15 August 2017
The GDPR goes into effect on 25 May 2018 and will affect every organization, anywhere in the world, that collects, processes or retains any personally identifiable information (PII) of European Union citizens. Recent news on GDPR:
More than 100,000 names and driver's license numbers were stolen in a 2014 data breach of Uber's database, operated by Amazon Web Services. The FTC said the company could have made low-cost attempts, like using multi-factor authentication, to prevent the breach. If this happens in 2018, Uber’s fine for GDPR non-compliance could be US$260 million!
This is an excellent primer on GDPR as it applies to both Internet-based and traditional businesses. The author, Rand Morimoto, compares the efforts to prepare for GDPR to those of preparing for Y2K, during which he served as an advisor on Y2K to the U.S. White House.
The German Data Protection Authorities (“DPAs”) released a paper on fines under Art. 83 General Data Protection Regulation (“GDPR”) in July 2017. In it, they argue that the definition of “an undertaking” refers to an organization subject to a non-compliance fine plus any parent and subsidiary organization. Therefore, fines will be determined based on the total turnover of the entire corporate group. Large, multi-national enterprises: be aware!
A draft Data Protection Bill, intended to take the place of GDPR once the UK completes its exit from the European Union, contains only minor deviations from GDPR. In a statement of intent, the government says "intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data" will be an offence. Those who knowingly handle or process such data will also be committing a crime.
Forrester: You Need an Action Plan for GDPR (registration required)
Privacy-by-design will be the biggest challenge to address. Sustained collaboration between teams will be critical, so firms will have to establish new processes to encourage, enforce, and oversee it. For example, security and privacy experts should sit with the marketing team to build the business requirements and development plan for any new app to make sure it complies with the new regulation.
General Data Protection Regulation (GDPR) is a welcome first step in creating an environment fit for the digital age. It gives consumers the ability to manage who has their data and what they do with it. As individuals, we should be delighted by this.
In addition to Cavirin’s broad support for international guidelines, the platform now supports a GDPR-specific module that permits testing of an organization’s technical controls and identifies any weaknesses, in addition to a manual attestation module that applies to people and processes.
Among the 99 articles in the GDPR, Article 17 and its ‘right to be forgotten’ mandate may have the most impact on IT professionals. The concept of tracking down all copies of data and erasing a specific individual’s personal data seems almost impossible. Consider the simple case of personal data in a database. How many copies of that database exist and where are they? How many DBAs have made extra copies for testing and extra protection?
Information Security Buzz: Swedish Data Breach
As we get closer to GDPR coming into force, we are going to see more examples of historical data breaches coming to light. Organisations will be looking to ‘clear the decks’ now for anything that could come back to haunt them financially after the legislation comes into effect.
netimperative: Top mobile marketing tips: Say hello to the savvy consumer
With just 6% of consumers happy to share their personal information, Rimma Perelmuter, CEO of the Mobile Ecosystem Forum (MEF), looks at the impact of trust on businesses serving the mobile audience. 41% said they did not want to share data but felt compelled to do so if they wanted to use the app or service. However, GDPR is a game-changer, placing the consumer at the heart of the data exchange.
The House of Lords EU Home Affairs Sub-Committee ("the Committee") has published a report on the EU Data Protection Package and the impact of Brexit ("the Report"). The Report considers the implications of the UK's exit from the EU for cross-border data transfers, and for UK data protection policy more generally.
International Business Times: EU's GDPR: What Will American Companies Have To Do To Comply?
“For every company that sells to a customer in the EU, you now have to set up a different instance or a different hub where your data can be stored that cannot be accessed or shared outside of the EU,” Monica Eaton-Cardone, the founder and chief operating officer of Chargebacks911, told International Business Times.
CSO Online: GDPR – how to make your DR compliant
The rules for GDPR are as applicable to your DR systems as they are to your production systems, so ensuring they are compliant is critical. Whether you manage your DR in-house or use an external DR provider, there’s a high chance that you’ll need to do things differently.
The new version of EU GDPR Documentation Toolkit is designed to help organisations prepare all the critical documents needed in order to meet and comply with the GDPR requirements. It provides a comprehensive set of customisable document templates developed by legal and GDPR experts, and is designed to save data protection professionals involved in a GDPR compliance project weeks of work.
Information Management: Opinion - How to implement privacy-by-design requirements for GDPR
Article 25 requires the use of appropriate technical and organizational measures that protect the security and privacy of personal data on European citizens. This process is known as “data protection by design”. It starts with evaluating the purposes and functionality of the proposed product, the categories of data that might be collected, and the intended uses, sharing, retention, or disposal of the data. Only a clear and detailed data-flow chart makes it possible to understand the potential effect of that design on the privacy rights of the end-users and other affected parties.
Computer Business Review: GDPR: Should Your Organisation Purchase Cyber Insurance?
With data breaches at a record high and the average cyber-security breach costing upwards of £1.15m, is it about time your business got insurance? It will be imperative for any organization that deals with corporate and customer data to be able to protect itself financially in the event of a breach. The good news is that cyber insurance firms are offering new policies to help organisations protect themselves from the financial implications of a breach.
Diginomica: Wake up America – GDPR is not that far away
The best way to look at GDPR is not as some onerous regulation imposed on hard-working people by a bunch of Brussels bureaucrats, but as part of a natural progression. It’s a signal that this industry has grown up and while it has more growth ahead, some sensible guardrails need putting in place. The trick now is to be ready for May 25, 2018.
Rich Vining is a Sr. Product Marketing Manager for Data Protection Solutions at Hitachi Data Systems and has been publishing his thoughts on data storage and data management since the mid-1990s. The contents of this blog are his own.