21 August 2017
The GDPR goes into effect on 25 May 2018 and will affect every organization, anywhere in the world, that collects, processes or retains personal data (broadly, what US practitioners call personally identifiable information, or PII) of individuals in the European Union. Recent news on GDPR:
Global Trade: GDPR – What’s Going On And Why Should I Care?
GDPR has been under draft by the European Commission since 2011 and organizations are required to be compliant when it goes live on May 25, 2018. With over 3,000 amendments since the first draft it is officially the most heavily lobbied piece of legislation ever, and the completed regulation is over 200 pages long.
Infosecurity Magazine: Preparing for GDPR: Pay Attention to Third Party Services
A June 2017 poll by Spiceworks found that only 9% of US firms were even aware of what the GDPR was all about, and how it will affect their company. Even those firms that are fully prepared are unlikely to be ready to meet perhaps the biggest GDPR challenge: how to ensure that the firms they partner with follow the rules, lest they suffer the consequences the regulations impose.
Compliance Briefing: London - 6 step guide to GDPR compliance
All businesses, whatever their size, must be GDPR compliant. This guide’s aim is to cut through the noise and provide a basic framework on which to build your GDPR compliance strategy. “Of course, this is only a basic guide and readers will be able to learn far more on how to action the plan by attending our full conference at County Hall, London on 12th October.”
GDPR compliance covers a whole bunch of things that can only be achieved through compliant behaviour and processes. So, while it's a good thing that Microsoft has made Windows 10 more secure, it's not quite as simple as Microsoft makes out.
“Today’s attackers have the advantage as cybercrime is a thriving economy and attacks are focused on infiltrating the network and stealing important company information,” said Ananda Rajagopal, vice president of products at Gigamon. “More worrisome is how this will impact U.K. organisations’ ability to comply with GDPR requirements.”
Computer Weekly: Overcoming the GDPR indifference problem
Information technology customers have become hardened to “scaremonger marketing”, going back at least to the millennial bug (Y2K). In this case, the real problem is that many board members do not understand why security is so important today and that GDPR has teeth – and will bite. Unfortunately, hoping this will all go away, if ignored for long enough, is not going to work.
While the General Data Protection Regulation (GDPR) has enjoyed fairly thorough coverage, the closely connected ePrivacy Regulation (ePR) has, by contrast, remained in relative obscurity. While the GDPR regulates the processing and sharing of personal information (PI), the ePR addresses the rules organisations must follow when sending electronic direct marketing (EDM), and using tracking technologies such as cookies.
GDPR and MiFID II both come into effect in 2018. At the heart of the two regulations there appears to be an ideological conflict that may pose particular problems for financial institutions, with MiFID II striving to create greater transparency in the markets on one hand and GDPR boosting the privacy rights of EU residents on the other.
The data audit, conducted by W8 data, found that only 25% of existing customer data meets GDPR requirements. These include consent requirements where, from next May, permissions must be "opt-in", with a clear affirmative action required. Failure to opt out will no longer constitute sufficient consent. Additionally, consent must be granular, with separate options being provided to customers.
In the shadow of the massive disruption that is coming in just 10 months with the EU’s GDPR and ePrivacy regulations, the recent child privacy class-action lawsuits filed against Disney, Viacom/Nickelodeon and Kiloo, as well as their 3rd-party data processors, should be a call to action to all game publishers to start paying attention to privacy compliance.
As Brian Vecci, Technology Evangelist for Varonis says, “Most companies aren’t prepared at all. You’ve got companies sitting in the mid-west of the United States, that because someone from the EU signed up for their newsletter, are suddenly subject to one of the most onerous privacy regulations ever. If you have PII from one of the 28 member states, then it impacts your organization.”
CSO Online: Hacking the GDPR
GDPR is all about the data. How you collect it, how you process it, and how you handle access management. The GDPR recognizes de-identification of data as a good way to help minimize data leakage, and in doing so, applies exemptions to de-identified data. Techniques for this, and therefore reducing the overhead of GDPR compliance, include anonymization and pseudonymization.
Finding and deleting PII data that is not compliant, or because of a request from a data subject to be forgotten, is a lot harder and more costly than most people assume. Databases typically have not been built in a way that offers a comprehensive, clear view of the data they hold. And there is a question of whether the data needs to be “shredded” in a manner that prevents recovery, even after it is deleted.
Bankinfosecurity.com: GDPR and Vendor Risk Management
In this recorded interview about GDPR compliance, Elizabeth Fischer, General Counsel at BitSight, discusses why organizations remain unprepared for GDPR; what is most misunderstood about vendor risk management; and the value of vendor cybersecurity ratings and continuous monitoring. “Contracts alone will not satisfy compliance”.
Cybersecurity experts are heavily criticizing the UK version of the forthcoming EU General Data Protection Regulation (GDPR), concerned that specifications within the British legislation could criminalize security research aimed at improving digital privacy for British consumers. The clause in question states it will be a criminal offence to “intentionally or recklessly re-identify individuals from anonymised or pseudonymised data”, which researchers must do to uncover vulnerabilities in current systems.
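The CSO Online excerpt above treats anonymization and pseudonymization as ways to reduce GDPR overhead, and the UK clause just quoted criminalizes re-identifying people from pseudonymised data. The following is an added example, not code from either article or from any product mentioned on this page, that shows what separates a real pseudonym from a hash that merely looks like one. Under the GDPR (Article 4(5)) pseudonymisation means the identifier can only be re-linked using additional information kept separately, and Recital 26 makes clear that pseudonymised data is still personal data; only data that can no longer be tied to a person is outside the regulation. The records and the attacker's guess list are constructed for the example; the key is a stand-in for a secret that would live in a separate key store.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample data (fictional addresses, not real people): a newsletter
# export holding a direct identifier plus the fields analytics actually needs.
RECORDS = [
    {"email": "anna@example.org", "country": "DE", "opened": 3},
    {"email": "bob@example.com", "country": "FR", "opened": 0},
    {"email": "Anna@example.org", "country": "DE", "opened": 1},
]

# Constructed guess list an attacker might hold (a leaked or public address list).
CANDIDATES = ["anna@example.org", "carol@example.net", "bob@example.com"]


def naive_token(email: str) -> str:
    """Unkeyed SHA-256 of the identifier. Looks anonymous, but anyone who can
    guess the input can recompute the token, so there is no separately held
    'additional information' and this is not pseudonymisation in the GDPR sense."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored apart from the data set.
    The key is the additional information that must be kept separately."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key=None):
    """Replace the direct identifier with a token and keep the analytic fields.
    Normalising case first keeps one subject mapped to one token."""
    out = []
    for r in records:
        tok = keyed_token(r["email"], key) if key is not None else naive_token(r["email"])
        out.append({"subject": tok, "country": r["country"], "opened": r["opened"]})
    return out


def opens_per_subject(pseudonymized):
    """Per-subject analytics still work on tokens: same subject, same token."""
    totals = Counter()
    for r in pseudonymized:
        totals[r["subject"]] += r["opened"]
    return dict(totals)


def reidentify(pseudonymized, candidates, key=None):
    """Dictionary attack: tokenise each guessed identifier the same way the data
    holder did and look for matches. Without the key the attacker can only try
    the unkeyed construction; with a stolen key the keyed tokens fall too."""
    if key is None:
        lookup = {naive_token(c): c for c in candidates}
    else:
        lookup = {keyed_token(c, key): c for c in candidates}
    return {r["subject"]: lookup[r["subject"]]
            for r in pseudonymized if r["subject"] in lookup}


if __name__ == "__main__":
    naive = pseudonymize(RECORDS)
    print("unkeyed hash, recovered by guessing:", reidentify(naive, CANDIDATES))

    key = secrets.token_bytes(32)  # would live in a separate key store, not beside the data
    keyed = pseudonymize(RECORDS, key)
    print("keyed HMAC, recovered without key:", reidentify(keyed, CANDIDATES))
    print("keyed HMAC, recovered with stolen key:", reidentify(keyed, CANDIDATES, key))
    print("opens per subject:", opens_per_subject(keyed))
```

Two points follow from running it. First, an unkeyed hash of an e-mail address is recovered by a trivial guess list, which is exactly the kind of check the quoted clause would make a criminal offence for a researcher to demonstrate on real data. Second, the keyed version resists guessing only as long as the key is held apart from the records, so a backup that bundles key and data together has undone the pseudonymisation; and even the keyed form is still personal data under Recital 26, since the controller can reverse it.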
welivesecurity.com: Fines of £17m for unprotected UK firms
Imposing fines on companies for failing to be protected could prompt companies to spend more on security; this, of course, would be positive. But it is possible that companies will then try to hide any incident to avoid a fine. The consequences of which mean the security industry fails to learn the techniques used, resulting in an inability to create the protection needed against future attacks.
Rich Vining is a Sr. Product Marketing Manager for Data Protection Solutions at Hitachi Data Systems and has been publishing his thoughts on data storage and data management since the mid-1990s. The contents of this blog are his own.