IT Security And Compliance in A Post GDPR World

 

The current IT landscape

These are interesting times to be working in the IT industry.

 

Artificial intelligence and automation initiatives are proliferating. We’re seeing more proactive and predictive analytics to harness data intelligently. Consumers are demanding more digital centralisation for their connected technologies.

Distributed workforces want consistent multi-channel-per-user collaborative experiences. And organisations that thought they were well positioned ahead of GDPR have woken up to the fact that areas like their supply chains may not be as joined up as they thought.

Across all these trends a common thread is getting security right. Enterprise/project risk assessments and compliance objectives emphasise the need for security by design in everything. Vohkus can help you stay ahead of the game.

There are currently over 2.5 quintillion bytes of data produced every day, and much of that data is personal in nature and used for various reasons by companies worldwide.

GDPR requires a comprehensive review of internal policies for data retention, business processes, and technology systems. In turn, all these elements must work together in coordination with supplier systems to meet the GDPR principles laid out below:

Accuracy

Every reasonable step must be taken to ensure that personal data is accurate and processed in accordance with the agreed terms that were laid out in layman's terms when consent was given.

Accountability

Organisations must be able to demonstrate that their technical systems operationally adhere to data protection principles and citizen rights. It requires organisations to maintain a repository of the functional requirements of their technology systems.

They will also need to be able to demonstrate how these requirements are delivered through associated design, plans, functional testing and assessment documentation.

Transparency

Companies are required to articulate to individuals what their data is being used for and with whom it has been shared, meaning companies can no longer assume consent. Websites will have to turn cookies (code used to track visitor behaviour) off by default and only start tracking after visitors have explicitly agreed.

Data minimisation

Companies must limit personal data collection, storage, and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.

Security

Organisations must use appropriate technical and organisational security measures to protect personal data against unauthorised processing and accidental loss, disclosure, access, destruction, or alteration.

Retention

Organisations may only hold on to personal data for as long as is necessary to fulfil the intended purpose of collection.

Deletion

If the individual requests at any time that their data should be deleted, the data controller has to comply with that request and confirm the deletion, not only from their own systems but also from the systems of any downstream vendors that were processing that data on behalf of the organisation (i.e. cloud providers).

 

Compliance and security challenges in today’s tech-oriented world:

Alongside the European Markets in Financial Instruments Directive (MiFID II) and the accompanying regulation (MiFIR), which came into force on 3rd January 2018, the GDPR poses further operational challenges that are difficult for technology to deal with:

  • Technology thrives on certainty, rules and clear requirements, yet the GDPR is both complex and open to interpretation.
  • The GDPR requires organisations to manage all personal data, yet many do not know where all their personal data resides.
  • The GDPR requires organisations to control the processing of all personal information, yet the rise of shadow IT takes control away from the IT department and disperses it across the business functions.
  • Finding impartial, reliable advice is difficult, with an explosion of solutions on the market that promise great things but have not had the time to mature and prove their credibility.

IT: managing and securing data, technology stacks and the solution

Not having a clear process for capturing, storing, securing and processing data and the ever-expanding technology stacks are just some of the issues that GDPR is trying to solve. As such, it is obvious that as well as being part of the problem, information technology must be part of the solution.

“Privacy by design”

Good data protection means technology needs to be matched to your processes, not the other way around. Embedding privacy and data protection into the design and architecture of IT systems, technology infrastructure and business practices is, therefore, an integral part of any initiative from the outset. This removes the potential for human error and alleviates any concern around a breach. Using the GDPR framework as a basis for assessing the capabilities of a current technology stack and determining core gaps in basic functionality ensures a proactive approach to privacy, not reactive.

Have good risk management

Risk-based security ensures that priorities are established and decisions are made through a process of evaluating data sensitivity, system vulnerability and the likelihood of threats. This is a key component of knowing your current state and essential for building an appropriate GDPR compliant programme.

Monitor:

The GDPR requires organisations to report certain types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. This is despite the fact that 191 days is the average time it takes to identify a breach. Having toolsets in place that can identify incidents across your estate is an effective mitigation tactic. Real-time visibility of events, alerts and notifications ensures your business can take rapid action to avoid or resolve system issues.

System administration:

Incidents and outages can be minimised by outsourcing your system administration. IT consultants can provide traditional 'housekeeping' and patch management, automated event response and root cause analysis to identify breaches and maximise system availability.

Asset management and disposal:

The GDPR will make it compulsory for organisations to be able to recover lost personal data quickly. If personal data is compromised during the asset disposal process, even after it has left your organisation, you may still be responsible for breaching the DPA. Implementing a reliable asset management and disposal process ensures compliance with disposal regulations.

Internal data:

Under the GDPR, employees within an organisation are also considered data subjects. Employees who are responsible for processing a client’s personal data should be fully up to date with your company’s GDPR compliance programme and how it will affect how they collect, process and access personal data. Don’t get caught up in the processing of external data and forget about your internal procedures and obligations to protect employees under GDPR.

 

 


GDPR compliance for data centres

Not only do data centres handle customer data and financial information, they’re also essential to the daily operations of thousands of businesses. Consequently, data centre providers are heavily affected by the GDPR and are an important piece in the compliance chain.

As both controllers of their own data and processors of data that is controlled by third parties, data centre operators potentially have dual liability under the legislation.

  • Firstly as data controllers of personal information that they hold, store and process for their own purposes.
  • Secondly as data processors of data held within their facilities by third-party data controllers – their customers.

Giving customers and clients confidence in their data storage is a major issue data centres have to confront when it comes to complying with the GDPR. If a breach or hack occurs, customers need to trust the data centre to deal with it effectively and immediately. Implementing appropriate technical and organisational measures to be able to demonstrate that processing is performed in accordance with GDPR is essential for instilling confidence in data centre customers. This means running internal security audits and hiring dedicated staff whose sole responsibility is data safety.


Cloud Security: How to ensure GDPR compliance in the cloud

Cloud models by definition involve workloads and information that are not on-premises but distributed, managed and processed across hardware, software and networks/systems of third parties. Organisations need to be working with providers to understand where data is.

  • Know the location where cloud apps are processing or storing data. Identify all of the active cloud apps in your organisation and establish where they are hosting your data. Consider that cloud providers may also have members of staff, data centres, parent organisations and processes scattered around the world. The flow of data between all of them needs to be protected.
  • Take adequate security measures to protect personal data from loss, alteration, or unauthorised processing. Extending existing security investments off premises needs to seamlessly integrate with current security layers so that your employees are protected anywhere they work – and on any device. Identify which apps meet your security standards, and either block or institute compensating controls for ones that don’t.

  • Close a data processing agreement with the cloud apps you’re using. Once you discover the apps in use in your organisation and consolidate those with overlapping functionality, sanction a handful and execute a data processing agreement with them to ensure that they are adhering to the data privacy protection requirements set out in the GDPR.

  • Don’t allow cloud apps to use personal data for other purposes. Ensure through your data processing agreement that apps state clearly in their terms that the customer owns the data and that they do not share the data with third parties.

  • Ensure that you can erase the data when you stop using the app. Make sure that the app’s terms clearly state that you can download your own data immediately and that the app will erase your data immediately once you’ve terminated service.

  • Check that your cloud provider has an effective disaster recovery system in place. With your own cloud-based disaster recovery you can protect workloads no matter where they are stored: on-premises, the cloud, or in hybrid or multi-cloud environments. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident is a legal requirement under GDPR. Demand certain outcomes such as guarantees from suppliers to ensure you are not at risk.

  • Have a centralised database to ensure effective monitoring and logging of data. You should be able to know what’s going on in your environment at all times. When looking at GDPR and the need to prove your compliance and best efforts, keeping track of all events and being able to query backwards is very important.

How will the GDPR affect security in cloud computing?

Responsibility

Many IT buyers assume that because they’re effectively outsourcing the running of their infrastructure to a trusted third party, the provider takes care of everything. However, it is the customer who is 100% responsible for security “in” the cloud – data, apps, identity management, OS, network and firewall configuration, network traffic, server-side encryption, and client-side data.

Centralised control

As employees, applications, and data move beyond the perimeter, IT teams need to be able to simply and effectively manage security from one single place. Complete visibility and control for all internet activity, including traffic to bespoke and SaaS cloud applications, is necessary to remain protected against internal and external threats, like malware, compromised accounts, and data breaches.

Email: The #1 threat vector

The weakest point of security in any organisation is the users, either due to a lack of awareness or security fatigue. Attackers know this, and they target users through email because, with a working email address, a malicious but well-crafted attack could easily get in front of a vulnerable employee.

The first line of defence then should be the protection of the mailbox. Scanning messages for keyword patterns and doing signature-based virus detection are no longer sufficient in the face of advanced threats. Stopping attackers adept at evading basic techniques involves deploying machine learning systems and multilevel intent analysis that are capable of identifying dormant threats without impacting your system’s performance.

Detect, protect and recover

When planning compliance, you always prepare for the worst. The assumption should be that a security breach is only a matter of time. A combination of solutions, encompassing web application firewalls, next-generation firewalls, DDoS mitigation, strong data encryption, identity and access controls, SIEM, IDS/IPS, endpoint protection, and data protection and archiving, should stand you in good stead to protect against cybercrime.
Encrypt everything of value.

 

 


3 tips to ensure data security

1. Keep your data collection legal and ‘fair’
Keep data up to date and delete it if it’s not needed anymore. Let customers know (in layman's terms) exactly what they are consenting to and only collect what you need.

2. Encrypt everything of value
No business is too small to consider itself immune to hacking or a data breach. With hackers and data thieves constantly striving to stay one step ahead of data protection software, it is essential to lock down your info with a sophisticated level of encryption.

3. Form relationships with quality vendors
If a poorly-chosen third party mishandles your data, you’re likely to find your own business held responsible by the ICO. As such, it’s critical to form relationships with quality vendors who have a comprehensive training programme for their staff and use the most advanced detection and prevention methods.

 

 


UK GDPR Compliance: Brexit & GDPR

Despite the UK’s departure from the European Union in 2019, the GDPR (or at least something substantially similar) will still apply. Whilst it is not known at this stage exactly what changes (if any) will occur, the general consensus is that Brexit is not going to prevent the need for data protection and privacy. Those businesses that are conforming to best practice come the time of the UK’s exit will be in the best position.

Data Protection and Compliance: From Obligation to Opportunity

GDPR shouldn’t be seen as a risk but as an opportunity to update your organisation’s approach to risk management, build trust with clients and leverage customer loyalty.

Enhance your cybersecurity

Cyber attacks are increasing in frequency, severity and sophistication, and with an increasing multiplicity of personal devices and the Internet of Things (IoT), there is now an inherent need for a cybersecurity solution that will address the edgeless perimeter present in most offices.

According to the government’s Cyber Security Breaches Survey 2017, the most common breaches include:

  • Fraudulent emails encouraging the reader to share passwords or financial information.
  • Viruses, malware and ransomware.
  • Individuals impersonating the business online.
  • Data/information sent to the wrong individual either digitally or through the post.

The GDPR and cybersecurity are complementary to one another, with both playing a crucial role in keeping data safe. While the GDPR works to ensure processes and procedures are secure, cybersecurity defends and protects virtual stores from human error e.g. phishing scams or malware. Detection-based cybersecurity allows network owners to assess what is going on within the perimeter, track down threats and eliminate them before they pose a serious problem.

To keep your industry reputation pristine and your data secure, your IT department needs to adopt these 5 essential security features:

  • Strong firewalls to protect your network and computers
  • Row and column access control (RCAC)
  • Encrypted portable devices
  • Regular backups and a good backup strategy for your data centre
  • Data leak prevention


Improve data management

GDPR requires businesses to audit all the data they hold. Detecting and disposing of redundant, obsolete and trivial (ROT) files that your organisation retains will slash costs on storing and processing stagnant data that is having a negative effect on your ROI.

Leverage enhanced data

GDPR-compliant businesses can make their products and services better, keep customers happy by making services more efficient, and target them with the right offers at the right time, which in turn creates a much better customer experience journey.

Improve ROI

Businesses with clean databases can leverage a far more captivated market. Whilst it may be narrower in volume, it provides better opportunity to do hyper-personalization, micro-segmentation, and attribution modelling.

Embrace new technologies

GDPR accelerates the adoption of new technology and brings a company’s systems out of the dial-up era and into the cloud-computing age. Adoption of progressive technologies such as machine learning and multilevel intent analysis will prevent targeted phishing attacks, whilst helping customers to exercise their “right to be forgotten” and to browse more efficiently the data you might have stored on them.

Strengthen customer relationships

57% of customers do not trust organisations to manage their data. But under GDPR, greater transparency obligations mean organisations must be clearer with customers around how their personal data is handled. This presents a real opportunity for organisations to boost trust, which in turn could lead to enhanced customer loyalty. Over time, this can play a role in consumer choice.

Define a new business era

GDPR presents an opportunity for businesses to present themselves as human, committed to serving their customers with integrity and respect. By adhering to the GDPR, businesses will cultivate the values of data security in their employees and nurture social responsibility in business. Ultimately, businesses will reap the benefits of a brighter and more trustworthy relationship with their customers.


©  2025 VOHKUS LTD