Get Ready To Be Dazzled By The GDPR Professionals

Roll up, roll up, shouts the cybersecurity tout at the conference. "Are you ready to be dazzled by our GDPR product, service and expert?"

We smile, groan or "tut tut." We watch, listen, agree to a meeting, or scold and walk away.

Everyone's an expert these days and all products solve the problem of GDPR, or at least that's what we're being told.

Whether this is the case or not, we can be sure of one thing. The General Data Protection Regulation (GDPR) will come into force in less than a year's time, on May 25th 2018, and it will replace the existing data protection framework under the EU Data Protection Directive.

Personally, I see this as a good thing. But, many business owners in my network are concerned, and regularly ask me: What exactly does this mean? How does it change things? Who will be affected? How much will it cost to become compliant? How long will it take to become compliant? Will those huge fines really be levied?

Cybersecurity professionals ask me: Does it present an opportunity for us in cybersecurity? Can it enable better protection for all data, improved security processes, increased budgets, and access to the top table? And, can we trust the GDPR vendors, service providers and so-called "experts" to help us navigate the regulation and implement changes?

Having performed research, accessed my own trusted sources for answers, and listened to knowledgeable professionals discuss this at conferences recently, like Quentyn Taylor, Dhivya Venkatachalam, Dane Warren, and David Joao Vieira Carvalho, I want to share my findings with you.

I also want to let you know that if you'd like to know more about the GDPR then you can sign up for Microsoft Office's next episode of Modern Workplace, GDPR: What you need to know, which first aired on June 13th, 2017 at 8 AM PDT/ 4 PM BST and is available for download.

Let's start by examining, albeit briefly in this post, what the GDPR is, and what it aims to do.

What is the GDPR? The GDPR is a regulation that's been in the making for years. It's been created to modernise and simplify data protection for international business by unifying regulation within the EU, and to give control back to EU citizens and residents over their personal data. It applies to all companies that collect and process personal data of EU citizens and residents. And, essentially, it's become the first global data protection law with time-specific breach notification guidelines, and potentially hefty sanctions for non-compliance.

The GDPR specifies many requirements, is complex, and subject to interpretation, but the areas that seem to be causing debate amongst those made accountable for it are those that deal with new obligations on such matters as: data subject consent, data anonymisation, data breach notification, data mapping, cross-border data transfers, data privacy by design, liabilities for data controllers and processors, and the appointment of Data Protection Officers (DPOs). The reasons why are obvious - these requirements involve major operational reform.

Let's look at them in a bit more detail.

Data privacy and data protection. The GDPR is only interested in personal data, which it defines as "any information relating to an identified or identifiable natural person," and as a result it's doing two things. Firstly, it's adjusting the balance between data privacy and data protection. Secondly, it's broadening the definition of personal data and bringing new kinds of personal data under regulation.

For example, it considers any data that can be used to identify an individual (data subject) as personal data, i.e. direct identifiers like a name, home address, photo, email address, ID number, bank details, posts on social networking websites, plus online identifiers such as IP addresses, cookies, RFID tags, mobile device IDs, etc. It also outlines special provisions and compliance requirements for "sensitive personal data" which include genetic data, biometric data, health data, religious or philosophical beliefs, trade union membership, and data relating to sexual orientation, race, ethnicity, political opinions, and so on.

Consent to collect and use personal data. Under the GDPR all organisations collecting personal data must be able to provide proof that consent was given. This needs to be explicit and specific for the exact purpose for which the data is held or processed. This means that going forward they'll need to be able to explain what personal data will be collected, how it will be processed, and how it will be used. It also means that they'll need to interrogate all the personal data they currently hold electronically and non-electronically, and find out whether they have the right level of consent, and if they don't, they'll have to delete it.

The right to be forgotten. The GDPR requires organisations not to hold personal data for any longer than is absolutely necessary, not to change the use of the personal data from the purpose for which it was originally collected unless consent is given, and to be able to delete any personal data at the request of the data subject.

Pseudonymisation. The GDPR defines this new concept as the processing of personal data so that it can't be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and be subject to technical and organisational measures to ensure that the personal data isn't attributed to an identified or identifiable natural person. A good example of pseudonymisation is hashing or encryption, and when an organisation can effectively anonymise its personal data, it substantially reduces its risk of non-compliance with the GDPR.
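To make the separation the paragraph describes concrete, here is an added Python example (not code from the post or from any product it mentions): an unkeyed hash of an email address beside a keyed HMAC whose secret key is the separately held "additional information", with the token-to-identity lookup table kept apart from the analytics data. The records, key and candidate list are constructed samples.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample records: personal data as the post defines it (name, email).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "purchases": 3},
    {"name": "Bob Example", "email": "bob@example.org", "purchases": 1},
]


def naive_pseudonymise(email: str) -> str:
    """Unkeyed SHA-256 of the identifier. It looks anonymous, but anyone can
    recompute it from a guessed email, so it is weak pseudonymisation."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonymise(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    that must be stored separately; without it the token cannot be linked
    back to the data subject."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def split_record(record: dict, key: bytes) -> Tuple[dict, Tuple[str, dict]]:
    """Return (analytics_row, lookup_entry). The analytics row carries only the
    token and non-identifying fields; the lookup entry belongs in a separate,
    access-controlled store that maps token -> direct identifiers."""
    token = keyed_pseudonymise(record["email"], key)
    analytics_row = {"subject_id": token, "purchases": record["purchases"]}
    lookup_entry = (token, {"name": record["name"], "email": record["email"]})
    return analytics_row, lookup_entry


def reidentify_unkeyed(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Shows why the unkeyed hash fails: a holder of likely email addresses
    recomputes each hash and matches the token. No secret is required."""
    for email in candidates:
        if hmac.compare_digest(naive_pseudonymise(email), token):
            return email
    return None


def erase_subject(lookup: Dict[str, dict], email: str, key: bytes) -> bool:
    """Right to be forgotten: removing the lookup entry (or destroying the key
    for all subjects) breaks the link, leaving analytics rows unattributable."""
    return lookup.pop(keyed_pseudonymise(email, key), None) is not None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate and store apart from the data
    rows, lookup = zip(*(split_record(r, key) for r in RECORDS))
    print(rows, dict(lookup), sep="\n")
```

The same candidate list that re-identifies the unkeyed token finds nothing against the keyed one, which is the property the regulation's "additional information" wording is after.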

Data mapping and cross-border transfers. Although the GDPR doesn't make huge changes to the provisions of the EU Data Protection Directive it does introduce some new clauses for cross-border data transfers and some important changes to the recognition of “adequate” countries. Many see this as the right thing to do as IT isn't static, suppliers continually change, and the Internet knows no boundaries. Furthermore, with the globalisation of IT, many organisations are struggling to pinpoint where their data actually resides, at which point in time, and that obviously presents a risk when having to secure it.

The appointment of Data Protection Officers (DPOs) for certain organisations. Irrespective of a company's size, the GDPR requires public authorities processing personal information to appoint a DPO, as well as other entities, when "core activities" require "regular and systematic monitoring of data subjects on a large scale" or consist of "processing on a large scale of special categories of data." The regulation views the DPO as an extension of the data protection authority, i.e. they're there to ensure personal data processes, activities and systems conform to the law by design.

Mandatory privacy impact assessments (PIAs) and privacy by design. Where privacy breach risks are deemed high, the GDPR requires data controllers to conduct PIAs. This means that when projects involve personal data, privacy will have to be considered from the start and be built into processes and technologies by design. These types of projects will need to begin with a privacy risk assessment, and there'll need to be close collaboration with the DPOs so compliance can be ensured throughout the project's lifecycle. Many professionals see this as a good thing, as it presents another opportunity to get access to the top table.

Liability for data processors as well as data controllers. Up until the GDPR, liability for data processing only affected data controllers (those who owned the data). Now, under the GDPR this responsibility and liability is extended to all organisations that touch personal data.

Data breach reporting. The GDPR requires organisations to notify the relevant data protection authorities within 72 hours of discovering a personal data breach, in other words "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." Having a limited breach notification time-frame means that organisations will need to ensure they've got adequate people, processes and technologies in place to help them detect and respond. They'll need to present a security breach report to the right supervisory body, which will need to include the facts surrounding the breach, the effects of the breach, the actions taken after the breach, and the DPO's contact details if appropriate.

Fines and sanctions. Under the GDPR there are a wide variety of sanctions that can be imposed, and in a number of ways. For example, some might result in a warning in writing, or regular periodic data protection audits, or fines. If it's the latter, these will be split into two broad categories:

The highest category (Article 83(5)) is up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater. This fine applies under certain criteria, for example, for breaching: the basic principles for processing (including conditions for consent and data subjects' rights); international transfer restrictions; and any obligations imposed by Member State law for special cases (e.g. processing employee data and certain orders of a supervisory authority).

The lower category (Article 83(4)) is up to €10 million or 2% of the organisation's annual global turnover of the preceding financial year. This fine applies if there's been a breach of obligations of the controllers and processors (including security and data breach notification obligations), certification bodies and a monitoring body.

Finally, in terms of whom to trust when it comes to GDPR vendors, service providers and experts, my advice is to ask your trusted sources or to crowd-source the information you require. There are many vendors and consultants in the market who can help and operate with integrity.

Now I want to hear from you…

Tell me what aspect of the GDPR challenges you, or if you've got more advice please let me know and share it here.

Then, if you'd like to know more about GDPR, sign up for Microsoft Office's recent episode of Modern Workplace, GDPR: What you need to know, which was first streamed June 13th, 2017 and is available for download HERE.

During this episode you'll hear from two experts who'll be taking a closer look at the global impact of this all-encompassing privacy law. Brendon Lynch, Microsoft’s Chief Privacy Officer will share his tips on how to move your organisation towards GDPR compliance. Karen Lawrence Öqvist, who's an expert in the GDPR and the CEO at Privasee, will also offer an EU perspective on this new law. Together, these experts will give you insights on how you can best strategise to meet your most urgent cybersecurity needs as they pertain to the GDPR.

Finally, in the spirit of full disclosure, please be aware that I’ve received compensation for promoting this Microsoft Office Modern Workplace Episode. Because your success is important to me, I only align myself with brands I believe in, and Microsoft is one of them.

About Jane Frankland

Jane Frankland is an award-winning entrepreneur, speaker, author, consultant and CISO advisor. She's also one of the top 50 influencers in cyber security in the UK. Jane has 19-years worth of experience in the industry, has built and sold her own global penetration testing firm, been an SC Awards Judge for Europe and the USA, advised boards, and held senior executive positions at several large PLCs, including the NCC Group. As an ambassador for cybersecurity she's passionate about diversity in the workplace and her book, 'In Security: why a failure to attract and retain women in cybersecurity is making us all less safe', is due for release in 2017. You can learn more at http://jane-frankland.com.
