CS1907

More documents

Recommendations

Info

GDPR clearly means business." Interestingly, these firms' attacks were by no means the largest, in terms of numbers for 2018. "This could, in fact, be the tip of the iceberg of what is to come," he warns, "but let's hope others are taking copious amounts of notes as to how to handle a breach or, better still, evade the attacks as best they can in the first place." ENSURING CONSENT As Rob Allen, director marketing & technical services at Kingston Technology Europe, rightly points out, the only noticeable effect of the EU's General Data Protection Regulation (GDPR) legislation for most people has been having to click through tedious popups about data sharing and cookies on just about every website. "There's a good reason why they're appearing," he says. "One aspect of GDPR is that it compels organisations to notify users about how their personal data is handled, which very much includes all the information that modern web browsers hoover up. Consent is required for that data to be shared externally, and all possible technical measures must be otherwise taken to safeguard personal information stored on the organisation's network - or there's the potential for extremely strong financial penalties." So, the news that British Airways was hit by a potential £183 million fine by the ICO comes as a sharp reminder that GDPR will be enforced and failure to comply does have consequences. "So far, this is the largest GDPR fine that a UK company has faced. But although the fine is bad news for BA, the managers and bosses of other UK organisations that have been scrambling to meet the requirements of the legislation may breathe a little easier, knowing that the time, effort and cost they have invested into data security has been done for a good reason," he states. "And, let's face it, before the changes to GDPR, many of us had acquired some dreadful habits when it came to handling data, and tightening things up wasn't exactly a priority for many firms." If you're not paying attention, it's all too easy for data to end up in the wrong hands, perhaps because a device is lost or a third party gets unrestricted access to it, Allen adds. "Any improvement requires both organisational and technical changes to keep data secure. Improving company mindset by educating a workforce, better information management and risk management play as much of a part in secure handling of data as technological solutions. Ultimately, though, the use of strong encryption is the foundation that ensures data is always protected, whether it's stored on the firm's own devices or otherwise. That applies to business networks, company servers, removable devices, and all internal storage on company laptops." For an IT manager to sleep well at night, suggests Allen, they need to be certain that the next time a company laptop is inevitably left in a hotel, or a USB stick is misplaced, it's near impossible that mission-critical information can be prised from it. "They need to know that no passwords are stored anywhere in plain text. They need to know that employees understand not to email company documents back home using personal email accounts, store them on an unencrypted laptop or rely on unsanctioned third-party cloud services. "These examples of changes to business behaviour aren't necessarily complicated, so complying with GDPR doesn't have to require moving heaven and earth. Arguably, the examples we've suggested are merely good practice anyway and GDPR is rewarding organisations that already had solid data management measures in place, before it became law to do so," he concludes. BREACHES RACKING UP "Hefty fines and reputational damage haunted businesses in the build-up to the passing of the General Data Protection Regulation," recalls Martin Warren, cloud solutions manager, EMEA at NetApp. "We all know by now that data security and privacy are, in fact, two different, complementary issues and, with the number of data breaches racking up this year, we are facing the evolving reality of data security in a world where we essentially live digital-first lives. "In a world in which our data and its privacy are paramount, data security ensures the front door is bolted shut; data privacy, meanwhile, requires data management processes with privacy-by-design at its core." While data security is certainly important for businesses, encryption and data masking will not help a business become GDPR compliant, he adds. CULTURE CHANGE "GDPR has succeeded in increasing the profile of data protection within most organisations," says Robert O'Brien, CEO MetaCompliance. "Changing the culture of privacy by design and privacy by default will take organisations a significant time to deploy. There is still a long way to go for most companies. "It's still early to comment on the impact of GDPR in delivering enforcement. There has not yet been the flurry of financial sanctions that many people feared. The ability of the regulator to stop an organisation processing data might become a more powerful and effective tool than fines in the future." However, he does see GDPR as the gold standard for privacy worldwide. "This can be seen in the construction of the Brazilian and the Californian privacy directives." 12 computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk
case study "Equally, it does not help companies if they secure data they are not legally allowed to have. Therefore, GDPR is not just an IT issue. The compliance process needs to be led from the C-suite down, as a legal and business concern before a technology one - we might have hoped that this massive shift in mindset would be more evident almost a year on." Large-scale data breaches from trusted companies are now perceived with more clarity by consumers, who are awake and more aware of their data rights, suggests Warren. "This only makes the reputational risks of non-compliance more significant." WIDER IMPACT What is happening with GDPR and its growing influence though punitive action in Europe is one thing - but how has it impacted other national data protection regulations? "GDPR has emerged as the new standard for data privacy and has directly influenced similar regulations in other parts of the world, such as LGPD in Brazil and CCPA in the State of California," says Jonathan Deveaux, comforte AG. "In addition, the European Commission has reached an agreement of reciprocal adequacy with Japan, meaning that data subjects in the EU enjoy the same protections in Japan and vice versa. "Most recently, Thailand passed their own Personal Data Protection Act, which will go into effect in May 2020. "As this global trend continues, more and more organisations will be looking into cross-regulatory compliance strategies, in order to synergise their investments into complying with overlapping data privacy laws around the globe." RULES OF THE GAME It's a theme that Wim Nauwelaerts, privacy and cybersecurity partner at Sidley Austin, expands on. "Under the GDPR, EU data protection law applies when personal data is processed in the context of the (business) activities of a controller's or processor's establishment in the European Union (EU). This rule applies, regardless of whether or not the data processing takes place in the EU. For example, a pharmaceutical company with headquarters in France sponsors a clinical trial in Bangladesh and receives (coded) study data from the Bangladeshi site. Although the data processing takes place in Bangladesh, it is carried out in the context of the activities of the sponsor/controller established in France. Therefore, the provisions of the GDPR apply to such processing." Even if a company is not established in the EU, the GDPR can still apply, if the company (a) 'targets' individuals in the EU by offering them products or services; or (b) 'monitors' their behaviour, in as much as that behaviour takes place in the EU. TARGETING AND MONITORING "Since the GDPR came into effect last year, there has been confusion around the targeting and monitoring criteria, and how to apply them in practice. For companies that have no physical presence in the EU, but are receiving personal data relating to individuals in the EU, it is not always clear whether their data processing activities fall within the ambit of the GDPR," Nauwelaerts states. "On November 23, 2018, the European Data Protection Board (EDPB) published draft guidelines, with a view towards addressing the lack of clarity around the territorial scope of the GDPR (Guidelines). The guidelines explain, for instance, that a key element for the application of the targeting criterion is whether the conduct of the controller or processor demonstrates its intention to offer goods or services to an individual located in the EU. In other words, the targeting criterion can only apply, if controllers/processors outside of the EU have manifested their intention to establish (commercial) relations with individuals - mostly consumers - in the EU." Regarding the monitoring criterion, the guidelines consider that a broad range of monitoring activities through various types of Jonathan Deveaux, comforte AG: GDPR has emerged as the new standard for data privacy and has directly influenced similar regulations in other parts of the world Martin Warren, NetApp: data security ensures the front door is bolted shut. www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security 13
Page 1 and 2: Computing Security Secure systems,
Page 3 and 4: comment NATION IN TRANSFORMATION In
Page 5 and 6: p ent est INFORMATION SECURITY ASSU
Page 7 and 8: editor's focus from the public and
Page 9 and 10: True multi-factor authentication wi
Page 11: GDPR fine is preliminary," states A
Page 15 and 16: product review WEBROOT BUSINESS END
Page 17 and 18: financial focus an online banking u
Page 19 and 20: inside track EDUCATION, EDUCATION,
Page 21 and 22: Webroot empowers businesses with pr
Page 23 and 24: threat intelligence have seen an im
Page 25 and 26: 12th edition of the most recognized
Page 27 and 28: cyber espionage a "sobering story"
Page 29 and 30: CYBER SECURITY europe 9-10 October
Page 31 and 32: industrial cyber security MULTIPLE
Page 33 and 34: endpoint detection and response GET
Page 36: Brookcourt Solutions (A Shearwater

CS1907

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?