
GDPR: the new Notifiable Data Breach on the block

29 May 18

Article written by Sophos general manager Australia and New Zealand Ashley Wearne

Australian organisations have already made the necessary adjustments (or at least they should have) to ensure they are compliant with the NDB (Notifiable Data Breaches) scheme introduced in late February this year. But if locally-based organisations collect, hold or share personal data belonging to individuals in the EU (for example because they offer goods or services to them or monitor their behaviour), they will also need to be compliant with the newly introduced GDPR (General Data Protection Regulation).

GDPR officially came into effect on Friday, and any business that now finds itself not in compliance could be hit with big fines (up to €20m or 4% of an organisation’s annual global turnover, whichever is higher). However, it’s not just the monetary consequence that organisations should be concerned with: the severity of reputational damage has the potential to far outweigh the financial cost.

The idea behind GDPR is to protect EU citizens’ privacy by giving them greater control over how their personal data is obtained, processed and shared, as well as visibility into how and where that data is used; placing greater accountability on the organisations holding it. This may require that some organisations review their processes and policies around data management as well as assessing whether or not the data they have is still business critical.

Organisations can no longer collect user data haphazardly; GDPR requires that they only collect user data where there is a ‘lawful basis’ to do so, and that basis must be documented. This means that the value of data will shift from being an asset to a potential liability if it is not handled or managed properly. An effective way for organisations to reduce the risk is by permanently deleting data which is no longer needed and to ensure they protect the rest of it.

While reducing the impact of a breach by holding less data is undoubtedly important for reaching compliance, organisations also need to look at what can be done to stop breach attempts in the first place. A three-pronged approach is essential when it comes to protecting an organisation from a breach. This includes:

1. Stop hacking and malware – invest in security software that blocks malware from making it into your system

2. Secure lost or stolen devices – take control from a central location and remove sensitive data if something happens to the device

3. Reduce impact of human error – work with employees to ensure they’re on the lookout, GDPR compliance is everyone’s responsibility

Data controllers and processors will also need to implement more informed consent processes where consent is the lawful basis relied on for obtaining customer or user data, so individuals are fully aware of what they are opting into when an organisation is entrusted with their personal data (what is often called PII, or Personally Identifiable Information, in other jurisdictions). This is to ensure full disclosure between both parties and avoid any ‘nasty surprises’.

Individuals can request information on the data held about them via a subject access request, to which the organisation must respond (normally within one month) with a copy of the personal data it holds, an explanation of why it is being used and details of who it has been shared with. Individuals can also request that data held on them be deleted, although this right to erasure applies only in certain circumstances, for example where the data is no longer needed for the purpose it was collected for or the individual withdraws the consent it was based on.

Finally, GDPR requires that organisations become much more proactive in disclosing a data breach, should one occur. It mandates that the relevant supervisory authority be notified within 72 hours of the organisation becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals), and that affected individuals be told without undue delay when the breach is likely to result in a high risk to them, allowing the person/s affected to take any necessary action, e.g. notifying their banks. This means that data protection is not just an IT issue, but a board-level issue too. It’s something that all employees should take a level of responsibility for, to ensure they have a sound understanding of the regulations.

GDPR implementation isn’t a technological box to check; it’s largely a matter of creating and formalising processes to meet the new mandate’s requirements. The new regulation has been put in place for the safety and privacy of consumers, something that organisations should keep in mind.

Over the years, we’ve seen the frequency of hacking and data breaches on the rise with a number of organisations trying to cover up their mistakes by keeping silent. Organisations will now be required to do the right thing by their customers in the event of a data breach.

The good news is that GDPR has come at an arguably good time for Australian organisations, as over the past 6-12 months they’ve been reviewing and updating processes and policies to ensure they’re NDB compliant. For those that maintain data on individuals in the EU, the same must be done now to ensure they are GDPR compliant.
