
GDPR: the new Notifiable Data Breach on the block

29 May 2018

Article written by Sophos general manager Australia and New Zealand Ashley Wearne

Australian organisations have already made the necessary adjustments (or at least they should have), to ensure they are compliant with NDB (Notifiable Data Breach) laws introduced in late February this year. But if locally-based organisations control, collect or share any personal data belonging to EU citizens, they will also need to be compliant with the soon-to-be-introduced GDPR (General Data Protection Regulation).

GDPR officially came into effect on Friday and any business that now finds itself not in compliance could be hit with big fines (up to €20m or 4% of an organisation’s annual global turnover). However, it’s not just the monetary consequence that organisations should be concerned with – the severity of reputational damage has the potential to far outweigh the financial cost.

The idea behind GDPR is to protect EU citizens’ privacy by giving them greater control over how their personal data is obtained, processed and shared, as well as visibility into how and where that data is used, placing greater accountability on the organisations holding it. This may require that some organisations review their processes and policies around data management, as well as assess whether or not the data they hold is still business critical.

Organisations can no longer collect user data haphazardly; GDPR requires that they only collect user data where there is a ‘lawful basis’ to do so, and that basis must be documented. This means that the value of data will shift from being an asset to a potential liability if it is not handled or managed properly. An effective way for organisations to reduce the risk is by permanently deleting data which is no longer needed and to ensure they protect the rest of it.

While reducing the risk of a breach is undoubtedly important for reaching compliance, organisations also need to look at what can be done to stop incoming breach attempts. A three-pronged approach is essential when it comes to protecting an organisation from a breach. This includes:

1. Stop hacking and malware – invest in security software that blocks malware from making it into your system

2. Secure lost or stolen devices – take control from a central location and remove sensitive data if something happens to the device

3. Reduce the impact of human error – work with employees to ensure they’re on the lookout; GDPR compliance is everyone’s responsibility

Data handlers will also need to implement more informed consent processes when obtaining customer or user data, so EU citizens are fully aware of what they are opting into when an organisation is entrusted with their PII (Personally Identifiable Information). This is to ensure full disclosure between both parties and avoid any ‘nasty surprises’.

EU citizens can request information on the data held about them, via a subject access request – a written report that must be sent upon request that explains what data is held about them, why it is being used and who it has been shared with. Citizens can also request that any data held on them is deleted.

Finally, GDPR requires that organisations become much more proactive in disclosing a data breach, should one occur. It mandates that any person affected by a data breach be notified within 72 hours of the breach’s discovery, allowing the person/s affected to take any necessary action, e.g. notifying their banks. This means that data protection is not just an IT issue, but a board-level issue too. It’s something that all employees should take a level of responsibility for, to ensure they have a sound understanding of the regulations.

GDPR implementation isn’t a technological box to tick; it’s largely a matter of creating and formalising processes to meet the new mandate’s requirements. The new regulation has been put in place for the safety and privacy of consumers – something that organisations should keep in mind.

Over the years, we’ve seen the frequency of hacking and data breaches on the rise with a number of organisations trying to cover up their mistakes by keeping silent. Organisations will now be required to do the right thing by their customers in the event of a data breach.

The good news is that GDPR laws have come at an arguably good time for Australian organisations, as over the past 6-12 months they’ve been reviewing and updating processes and policies to ensure they’re NDB compliant. For those that maintain data on EU citizens, the same must be done now to ensure they are GDPR compliant.
