Your Questions Answered By The GDPR Advisory Board
The big GDPR questions are answered by senior Cyber Security experts at the GDPR Advisory Board, Dr Alfred Rolington and Piers Clayden, founder of Clayden Law.
To reach out to the GDPR Advisory Board visit their website www.gdpr-board.co.uk. To find out more about accessible online GDPR training visit www.melearning.co.uk.
How can my business protect personal data?
As we move through the digital age and into the 4th Industrial Revolution, more people have realised that vital information about their life, work and activities is being stored online by governments, commercial companies and organisations.
This means that individuals now need to have some faith in the security of these systems. But the many cyber security breaches of the last few years have made much of the global population, and certainly business employees, far more aware of the problems of data protection security and of how often it falls short of being completely effective.
The frequency and extent of cyber-attacks on businesses have led a growing audience to question the strength of an organisation’s website security and how well its broader cyber security is working. This pressure can now affect whether or not a customer chooses to do business with a company in the first place.
It is now very important for businesses and their employees to understand what their business is doing to protect their personal and client data.
Things Businesses Should Do to Secure Their Sites and Data
- Ensure you have effective endpoint, network and email protection that filters out spam, malware and dangerous file types.
- Continue to train employees to be wary of emails, especially those that contain attachments, and to report any unusual emails or attachments to IT and security staff. Malware campaigns differ between attackers and become more sophisticated over time, so ongoing training for employees and management is essential.
- Segregate your networks with next-generation firewalls so that your internal departments are separated. Install endpoint protection software that can identify and block infections on your systems and infections travelling towards them.
- Implement full-disk protection and encrypt sensitive data stored on servers or removable media, particularly media used for sharing with business partners.
- Make your clients aware of your cyber security efforts and the training you give to employees, as this will give them more confidence in their commercial relationship with your business.
- If you move to the cloud, make sure that encryption of the data, both at rest in the cloud and while being transferred, is properly dealt with.
How can my company implement technical infrastructure that will ensure optimal governance of client data?
No matter how large or small your company is, you need to have a strategy and tactical plan to ensure the security of your information and data assets - particularly client data.
The process of creating a security program will make you think more broadly about your organisation’s security and particularly about your data protection effectiveness.
A security program is essential: it sets the agenda for keeping your company at a sensible security level by assessing the risks you face.
The strategy and planning should decide how you will mitigate and alleviate those risks, and should cover how you keep the program and your security practices up to date if you are attacked, so that you can ensure client data security and protect your company’s name and public relations (PR).
Your company’s press and publishing relationships are exceedingly important, as a breach that draws negative coverage in the news has a devastating effect on business.
An Organisation’s Data and its Security Enhance its Value
If your data management practices are not already covered by regulations, consider the value of the following areas of data security:
- Customer data, including any confidential information you hold on behalf of clients and customers.
- Product and service data, including charters, patents, copyrights, designs, source code, submissions and applications.
- Your business financial information, market knowledge and analysis. If an attacker gets into your accounting records and changes the data, your systems need to be able to inform you immediately.
Security program and data audit reviews should be undertaken at irregular, unannounced intervals, so that most staff do not know when they will take place. This helps ensure that your organisation has genuinely secure systems and processes in place. Critically, always ensure you have workable steps to mitigate the risk of losing data or of having data changed by an outside party.
Your security program defines what data is covered and what is not. It assesses the risks your company faces, and how you plan to mitigate them if you are successfully attacked.
How can my business uphold these new regulations and define client data collection and storage?
GDPR requires categorising types of information by value and confidentiality, and companies should prioritise which data they secure and protect first.
Document and plan what types of personal data your company processes, where it came from, and who you share it with.
For example, if you hold inaccurate personal data and have shared it with another organisation, you won’t be able to identify the inaccuracy and report it to your business partner unless you know precisely what personal data you hold. Therefore, begin with a thorough review of your existing databases.
Client data information systems are an excellent place to begin, because typically only a few specific systems have the ability to update that information. Securing unstructured information such as contracts, financial releases and customer correspondence is also important and should be reviewed on a departmental basis.
It's essential to understand current workflows, both procedurally and in practice, to see how confidential information flows around an organisation.
Identifying the major business processes that involve confidential information is a straightforward exercise, but determining the risk of leakage requires a more in-depth examination.
Organisations need to ask themselves the following questions of each major business process:
- Which employees or services handle these information assets?
- How are these assets created, modified, processed or distributed by these participants?
- What is the chain of events?
- Is there a gap between stated policies/procedures and actual behaviour?
By analysing information flows with these questions in mind, companies can quickly identify vulnerabilities in their handling of sensitive information.
Based on the risk assessment, an organisation can quickly craft distribution policies for various types of confidential information.
These policies should address exactly who can access, use or receive which type of content and when, and should set out how the policies are implemented and enforced and what action follows violations of them.
Review the following:
- Executive and Management communications
- Customer information
- Intellectual property
- Employee records
Once distribution and sharing policies are defined, it's essential to implement monitoring of the communication streams.
Responsibility should be assigned for monitoring information usage and traffic, verifying compliance with distribution policies and taking enforcement action when policies are broken.
Because of the immense amount of digital information in modern organisational workflows, these monitoring systems need strong detection capabilities to avoid false alarms, as well as the ability to stop unauthorised traffic.
A variety of software products can provide the means to monitor electronic communication channels for sensitive information.
In addition, systems should be reviewed extensively in the event of a breach to analyse system failures and to identify suspicious activity.
External systems audits are very useful for checking vulnerabilities and threats.
Companies often implement security systems but then fail to review the events and incident reports they generate.
Protecting confidential information assets throughout an enterprise is an ongoing process rather than a one-time event. It fundamentally requires a systematic way to identify sensitive data, understand current business processes, and review improving security software that might help in future.
How can my business handle different types of data streams?
Data is rapidly becoming the lifeblood and nervous system of the global economy. In the connected world of data, IoT and Artificial Intelligence (AI), data represents a new type of economic asset.
Data can offer companies a decisive competitive advantage, as well as damage the reputation and bottom-line of those that remain unsuccessful at ensuring the security and confidentiality of critical corporate and customer data.
Despite the severe repercussions of compromised data security, until recently, the fines for breach of data protection regulations were limited and enforcement actions infrequent.
However, the introduction of a potentially revolutionary European General Data Protection Regulation (GDPR) is likely to transform the way data-driven companies handle customer data by exposing them to the risk of hefty fines and severe penalties in the event of non-compliance or a data breach.
Data Protection by Design and Default — Up until now, businesses were required to take technical and organisational measures to protect personal data. But implementation of the GDPR will require companies to demonstrate that the data protection measures are continuously reviewed and updated.
To avoid the huge fines and severe penalties, businesses need to have complete and mature data governance in place.
From reviewing existing contracts to training the key people in the organisation to act effectively, businesses are now required to review and analyse their data process management in order to become GDPR compliant and to mitigate reputational and severe commercial risks.
Data Protection Impact Assessment (DPIA) — DPIAs are used by organisations to identify, understand, and mitigate any risks that might arise when developing new solutions or undertaking new activities that involve the processing of customer data. This includes data analytics and data-driven systems, including Business Intelligence, databases, data lakes, and marketing applications.
GDPR makes it a requirement for all organisations to conduct a DPIA and to consult with a data protection supervisory authority if the review identifies any inherent issues and risks.
Minimise Risks to Protect your Commercial Reputation
Taking the following measures can help you ensure your compliance with the new data protection legislation.
- Create a Strategic Roadmap — Understand your sources of data input, processing tools, practices and methodologies, and when and how your data is shared with other organisations.
- Designate a Data Protection Officer — Appoint a Data Protection Officer who has the skills, support, and authority to assess and mitigate non-compliance issues.
- Fast and Effective Response to Withdrawal Requests — Respond to the customers’ requests for withdrawal in an effective and efficient fashion and update the system to flag that the user has withdrawn consent to prevent further direct marketing.
Can a business handle different types of data streams?
To ensure their compliance with the GDPR and avoid the severe consequences of non-compliance, businesses are not only required to ensure optimal control and privacy of static batch data, but also to develop means to collect, categorise, and process data provided by high-speed data streams. Data stream management software is a viable solution to this challenge.
A data stream manager allows businesses to:
- Collect and distribute data in a private and compliant way
- Reduce costs and complexity in data life cycle management
- Have real-time access to all structured and unstructured data via the cloud or on premise
- Centralise all data sources for improved visibility and control
- Develop a controlled environment for data-driven operations
With a data stream manager, Data Protection Officers can define privacy levels, manage user rights, get an insight into how their information is being collected or used, and more.
How will GDPR impact Cloud Cybersecurity?
Recently a new file-encrypting virus was detected on Google and Microsoft Cloud services. Often organisations that use the Cloud have malware infections.
GDPR and Your Cloud Service
Companies that use cloud Software as a Service (SaaS) solutions are facing new challenges with the introduction of the EU regulations. There is a responsibility to comply with GDPR, and to understand how it applies to a SaaS solution when the user is an EU website visitor.
Choosing a SaaS vendor has never been an easy task, especially when GDPR compliance is a factor. Adding the additional privacy constraints to the equation, multiplies the complexity.
Here are areas to focus on when choosing a vendor.
Verify whether your users’ private information leaves any tracks in the data path when it passes through and is processed by a third party.
If this happens, the first question to ask is: where is your data? This means its physical location. It is important to trace and record the path of the data throughout the lifecycle of the process to ensure it is secure at every point.
Understand how the supplier handles your data and what methods they use to guarantee that it is safely managed, processed and stored. The supplier must prove to you how your data is secured by explaining the controls and security management processes in place.
By focusing on your specific requirements, you can determine whether the supplier has applicable security standards in place.
Confirm that the supplier has a precise access control policy that is well audited. Understand who can view and access your data, under what circumstances and if this access is being monitored.
Finally, question how deeply your supplier engages with information security and clear data protection.
Some SaaS and IaaS companies may have a great product and be considered leaders in their space, but sometimes security is not something they fully engage with or understand on behalf of their clients.
And finally from Piers Clayden, the legal expert on the GDPR Advisory Board and Founder of Clayden Law - How will GDPR affect data-driven organisations?
GDPR will affect organisations big and small to a greater or lesser extent if they handle any personal data – even if it is just employee data. But for organisations who use personal data for marketing purposes, particularly targeting and profiling, the GDPR is going to pose some particular challenges. This is because the use of that data (processing) has to be lawful and to be lawful has to be done on one of the legal grounds for processing. Historically, organisations have taken the view that so long as it is dealt with in the privacy policy then it is ok to do it (without ever really bothering to consider the actual legal basis).
However, under GDPR, organisations have to be MUCH more transparent in their privacy notices on how they use personal data. This means spelling it out in the privacy policy – if relying on “legitimate interests” then you have to say what those interests are and why the processing is necessary for those interests. For some of the more sophisticated profiling, the legitimate interest ground is less likely to be satisfied since it may be outside of an individual’s reasonable expectation. And organisations are less likely to be able to get consent for this sort of activity, since the hurdles for a valid consent have increased.