Artificial intelligence and automation initiatives are proliferating. We’re seeing more proactive and predictive analytics to harness data intelligently. Consumers are demanding more digital centralisation for their connected technologies.
Distributed workforces want consistent multi-channel-per-user collaborative experiences. And organisations that thought they were well positioned ahead of GDPR have woken up to the fact that areas like their supply chains may not be as joined up as they thought.
Across all these trends a common thread is getting security right. Enterprise/project risk assessments and compliance objectives emphasise the need for security by design in everything. Vohkus can help you stay ahead of the game.
Organisations must use appropriate technical and organisational security measures to protect personal data against unauthorised processing and accidental loss, disclosure, access, destruction, or alteration.
Organisations may only hold on to personal data for as long as is necessary to fulfil the intended purpose of collection.
If the individual requests at any time that their data should be deleted, the data controller has to comply with that request and confirm the deletion, not only from their own systems but from the systems of any downstream vendors (e.g. cloud providers) that were processing that data on behalf of the organisation.
Compliance and security challenges in today’s tech-oriented world:
Technology thrives on certainty, rules and clear requirements, yet the GDPR is both complex and open to interpretation.
The GDPR requires organisations to manage all personal data, yet many do not know where all their personal data resides.
The GDPR requires organisations to control the processing of all personal information, yet the rise of shadow IT takes control away from the IT department and disperses it across the business functions.
Finding impartial, reliable advice is difficult with an explosion of solutions on the market that promise great things but have not had the time to mature and prove their credibility.
IT: managing and securing data, technology stacks and the solution.
Not having a clear process for capturing, storing, securing and processing data and the ever-expanding technology stacks are just some of the issues that GDPR is trying to solve. As such, it is obvious that as well as being part of the problem, information technology must be part of the solution.
“Privacy by design”
Good data protection means technology needs to be matched to your processes, not the other way around. Embedding privacy and data protection into the design and architecture of IT systems, technology infrastructure and business practices is, therefore, an integral part of any initiative from the outset. This removes the potential for human error and alleviates any concern around a breach. Using the GDPR framework as a basis for assessing the capabilities of a current technology stack and determining core gaps in basic functionality ensures a proactive approach to privacy rather than a reactive one.
Risk-based security ensures that priorities are established and decisions are made through a process of evaluating data sensitivity, system vulnerability and the likelihood of threats. This is a key component of knowing your current state and essential for building an appropriate GDPR compliant programme.
The GDPR requires organisations to report certain types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. This is despite the fact that 191 days is the average time it takes to identify a breach. Having toolsets in place that can identify incidents across your estate is an effective mitigation tactic. Real-time visibility of events, alerts and notifications ensures your business can take rapid action to avoid or resolve system issues.
Incidents and outages can be minimised by outsourcing your system administration. IT consultants can provide traditional 'housekeeping' and patch management, automated event response and root cause analysis to identify breaches and maximise system availability.
Under the GDPR, employees within an organisation are also considered data subjects. Employees who are responsible for processing a client’s personal data should be fully up to date with your company’s GDPR compliance programme and how it will affect how they collect, process and access personal data. Don’t get caught up in the processing of external data and forget about your internal procedures and obligations to protect employees under GDPR.
Not only do data centres handle customer data and financial information, they are also essential to the daily operations of thousands of businesses. Consequently, data centre providers are heavily affected by an important piece in the GDPR compliance chain.
As both controllers of their own data and processors of data that is controlled by third parties, data centre operators potentially have dual liability under the legislation.
Firstly, as data controllers of personal information that they hold, store and process for their own purposes.
Secondly, as data processors of data held within their facilities by third-party data controllers – their customers.
Giving customers and clients confidence in their data storage is a major issue data centres have to confront when it comes to complying with the GDPR. If a breach or hack occurs, customers need to trust the data centre to deal with it effectively and immediately. Implementing appropriate technical and organisational measures to be able to demonstrate that processing is performed in accordance with the GDPR is essential for instilling confidence in data centres' customers. This means running internal security audits and hiring dedicated staff whose sole responsibility is data safety.
Cloud Security: How to ensure GDPR compliance in the cloud
Cloud models by definition involve workloads and information that are not on-premises but distributed, managed and processed across hardware, software and networks/systems of third parties. Organisations need to be working with providers to understand where data is.
Know the location where cloud apps are processing or storing data. Identify all of the active cloud apps in your organisation and establish where they are hosting your data. Consider that cloud providers may also have members of staff, data centres, parent organisations and processes scattered around the world. The flow of data between all of them needs to be protected.
Take adequate security measures to protect personal data from loss, alteration, or unauthorised processing. Security investments extended off premises need to integrate seamlessly with current security layers so that your employees are protected anywhere they work – and on any device. Identify which apps meet your security standards, and either block or institute compensating controls for ones that don't.
Conclude a data processing agreement with the cloud apps you're using. Once you discover the apps in use in your organisation and consolidate those with overlapping functionality, sanction a handful and execute a data processing agreement with them to ensure that they are adhering to the data privacy protection requirements set out in the GDPR.
Don’t allow cloud apps to use personal data for other purposes. Ensure through your data processing agreement that apps state clearly in their terms that the customer owns the data and that they do not share the data with third parties.
Ensure that you can erase the data when you stop using the app. Make sure that the app’s terms clearly state that you can download your own data immediately and that the app will erase your data immediately once you’ve terminated service.
Check that your cloud provider has an effective disaster recovery system in place. With your own cloud-based disaster recovery you can protect workloads no matter where they are stored: on-premises, the cloud, or in hybrid or multi-cloud environments. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident is a legal requirement under GDPR. Demand certain outcomes such as guarantees from suppliers to ensure you are not at risk.
Have a centralised database to ensure effective monitoring and logging of data. You should be able to know what's going on in your environment at all times. When looking at the GDPR and the need to prove your compliance and best efforts, keeping track of all events and being able to query backwards is very important.
How will the GDPR affect security in cloud computing?
Many IT buyers assume that because they’re effectively outsourcing the running of their infrastructure to a trusted third party, the provider takes care of everything. However, it is the customer who is 100% responsible for security “in” the cloud – data, apps, identity management, OS, network and firewall configuration, network traffic, server-side encryption, and client-side data.
As employees, applications, and data move beyond the perimeter, IT teams need to be able to simply and effectively manage security from one single place. Complete visibility and control for all internet activity, including traffic to bespoke and SaaS cloud applications, is necessary to remain protected against internal and external threats, like malware, compromised accounts, and data breaches.
Email: The #1 threat vector
The weakest point of security in any organisation is the users, either due to a lack of awareness or security fatigue. Attackers know this, and they target users through email because, with a working email address, a malicious but well-crafted attack could easily get in front of a vulnerable employee.
When planning compliance, you always prepare for the worst. The assumption should be that a security breach is only a matter of time. A combination of solutions, encompassing web application firewalls, next-generation firewalls, DDoS mitigation, strong data encryption, identity and access controls, SIEM, IDS/IPS, endpoint protection and data protection and archiving should put you in good stead to protect against cybercrime. Encrypt everything of value.
1. Keep your data collection legal and 'fair'. Keep data up to date and delete it if it's not needed anymore. Let customers know (in layman's terms) exactly what they are consenting to, and only collect what you need.
3. Form relationships with quality vendors. If a poorly chosen third party mishandles your data, you're likely to find your own business held responsible by the ICO. As such, it's critical to form relationships with quality vendors who have a comprehensive training programme for their staff and use the most advanced detection and prevention methods.
Despite the UK's departure from the European Union in 2019, the GDPR (or at least something substantially similar) will still apply. Whilst it is not known at this stage exactly what changes (if any) will occur, the general consensus is that Brexit is not going to remove the need for data protection and privacy. Those businesses that are conforming to best practice come the time of the UK's exit will be in the best position.
Data Protection and Compliance: From Obligation to Opportunity
GDPR shouldn’t be seen as a risk but as an opportunity to update your organisation’s approach to risk management, build trust with clients and leverage customer loyalty.
Enhance your cybersecurity
Cyber attacks are increasing in frequency, severity and sophistication, and with an increasing multiplicity of personal devices and the Internet of Things (IoT), there is an inherent need for a cybersecurity solution that will address the edgeless perimeter present in most offices. Common threats include:
Fraudulent emails encouraging the reader to share passwords or financial information.
Viruses, malware and ransomware.
Individuals impersonating the business online.
Data/information sent to the wrong individual either digitally or through the post.
The GDPR and cybersecurity are complementary to one another, with both playing a crucial role in keeping data safe. While the GDPR works to ensure processes and procedures are secure, cybersecurity defends and protects virtual stores from human error e.g. phishing scams or malware. Detection-based cybersecurity allows network owners to assess what is going on within the perimeter, track down threats and eliminate them before they pose a serious problem.
GDPR requires businesses to audit all the data they hold. Detecting and disposing of redundant, obsolete and trivial (ROT) files that your organisation retains will slash costs on storing and processing stagnant data that is having a negative effect on your ROI.
Leverage enhanced data
GDPR-compliant businesses can make their products and services better, keep customers happy by making services more efficient, and target them with the right offers at the right time, which in turn creates a much better customer experience journey.
Businesses with clean databases can leverage a far more captivated market. Whilst it may be narrower in volume, it provides a better opportunity for hyper-personalisation, micro-segmentation and attribution modelling.
Embrace new technologies
GDPR accelerates the adoption of new technology and brings a company's systems out of the dial-up era and into the cloud-computing age. Adoption of progressive technologies such as machine learning and multilevel intent analysis will prevent targeted phishing attacks, whilst helping customers exercise their "right to be forgotten" and browse the data you might have stored on them more efficiently.
Strengthen customer relationships
57% of customers do not trust organisations to manage their data. But under GDPR, greater transparency obligations mean organisations must be clearer with customers around how their personal data is handled. This presents a real opportunity for organisations to boost trust, which in turn could lead to enhanced customer loyalty. Over time, this can play a role in consumer choice.
Define a new business era
GDPR presents an opportunity for businesses to present themselves as human and committed to serving their customers with integrity and respect. By adhering to the GDPR, businesses will cultivate the values of data security in their employees and nurture social responsibility in business. Ultimately, businesses will reap the benefits of a brighter and more trustworthy relationship with their customers.