What Your Board Needs To Know About GDPR

Uploaded on 2018-05-23 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

Executives in businesses around the globe have been tracking The European Union's (EU) General Data Protection Regulation (GDPR), which goes into effect 25 May 2018. Those who operate primarily in the EU have had plenty of time to focus on this and no excuses for not paying attention. 
 
Those who operate primarily elsewhere also have no excuse to not be aware of the GDPR and should have already assessed how things should change because of these new rules. 
 
We have found, however, that many firms in the EU and the US and elsewhere are still not paying enough attention to these very serious rules. 
 
The objective of these new rules is to improve privacy and security of critical personal information. The rules are also designed to harmonise many different rules active across Europe and this should make overall compliance easier. 
But still, for most, compliance will require changes be put into place for how data is stored and also changes put in place for how people can be put in control of their own data. 
 
Remember, the GDPR is not just about firms that operate in the EU. It applies to firms that have data on EU citizens. 
The GDPR requires that to collect info on EU citizens, the citizens must give their consent and the citizen also has the right to be forgotten. The data it applies to is broad, including even IP addresses.
 
At this point, just 20 days away from the compliance deadline, we recommend all firms do three things:
 
1. Read the rules yourself. They are not that hard to read and think about
 
2. Consult outside counsel. Pick a law firm you know and trust and ensure they have knowledge of the GDPR. Ask us if you need some recommendations.
 
3. Seek an external review of your technical architectures for compliance. Our firm, Crucial Point, is a good place to start here.
We recommend that Boards (including Audit Committees for those that have them) should evaluate their company's data retention activities and policies to see if they are in need of modification to comply. 
Boards should ask CEOs and the management team to assess where exposure to GDPR non-compliance is greatest and prioritise actions to fix. 
 
Boards should ask questions to determine if line of business leaders realise they are responsible for compliance vice just assuming this is an IT function. And boards should know who the Data Protection Officer (DPO) is for the firm.
 
Here is more on the GDPR:
 
• Fines for non-compliance are up to 4% of annual revenues.
• Customers must consent for processing of their data
• Personal data must be protected. This includes anything related to a natural person or anything that can be used to indirectly identify the person. This includes names, photos, email addresses, bank details, addresses, posts on social media sites, medical info, IP addresses
• The rule describes a new position, a Data Protection Officer (DPO), which will be required for firms that do large scale monitoring or processing of sensitive data
• Consent of users is required and it must be asked for and granted in specific ways before collecting and processing data.
• Citizens are given new authorities over their data including right to have it removed (a right to be forgotten)
• Data protections are expected to be designed into systems
• If there is a breach of personal information, the citizen will be notified and impact assessments done
• Transfer of data to other countries and organizations is regulated
• Companies are expected to maintain a state of the art cybersecurity architecture and posture
 
We can accelerate your compliance with GDPR and do so in a way that helps your security posture. 
 
CTO Vision
 
To contact the GDPR Advisory Board please click HERE:  
 
You mIght Also Read: 

The Pitfalls Of GDPR & Cyber Security For Micro Organisations:
 
Cybersecurity Advice For SMEs:
 
« A Guide To Preventing Charity Cybercrime
Meet Tess: The Mental Health Chatbot »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CORDIS

CORDIS

CORDIS is the European Commission's primary public repository and portal to disseminate information on all EU-funded research projects and their results.

Qualitest Group

Qualitest Group

Qualitest is the world’s largest pure play Quality Assurance and software testing company.

Infiltrate

Infiltrate

INFILTRATE is a deep technical conference that focuses entirely on offensive security issues.

CSA Events

CSA Events

Cloud Security Alliance conducts a series of conferences around the world. This listing provides a link to details of upcoming events.

Team8

Team8

Team8 is Israel’s most prestigious cybersecurity think tank and venture creation foundry.

Smarttech247

Smarttech247

Smarttech247 deliver a range of cyber security solutions, including cognitive security services using IBM Watson for Cybersecurity, SIEM, Compliance & Governance, and Penetration Testing.

Intelligent Business Solutions Cyprus (IBSCY)

Intelligent Business Solutions Cyprus (IBSCY)

IBSCY Ltd is a leading provider of total IT solutions and services in Cyprus specializing in the areas of cloud services and applications, systems integration, IT infrastructure and security.

Armis

Armis

Armis offers the markets leading asset intelligence platform designed to address the new threat landscape that connected devices create.

National Cybersecurity Society (NCSS)

National Cybersecurity Society (NCSS)

The National Cybersecurity Society is a non-profit organization focused on providing cybersecurity education, awareness and advocacy to small businesses.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

TriagingX

TriagingX

TriagingX successfully created the first generation malware sandbox that is being used by many Fortune 500 companies for daily malware analysis.

Sentinel

Sentinel

Sentinel works with governments, media and defence agencies to help protect democracies from disinformation campaigns by developing a state-of-the-art AI detection platform.

3i Infotech

3i Infotech

3i Infotech offers consulting & professional services to assess, design and build next gen IT infrastructure, and managed services to operate, optimize and continuously improve.

Visory

Visory

Great businesses depend on great technology. We make sure our clients go to market with enterprise-level technology and world-class security for their data and infrastructure.

TuxCare

TuxCare

TuxCare make Linux more secure. We take care of Linux so that organizations can use Linux to support environments that require high levels of Cybersecurity, stability, and availability.

DerSecur

DerSecur

DerSecur has been engaged in advanced technology activities in the field of Application Security since 2011. We offer R&D technology solutions in the field of SAST, DAST and SCA analysis.