Get Into Gear On GDPR

Uploaded on 2017-12-21 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The introduction of the General Data Protection Regulation (GDPR) in May 2018 represents a watershed moment for data regulation. 

The Data Protection Act of 1998 will be bolstered by the European regulation that is set to reshape how organisations handle personal data with ramifications for every organisation doing business in Europe. This legislation has created a flurry of fear and confusion globally which has been building towards its enforcement date. 

Scenario planning must be front and center when a company’s finances, brand or reputation is at stake; and the GDPR is no different. 

The regulation’s legal obligations will require those businesses in possession of European citizens’ personal data to be honest, open and transparent about their digital practices, more so than ever before, protecting the rights of natural persons. Slowly but surely, organisations are waking up to the challenge, amid concerns around the potential financial implications of what failed compliance would look like.

Worryingly however, the majority of organisations are still a long way off GDPR compliance. According to a recent global survey from Veritas Software, less than two per cent of organisations currently meet the necessary requirements. It’s unlikely however that mere laziness is the cause, but rather inertia over decision-making. 

Simply getting started on the journey towards compliance is undoubtedly one of the biggest obstacles. Both the intricate nature of the regulation and its multiple parts, are likely to be the root causes for the lack of action in many companies. 
Certain measures will generate results faster than others. Our recommendation is to first examine the IT estate to pinpoint those applications most likely to be used to access personal data. A manufacturing organisation on our books has 35,000 employees that regularly use as many as 11,000 distinct software titles, both on premise and in the cloud, a significant amount of software, but no more so than any other organisation of this scale. 

But 11,000 is still a high number of software titles to filter through manually, requiring an understanding of each application, the kind of data that is likely to be accessed, where it is being accessed and by whom. 

Comparing the software inventory with those applications with identifiable potential GDPR risk alone means the organisation can focus on less than 500 applications, as opposed to the original 11,000. A seemingly impossible task now becomes manageable. 

Those who comprise the GDPR team (i.e. data, legal and SAM teams) must still be able to identify which applications are accessing what data; who was using that application, how that data is being stored and where it is located. This work is now only required for the less-than-five percent of applications that are relevant to the GDPR, as opposed to every piece of software owned by the company. 

RoPA Yourself
Those starting now must focus on what can be addressed before the deadline to make themselves a less attractive target to those regulators charged with enforcing the GDPR.  To satisfy regulators and build a plan for achieving compliance in a sensible timeframe, GDPR teams should turn to the Record of Processing Activities (RoPA) (Article 30 of the regulation), which comprises five key obligations. For those consultants launching an ‘emergency’ project for clients, they should be making it crystal clear the RoPA is essential for focus and success.

The inventory of applications is also key when creating the RoPA, enabling the GDPR team to spot and investigate any risks associated with the data. Teams internally and externally can then complete the RoPA and address any major risks head on. 

You can only do your best
The deadline of May 2018 is only the beginning, not the end. Policy makers are already under monumental pressure to smoke out prosecutable cases in the aftermath of the regulation’s implementation. As an organisation, if you cannot complete your GDPR project in time for the deadline, taking firm steps to indicate ‘best efforts’ are vital to make your organization a far less attractive target. 

Evidence that you are investigating the risks and have a continuing plan in place to mitigate them could, and should, be enough. 

Infosecurity Magazine:

You Might Also Read: 

The GDPR Advisory Board Offers Expert Advice:

The New GDPR Rules Focus On Consumer Protection:

What Does The UK’s Data Protection Bill Mean For Business?:
 

« Russian Hackers Steal $10M From Banks
Why Is The Price Of Bitcoin So High? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

NuHarbor Security

NuHarbor Security

NuHarbor is a leading information security consulting and advisory firm specializing in Information Security, Compliance, and Risk Management.

TSUNAMI

TSUNAMI

The TSUNAMi center focuses on software and system security and how trustworthy software can be built from COTS software components.

Fasoo

Fasoo

Fasoo provides data-centric security to protect data within the organizational perimeter and beyond by limiting access to sensitive data according to policies that cover both users and activities.

MKD-CIRT

MKD-CIRT

MKD-CIRT is the national Computer Incident Response Team for Macedonia.

e2e-assure

e2e-assure

e2e Protective Monitoring and Security Operations Centre (SOC) Service is a complete cyber defence service to protect your critical assets from cyber attacks and GDPR breaches.

SecureBrain

SecureBrain

SecureBrain software and services help protect against Japanese-specific cybercrime and global internet security threats such as online fraud, phishing, drive-by downloads and malware attacks.

California Cybersecurity Institute (CCI) - Cal poly

California Cybersecurity Institute (CCI) - Cal poly

The CCI provides a hands-on research and learning environment to explore new cyber technologies and train and test tactics alongside law enforcement and cyberforensics experts.

KLDiscovery

KLDiscovery

KLDiscovery is a global leader in delivering best-in-class eDiscovery, information governance and data recovery solutions.

LEADS

LEADS

LEADS is considered as a leading ICT Solution Provider and an IT partner of choice in Bangladesh.

TeskaLabs

TeskaLabs

TeskaLabs is a software vendor of cybersecurity and data privacy products.

Cybersecurity Coalition

Cybersecurity Coalition

The mission of the Cybersecurity Coalition is to bring together leading companies to help policymakers develop consensus-driven policy solutions to achieve improvements in cybersecurity.

SecondWrite

SecondWrite

SecondWrite’s next-generation malware detection engine delivers a combination of automatic deep code inspection and accurate scoring of zero-day malware.

Cyber Crucible

Cyber Crucible

Cyber Crucible is a cybersecurity Software as a Service company definitively removing the risk of data extortion from customer environments.

Stack Identity

Stack Identity

Stack Identity protects access to cloud data by prioritizing identity and access vulnerabilities via a live data attack map.

SkillsDA

SkillsDA

SkillsDA is pureplay company in cyber security involved in capacity building towards National Security.

CovertSwarm

CovertSwarm

Since 2020 CovertSwarm have been radically redefining how enterprise security risks are discovered. We outpace the cyber threats faced by our clients using a constant cyber attack methodology.