GDPR

Rob Allen, Kingston Technology Europe: GDPR is rewarding organisations that already had solid data management measures in place.

Wim Nauwelaerts, Sidley Austin: even if a company is not established in the EU, the GDPR can still apply.
networks and technologies could bring data processing under the scope of the GDPR, as long as the monitored behaviour takes place within EU territory. "The guidelines provide the example of an Indian pharmaceutical company without a business presence or establishment in the EU, which sponsors clinical trials carried out by sites in Belgium, Luxembourg, and the Netherlands. Since trial participants in these EU countries are being 'monitored', the sponsor in India is arguably subject to the GDPR."
The complexity of the issue is illustrated by the consultation timeline: the guidelines were open for public consultation until January 18, 2019 and were expected to be finalised shortly afterwards, yet they remain unfinished. "However, during the public consultation, many stakeholders raised questions about the interaction between the provisions in the GDPR around territorial scope and Chapter V of the GDPR, which deals with data transfers outside of the EU," explains Nauwelaerts.
"For instance, whether data transfer safeguards, such as model contracts that have been pre-approved by the European Commission, should be put in place vis-à-vis controllers/processors outside the EU that are subject to the GDPR, because the targeting or monitoring criterion is met. The guidelines currently fail to address these questions. At this point, it is still unclear when the EDPB will publish its finalised guidelines and to what extent they will include guidance on the GDPR's data transfer restrictions."
ABOVE AND BEYOND

GDPR alone will not keep personal data secure, as Richard Blanford, chief executive, Fordway, emphasises. "GDPR may be part of every organisation's business practices, but has it really made personal data more secure? In my view, the answer is no. I believe GDPR is a business issue. It has ensured organisations know where they hold Personally Identifiable Information (PII), and have controls in place for how they store, use and delete that data through what should be a clearly defined and well-understood policy, with appropriate business processes to ensure compliance.
"However, GDPR does not address the actual security of an organisation's networks and the devices on which they store and access PII. So, if their perimeter is breached, GDPR is meaningless. And with data increasingly going outside an organisation as employees and partners tunnel through or bypass network perimeters, good cyber security discipline is more vital than ever."
KEY DISCIPLINES

According to Blanford, data security requires four key disciplines: identity and authentication management; information lifecycle management; network security; and business continuity planning. "To develop an effective data security policy, organisations need to take a holistic look at their entire infrastructure, from how data is created or acquired to how it is valued, stored, accessed and disposed of," he advises.
"This includes data that comes in from customers, partners and suppliers as well as data created internally. They also need to consider their users. No technology or regulation will be effective, unless all employees adhere to security procedures.
"This means educating users on why security matters, the consequences of getting it wrong and what to do if the worst happens. They are much more likely to comply if they understand the risks, rather than simply seeing security as a set of annoying rules which prevent them working as they wish. Achieving recognised security standards such as Cyber Essentials, ISO27001 and ISO20000 will help an organisation improve its security and, importantly, reassure its customers that it has done so."
See page 20 for another expert take on GDPR and its impact.
14<br />
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk