
How to adapt to a shifting data protection paradigm

30 Oct 2017

Article by Alban Schmutz, OVH vice president

Once the EU’s General Data Protection Regulation (GDPR) takes effect, failure to comply, including failure to protect personal data against breaches, can result in significant penalties. Many Australian companies are leaving themselves exposed to the consequences of non-compliance, and that is a clear and present danger.

From 25 May 2018, the GDPR replaces the existing EU data protection directive. It sets new, more stringent personal data protection rules that apply not only to European companies but to any organisation, wherever it is based, that handles the personal data of individuals in the EU.

The effort required to meet the compliance criteria should not be underestimated. To date, most Australian organisations have only had to consider local privacy law. As they engage in the global economy, however, they must take a global approach to their operations and meet customer expectations in each country in which they operate.

What does this mean

To protect individuals in the EU from privacy violations and data breaches in an increasingly data-driven world, the GDPR mandates appropriate data protection measures. It applies to every industry that processes personal data, so no sector is exempt.

The GDPR ultimately seeks to ensure the protection of individuals with regard to the processing of personal data and the free movement of such data. So, while the process of compliance may be arduous, the outcome is a virtuous one.

Building and maintaining trust

The GDPR provides unprecedented privacy protections that strengthen the rights individuals have to control their own data. So, if you look at the virtues of data protection, providing your customers with assurances around how their personal data is handled is a favourable outcome.

This level of transparency will deliver a level of trust that will build positive relationships because your customer knows their personal information is protected. As such, compliance promises to add value by delivering best practice customer service, which is ultimately good for business and the bottom-line.

How to identify your risk

First, you should read the GDPR, and the additional guidelines published by European Data Protection Authorities. Once you have a better understanding of what it is, you will be better placed to identify whether it is an issue for you or not. Get an understanding of where your potential risks reside and investigate to what extent you are required to comply.

Also, understand that while the text of the GDPR is final, the official guidance and enforcement practice around it are still developing, so getting an early working knowledge of its framework will greatly assist the process of compliance down the track. Working with professionals who already have the knowledge or tools to take you down the correct path can also be of great assistance.

What you can do now

A good place to start is to map your internal processes for handling customer data: what personal data you collect, where it is stored, who has access to it, and with whom it is shared. This allows you to identify potential points of exposure and where compliance measures need to be implemented.

Once you have evaluated your risk, the path to compliance requires a workable plan to implement the required changes. The mapping exercise lets you determine critically where the exposure points are and whether each vulnerability lies with you, with your suppliers, or with external providers.

If for example, you are working with a cloud provider, ask them if they comply. The CISPE association (Cloud Infrastructure Services Providers in Europe) has been working with the EU to develop the CISPE Data Protection Code of Conduct to ensure Cloud Infrastructure offerings are compliant with the GDPR requirements. Ask your supplier whether they’ve met the criteria set out in the Code of Conduct.

Joint liabilities

A breach is a breach. Under the GDPR a controller remains responsible for processing it outsources, and processors carry direct obligations of their own, so if someone in your external network or “value chain”, such as a cloud or SaaS provider, breaches the GDPR, liability can come back to you. You should be asking your cloud provider to demonstrate its own compliance with the GDPR, and to commit to it contractually.

Jurisprudence will probably establish better and more precise rules over time. Keep in mind that the administrative fine for the most serious infringements can be up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher.

Privacy by design

The GDPR requires personal data to be protected by design and by default, through the implementation of technical and organisational measures such as pseudonymisation and data minimisation. Basic cybersecurity measures alone, applied after the fact, will not be enough to ensure data protection.

Each process or platform needs to be (re)designed taking those principles into account. You need to look beyond technology and adopt the appropriate processes to meet the evolving regulatory and threat landscape.
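To make the two measures named above concrete, here is an added illustration (not code from the original article, OVH or CISPE) of pseudonymisation and data minimisation applied to a constructed customer record. It assumes a hypothetical pseudonymisation key `PSEUDONYM_KEY` kept separately from the dataset, replaces the direct identifier with a keyed HMAC-SHA256 token, and keeps only the fields the downstream analytics use. It also shows why an unkeyed hash is not a pseudonym: an attacker holding a list of candidate email addresses can simply re-hash them and match.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records (fictional people, not real data).
CUSTOMERS = [
    {"name": "Ada Example", "email": "ada@example.org",
     "phone": "+61400000001", "country": "AU", "order_total": 120.0},
    {"name": "Bob Sample", "email": "bob@example.net",
     "phone": "+61400000002", "country": "DE", "order_total": 80.5},
]

# Hypothetical key. In a real deployment it would live in a KMS/HSM under
# separate access control, so the "additional information" needed to
# re-identify a subject is kept apart from the pseudonymised dataset.
PSEUDONYM_KEY = secrets.token_bytes(32)

# Data minimisation: the only fields the analytics job actually needs.
ANALYTICS_FIELDS = ("country", "order_total")


def normalise(identifier: str) -> str:
    """Canonicalise so the same person always maps to the same token."""
    return identifier.strip().lower()


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.
    Without the key an attacker cannot recompute tokens for guesses."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash: deterministic, but anyone can recompute it."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace the direct identifier with a token and drop every field
    that is not on the minimisation allow-list (name, phone, raw email)."""
    out = {"subject_id": pseudonym(record["email"], key)}
    for field in ANALYTICS_FIELDS:
        out[field] = record[field]
    return out


def reidentify_by_dictionary(token: str, candidates: Iterable[str],
                             hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker model: re-hash a list of candidate identifiers and look
    for a match. Succeeds against unkeyed hashes, fails against HMAC."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    dataset = [pseudonymise(c, PSEUDONYM_KEY) for c in CUSTOMERS]
    print("pseudonymised dataset:", dataset)

    # Constructed "leaked marketing list" the attacker already holds.
    leaked = ["mallory@example.com", "ada@example.org", "bob@example.net"]
    weak_token = naive_pseudonym(CUSTOMERS[0]["email"])
    strong_token = pseudonym(CUSTOMERS[0]["email"], PSEUDONYM_KEY)
    print("unkeyed hash re-identified:",
          reidentify_by_dictionary(weak_token, leaked, naive_pseudonym))
    print("keyed token re-identified:",
          reidentify_by_dictionary(strong_token, leaked, naive_pseudonym))
```

Because the token is deterministic under a given key, the pseudonymised records can still be joined across systems, while rotating or withholding the key breaks linkability. Re-identification for a legitimate purpose (for example, honouring an access request) is done by recomputing the token under the controlled key, not by storing a lookup table next to the data.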
