CS Nov-Dec 2022

GDPR
Dan Middleton, Veeam: Businesses must
place data integrity, security and
resilience at the heart of their operations.
facilitate the transfer of personal data from
the EU to a third country or international
organisation, while ensuring that the data
continues to benefit from a high level of
protection. "This continuity of protection
is important, given that in today's world
data moves easily across borders and the
protections guaranteed by the GDPR would
be incomplete, if they were limited to
processing inside the EU. The toolbox
includes actively engaging with key partners
with a view to reaching an adequacy
finding and yielded important results such
as the creation between the EU and Japan
of the world's largest area of free and safe
data flows. Ongoing work also concerns
other transfer mechanisms, such as
standard contractual clauses and
certification, to harness the full potential of
the GDPR rules on international transfers."
What is all too clear from the sizeable fines
that were imposed on Instagram and others
is that data protection authorities are
making use of a wide range of corrective
powers provided by the GDPR, such as
administrative fines, warnings and
reprimands, orders to comply with data
subject's requests, orders to bring processing
operations into compliance with the
Regulation, to rectify, erase or restrict
processing. Nor is it all about fines as a
means to keep businesses in line. As the
EC states: "The GDPR also provides for a
broader palette of corrective powers. For
example, the effect of a ban on processing
or the suspension of data flows can be
much stronger than a financial penalty."
CHANNEL 4 - TOTAL VISIBILITY
One organisation intent on ensuring it
meets its GDPR obligations is Channel 4,
which is said to be saving its security
department thousands each year after
partnering with Invicti Security to gain
complete visibility into its web assets.
As part of protecting the information it
collects, in line with regulations such as
GDPR, Channel 4 - which operates the UK's
biggest free streaming service, All 4, plus a
network of 12 television channels - needs
to secure vast amounts of information,
including the data of 24 million All 4
subscribers, as well as staff details, and all
of its intellectual property and be able to
demonstrate that this data is safe and
secure.
As a large organisation with thousands
of web assets, security was previously a
complex and expensive task, involving
numerous penetration tests with multiple
third parties, costing significant sums to the
business. "We would perform a penetration
test and after getting the results, we'd have
to fix the issue and then pay for another
penetration test," says Channel 4 CISO Brian
Brackenborough. "That could be quite a
cycle depending on how complicated the
particular project was."
Channel 4 now uses Invicti to gain visibility
into whether websites are collecting
personally identifiable information (PII). It
can then perform vulnerability scans and
penetration tests on those websites. The
efficiency gains and cost savings are clear:
partnering with Invicti saved Channel 4
thousands in the first year alone. "The
budget, which we were spending every
year on penetration testing, decreased
approximately 60%. The following year,
it decreased close to 80%," he adds.
Using Invicti, Channel 4 can start
performing automated and continuous
penetration tests or vulnerability scans
against systems at certain milestones of
a project to make sure it stays on track. It
allows Channel 4 to catch any issues early
on in the process, prioritising vulnerabilities
that put the organisation at risk, so it can
fix them with less manual effort.
"That makes our lives a lot easier and allows
us to ensure we are delivering projects on
budget and on time," says Brackenborough.
40
computing security Nov/Dec 2022 @CSMagAndAwards www.computingsecurity.co.uk