How to adapt to a shifting data protection paradigm

30 Oct 17

Article by Alban Schmutz, OVH vice president

Failure to comply with the EU’s General Data Protection Regulation (GDPR) can result in significant penalties for data breaches when it comes into effect. The likelihood that Australian companies are leaving themselves exposed to the consequences of non-compliance is a true and present danger.

From May 2018, the GDPR takes over from existing laws. It sets new, more stringent personal data protection laws that not only apply to European companies but must be abided by any organisation that handles the personal data of a European citizen.

To mitigate risk effectively, the burden of meeting the compliance criteria should not be underestimated. To date, most organisations have only had to consider local privacy laws; however, as Australian organisations engage in the global economy, they must consider global approaches to their operations and meet customer expectations in the countries in which they operate.

What does this mean?

To protect its citizens from privacy and data breaches in an increasingly data-driven world, the GDPR mandates the use of appropriate data protection standards. This applies to all industries, which means no one is immune.

The GDPR ultimately seeks to ensure the protection of individuals with regard to the processing of personal data and the free movement of such data. So, while the process of compliance may be arduous, the outcome is a virtuous one.

Building and maintaining trust

The GDPR provides unprecedented privacy protections that strengthen the rights individuals have to control their own data. So, if you look at the virtues of data protection, providing your customers with assurances around how their personal data is handled is a favourable outcome.

This level of transparency will deliver a level of trust that will build positive relationships because your customer knows their personal information is protected. As such, compliance promises to add value by delivering best practice customer service, which is ultimately good for business and the bottom-line.

How to identify your risk

First, you should read the GDPR and the additional guidelines published by the European Data Protection Authorities. Once you have a better understanding of what it is, you will be better placed to identify whether it is an issue for you or not. Get an understanding of where your potential risks reside and investigate to what extent you are required to comply.

Also, understand that the GDPR is still a work in progress, so getting an early working knowledge of its framework will greatly assist the process of compliance down the track. Working with professionals who already have the knowledge or tools to take you down the correct path could also be of great assistance.

What you can do now

A good place to start is to map your internal processes that handle customer data. This will allow you to identify potential points of exposure and where compliance controls need to be implemented.

Once you’ve evaluated your risk, the path to compliance requires defining a workable plan to implement the required changes. Mapping gives you the ability to critically determine potential exposure points and whether the vulnerabilities lie with you, your suppliers, or external providers.

If, for example, you are working with a cloud provider, ask them whether they comply. The CISPE association (Cloud Infrastructure Services Providers in Europe) has been working with the EU to develop the CISPE Data Protection Code of Conduct to ensure cloud infrastructure offerings are compliant with the GDPR requirements. Ask your supplier whether they’ve met the criteria set out in the Code of Conduct.

Joint liabilities

A breach is a breach. So, if someone in your external network or “value chain”, such as a cloud/SaaS provider, breaches the GDPR, liability could come back to you. You should be asking your cloud provider to demonstrate its compliance with the GDPR.

Case law will probably establish clearer and more precise rules over time. Keep in mind that the financial fine could be up to 4% of worldwide turnover (limited to 20 million euros).

Privacy by design

The GDPR states that personal data has to be protected by design, through the implementation of technical and organisational measures including pseudonymisation and data minimisation. Therefore, basic cybersecurity measures alone won’t be enough to ensure data protection.

Each process or platform needs to be (re)designed with those principles in mind. You need to look beyond technology and adopt the appropriate processes to meet the evolving regulatory and threat landscape.
