site uses a different set of plugins, has a different flow for shipping, etc. You’ll need to know what you need to do for your specific site. If you sell any products to customers based in the EU, or have EU visitors to your site, you’ll need to make sure your site complies with GDPR. 

Your site can be considered GDPR-compliant, depending on how you’ve set it up. Code in WP has put together a breakdown of how the GDPR affects WordPress sites. It’s also up to you as the site owner to communicate how your customers’ information is being used – it’s more of a communication and process question, rather than something that can be solved with technology. GDPR affects every site that operates in the EU – there are lots of resources to assist you further. We expect that Automattic products and services will be in compliance with GDPR requirements by May 2018. 

Keywords: [“site”,”GDPR”,”Data”]

GDPR Basics: Understanding And Complying With The GDPR

Big data describes both structured and unstructured volumes of data: the data is typically so large that it presents logistical challenges in its management. Volume as the data is large and has many sources, velocity because data streams at a fast speed and variety because big data is presented in many formats. Pseudonymised data takes elements of personal data and replaces them with artificial identifiers. The purpose is to render the data record less identifying and therefore reduce concerns with data sharing. The difference between pseudonymised and anonymised data is that the pseudonym allows tracking back of data to its origins, meaning the subjects could be eventually identified again. 

Does the GDPR apply: If the data necessary to re-identify the individuals is destroyed the GDPR does not apply, if the company retains the data to identify the individuals then the GDPR applies. Anonymised data is data held in a form that does not identify individuals. The GDPR also states that anonymised data is not personal data and thus does not need to comply with the data protection principles set out by the GDPR. Does the GDPR apply: no. Datasets containing personal data can only be published as open data by controllers or processors with the consent of the data subject or on some other legitimate basis. 

GDPR data can only be transferred to a country that is also subject to the GDPR unless that receiving country has been deemed to have equal or better data protection laws in place. The data subjects have the right to access how their data is being used by the data controller. The data is also to be immediately destroyed after having used it, meaning that most grey data will be eliminated.

Keywords: [“Data”,”GDPR”,”open”]

GDPR News Center News for 07-27-2018

GDPR Privacy Policy

The main focus of the General Data Protection Regulation is the protection of personal data and digital privacy. Unify the current data protection privacy laws throughout the EU, and. While the Data Protection Directive only applied to data controllers, the GDPR now applies to data processors as well. Data controllers must now conduct Data Privacy Impact Assessments and add more thorough methods of obtaining consent for collecting data. Data processors will have to start keeping written records, increasing security measures to protect data and notify data controllers of any breaches that occur with the data. 

In some instances you may be required to appoint a Data Protection Officer to oversee your data security strategy and GDPR compliance. Find more information here to help you determine if you need a DPO. The GDPR requires that users are provided with thorough information about how their personal data is processed. The data controller will likely be your business, unless your business operates as a data processor for other companies. A Privacy Notice is a short, concise yet informative notice that lets a user know why you’re collecting data. 

It’s easy to see how a short Privacy Notice at the point of data collection can help users be informed of your data collection practices in a concise, clear and easy-to-understand way. This section covers accessing data, correcting it, deleting it, objecting to it being collected, declining to provide it and other rights users have under the GDPR. Another important part of the GDPR is that businesses cannot retain data beyond a reasonable time. Add Privacy Notices in places where you’re asking for consent to collect data to help users understand what they’re consenting to. 

Keywords: [“Data”,”information”,”GDPR”]

GDPR Regulations and Requirements

The General Data Protection Regulation is legislation aimed at protecting the personal data of European Union citizens. The GDPR applies to any company doing business with EU data subjects. Simply put, if an organization offers goods or services, maintains offices, or operates a website in the EU, the GDPR likely applies. Depending on the severity of the infraction, non-compliance can result in formidable consequences, including fines up to €20m or four percent of your organization’s global annual revenue, whichever is greater. LogRhythm’s GDPR Compliance Module provides you with a consolidated framework to help ensure your organization is compliant.

LogRhythm’s GDPR Compliance Module addresses 16 technology-focused GDPR Articles – making it easier for you to meet and exceed regulations. You’ll realize immediate benefits from pre-built content, including rules and alerts, investigations, and reports. LogRhythm’s Compliance Module is included free of charge for LogRhythm Threat Lifecycle Management platform customers. GeoIP Configurations: Enrich log data with geographic context to help identify when data may be entering your environment from an EU member country and facilitate the application of regulatory requirements. Machine Data Intelligence Fabric: Process and enrich diverse data sources and streams to achieve enterprise-wide visibility and enable effective analytics. 

Risk Based Prioritization: Every event is assigned a risk, threat, and confidence score, ensuring your security team can accurately identify and prioritize true threats. With the LogRhythm GDPR Compliance Module, you’ll be better able to protect your organization’s personal data, ultimately avoiding fines, a damaged reputation, and loss of customer confidence.

Keywords: [“Data”,”GDPR”,”LogRhythm”]

Designed to strengthen data protection and privacy for individuals within the European Union, it will have an impact on all organisations that collect data. GDPR gives EU citizens the right to know the details of any personal data you hold about them and how that data is processed and used. If you hold data about anyone, they can now ask for that data to be passed to another organisation. Some organisations have kept serious data breaches secret for months in order to protect themselves from bad publicity and other unwanted consequences. Under GDPR, any data you hold about an individual must be accurate.

If you hold data about political affiliations, whether that is their membership of a particular party or just a political opinion gathered on a survey, it needs protection under the GDPR. Greater security demands on business. From May, organisations will be required to implement reasonable data protection measures to protect EU citizens’ personal data and privacy by design. GDPR extends beyond the EU. GDPR is designed to protect the data and privacy of EU citizens. 

The UK’s Data Protection Act was passed in 1984, 11 years before the EU got around to issuing its Data Protection Directive in 1995. The size of the fines which can be given to organisations that do not comply with GDPR is an indication of how determined the EU is to tackle issues with data protection and data privacy. The issue of transferring data to countries or organisations with less adequate data protection should be a major concern for any company that has a website. Private data is secured using mod security rules and fool-proof physical, electronic and managerial procedures, and we back up shared servers to avoid data loss in case of disasters.

Keywords: [“data”,”GDPR”,”organisation”]

GDPR News Center News for 07-26-2018


As of May 25, 2018, registrant information (name, organization, address, phone number, and email) will be considered personal data that can no longer be published in the public Whois. While the audience for registrant data may no longer be the entire public, it will still be sizable. The service also provides a way for third parties to contact the domain owner via the privacy service email address displayed in the Whois output, an option that will not be provided as a part of GDPR data protection. The personal data associated with a domain that is protected by Whois privacy will not be shared with registries. Here we will disclose all the uses of personal data that are required by contract in order for us to provide the requested domain service.

At this time, we will also request consent from the data subject for those data uses where our legal basis is their consent. Request consent for any data elements that are not required by contract. Certain registries require additional information in order to complete domain registrations, and in these cases, we will include in our contract a point about processing those additional pieces of registrant data. We give the option of processing any piece of personal data that isn’t essential or necessary to provide the service. For most domain registrations, we don’t require the registrant to provide their phone number, but by collecting this piece of data we are able to provide a backup verification method.

The data is required by a third party, with whom we do not yet have a GDPR-compliant contract. If we don’t have a GDPR-compliant contract with this particular registry, we would have to request consent from the data subject to process and share this extra piece of personal data before completing the registration. 

Keywords: [“data”,”Whois”,”domain”]


GDPR is one of the most prominent regulatory changes coming up in 2018. Companies that breach the GDPR legislation will receive a fine of €20 million or 4% of annual turnover, whichever is higher. Businesses and other organisations will be required by law to prove their employees have received communication about the GDPR and that they understand what it means for them and the organisation they work for. As a function, we also need to be aware of the information we hold on our employees and ensure that we are complying with the new legislation too. Here are some key things to consider when preparing for the GDPR:

Find out who is overseeing the GDPR programme/process in your organisation and ask to join the project team, if you’re not already part of it. It’s important that internal communication helps to guide the strategy from the outset, as cutting through the noise and ensuring all employees are aware of the changes will be a legal requirement. Start communicating regularly with your employees now to help them understand what the legislation means and what they are required to do around recognising and protecting information. The GDPR may affect how you manage internal communication. Remember, this information might be stored locally on paper; GDPR is not only about digital records.

Internal communication needs to understand the impact those changes might have on employees and share appropriate, targeted communication about policy changes, training on the new legislation etc. Now is the time to understand how they are being used and ensure employees understand how these channels are impacted by the GDPR and what their responsibility is to keep information secure. We strongly recommend that internal communicators start preparing for GDPR now.

Keywords: [“GDPR”,”employees”,”information”]

GDPR Support

GDPR compliance is a worry for many businesses based in the EU. This free extension supports Cookie Compliance and Customer Data Anonymisation. The ZERO-1 GDPR Support module for Magento 1 adds some key features to help you meet the requirements set out in the new General Data Protection Regulation legislation, which comes into effect throughout the EU on 25 May 2018. Key requirements under the new legislation include the removal of customer data on request. Magento Core code does not currently facilitate this, so all sites without this extension will not be adhering to legal requirements, given Magento can store customer cart data and customer order data for failed orders.

Neither of these should be retained by Magento under the new laws. The ‘Express Consent’ law also requires that you stop ALL non-essential cookies from operating UNTIL express consent has been granted. Features: Cookie Notification Popup requesting ‘express consent’ from your website visitors upon entering your website. Delete Customer & Anonymise Data from Admin or Front-end – Although legally a business is permitted to retain customer information if the customer has purchased from you, Magento does have functionality to record sales data even if the order has not technically resulted in a completed sale. This extension allows you to fully anonymise customer data from Customer, Sales, Quotes tables so that you can feel assured that you have met your GDPR obligations.

ZERO-1 have also partnered up with a law firm specialising in supporting the other requirements which must be met. These include onsite documentation such as Privacy, Terms & Conditions and Cookie Policy. This extension requires a basic understanding of Google Tag Manager. 

Keywords: [“Customer”,”Data”,”Magento”]

GDPR News Center News for 06-25-2018

Personal information under GDPR: What it is

We hear of personal data, personally identifiable information, PII, and sensitive personal data. All PII is personal data but not all personal data is PII. Personal data in the context of GDPR covers a broader range of information. To comply with GDPR you need to look at the broader context of what personal data is and that includes PII as well as other forms of personal data. With reference to the GDPR meaning of personal information, it also determines the type and amount of data that you can collect, process, and store. 

Under the DPD, the definition is a little vague as to whether data such as IP addresses, cookies, and device IDs are classified as personal data. Under the GDPR, this data is classified as personal. It is defined in the GDPR under Personal Data and Unique Identifiers. ‘Personal data’ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Encryption does not convert personal data to non-personal data. Genetic and biometric data categories under the GDPR are classified as sensitive personal data.

Linked personal data examples: Full name; Date of birth; Residential Address; Telephone number; Email Address; Passport number; Identification number; Drivers Licence number; Social security number; Banking/card numbers

Linkable personal types: First name only; Last name only; A portion of the address; Age Category not specific; Place of work; Position at work; IP address; Device ID

Sensitive: Biometric data; Racial data; Health data; Ethnic origin; Political opinions; Religious or philosophical belief; Trade union details; Genetic data; Sexual preference

Privacy regulations, not only GDPR, are hitting home hard. You just need to remember that personal data under the GDPR covers much more information than it did under the DPD and incorporates more than the American definition of PII. You need to address the broader context – all the data categories and their specific requirements for type, storage, collection, and processing.

Keywords: [“Data”,”personal”,”information”]

How Microsoft tools and partners support GDPR compliance – Microsoft Secure

As an Executive Security Advisor for enterprises in Europe and the Middle East, I regularly engage with Chief Information Security Officers, Chief Information Officers and Data Protection Officers to discuss their thoughts and concerns regarding the General Data Protection Regulation, or GDPR. In my last post about GDPR, I focused on how GDPR is driving the agenda of CISOs. This is based on how Microsoft technology can support requirements about collection, storage, and usage of personal data; it is necessary to first identify the personal data currently held. Office 365 includes powerful tools to identify personal data across Exchange Online, SharePoint Online, OneDrive for Business, and Skype for Business environments. Windows 10 and Windows Server 2016 have tools to locate personal data, including PowerShell, which can find data housed in local and connected storage, as well as search for files and items by file name, properties, and full-text contents for some common file and data types. 

The tool provides an in-depth analysis of an organization’s readiness and offers actionable guidance on how to prepare for compliance, including how Microsoft products and features can help simplify the journey. The Microsoft GDPR Detailed Assessment is intended to be used by Microsoft partners who are assisting customers to assess where they are on their journey to GDPR readiness. In a nutshell, the GDPR Detailed Assessment is a three-step process where Microsoft partners engage with customers to assess their overall GDPR maturity. The Microsoft GDPR Detailed Assessment is intended for use by Microsoft partners to assess their customers’ overall GDPR maturity. Customers are responsible to ensure their own GDPR compliance and are advised to consult their legal and compliance teams for guidance. 

This tool is intended to highlight resources that can be used by partners to support a customer’s journey towards GDPR compliance. To address these challenges, Microsoft announced a new compliance solution to help organizations meet data protection and regulatory standards more easily when using Microsoft cloud services – Compliance Manager. Image 7 shows a dashboard summary illustrating a compliance posture against the data protection regulatory requirements that matter when using Microsoft cloud services. 

Keywords: [“Data”,”Microsoft”,”GDPR”]

An Introduction to GDPR and Elasticsearch, the Elastic Stack

Replacing the previous 1995 EU Data Protection Directive, GDPR was developed in recognition of the increasing need to protect the rights and personal data of each individual EU resident. GDPR is becoming increasingly recognized as regulation that will be leveraged to stem the increasing number of damaging data breaches reported across a variety of sectors. While previously compliant organizations may find many similarities to the earlier Directive, GDPR brings in some significant changes to the way personal data can be handled, rules on how breaches must be reported, and hefty penalties for non-compliance. EU and Non-EU establishments may be affected by GDPR depending on their business models, geographical reach, and the subjects from which they control or process data. GDPR defines roles or personas in terms of Data Subjects, Data Controllers, Data Processors, Sub-processors, and Authorities. 

Data Subject: Persons in the EU. Data Controller: Controls purpose and means of processing. Direct responsibility to data subject and data protection authority. GDPR seeks to build on some of the key pillars of the current Data Protection Directive by significantly enhancing the rules around the processing and storage of personal data. The rules for handling data breaches within the GDPR framework are clear: organizations must inform their local data protection authority of a breach within 72 hours of detection. 

Transfers of Personal Data out of the EU to a country that is not deemed to provide an adequate level of protection are only permitted if the controller or processor provides appropriate safeguards as described in the GDPR. These safeguards may include standard data protection clauses adopted by the European Commission, binding corporate rules, or an approved self-certification program such as the EU-US Privacy Shield. The simplified model below summarizes the decision process a GDPR Affected organization may consider when determining how it treats Personal Data. In future posts in this series, we’ll cover additional GDPR-related topics such as data onboarding, GDPR pseudonymization, and access controls for GDPR. For additional reading now, please check out our new white paper, GDPR Compliance and the Elastic Stack, or get in touch with an Elastic expert.

Keywords: [“data”,”GDPR”,”personal”]

GDPR News Center News for 05-29-2018

GDPR Compliance – The steps that I take to prepare

Commentary: GDPR: Will It Transform U.S. Corporate Titans?

GDPR will codify data protection rules for all companies that collect data from EU citizens while greatly expanding individuals’ control over how and when their personal data is collected and used. If even a single EU citizen visits the website of a company based anywhere in the world and data is collected on that individual, that company must comply with GDPR or risk severe penalization. Under the new rules, these companies will need to be much more specific about how they will use data and get permission for these specific uses. In the U.S. especially, where many companies are built on their ability to capture, sell, or leverage data to target individuals, the new regulations (which grant individuals the right to have their information deleted from databases under various circumstances) will force businesses of all sizes and kinds to dramatically rethink their data practices.

With member nations ramping up their enforcement capabilities as we speak, it is becoming clear that all companies, not just the industry giants, could be targeted. Facing a new regulatory minefield, U.S.-based companies have a narrow window of time to assess their capabilities and vulnerabilities and address areas of concern. Companies will no longer be able to rely on the fine print and must have privacy policies that are clear and consumer-friendly. EU citizens will now have the right to know what information a company has gathered on them. GDPR extends this right much further, requiring companies to delete even non-publicly shared data under a variety of circumstances. 

If the user asks to be forgotten and then a month later gets an email solicitation from that company, they can file a complaint. Because there is no history to study, all companies must start from square one. Many companies are waiting for the first shoe to drop in order to react. 

Keywords: [“company”,”Data”,”GDPR”]

How Europe’s GDPR Will Mean Your Data Belongs to You: QuickTake

The European Union is introducing tougher rules for how data collectors gather and use its citizens’ information, and lets consumers control their own data. Starting May 25, all 28 EU nations will be applying the General Data Protection Regulation, which sets new standards for any holder of sensitive data, from Amazon to your local government council. These rules will apply to any company that collects the personal data of EU residents. Consumers will have the right to retrieve their data and give it to another business. If a firm is smaller than 250 but is collecting large quantities of sensitive data, it will also need a DPO. 

If there’s a data breach, electronic data collectors will have to notify authorities within 72 hours and will have to alert customers in a timely manner if the breach poses a risk to them. So situations like Uber’s attempts to cover up its 2016 data hack, or the slow release of information on Yahoo’s massive breach in 2013, will now be punishable with huge fines. In cases of negligence or violating the conditions of consent and infringing on data subject rights, the fines can go as high as $24.8 million, or 4 percent of annual worldwide revenue, whichever is higher. They’ll have free access to the data that’s been collected on them and more information on how it’s being used. Data will be destroyed when it is no longer needed for the original task.

To request access to their data, consumers will contact the data controller or controllers, whose contact info must be provided to consumers whenever information is collected. Because consumers will own their data, eventually they may be able to trade things like gift certificates from Zara in exchange for their shopping histories with J. Crew. They’ll need to make sure that the data they’ve collected adheres to new protocols.

Keywords: [“data”,”collect”,”information”]

A flaw-by-flaw guide to Facebook’s new GDPR privacy changes – TechCrunch

The new privacy change and terms of service consent flow will appear starting this week to European users, though they’ll be able to dismiss it for now – although the May 25th GDPR compliance deadline Facebook vowed to uphold in Europe is looming. Facebook says it will roll out the changes and consent flow globally over the coming weeks and months with some slight regional differences. Facebook brought a group of reporters to the new Building 23 at its Menlo Park headquarters to preview the changes today. Feedback was heavily critical as journalists grilled Facebook’s deputy chief privacy officer Rob Sherman. Questions centered around how Facebook makes accepting the updates much easier than reviewing or changing them, but Sherman stuck to talking points about how important it was to give users choice and information. 

Trouble at each step of Facebook’s privacy consent flow. Facebook’s consent flow starts well enough with the screen above offering a solid overview of why it’s making changes for GDPR and what you’ll be reviewing. A major concern that’s arisen in the wake of Zuckerberg’s testimonies is how Facebook uses data collected about you from around the web to target users with ads and optimize its service. Facebook recently rewrote its terms of service and data use policy to be more explicit and easy to read. It didn’t make any significant changes other than noting the policy now applies to its subsidiaries like Instagram and Messenger. 

To keep all users abreast of their privacy settings, Facebook has redesigned its Privacy Shortcuts in a colorful format that sticks out from the rest of the site. Overall, it seems like Facebook is complying with the letter of GDPR law, but with questionable spirit. When asked to clear a higher bar for privacy, Facebook delved into design tricks to keep from losing our data. 

Keywords: [“Facebook”,”users”,”data”]

GDPR News Center News for 05-23-2018

GDPR: 3 Useful WordPress Plugins to Make a Site Compliant

Google Sharply Limits DoubleClick ID Use, Citing GDPR

Google is making it more difficult for advertisers to have an independent view of the data generated from ad buys in its ecosystem. In a note to partners sent Friday and obtained by AdExchanger, Google said it will no longer let buyers use the DoubleClick ID when leveraging its data transfer service. The DoubleClick ID pulls together data from the company’s various ad and consumer-facing products around a unique user ID associated with the DoubleClick cookie. As of May 25th, the same day the EU’s GDPR goes into effect, the DoubleClick ID will no longer be available for data transfers on YouTube impressions and those recorded by the DCM ad server and the DoubleClick Bid Manager DSP. Those IDs also won’t be available for DBM first in the EU, and eventually globally.

Google will also remove encrypted cookie IDs, IP addresses and user list names from data transfer for all bids in Google Ad Exchange. For buyers, stripping out the DoubleClick ID cuts off visibility to user activity within the DoubleClick ecosystem. The change will limit advertisers’ ability to measure the reach and frequency of Google campaigns against other platforms by limiting any measurement using the DoubleClick ID to Google’s own Ads Data Hub. In its note to advertisers, Google stated that the DoubleClick ID, tied to sensitive information like user search histories, could violate the strict data privacy requirements of GDPR. But for marketers, the changes make common analyses, like attribution, reach and frequency, difficult or impossible to do, said Ari Paparo, CEO of Beeswax.

Google could be banking on the fact that the long tail of advertisers will buy into its entire stack and use the DoubleClick ID as the default understanding of their audience, Heimlich said. This isn’t the first time Google has tried to get marketers on Ads Data Hub – and deeper inside the walls of its ecosystem – this month. A few weeks ago, Google suspended third-party ad serving in the EU on YouTube citing concerns over GDPR compliance. Google also said this month that a plan announced in January to discontinue third-party pixel tracking on YouTube will come into effect under GDPR. Update: This story has been updated to reflect that the DoubleClick ID is not associated with PII like names and addresses but the DoubleClick cookie. 

Keywords: [“Google”,”DoubleClick”,”data”]

InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework: Technical specifications for IAB Europe Transparency and Consent Framework that will help the digital advertising industry interpret and comply with EU rules on data protection and

Hosted in this repository are the technical specifications for IAB Europe Transparency and Consent Framework that will help the digital advertising industry interpret and comply with EU rules on data protection and privacy – notably the General Data Protection Regulation that comes into effect on May 25, 2018. In November 2017, IAB Europe and a cross-section of the publishing and advertising industry, announced a new Transparency & Consent Framework to help publishers, advertisers and technology companies comply with key elements of GDPR. The Framework will give the publishing and advertising industries a common language with which to communicate consumer consent for the delivery of relevant online advertising and content. IAB Tech Lab is charged with the technical governance of these specifications. Consent string and vendor list formats v1.1 Final. 

The IAB Technology Laboratory is a non-profit research and development consortium that produces and provides standards, software, and services to drive growth of an effective and sustainable global digital media ecosystem. Comprised of digital publishers and ad technology firms, as well as marketers, agencies, and other companies with interests in the interactive marketing arena, IAB Tech Lab aims to enable brand and media growth via a transparent, safe, effective supply chain, simpler and more consistent measurement, and better advertising experiences for consumers, with a focus on mobile and TV/digital video channel enablement. The IAB Tech Lab portfolio includes the DigiTrust real-time standardized identity service designed to improve the digital experience for consumers, publishers, advertisers, and third-party platforms. Established in 2014, the IAB Tech Lab is headquartered in New York City with an office in San Francisco and representation in Seattle and London. IAB Europe is the voice of digital business and the leading European-level industry association for the interactive advertising ecosystem. 

GDPR Technical Working Group members provide contributions to this repository. Participants in the GDPR Technical Working group must be members of IAB Tech Lab. Technical Governance for the project is provided by the IAB Tech Lab GDPR Commit Group. 

Keywords: [“IAB”,”advertising”,”Tech”]

GDPR and the End of the Internet’s Grand Bargain

In May the European Union’s General Data Protection Regulation goes into effect, two years after passage by the European Parliament. Data collectors can be held responsible for violations by third-party users. Though the new law was intended to unify and simplify European data practices, the minimum cost of compliance for anyone doing business with any EU resident is estimated by one survey at $1 million just for changes to IT systems, not to mention the costs of a newly designated data protection officer. While European data may still be legally stored outside of the EU, for example, it’s much easier to comply with GDPR if data remains within the borders – a boon to a fledgling European cloud services industry. Internet companies have had over a decade to integrate basic data collection and use safeguards into their operations, including limiting the data they collect and adopting international information security standards.

Until now, a fast-spreading epidemic of data misuse incidents has been largely overlooked by lawmakers, including breaches and data misuse at Yahoo, Facebook, Target, Equifax, and Under Armour. That’s bad news, and not just for companies increasingly reliant for revenue on data collection, analysis and intelligence. While GDPR is certain to improve choice, control, and transparency for EU consumers, these new powers come with new responsibilities and new costs for users, not least of which are ballooning budgets for government data management and enforcement bureaucracies worldwide. Governments are hardly the experts on data security. There have been even bigger breaches of sensitive data controlled by U.S. and EU governments themselves.

Social media providers, and e-commerce platforms, along with user forums, news sites, and emerging internet-of-things service providers large and small, may rationally conclude that the new costs and potential penalties associated with collecting, analyzing, and marketing user-provided information have become unsustainable, requiring a new business model altogether. If the grand bargain unravels, entrepreneurs will no doubt innovate new ways to make money and continue developing disruptive products and services.

Keywords: [“Data”,”new”,”information”]