Get Ready To Be Dazzled By The GDPR Professionals

Roll up, roll up, shouts the cybersecurity tout at the conference. "Are you ready to be dazzled by our GDPR product, service and expert?"

We smile, groan or "tut tut." We watch, listen, agree to a meeting, or scold and walk away.

Everyone's an expert these days and all products solve the problem of GDPR, or at least that's what we're being told.

Whether this is the case or not, we can be sure of one thing. The General Data Protection Regulation (GDPR) will come into force in less than a year's time, on May 25th 2018, and it will replace the existing data protection framework under the EU Data Protection Directive.

Personally, I see this as a good thing. But, many business owners in my network are concerned, and regularly ask me: What exactly does this mean? How does it change things? Who will be affected? How much will it cost to become compliant? How long will it take to become compliant? Will those huge fines really be levied?

Cybersecurity professionals ask me: Does it present an opportunity for us in cybersecurity? Can it enable better protection for all data, improved security processes, increased budgets, and access to the top table? And, can we trust the GDPR vendors, service providers and so called "experts" to help us navigate the regulation and implement changes?

Having performed research, accessed my own trusted sources for answers, and listened to knowledgeable professionals discuss this at conferences recently, like Quentyn Taylor, Dhivya Venkatachalam, Dane Warren, and David Joao Vieira Carvalho, I want to share my findings with you.

I also want to let you know that if you'd like to know more about the GDPR then you can sign up for Microsoft Office’s next episode of Modern Workplace, GDPR: What you need to know, which first aired on June 13th, 2017 at 8 AM PDT/ 4 PM BST and is available for download.

Let's start by examining, albeit briefly in this post, what the GDPR is, and what it aims to do.

What is the GDPR? The GDPR is a regulation that's been in the making for years. It's been created to modernise and simplify data protection for international business by unifying regulation within the EU, and to give control back to EU citizens and residents over their personal data. It applies to all companies that collect and process personal data of EU citizens and residents. And, essentially, it's become the first global data protection law with time-specific breach notification guidelines, and potential hefty sanctions for non-compliance.

The GDPR specifies many requirements, is complex, and subject to interpretation, but the areas that seem to be causing debate amongst those made accountable for it are those that deal with new obligations on such matters as: data subject consent, data anonymisation, data breach notification, data mapping, cross-border data transfers, data privacy by design, liabilities for data controllers and processors, and the appointment of Data Protection Officers (DPOs). The reasons why are obvious - these requirements involve major operational reform.

Let's look at them in a bit more detail.

Data privacy and data protection. The GDPR is only interested in personal data, which it defines as "any information relating to an identified or identifiable natural person," and as a result it's doing two things. Firstly, it's adjusting the balance between data privacy and data protection. Secondly, it's broadening the definition of personal data and bringing new kinds of personal data under regulation.

For example, it considers any data that can be used to identify an individual (data subject) as personal data, i.e. direct identifiers like a name, home address, photo, email address, ID number, bank details, posts on social networking websites, plus online identifiers such as IP addresses, cookies, RFID tags, mobile device IDs, etc. It also outlines special provisions and compliance requirements for "sensitive personal data" which include genetic data, biometric data, health data, religious or philosophical beliefs, trade union membership, and data relating to sexual orientation, race, ethnicity, political opinions, and so on.

Consent to collect and use personal data. Under the GDPR all organisations collecting personal data must be able to provide proof that consent was given. This needs to be explicit and specific for the exact purpose for which the data is held or processed. This means that going forward they'll need to be able to explain what personal data will be collected, how it will be processed, and how it will be used. It also means that they'll need to interrogate all the personal data they currently hold electronically and non-electronically, and find out whether they've the right level of consent, and if they don’t, they’ll have to delete it.

The right to be forgotten. The GDPR requires organisations not to hold personal data for any longer than is absolutely necessary, not to change the use of the personal data from the purpose for which it was originally collected unless consent is given, and to be able to delete any personal data at the request of the data subject.

Pseudonymisation. The GDPR defines this new concept as the processing of personal data so it can't be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and be subject to technical and organisational measures to ensure that the personal data isn't attributed to an identified or identifiable natural person. A good example of pseudonymisation is hashing or encryption, and when an organisation can effectively anonymise its personal data, it substantially mitigates its risk of GDPR non-compliance.
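To make the "additional information kept separately" idea concrete, here is an added example in Python (my code, not part of the original post or of any product it mentions). It pseudonymises a constructed set of purchase records with a keyed hash (HMAC-SHA256), where the key and the token-to-email lookup table are the additional information that must live apart from the working data, and contrasts that with a plain unkeyed hash. The record values, field names and function names are all invented for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: fictitious people, invented for this example.
RECORDS = [
    {"email": "alice@example.com", "purchase": "book"},
    {"email": "bob@example.com", "purchase": "lamp"},
    {"email": "alice@example.com", "purchase": "pen"},
]


def pseudonymise_unkeyed(identifier: str) -> str:
    """Plain SHA-256 of the identifier.

    Deterministic, so the same person always gets the same token, but any party
    holding the plaintext identifier can recompute the token with no secret at
    all. Nothing 'kept separately' stands between the token and the person.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise_keyed(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' the regulation says must be kept
    separately: without it the token cannot be recomputed from the identifier,
    while records for the same person still link to one another.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def can_link_without_key(token: str, identifier: str) -> bool:
    """Check a party with the plaintext identifier but no key would make:
    does a plain hash of the identifier reproduce the stored token?"""
    return pseudonymise_unkeyed(identifier) == token


def split_dataset(records, key):
    """Separate a dataset into a pseudonymised working copy and the
    re-identification table that must be stored and access-controlled apart
    from it. Returns (working_copy, lookup)."""
    working_copy, lookup = [], {}
    for rec in records:
        token = pseudonymise_keyed(rec["email"], key)
        working_copy.append({"subject": token, "purchase": rec["purchase"]})
        lookup[token] = rec["email"]
    return working_copy, lookup


def erase_subject(working_copy, lookup, email, key):
    """Handle an erasure request: derive the subject's token with the key, drop
    their rows from the working copy and forget the mapping. Returns the number
    of rows removed."""
    token = pseudonymise_keyed(email, key)
    remaining = [row for row in working_copy if row["subject"] != token]
    removed = len(working_copy) - len(remaining)
    working_copy[:] = remaining
    lookup.pop(token, None)
    return removed


def demo():
    """Run the whole flow and return the facts a practitioner would check."""
    key = secrets.token_bytes(32)  # held apart from working_copy in practice
    working_copy, lookup = split_dataset(RECORDS, key)
    alice = "alice@example.com"
    alice_keyed = pseudonymise_keyed(alice, key)
    alice_unkeyed = pseudonymise_unkeyed(alice)

    result = {
        # Linking still works inside the pseudonymised data.
        "distinct_subjects": len({row["subject"] for row in working_copy}),
        "alice_rows": sum(row["subject"] == alice_keyed for row in working_copy),
        # Plaintext email alone is enough to match an unkeyed token,
        # but not a keyed one.
        "unkeyed_linkable_without_key": can_link_without_key(alice_unkeyed, alice),
        "keyed_linkable_without_key": can_link_without_key(alice_keyed, alice),
    }
    result["rows_removed"] = erase_subject(working_copy, lookup, alice, key)
    result["rows_remaining"] = len(working_copy)
    result["alice_in_lookup_after_erasure"] = alice_keyed in lookup
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key and the lookup table are what make the working copy re-identifiable, so they need their own storage and access controls; as long as they exist, the working copy is still personal data under the regulation, which is why the post's distinction between pseudonymised and truly anonymised data matters.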

Data mapping and cross-border transfers. Although the GDPR doesn't make huge changes to the provisions of the EU Data Protection Directive it does introduce some new clauses for cross-border data transfers and some important changes to the recognition of “adequate” countries. Many see this as the right thing to do as IT isn't static, suppliers continually change, and the Internet knows no boundaries. Furthermore, with the globalisation of IT, many organisations are struggling to pinpoint where their data actually resides, at which point in time, and that obviously presents a risk when having to secure it.

The appointment of Data Protection Officers (DPOs) for certain organisations. Irrespective of a company's size, the GDPR requires public authorities processing personal information to appoint a DPO, as well as other entities, when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.” The regulation views the DPO as an extension of the data protection authority, i.e. they're there to ensure personal data processes, activities and systems conform to the law by design.

Mandatory privacy impact assessments (PIAs) and privacy by design. Where privacy breach risks are deemed high, the GDPR requires data controllers to conduct PIAs. This means that when projects involve personal data, privacy will have to be considered from the start and be built into processes and technologies by design. These types of projects will need to begin with a privacy risk assessment, and there'll need to be close collaboration with the DPOs so compliance can be ensured throughout the project's lifecycle. Many professionals see this as a good thing, as it presents another opportunity to get access to the top table.

Liability for data processors as well as data controllers. Up until the GDPR, liability for data processing only affected data controllers (those who owned the data). Now, under the GDPR this responsibility and liability is extended to all organisations that touch personal data.

Data breach reporting. The GDPR requires organisations to notify the relevant data protection authorities within 72 hours of discovering a personal data breach. In other words, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Having a limited breach notification time-frame means that organisations will need to ensure they've got adequate people, processes and technologies in place to help them detect and respond. They'll need to present a security breach report to the right supervisory body, which will need to include the facts surrounding the breach, the effects of the breach, the actions taken after the breach, and the DPO's contact details if appropriate.

Fines and sanctions. Under the GDPR there are a wide variety of sanctions that can be imposed, and in a number of ways. For example, some might result in a warning in writing, or regular periodic data protection audits, or fines. If it's the latter, these will be split into 2 broad categories:

The highest category (Article 83(5)) is up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater. This fine applies under certain criteria, for example, for breaching: the basic principles for processing (including conditions for consent and data subjects’ rights); international transfer restrictions; and any obligations imposed by Member State law for special cases (e.g. processing employee data and certain orders of a supervisory authority).

The lower category (Article 83(4)) is up to €10 million or 2% of the organisation's annual global turnover of the preceding financial year. This fine applies if there's been a breach of obligations of the controllers and processors (including security and data breach notification obligations), certification bodies and a monitoring body.

Finally, in terms of whom to trust when it comes to GDPR vendors, service providers and experts, my advice is to ask your trusted sources or to crowd source the information you require. There are many vendors and consultants in the market who can help and operate with integrity.

Now I want to hear from you…

Tell me what aspect of the GDPR challenges you, or if you’ve got more advice please let me know and share it here.
Then, if you'd like to know more about GDPR, sign up for Microsoft Office’s recent episode of Modern Workplace, GDPR: What you need to know, which was first streamed on June 13th, 2017 and is available for download.

During this episode you'll hear from two experts who'll be taking a closer look at the global impact of this all-encompassing privacy law. Brendon Lynch, Microsoft’s Chief Privacy Officer will share his tips on how to move your organisation towards GDPR compliance. Karen Lawrence Öqvist, who's an expert in the GDPR and the CEO at Privasee, will also offer an EU perspective on this new law. Together, these experts will give you insights on how you can best strategise to meet your most urgent cybersecurity needs as they pertain to the GDPR.


Finally, in the spirit of full disclosure, please be aware that I’ve received compensation for promoting this Microsoft Office Modern Workplace Episode. Because your success is important to me, I only align myself with brands I believe in, and Microsoft is one of them.

About Jane Frankland

Jane Frankland is an award-winning entrepreneur, speaker, author, consultant and CISO advisor. She's also one of the top 50 influencers in cyber security in the UK. Jane has 19 years' worth of experience in the industry, has built and sold her own global penetration testing firm, been an SC Awards Judge for Europe and the USA, advised boards, and held senior executive positions at several large PLCs, including the NCC Group. As an ambassador for cybersecurity she's passionate about diversity in the workplace and her book, 'In Security: why a failure to attract and retain women in cybersecurity is making us all less safe', is due for release in 2017. You can learn more at http://jane-frankland.com.
