GDPR - Its Complicated.

Uploaded on 2018-01-02 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

One Example Of the Complexity Businesses Have To Face to Become GDPR Compliant is Document Handling. 

An Many firms deploy document management solutions. This can range from Alfresco to DocuWare, SharePoint to IBM Content Manager. They deploy these solutions to provide structured organisation and control of documents; enable search; provide document security, audit, versioning and provide the capability to manage retention.

The one thing they are not easily capable of is identifying and separating personally identifiable information (PII) from everything else in each document. As such, any document that contains PII must be treated in its entirety as sensitive under GDPR.

Access to Documents
GDPR requires control over access and the ability to obtain large volumes of documents must be prevented. Clearly good security policies will implement access restrictions but GDPR necessitates a review of System Administrator, Help-Desk and Support staff access.
We all know of stories where employees boast they still have access to their email years after they leave a company. Processes must be robustly implemented to grant or remove access to PII when staff join, move within or exit the company.

Encryption of Documents
GDPR requires “encryption at rest”. For most document management solutions this is a feature that is easily enabled. However, when documents are “Checked out” and being worked on, the documents are often moved to local storage which is rarely encrypted. To be compliant with GDPR, documents must remain encrypted whether stored in document management, in-transit, stored locally or when backed up for disaster recovery.

Additionally, if you are implementing a new document management solution or upgrading your existing solution, documents copied and used for testing must also be encrypted and any sensitive information viewable only to those with legitimate access. Where possible, documents used for this purpose should be anonymised to avoid accidental breach.

Remote Working
Implementing controls for remote workers to remain compliant with GDPR is complex. Documents could be placed on personal equipment or moved into public Cloud solutions like DropBox, Google Docs, etc. This creates a potential exposure that must be addressed to ensure compliance.

Breach Notification
GDPR requires a firm to notify the ICO within 72 hours of a breach. Data breaches can be very minor, for example, a breach occurs if an employee with legitimate access puts a document into a Dropbox folder. Such a breach must be notified to the ICO and to the data subject. 

If you can prove to the ICO that the document is encrypted, then you are removed from the obligation to report the breach to the data subject. However, you must still report it to the ICO.

The fines under GDPR are proportional to action / in-action. However, they are designed to be punitive. For such a breach as described above it is unlikely you will receive the maximum fine (€20M or 4% of your worldwide turnover, whichever is the greater) but the breach will not come cheap and failure to notify will be very expensive. 

Firms that have followed best practice and made reasonable efforts to be compliant will be seen in a better light than organisations which have ignored the regulation.

Planning for a Breach
Hope for the best but plan for the worst! Sage Advice that you should heed. Identify a DPO (Data Protection Officer) and task your DPO to create and test action plans to mitigate any breaches that do occur, so that a positive dialogue can be started with the ICO at the start of an incident.

Other Processes
So far we have focused on access to document, but GDPR has granted eight rights to EU citizens. All of these rights affect document processing no matter where in the world the data is stored and processed or where the processing company is domiciled. The eight rights granted to EU citizens are:

1. Right to be Informed – Companies must be transparent in the disclosure of what Personally Identifiable Information (PII) is collected and how it is used. This is normally achieved through a Privacy Notice
2. Right to Access – On request you must be able to inform a data subject what information you hold about them and what you are doing with it. This information must be provided free of charge.
3. Right to Rectification –  Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
4. Right to Erasure –  The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
5. Right to Restrict Processing –  Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
6. Right to Data Portability – The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
7. Right to Object – Individuals have the right to object to:

a) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
b) direct marketing (including profiling); and
c) processing for purposes of scientific/historical research and statistics.

8. Rights related to automated decision making and profiling – The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.  You should identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.

Summary
You should treat GDPR as the stimulus to review you existing data handling and document management systems and processes to ensure they are aligned with current industry standards and best practices. Old versions of software, weak access controls and a poor data security culture weakens your position under GDPR and plans for improvement will be mandatory.

GDPR Guys

This Blog is written by Peter Borner of The GDPR Guys – to contact them  Click Here

You Might Also Read: 

The New GDPR Rules Focus On Consumer Protection:

Directors Who Conceal Cyber Attacks Could Face Prison:

GDPR Will Impact Data Management In The USA:

 

« When Terrorists Learn How to Hack
Social Media Is 'Ripping Society Apart' »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

First National Technology Solutions (FNTS)

First National Technology Solutions (FNTS)

First National Technology Solutions is a leading provider of flexible, customized hosted and remote managed services including IT security and compliance.

Athena Dynamics

Athena Dynamics

Athena Dynamics focuses on Cyber Security, especially in Critical Information Infra-structure Protection and Enterprise IT Operation Management products and Services.

Cyber Defense Initiative Conference (CDIC)

Cyber Defense Initiative Conference (CDIC)

Cyber Defense Initiative Conference (CDIC) is one of the most distinguished Cybersecurity, Privacy and Information Security Conference in Thailand and Southeast Asia.

Endian

Endian

Endian’s mission is to provide a secure platform that connects distributed people and things, simplifying the digitalization of businesses.

Fraugster

Fraugster

Fraugster provides the most precise anti-fraud solution for e-commerce businesses.

SOCOTEC Certification International

SOCOTEC Certification International

SOCOTEC Certification International has been providing management systems assessment and accredited ISO certification services to organisations around the world since 1995.

Cysiv

Cysiv

Cysiv SOC-as-a-Service combines all the elements of an advanced, proactive, threat hunting SOC, with a managed security stack for hybrid cloud, network, and endpoint security.

Bolster

Bolster

Bolster (formerly RedMarlin) is an AI-based cyber-security platform designed to detect phishing and fraudulent sites in real-time.

Inetum

Inetum

Inetum (formerly Gfi Informatique) is an agile IT services providing digital services and solutions, and a global group that helps companies and institutions to get the most out of digital flow.

Realsec

Realsec

RealSec is an international company and is a developer of encryption and digital signature systems and Blockchain for the Banking and Methods of Payment sectors, Government and Defense and Multisector

SafeStack Academy

SafeStack Academy

SafeStack Academy is an online cyber security and privacy education platform. Our content is designed by experts to suit small businesses, growing companies, and development teams.

GoodAccess

GoodAccess

GoodAccess is the cybersecurity platform that gives your business the security benefits of zero trust without the complexities so your users can securely access digital resources anytime, anywhere.

Privasee

Privasee

Make GDPR compliance simple with Privasee. Our software makes it easy to protect your data and ensure you’re compliant with the new regulations.

Omantel Innovation Labs

Omantel Innovation Labs

The Omantel Innovation Labs is a platform to enable startups and innovators to develop and commercialize solutions within selected technology verticals including cybersecurity.

View

View

View is the leader in smart building technologies including OT cybersecurity to securely connect buildings to the cloud and manage building networks and OT devices.

Hive Systems

Hive Systems

Hive Systems specialize in tailored solutions that unify risk assessments, IT, security awareness, and cybersecurity operations for businesses of all sizes.