[BreachExchange] Acting On Data Protection

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 20 18:58:47 EDT 2017


http://www.huffingtonpost.co.uk/charlie-mayes/acting-on-data-protection_b_16896522.html

New legislation and changes to regulations such as the General Data
Protection Regulation (GDPR) can be extremely daunting for both public and
private sector organisations. One of the principal reasons for this is that
many of these don't always have the necessary manpower and/or expertise,
making the task in hand feel onerous.

However, there is good reason to ensure that we comply. Take the recent
global ransomware attack, WannaCry; policies and practices must be in place
to not only comply with regulation, but also to protect our businesses and
our customers. WannaCry has infected numerous computers in more than 150
countries so far, including at least 16 organisations affiliated with the
NHS, wreaking havoc for hospitals and patients alike.

This attack is a timely reminder of the inherent vulnerabilities of the
Internet and stark evidence that many of the technologies on which we have
come to rely are not always as resilient as we would like to think,
highlighting why robust information security is so important. The most
basic of practices, like backing up data, updating software and repeating
these activities routinely, might have prevented these organisations from
falling victim.

Protecting such data has long been an obligation of all organisations and
the Data Protection Act has provided the legislative core for protecting
the associated rights of citizens in the UK for the last few decades. Yet,
in the absence of an identifiable data breach, how easy or otherwise is it
to test for widespread compliance? With the advent of GDPR, the stakes are
about to get higher and pressure is on organisations to get things in order.

The good news is that the introduction of GDPR will clear up most of the
complexity around understanding the various local data protection
regulations in Europe. GDPR is preparing for a new era now defined by
cloud, mobile, social, big data and an increased exchange of data across
national borders. It affects all companies that process the personal data
of EU-citizens and this also extends to companies that process data of EU
citizens without having a physical presence in the EU.

Despite the proliferation of articles covering GDPR and the fact that the
GDPR is only less than 12 months away, it would appear that many
organisations are still not prepared or indeed preparing. According to a
recent survey by IDC of 700 European companies of various sizes, almost 80%
of IT decision-makers have a poor understanding of GDPR's impact or have
not even heard of it. Of the 20% surveyed who said they were aware of GDPR,
only 20% said that they already meet the new requirements.

It feels like one of those scenarios where the hardest part is getting
started. Although GDPR builds on the existing Data Protection Act, it's a
sizable piece of legislation. But with closer regulatory oversight
anticipated, especially on the SME community, it's important to get going
now.

For most organisations, there's a good chance that many of the underlying
processes will already be in place, so the route to compliance may be
shorter than anticipated. The key is to ensure that you know what you need
to do in order to prepare and that you give yourself adequate time and
resources to ensure that you do this properly.

Here are a few steps to help with your planning for GDPR:

1. Raise awareness - make sure that decision makers understand the reasons
for compliance and what the journey to compliance involves.
2. Brief staff on the changes they can expect to the way they work and
handle personal data.
3. Perform a data audit and a risk assessment to ensure an effective
security policy is implemented.
4. Communicate clearly to data subjects - all data subjects should be made
aware in clear language that their personal data is being collected, for
what purpose, and how long it will be stored.
5. Consider the purpose of data collection and think about how data is
deleted.
6. Understand data subject rights - they have the right to request access
to data related to them that an organisation may be storing or processing.
7. Provide data subjects with the means to move their personal data away -
this is a new and unexplored requirement and a common framework needs to be
established.
8. Conduct a data protection impact assessment - especially in scenarios
where data processing is likely to result in a high level of risk to data
subjects' rights.
9. The confidentiality, integrity and availability of data processing
systems must be guaranteed and documented.
10. Overall ensure you have effective policies and technology in place to
limit your risk exposure.

It may feel as though there are priorities other than GDPR right now, but
May 2018 will come round very quickly and the consequences for getting it
wrong will be exponentially more severe. Transgressors will face
considerable fines which act as a large incentive in itself, but as the
UK's Information Commissioner has recently commented: "The digital economy
is primarily built upon the collection and exchange of data, including
large amounts of personal data - much of it sensitive. Growth in the
digital economy requires public confidence in the protection of this
information." Therefore, it is in the best interests of businesses to
ensure they get their act together when it comes to the new legislation.