Maintaining GDPR Compliance

Uploaded on 2018-07-27 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law, TECHNOLOGY--Resilience

Though the much anticipated General Data Protection Regulation implementation date has come and gone, compliance efforts undertaken by security and compliance groups within many global organisations are far from achieved.

In fact, in many cases, the work is just beginning. As a risk-based regulation, the GDPR requires organisations to determine and implement data security best practices. These best practices apply differently depending on the circumstances of specific organisations.

As most organisations have learned by now, the GDPR applies to any organisation that processes the personal data of European Union citizens and residents or provides services to EU residents.

Organisations in any industry or sector, including profit and nonprofit, operating in the EU or selling goods and services to EU residents are in scope for this regulation.

One of the main goals of the GDPR is to address the lack of accountability seen under previous data protection regulations such as the EU Data Protection Directive.

To increase data-related protections given to data subjects requires organisations to define what best practices should be implemented and, perhaps more importantly, to create a plan to continually monitor and adjust these best practices as technologies used by organisations and cyber-criminals evolve.

GDPR and Data Security

With organisations relying more heavily on big data and the resulting business intelligence derived from such information, personal and corporate data is now more valuable than ever. At the same time, this business intelligence is more at risk.

Given that accountability and enforcement are two of the key aspects of GDPR, organisations must look closely at operational behaviors and evaluate how those behaviors tie into their current and future approaches to information security.

Furthermore, because Article 30 of GDPR requires records of processing, it is imperative for organisations to know how and why data is being collected, stored and processed.

Specifically, organisations need to establish information security best practices to ensure that data is:

  • Collected for specific purposes.
  • Processed securely, limiting risk of compromise.
  • Stored for a defined amount of time.
  • Wiped to remove personally identifiable data when necessary.

In addition to the records criteria touched upon in Article 30, GDPR also requires full disclosure of processing activities through privacy notices (Article 13) and identification of legal basis for data processing (Article 6), and it also lays out conditions for obtaining data subject consent (Article 7).

All these requirements mandate that organisations establish ongoing, risk-based due diligence internally, and for any third party that might access or process their data.

While data controllers and processors have different roles under the GDPR, the potential of large fines and associated reputational damage for noncompliance means that all involved parties must take exceptional care with information security practices.

Establish Best Practices

As organisations continue honing their approaches to information security to address GDPR-related requirements, they will need to fill the historic gaps typically found with out-of-date and often antiquated practices.

Organisations can begin to shift focus from detection and remediation efforts to more proactive measures by embracing current security-related best practices including:

  • Establishment of more robust data protection policies for current and forward-looking privacy principles.
  • Creation and enforcement of appropriate mobile device management policies and standards, including operating system policies, passwords, encryption, remote wipe, bring-your-own device criteria, lost or stolen device policies, and apps policies and management.
  • Development and effective maintenance of up-to-date encryption standards for servers, systems, laptops and mobile devices.
  • Establishment of a formal, physical, and logical security training program for all personnel and a well-planned and rehearsed approach to incident response.

Security-related best practices can address critical components of GDPR compliance. However, by establishing such robust practices, organisations can also begin to realise a significant return on investment.

Consumers want to know their information is safe, properly secured, and handled appropriately, which is increasingly reflected in their spending habits.
 
Employees also want to trust employers’ handling of their personal data, so organisations interested in securing the best talent should take GDPR compliance seriously.

Organisations that understand the importance of GDPR compliance can better attract and serve consumers and engage talented employees.

Get Proactive

Data is the most valuable asset for organisations today. The related information security practices put in place to secure that data are not only critical for compliance and governance issues, but for aspects of operational, reputational, and fiscal concerns as well.

As organisations move deeper into 21st-century technology and data requirements, they can use increasingly stricter regulatory requirements to help propel business forward.

Though it might seem an onerous task, the GDPR and efforts to maintain compliance could bring improved efficiencies, savings, and cost benefits to organisations that embrace it.

Even more, consumers and employees might be more likely to gravitate toward companies that prioritise maintaining privacy rights and strong information security.

Information- Management
 
You Might Also Read: 

Get Ready For ePrivacy Regulation:

Playing Catch-Up With GDPR:

 

« Help The Aged: Indian Cops Give Cybersecurity Tips
What is Digital Twin Technology? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Rackspace Technology

Rackspace Technology

Rackspace Technology is a leading provider of managed services across all major public and private cloud technologies. Secure your IT environments with powerful cloud security solutions and support.

CloudSigma

CloudSigma

CloudSigma, a pure-cloud IaaS provider offers flexible and innovative cloud hosting solutions for companies of all sizes both in Europe and the US.

HyTrust

HyTrust

HyTrust specialises in security, compliance and control software for virtualization and cloud environments.

IBLISS Digital Security

IBLISS Digital Security

How cyber-resilient is your business now? We help companies to continuously answer this never-ending C-level question.

WiJungle

WiJungle

WiJungle is an Indian Cyber Security Company that develops and markets a unified network security gateway solution.

Outsource UK

Outsource UK

Outsource UK is an independent recruitment company supplying highly-skilled technology, change and engineering talent to clients within a range of specialist sectors including Cyber Security.

Civic Technologies

Civic Technologies

Civic’s Secure Identity Platform (SIP) uses a verified identity for multi-factor authentication on web and mobile apps without the need for usernames or passwords.

Cambridge Cybercrime Centre

Cambridge Cybercrime Centre

The Cambridge Cybercrime Centre is a multi-disciplinary initiative combining expertise from the Department of Computer Science and Technology, Institute of Criminology and Faculty of Law.

CYDES

CYDES

CYDES is the first event in Malaysia to showcase advanced solutions and technologies to address cyber defence and cyber security challenges for the public and private sectors.

Point Predictive

Point Predictive

Point Predictive build Predictive Models using Artificial Intelligence and Machine Learning techniques that help our customers stop fraud and early payment default (EPD).

Cybersecurity Center for Secure Evolvable Energy Delivery Systems (SEEDS)

Cybersecurity Center for Secure Evolvable Energy Delivery Systems (SEEDS)

SEEDS conducts research and develops innovative cybersecurity technologies, tools, and methodologies that advance the energy sector’s ability to survive cyber incidents.

NewAE Technology

NewAE Technology

NewAE Technology is revolutionizing the hardware security market by making every engineer and designer aware of side-channel power analysis and glitching as important attack vectors.

Torch.AI

Torch.AI

Torch.AI’s Nexus™ platform changes the paradigm of data and digital workflows, forever solving core impediments caused by the ever-increasing volume and complexity of information.

NSI Global

NSI Global

NSI Global is a specialist Global Risk and Intelligence Advisory Firm that has built a reputation for consistently managing complex projects.

Upstack

Upstack

UPSTACK - One partner, end-to-end expertise, helping develop the solutions you need – when you need them.

Meta 1st

Meta 1st

Meta 1st are a progressive SAAS enterprise, dedicated to harnessing the power of AI to address the most critical vulnerabilities in the world of cybersecurity: the Human Layer.