[BreachExchange] Don’t delay when it comes to data protection

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 10 21:25:45 EDT 2016


http://www.itproportal.com/2016/05/09/dont-delay-when-it-comes-to-data-protection/

After four years of discussions, the European Parliament finally passed its
vote for the new General Data Protection Regulation (GDPR) last month,
leading us into a new age of data protection for European citizens, and the
businesses they interact with. Over the next 24 months, businesses will
have to get to grips with the regulations and ensure they are fully
compliant by the time the new laws come into play in 2018.

The regulation sets out to harmonise data protection law across Europe and
make it applicable to both European and non-European companies offering
online services in the EU. To date, organisations processing the personal
data of EU residents have had to deal with a patchwork of 28 different
national data protection laws.

Data for good

This new legislation, in short, will bring much needed clarity to the data
market. Individuals need to be clearly informed around how their data will
be used, and this is especially true in today’s threat landscape. Every
week we are faced with yet another news story about a high profile company
experiencing a data breach in which sensitive and valuable customer
information has been leaked onto the internet. Ultimately this data ends up
in an online marketplace on the dark web, where it goes to the criminal with
the highest bid. Therefore, it's no surprise we are
now more concerned than ever about the state of our data. In fact, GBG
research found that 86 per cent of consumers were worried about identity
theft whereas 83 per cent feared that someone could obtain their data for
profit.

However, whilst these concerns are justified, we shouldn’t just see our
data as something risky. All too often, people forget the benefits of
sharing data. For example, earlier this year the former Mayor of London
heralded a dramatic increase in the number of London hospitals sharing
data, as more than half of London’s emergency departments now share
information with the police to help improve public safety, solve crimes and
reduce violence across the capital.

In addition, when done properly, data-driven marketing means that you are
not bombarding your customers with marketing on products or services that
they have no interest in. By using the data accumulated by businesses
effectively, marketers can create targeted campaigns which result in
satisfied customers. Today, companies need to use the data available to
them intelligently, to help protect individuals not just from security
threats but also from a customer experience that falls short of what they
expect from a brand.

Responsible data protection

This protection of individuals in the EU is at the heart of the new
legislation. In fact, European Parliament said they believe it will ‘ensure
that the fundamental rights to personal data protection is guaranteed for
all’. Therefore, under the new legislation, a number of principles are
outlined related to the processing of personal data, including that
personal data has to be processed lawfully and in a transparent manner. It
also has to be collected for specified, explicit and legitimate purposes.
This point is interesting, especially when we consider that in the same
GBG research, over half of businesses (59 per cent) surveyed in the report
said they collect data which is not used or not useful to the organisation.

Personal data must also be accurate and kept up to date, a requirement that
already exists today and continues under the EU GDPR. Businesses must take
every reasonable step to ensure that inaccurate personal data about their
customers is erased or rectified without delay. Finally, it is the
businesses themselves that are responsible for following these principles,
and they have to be able to demonstrate compliance.

Overcoming the challenges

Of course, complying with these new regulations will not be without its
challenges. So how can companies overcome them to ensure they are ready for
2018? Here are my top tips:

1) Change your mindset

Typically compliance has been regarded as a tick-box exercise. Your
organisation needs to establish new internal controls to ensure compliance
as quickly as possible. It is important to be proactive, continually
assessing how data is processed to ensure the fundamental rights and
privacy of individuals are honoured.

2) Clean up your data

Take stock of all the customer data held within your business and then
decide which data you should keep hold of and which you can get rid of. Of
course, when it comes to disposing of customer data, it is crucial that this
is done in a safe manner. Organisations have a duty of care to ensure
customers are not put at risk of fraud or identity theft.

3) Be introspective within your organisation

If you rely on consent as the basis for data processing, you should
consider how this is currently gathered. Look at your privacy policy and
what approach is being used to obtain consent. Consent must be freely
given, specific and unambiguous. This can be achieved by ensuring the
information provided is concise, transparent and in an intelligible form.

The ICO has also published a 12-step checklist, which is a great starting
point for businesses needing a step-by-step guide.

Two years may seem like a long time, but it will pass us by faster than we
know. My advice would be to not delay – read the steps outlined in the
checklist and consider how they apply to your organisation. Compliance with
the new regulations will not be something an individual can achieve on
their own. Successful implementation and ongoing review will only come from
company-wide awareness, with the relevant controls in place to trigger
where a plan is required. As the saying goes, ‘don’t put off until tomorrow
what you can do today’. Businesses that take action now will find
themselves in a much more advantageous position come 2018.