Cybersecurity: GDPR a new element to consider
GDPR (General Data Protection Regulation) will apply from May 25th 2018 in all EU countries. This regulation imposes strict rules on the personal data of people in the EU (it applies to data subjects in the Union, not only to EU citizens). A GDPR guide is therefore necessary. With 18 months to go before it takes effect, many companies are not yet prepared. According to a recent survey by Veritas, more than half of the businesses examined (54%) have not started any kind of process to meet GDPR's minimum requirements. The survey covers more than 2,500 senior decision makers from hi-tech companies.
Another study, by Dell and Dimensional Research, shows the same kind of result: according to it, just 9% of IT professionals are ready for GDPR. A further study (Osservatorio Security & Privacy del Politecnico di Milano) shows that Italian companies are heavily behind schedule in implementing GDPR.
What is GDPR?
The European Parliament adopted this set of rules in April 2016, after four years of discussion and negotiation. The rules strengthen data protection in response to growing concern about privacy. Who needs to prepare for them? Every company established in the EU, and every company that, even if established outside the EU, processes the personal data of people in the EU. GDPR also introduces a new role: the Data Protection Officer (DPO).
As a regulation it applies directly in all 28 member states, replacing the national transpositions of the previous Data Protection Directive. GDPR violations are a serious matter: administrative fines of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher.
GDPR guide: what are companies afraid of?
According to the Veritas survey, almost 40% of companies think they will not be ready. 31% of companies are worried about the damage to brand reputation that poor data handling practices could cause.
Shared responsibility is crucial to prevent these outcomes. GDPR data protection implies a compliance programme that the whole company supports. According to a report by AvePoint and the think tank Centre for Information Policy Leadership (CIPL), companies should integrate data protection requirements into all of their business processes.
GDPR guide: who’s responsible?
It is not obvious who should be responsible for applying the rules. 32% of those interviewed think it should be the Chief Information Officer (CIO), 21% attribute it to the Chief Information Security Officer (CISO), while 14% think the CEO should be responsible. The remaining 10% point to the Chief Data Officer as the person in charge.
According to the AvePoint and CIPL report, all of these members of the organization are responsible for data processing: “GDPR and privacy compliance are strictly related to business data strategy, big data and analytics. Data are necessary, not only for business. That is why GDPR implementation must be a synergic effort. All of the executives should cooperate.”
GDPR guide: violation warning
Those responsible for the data (the data controller) must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to people's rights and freedoms. Moreover, the affected individuals themselves must be informed without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Many companies have already set up a procedure to alert the authorities and developed an internal incident response plan, which allows them to meet these new requirements. However, unlike in the US, where breach notification is already mandatory across sectors, only a minority of companies have real plans in place to notify the competent authorities. Moreover, most companies do not carry any cyber insurance.
GDPR guide: high-risk data
When companies use new technologies, or carry out processing that is likely to result in a high risk to people's rights and freedoms, a formal Data Protection Impact Assessment (DPIA) becomes mandatory. It covers several kinds of processing activity, including the systematic, large-scale monitoring of publicly accessible areas (for example CCTV).
The right approach is to set up a risk assessment process for data privacy that ensures compliance. The UK Information Commissioner's Office (ICO) suggests that a DPIA should contain a short description of the processing operations, an assessment of the risks to individuals, and the measures and safeguards envisaged to address those risks.
Particular attention should be paid to data handled by cloud services on external premises. Cloud providers must guarantee that their processing conforms to GDPR; the customer that decides the purposes of the processing normally remains the controller, and the provider acts as a processor under a written data processing agreement.
This is why a group of cloud providers launched CISPE (Cloud Infrastructure Services Providers in Europe) and its data protection code of conduct. In short, providers that sign up commit to offering services aligned with GDPR.
GDPR guide: data handling and processing
The new right to data portability lets individuals obtain their personal data and transmit it to another organization in a structured, commonly used and machine-readable format. Companies must also honour the right to erasure (the “right to be forgotten”) when the data are no longer necessary for the purpose for which they were collected.
Data policies and handling procedures must be reviewed too, since those in charge will be held accountable under GDPR. Companies need to start keeping records of all their processing activities, with the information catalogued and classified.
GDPR guide: an opportunity for digital economy
At first, GDPR might seem burdensome for companies. However, this set of rules should have a positive impact both on the public and on the companies that deal with data.
“GDPR represents a big chance to consider data privacy in a strategic and holistic way, as it becomes the key to the data strategy and digital transformation of the business”, said Bojana Bellamy, CIPL CEO.
“With the right policies and proper planning, companies can benefit from greater credibility if users trust their data security.” Elizabeth Denham, the UK Information Commissioner, continues: “The digital economy implies the collection and trade of sensitive data. Growth of the digital economy requires people's trust; they need to be aware of data security.”
What is the solution?
In order to provide your business with the best tools available, Swascan, together with Raoul Chiesa (Raoul Chiesa interview), developed a dedicated cybersecurity platform. It is completely cloud-based, pay-per-use and delivered as SaaS. You can see for yourself in our brochure (Cybersecurity platform) and have an in-depth look at our services. Our three services cover governance needs in terms of risk management and periodic assessment. If you need to understand the areas on which to focus your efforts, Vulnerability Assessment, Network Scan and Code Review are the right tools for you. Last but not least, don't forget GDPR: our platform is 100% GDPR compliant (GDPR infographic).