GDPR: the new Notifiable Data Breach on the block

29 May 2018

Article written by Sophos general manager Australia and New Zealand Ashley Wearne

Australian organisations have already made the necessary adjustments (or at least they should have), to ensure they are compliant with NDB (Notifiable Data Breach) laws introduced in late February this year. But if locally-based organisations control, collect or share any personal data belonging to EU citizens, they will also need to be compliant with the soon-to-be-introduced GDPR (General Data Protection Regulation).

GDPR officially came into effect on Friday and any business that now finds itself not in compliance could be hit with big fines (up to €20m or 4% of an organisation’s annual global turnover). However, it’s not just the monetary consequence that organisations should be concerned with – the severity of reputational damage has the potential to far outweigh the financial cost.

The idea behind GDPR is to protect EU citizens’ privacy by giving them greater control over how their personal data is obtained, processed and shared, as well as visibility into how and where that data is used, and by placing greater accountability on the organisations holding it. This may require some organisations to review their processes and policies around data management and to assess whether the data they hold is still business critical.

Organisations can no longer collect user data haphazardly; GDPR requires that they only collect user data where there is a ‘lawful basis’ to do so, and that basis must be documented. This means that the value of data will shift from being an asset to a potential liability if it is not handled or managed properly. An effective way for organisations to reduce the risk is by permanently deleting data which is no longer needed and to ensure they protect the rest of it.

While reducing the risk of a breach is undoubtedly important for reaching compliance, organisations also need to look at what can be done to stop incoming breach attempts. A three-pronged approach is essential when it comes to protecting an organisation from a breach. This includes:

1. Stop hacking and malware – invest in security software that blocks malware from making it into your system

2. Secure lost or stolen devices – take control from a central location and remove sensitive data if something happens to the device

3. Reduce the impact of human error – work with employees to ensure they’re on the lookout; GDPR compliance is everyone’s responsibility

Data handlers will also need to implement more informed consent processes when obtaining customer or user data, so EU citizens are fully aware of what they are opting into when an organisation is entrusted with their PII (Personally Identifiable Information). This is to ensure full disclosure between both parties and avoid any ‘nasty surprises’.

EU citizens can request information on the data held about them, via a subject access request – a written report that must be sent upon request that explains what data is held about them, why it is being used and who it has been shared with. Citizens can also request that any data held on them is deleted.

Finally, GDPR requires that organisations become much more proactive in disclosing a data breach, should one occur. It mandates that any person affected by a data breach be notified within 72 hours of the breach’s discovery, allowing the person or persons affected to take any necessary action, e.g. notifying their banks. This means that data protection is not just an IT issue, but a board-level issue too. It’s something all employees should take a level of responsibility for, ensuring they have a sound understanding of the regulations.

GDPR implementation isn’t a technological box to check; it’s largely a matter of creating and formalising processes to meet the new mandate’s requirements. The new regulation has been put in place for the safety and privacy of consumers – something that organisations should keep in mind.

Over the years, we’ve seen the frequency of hacking and data breaches on the rise with a number of organisations trying to cover up their mistakes by keeping silent. Organisations will now be required to do the right thing by their customers in the event of a data breach.

The good news is that GDPR laws have come at an arguably good time for Australian organisations, as over the past 6-12 months they’ve been reviewing and updating processes and policies to ensure they’re NDB compliant. For those that maintain data on EU citizens, the same must be done now to ensure they are GDPR compliant.