GDPR Compliance & Personal Data Protection

Uploaded on 2018-01-08 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law, TECHNOLOGY--Resilience

The General Data Protection Regulation is set to be a fact of life in less than six months, and arguably the biggest challenge facing enterprises across the globe is locating personal data sources and classifying them correctly.

Most organisations will have some degree of legacy data, whether paper or digital, and before taking any technical steps at all it is essential to ensure that this personal data locked in ERP and CRM systems is classified according to risk.

Although the general thrust of GDPR has been widely debated in the media and among security industry peers, much of the coverage to date has focused on the huge penalties for non-compliance, rather than looking at the opportunities of data discovery and process improvements for enterprises of all shapes and sizes. Indeed, a recent study found that 60 percent of EU organisations say they will face serious challenges in being GDPR-compliant, and in fact 40 percent of respondents report that their organisations do not view compliance with GDPR by the deadline as a priority.

Geographical Complications
This is all a matter of fact, rather than conjecture, but business responses to GDPR and its implications have varied considerably in my experience. Anecdotally, not many European and UK organisations have been giving the regulation enforcement date as a high priority as perhaps they could have done. Some will only be kicking off in December 2017, leaving them a mere six months to comply.

US companies are generally speaking not particularly prepared, and the complexity of the legal landscape is going to make it difficult for those who have not thought ahead. 

For example, companies with significant operations such as head offices outside the EU face the issue of adequacy, so will potentially need to construct a lawful mechanism to transfer data. The model contract clause is one such mechanism, another is binding corporate rules, but this mechanism does require prior planning, and approval from the ICO.

Geography and legalities aside, the most important element of a robust GDPR strategy is to evaluate people and processes first, technology is a facilitator to the processes that need to be put in place. 

This initiative is not a tick box compliance approach, and there is no plugin or tool that will simply make it all go away. On the positive side, there is plenty of opportunity to take this watershed moment in personal data management and look at harmonising company data policies, which have often grown up over time with significant overlap.

Data Discovery
Finding the precise location of data defined as ‘personal’ under GDPR from among the thousands of tables and columns (or fields) in complex and customised packaged systems, represents a significant challenge. 
Traditional tools and methods, such as searching for documentation, using templates and reference models or employing external consultants, do not address the challenge in an effective and timely fashion.

Safyr offers an interesting approach, it interfaces with all the most popular ERP and CRM solutions in order to speed up that discovery process. 

Speed and accuracy here are vital for several reasons, obviously ‘bad’ data discovery initially means that risk assessments will be skewed, and even worse it may cause a loss of focus, so that less critical issues are fixed first, rather than the real high risk issues. These issues are the major benefit of using a discovery tool, rather than attempting hand cranked scripted procedures.

Data Protection Impact Assessment
Unstructured data will be a major challenge for many organizations because of the nebulous nature of it and obtaining full information about it. For example, Salesforce, which historically slurps up huge amounts of information that might not be essential for everyday business, but will be highly relevant in a GDPR context.

The result is hidden risk, where in the event of a data breach business could be exposed to far greater penalties than they think if information is not correctly categorised. 

All new systems or updates to data systems should have a complete data protection impact assessment (DPIA), as mandated under article 35, that assess the risk profile, as well as facilitating the scoping of a new system. A DPIA is an excellent programme management technique, and should from now be a matter of course - if it was not before!

Information Asset Register
Another vital element of preparation for and compliance with GDPR is the setting up of an Information Asset register, which is specifically detailed under article 30. The aim is to inventory all the systems, electronic and paper based, that hold personal information. 

Data glossaries and/or data dictionaries support this register, and there are plenty of tools that can help with this, including many content management systems.

Overall, the imminent arrival of GDPR should be seen as a fantastic opportunity to get in-house policies, systems and technologies into shape, as well as demonstrating compliance in time for the deadline. While many enterprises are only just beginning to get started, those with the longest run-up will be those with the fewest unforeseen problems come mid-2018.

Information-Management

For Further GDPR Information please also contact The GDPR Advisory Board

You Might Aslo Read: 

The GDPR Advisory Board Offers Expert Advice:

 

« US Cyber Soldiers Go To The Battlefield
Canada’s Electronic Spies Unleashed »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Seclore

Seclore

Seclore is the most advanced, secure, and automated Enterprise Digital Rights Management (EDRM) solution available.

CloudSigma

CloudSigma

CloudSigma, a pure-cloud IaaS provider offers flexible and innovative cloud hosting solutions for companies of all sizes both in Europe and the US.

Qolcom

Qolcom

Qolcom is a leading UK based integrator of secure wireless network and mobile device management solutions.

MD5

MD5

MD5 is a leading UK provider of Digital Forensic & eDiscovery services to large multi-national corporate businesses, Law Enforcement & Government Agencies, high profile legal firms.

CyberForce Program - US Department of Energy

CyberForce Program - US Department of Energy

The Department of Energy’s (DOE) CyberForce Program is a workforce development program that seeks to inspire and develop the next generation of cyber defenders for the energy sector.

Gilbert + Tobin

Gilbert + Tobin

Gilbert + Tobin is an Australian corporate law firm serving clients throughout Australia, and around the world, on a broad range of legal issues including cyber security.

Build38

Build38

Build38 provides the highest levels of security for mobile applications.

Get Safe Online

Get Safe Online

Get Safe Online is a leading source of unbiased, factual and easy-to-understand information on online safety.

Cyber Science

Cyber Science

Cyber Science is the flagship conference of C-MRiC, focusing on pioneering research and innovation in Cyber Situational Awareness, Social Media, Cyber Security and Cyber Incident Response.

Cytellix

Cytellix

Cytellix is an industry-standards-based, managed cybersecurity service provider, specializing in proactive behavioral analytics and situational awareness of an organization’s cyber posture.

Digital Beachhead

Digital Beachhead

Digital Beachhead has the expertise to provide a range of Cyber Risk Management and other Professional Services with specifically tailored solutions at competitive prices.

Chainlink

Chainlink

Chainlink expands the capability of smart contracts by enabling access to real-world data and systems without sacrificing the security and reliability guarantees inherent to blockchain technology.

1Password

1Password

1Password combines industry-leading security with award-winning design to bring private, secure, and user-friendly password management to everyone.

Mitiga

Mitiga

Mitiga uniquily combines the top cybersecurity minds in Incident Readiness and Response with a cloud-based platform for cloud and hybrid environments.

Quantum eMotion (QeM)

Quantum eMotion (QeM)

Quantum eMotion is a Montreal-based advanced developer leading the way towards a new generation of quantum-safe encryption for the quantum computing age.

Covenant Technologies

Covenant Technologies

Make Covenant Technologies the only choice for your IT and cybersecurity recruitment needs. We deliver quality candidates at the forefront of the cybersecurity and IT industry.