American and European companies are abuzz over the new EU data protection regulation, which takes effect on 25 May 2018. Heavy fines await those who fail to update their data protection systems and policies, and companies headquartered outside the EU are affected too: penalties can reach €20 million or 4% of global annual turnover, whichever is higher.
Today, companies are not prepared for the new regulation. According to a TrustArc survey (January 2018), 61% of companies have not yet started applying the GDPR, and 83% of the sample said that the technology investment needed to comply would reach six figures. Another report, by Veritas, found that 54% of its sample had not begun preparing for GDPR enforcement at all.
Why don't companies batten down the hatches?
According to McKinsey's estimates, large companies could spend 10 million dollars to comply with the General Data Protection Regulation. Compliance implies deep changes in business processes and in the ways data is used, and US businesses have complained about the severity of this EU law.
Nobody wants to comply ahead of the deadline, and a wait-and-see attitude prevails.
Who is really responsible for the new law application? Is it the CIO (Chief Information Officer), the CISO (Chief Information Security Officer), the CFO (Chief Financial Officer) or the CPO (Chief Privacy Officer)?
With the GDPR, companies must know exactly where all of their data is stored. A real challenge!
According to a McAfee survey, 40% of companies' cloud services were bought without the involvement of the IT department, which has only partial visibility of the data: it can see about 47% of IT services such as data storage.
How to prepare for the GDPR: 5 things to do
Set up email authentication with DMARC (Domain-based Message Authentication, Reporting and Conformance), which builds on SPF and DKIM;
Inventory the cloud services you are using;
Update your privacy policies;
Plan a standard incident-response procedure for data breaches;
Make sure the management board is aligned.
6 THINGS FOR A COMPANY TO DO TO PREPARE FOR BIG DATA PRIVACY OF 2018
It is never too early to comply with the strict General Data Protection Regulation. IT privacy concerns are at the top of the list, because Big Data is gathered from a myriad of different sources.
Data of many sizes and forms is stored, and all of it needs to be protected. So, what are the best practices a company should follow to guarantee correct and safe management of Big Data?
Always check your cloud-based solutions providers’ data privacy
Many cloud providers can offer privacy and security levels that meet the new Big Data protection standards, but it is up to you to ask for them, and usually to pay for them.
Never assume that your cloud service provider is giving you the best solution. Your team has to verify whether the privacy and security levels on offer are good enough for your internal governance standards for Big Data processing.
In addition, ask your external IT auditor to evaluate the privacy and security levels of your cloud services provider. Your provider's data protection and security levels should be checked at least once a year.
Use private cloud services
Most public cloud providers also offer private cloud options. Storing your data on private cloud infrastructure is more expensive, but it gives you more control over where your company's data lives and who can reach it. This is the best investment to keep your data safe and under control.
Make your data anonymous
If you anonymize data, you can protect your clients' privacy and, at the same time, continue to analyze the most sensitive trends in your company's data. One way is to encrypt or tokenize the elements that could personally identify someone. Note the caveat: as long as the key or lookup table that reverses that step exists, the GDPR treats the result as pseudonymized, not anonymized, and it remains personal data.
Another way is aggregation: take the individual values for a specific category (e.g. wages), compute a composite average, and feed that into a wider analysis instead of the per-person figures.
A third method is masking or redacting the data.
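The three methods above, as an added example that is not part of the original article. The records, the department names and the signing key are all constructed for illustration (a real key would live in a KMS or HSM, never next to the dataset). Keyed hashing with HMAC-SHA256 stands in for the "encrypt the identifiers" step; the aggregation step suppresses groups smaller than a threshold k, because an "average" over one or two people simply re-publishes their individual wages.

```python
import hashlib
import hmac
import statistics
from collections import defaultdict

# Constructed sample records (not real people): the kind of HR export an
# analytics team might be handed.
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.com", "dept": "R&D", "wage": 52000},
    {"name": "Bob Sample", "email": "bob@example.com", "dept": "R&D", "wage": 48000},
    {"name": "Cy Demo", "email": "cy@example.com", "dept": "R&D", "wage": 61000},
    {"name": "Di Test", "email": "di@example.com", "dept": "Sales", "wage": 39000},
    {"name": "Ed Mock", "email": "ed@example.com", "dept": "Sales", "wage": 41000},
    {"name": "Fay Fake", "email": "fay@example.com", "dept": "Legal", "wage": 70000},
]

# Hypothetical secret for the example only; in practice it is held in a
# KMS/HSM and rotated, and it must never be stored beside the output data.
PSEUDONYM_KEY = b"rotate-me-and-keep-me-out-of-the-dataset"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Method 1: replace a direct identifier with a keyed hash (HMAC-SHA256).

    The same person always maps to the same token, so analysts can still join
    on it, but without the key nobody can rebuild the name. Under the GDPR this
    is pseudonymisation, not anonymisation: whoever holds the key can
    re-identify, so the output is still personal data.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def mask_email(email: str) -> str:
    """Method 3: mask the local part, keep the domain for coarse analysis."""
    local, _, domain = email.partition("@")
    if not domain or not local:
        return "***"
    return local[0] + "***@" + domain


def aggregate_wages(records, k=3):
    """Method 2: replace individual wages with a per-department average.

    Departments with fewer than k people are suppressed (reported as None),
    since their "average" would reveal individual salaries.
    """
    by_dept = defaultdict(list)
    for r in records:
        by_dept[r["dept"]].append(r["wage"])
    return {
        dept: (statistics.mean(wages) if len(wages) >= k else None)
        for dept, wages in sorted(by_dept.items())
    }


def anonymize_for_analytics(records, k=3):
    """Build the dataset the analysts get: a token instead of the name, a
    masked email, the department, and the department-level wage instead of
    the person's own wage."""
    dept_avg = aggregate_wages(records, k)
    return [
        {
            "subject_id": pseudonymize(r["name"]),
            "email": mask_email(r["email"]),
            "dept": r["dept"],
            "dept_avg_wage": dept_avg[r["dept"]],
        }
        for r in records
    ]


if __name__ == "__main__":
    for row in anonymize_for_analytics(RECORDS):
        print(row)
```

Only the R&D rows keep a wage figure in the output; Sales and Legal are below the k=3 threshold and come out as None. Deleting the HMAC key after the export is what would turn the `subject_id` tokens from pseudonyms into something closer to anonymous data.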
Inventory all your company’s Big Data and analyze them with a privacy filter
Organizations distribute Big Data across many departments, business units and internal offices. As a result, there is a risk that information held by one department is mis-shared with, or transmitted to, other units of the company. Every exchange between one department and another entity represents a privacy risk.
The department responsible for data governance and administration should identify and scrupulously control these internal transfers.
Big Data should also be checked by external IT auditors on a monthly basis. If several business units and departments use cloud-based services, it is necessary to verify that the privacy level of each IT vendor meets the company's security standards.
Pay attention to the GDPR
If you are an American company that does not operate internationally, you can forget about the EU General Data Protection Regulation... for the moment.
But if you have operations in Europe, or plan to work there in the future, stop scratching your head and start worrying about it now.
The GDPR is the compass for future data protection policies: if you comply with it now, you will be well placed for the next few years.
Organize social engineering audits
Sometimes employees sabotage or compromise the company's data by sharing sensitive information with colleagues or outsiders, whether unintentionally or on purpose. This is a strong reason to arrange social engineering audits alongside the yearly monitoring of the company's IT assets.
A social engineering audit tests the company's resistance to phishing and other attacker techniques, to physical and virtual threats, and to every kind of physical or virtual deception attempt, including those that come from employees.
In this way it is possible to bring specific vulnerable areas to light and identify the IT training the personnel needs.
GDPR: 7 THINGS COMPANIES MUST KNOW ON THE EU DATA PROTECTION REGULATION
GDPR concerns all companies
The General Data Protection Regulation applies to all companies worldwide that process the personal data of people in the EU, whether or not the company has an establishment there.
For the first time, the EU exports its data protection principles worldwide: all processing of information about people in the EU must respect the GDPR, giving this regulation a genuinely global reach.
GDPR widens the definition of personal data
The regulation widens the definition of personal data to any information that can be used to identify a person, directly or indirectly, and explicitly includes genetic, mental, economic, cultural and social identity data.
GDPR tightens the requirements for obtaining valid consent to use personal information
Proving valid consent for the use of personal information is one of the most important challenges in complying with the GDPR. Organizations must use plain language when they ask for consent to gather personal data.
They must state the purpose for which the personal data will be used, and accept that silence and inaction do not constitute consent: pre-ticked boxes and tacit agreement no longer count.
GDPR makes the DPO mandatory for public bodies and for many private companies
The GDPR requires a DPO (Data Protection Officer) in public authorities and in private organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data such as health or criminal records.
According to an IAPP’s (International Association of Privacy Professionals) survey, 28,000 DPOs will be hired in Europe to enforce the new regulation.
In Germany, the DPO position is mandatory for companies in which at least ten people are regularly involved in automated processing of personal data, but this professional profile will also become common in smaller companies that process large amounts of data.
GDPR introduces the Privacy Impact Assessment
The Privacy Impact Assessment (the GDPR calls it a Data Protection Impact Assessment, or DPIA) requires the organization to evaluate, before processing starts, the risks that attacks and breaches pose to the people whose data is held. The objective is to minimize the potential losses from data theft.
The DPO must be consulted on each of these assessments, which are required for every project that processes personal data in a way likely to result in a high risk to individuals.
GDPR introduces common standards to notify data breaches
The GDPR sets common standards for handling data breaches: companies must notify the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the people affected, and must inform those people directly when the risk to them is high.
This implies that organizations need technologies or IT services that allow them to detect and respond to data breaches quickly.
GDPR introduces the right to be forgotten
The right to be forgotten (the right to erasure) laid out by the General Data Protection Regulation goes hand in hand with data minimization. Additionally, companies may not change the purpose for which data was gathered, so if they want to use data in a different way they must ask for fresh consent.
This means companies need technologies that let them locate and delete a person's information without undue delay when that person makes an explicit request.