
GDPR, changing what it means to be a good data custodian

19 Jun 2018

As the deadline for compliance with Europe’s General Data Protection Regulation (GDPR) has finally come to pass, its impact on the business world is becoming clear. After years of ambiguity, the spotlight is fixed upon how data is used and what it means to be a good data custodian. Some of what the spotlight has shown isn’t good, but the mere presence of that spotlight is immensely important – this is the data privacy discussion we needed to have.

Many individuals have seen this play out in their inboxes in recent months as all of the major social media and web players have been updating their terms of service to become GDPR compliant. For example, LinkedIn made changes around how user data “…can be used to personalise ads,” as well as how the service “…customises… experiences based on your data, including what you see, what we suggest and how we generate insights.”

Some companies like Twitter say they will raise their standards by creating a “bespoke experience” for EU users. A small number of others say they will simply withdraw from the EU entirely rather than meet the GDPR standards. These events are quite significant. Arguably, for the first time, we are being made aware of where our data goes, how it affects what we see online, and how committed companies are to keeping it secure.

The GDPR is designed to ensure that the collection, storage, and processing of member states’ citizens’ data is consistent, secure, and non-invasive. However, it is not merely European firms that are affected. In fact, the regulation isn’t even limited to enterprises with physical operations in Europe. Rather, any organisation that stores or processes the personal data of European citizens must uphold GDPR. Failure to comply is expensive – the fines can amount to 20 million Euros (A$31.7 million) or four percent of a non-compliant organisation’s revenue.

One of the key elements of the GDPR is that it empowers citizens to have a voice in how their data is used. Data subjects, including employees, have various rights and can take legal action against those that misuse their data. As such, organisations must take steps to inhibit data misuse, prevent unauthorised access, record data processing, and demonstrate compliance. To meet these requirements they need security capabilities that encompass cloud, endpoints, BYOD, and outside threats such as malware. Below are a few key areas for organisations to consider in their quest for GDPR compliance.

Visibility

To attain data security, organisations must first gain thorough visibility over their data. Whether said data is being stored in another country, transferred abroad temporarily, or exfiltrated by employees to unsanctioned cloud apps, firms must keep track of where it is stored, sent, and accessed – otherwise, they cannot secure it. As such, the enterprise must adopt solutions that offer comprehensive, cross-app visibility for every app, action, and user that touches data.

Certifications

Organisations are encouraged to have codes of conduct and certifications that demonstrate various levels of compliance with GDPR. While these are intended to be a form of voluntary self-regulation, there will be accredited, independent bodies that determine if organisations are in compliance with the certifications that they pursue. Tools that provide transparency and security with respect to data storage, access, and usage can help an enterprise demonstrate its adherence to varied data protection standards.

Breach notifications

Finally, GDPR mandates that a breached organisation provide documentation on the causes and effects of a breach, as well as the security measures taken to address it. Because of this, organisations need solutions that log all activities involving corporate data and prevent breaches ahead of time. This requirement is less impactful in Australia and other nations where data breach notifications are already mandatory. However, the standardisation of breach notifications abroad should serve to enhance data protection practices internationally.

In a world where personal data is viewed as a currency and complex individual profiles are built by aggregating countless pieces of information, a proper public conversation on data usage is proving its worth. Everyone is entitled to having the privacy of their personal information respected. Organisations must now comply with GDPR or face the reality that they have no place in our increasingly cloud-first world.

Article by Bitglass vice president of sales for Asia Pacific and Japan, David Shephard.
