GDPR, changing what it means to be a good data custodian

19 Jun 18

As the deadline for compliance with Europe’s General Data Protection Regulation (GDPR) has finally come to pass, its impact on the business world is becoming clear. After years of ambiguity, the spotlight is fixed upon how data is used and what it means to be a good data custodian. Some of what the spotlight has shown isn’t good, but the mere presence of that spotlight is immensely important – this is the data privacy discussion we needed to have.

Many individuals have seen this play out in their inboxes in recent months as all of the major social media and web players have been updating their terms of service to become GDPR compliant. For example, LinkedIn made changes around how user data “…can be used to personalise ads,” as well as how the service “…customises… experiences based on your data, including what you see, what we suggest and how we generate insights.”

Some companies like Twitter say they will raise their standards by creating a “bespoke experience” for EU users. A small number of others say they will simply withdraw from the EU entirely rather than meet the GDPR standards. These events are quite significant. Arguably, for the first time, we are being made aware of where our data goes, how it affects what we see online, and how committed companies are to keeping it secure.

The GDPR is designed to ensure that the collection, storage, and processing of member states’ citizens’ data is consistent, secure, and non-invasive. However, it is not merely European firms that are affected. In fact, the regulation isn’t even limited to enterprises with physical operations in Europe. Rather, any organisation that stores or processes the personal data of European citizens must uphold GDPR. Failure to comply is expensive – the fines can amount to 20 million Euros (A$31.7 million) or four percent of a non-compliant organisation’s revenue.

One of the key elements of the GDPR is that it empowers citizens to have a voice in how their data is used. Data subjects, including employees, have various rights and can take legal action against those that misuse their data. As such, organisations must take steps to inhibit data misuse, prevent unauthorised access, record data processing, and demonstrate compliance. To meet these requirements they need security capabilities that encompass cloud, endpoints, BYOD, and outside threats such as malware. Below are a few key areas for organisations to consider in their quest for GDPR compliance.

Visibility

To attain data security, organisations must first gain thorough visibility over their data. Whether said data is being stored in another country, transferred abroad temporarily, or exfiltrated by employees to unsanctioned cloud apps, firms must keep track of where it is stored, sent, and accessed – otherwise, they cannot secure it. As such, the enterprise must adopt solutions that offer comprehensive, cross-app visibility for every app, action, and user that touches data.

Certifications

Organisations are encouraged to have codes of conduct and certifications that demonstrate various levels of compliance with GDPR. While these are intended to be a form of voluntary self-regulation, there will be accredited, independent bodies that determine if organisations are in compliance with the certifications that they pursue. Tools that provide transparency and security with respect to data storage, access, and usage can help an enterprise demonstrate its adherence to varied data protection standards.

Breach notifications

Finally, GDPR mandates that a breached organisation provides documentation on the causes and effects of a breach, as well as the security measures taken to address it. Because of this, organisations need solutions that log all activities involving corporate data and prevent breaches ahead of time. This requirement is less impactful in Australia and other nations where data breach notifications are already mandatory. However, the standardisation of breach notifications abroad should serve to enhance data protection practices internationally.

In a world where personal data is viewed as a currency and complex individual profiles are built by aggregating countless pieces of information, a proper public conversation on data usage is proving its worth. Everyone is entitled to having the privacy of their personal information respected. Organisations must now comply with GDPR or face the reality that they have no place in our increasingly cloud-first world.

Article by Bitglass vice president of sales for Asia Pacific and Japan, David Shephard.
