China Ascendant? Maybe, Maybe Not

China Ascendant? Maybe, Maybe Not

China seems to be beating us at leadership in tech in just about every category. In a decade they are supposed to be the largest economy in the world. But is it all built on a foundation of sand? China and the US are in
Have You Spotted the Turn?

Have You Spotted the Turn?

You are hammered to be ready for the latest technologies. But all of them have lifecycles. It is just as important to identify when they’re diminishing, maybe even dying. Look for the turn or risk a millstone around your neck. They seem like they will

GDPR Compliance

Set a reminder: On May 25, 2018, the new General Data Protection Regulation directive from the European Union will go into effect. Although its goal to protect consumer data is admirable, about a third of global companies don’t know whether they need to comply with the stricter guidelines.

Spoiler alert: They probably do.

Even companies outside the EU are subject to the regulation if they store or process the data of people who live in Europe. Companies that don’t do any business within the EU aren’t safe, either — just having the data of EU citizens from other channels is enough. Cloud service providers, which were previously insulated from most data privacy liabilities, will be held responsible as “data processors” under GDPR.

Complying with the new rule will not be cheap, with 68 percent of affected U.S. companies anticipating costs above $1 million. Companies that fail to comply could be subject to fines of up to 4 percent of their global revenues. That’s an extreme punishment, but it could hit any company that fails to abide by the GDPR. Companies that only pay lip service to the rules will see the steepest penalties.

How, though, can businesses log every part of every transaction involving EU citizen data? For CSPs with legacy systems, such sweeping changes are nearly impossible — and, when possible, extremely costly.

The better plan is for companies to take this opportunity to upgrade their data security processes. Don’t think of GDPR as the framework. Instead, build a new one. Start and follow data flows; then, map out any business process that collects, uses, retains, stores, or transmits information that falls under the new rule.

The Privacy Challenge

Companies usually only need to worry about privacy when using consumer information. Under GDPR, however, anyone who processes the information is subject to scrutiny.

This new level of responsibility requires companies to stay vigilant about how they interact with consumer data. For CSPs, that means ensuring data can only go where it should, preventing sensitive information associated with one product from being transferred to another.

Logging and tracking information is the most difficult — and most important — aspect of the new rule. EU citizens will soon have the “right to be forgotten,” which allows them to tell search engines and CSPs to erase them from the web.

To respond to requests like the one above, companies must log and tag all their information meticulously. That way, not only can they delete it, but they can also be sure that the information is truly gone. Without these “privacy by design” policies in place, companies will struggle to tell citizens (and regulators) that they’re fully confident the data has been erased.

The Quick and Dirty Guide to GDPR Compliance

Clearly, companies around the world face a steep climb to GDPR compliance. But by following these straightforward strategies, companies can prepare themselves to be as compliant as possible, safeguard EU data, and avoid losing chunks of their revenue in the bargain.

1. Map out Data Flows

By plotting out the process by which they consume, store, and use consumer data, companies can understand to what degree GDPR affects them. Only then can they start to safeguard it according to GDPR standards.

The first question is easy: “Do we have EU data?” If the answer is “no,” then the next question becomes “Are we sure we are not collecting EU data and will not in the future?”

Check whether any clients have customers in the EU and ask whether they collect data. If they answer “yes” to either, ask what their GDPR classification will be. Classifications include processors and controllers, each with its own privacy obligations under the new rule.

With those questions answered, designate someone within the organization to map and maintain data flows. Many businesses have a great deal of documentation on processes, but they fail to overlay that information with the types of data they collect, use, and store. Use this data flow mapping tool to get started.

2. Reduce the Scope

The easiest way to comply with new data rules is to not possess data affected by them. After mapping business processes, identify which ones are critical to your company and which ones are not. Then, dispose of and stop collecting non-critical information, starting with the processes that make GDPR compliance more complex.

Although the EU doesn’t use Social Security numbers, it provides a good example for stateside companies. Scan the network for areas where Social Security numbers are stored; then, work outward to identify other collected information, such as dates of birth, addresses, and more.

Define what data is considered protected by the EU, and then use data discovery or loss protection and prevention tools to scan the environment for various rule sets on protected data.

3. Perform a Gap Analysis

After defining and reducing the scope, the next step is to identify areas of higher risk. Where does the company collect and store large quantities of data, how is that information stored, and what are the risks of breach or improper use of information? Work down from the area of highest risk to tackle pressing issues first. Then, do a full sweep of data collection areas within the company.

This process is sometimes referred to as a privacy impact assessment (PIA) or GDPR’s required data protection assessment (DPIA). Rather than do a PIA or DPIA once and forget the results, establish a cadence to complete sweeps of all data collection areas. Hit different processes as time passes; then, swing back around and do it again to prevent oversights.

4.Designate a Privacy Officer

Compliance isn’t a one-time event. Create a committee to assess compliance on a monthly or quarterly basis. By starting with a group, the person who should be in charge will emerge naturally over time.

GDPR encourages companies to retain a privacy officer within the company. If the committee leader can’t formally assume those duties, the officer could be a new hire, a pivot from an existing role, or simply the CIO. After setting up that role, empower that person to own the road map of compliance and correct mistakes when discovered.

GDPR sets a new standard for data stewardship across the world. It will take time before the full effects of the regulation become clear, but for CSPs and other companies involved in data, compliance must come first. Follow this guide to safeguard data, create better internal processes, and avoid costly penalties.

By Brad Thies

Brad Thies

Brad Thies is the founder and president of BARR Advisory, an assurance and advisory firm specializing in cybersecurity, risk management, and compliance. Brad speaks regularly at industry events such as ISACA conferences, and he is a member of AICPA’s Trust Information Integrity Task Force. Brad’s advice has been featured in Entrepreneur, Small Business CEO, and Information Security Buzz. Prior to founding BARR, Brad managed KPMG's risk consulting division. He is a CPA and CISA.

View Website

TOP ARCHIVES

10 Enterprise Analytics Trends to Look Out For in 2019

10 Enterprise Analytics Trends to Look Out For in 2019

10 Enterprise Analytics Trends Today’s intelligent world requires more from businesses then they have ever had to deliver. Prioritizing and ...
BitTitan Cloud Predictions and IT Migration Trends for 2019

BitTitan Cloud Predictions and IT Migration Trends for 2019

IT Migration Trends The beginning of a new year is an ambitious time for people and businesses. Strategic initiatives are ...
5 Simple Tips to Help Avoid Ransomware

5 Simple Tips to Help Avoid Ransomware

5 Tips to Avoid Ransomware Ransomware is a particularly pernicious form of malware: unsatiated by simply using your system as ...
Apcela

Can your network meet the challenges of Office 365?

Network Challenges of Office 365 Microsoft's focus on growing commercial adoption of Office 365 in 2018 has resulted in the ...
Why Accept the Hype? Time to Transform How We Approach Emerging Technology

Why Accept the Hype? Time to Transform How We Approach Emerging Technology

Time to Transform How We Approach Emerging Technology It’s like a rite of passage – a new technology pops onto ...
Four Tips For Better Information Security In The Cloud

Four Tips For Better Information Security In The Cloud

Information Security Businesses are increasingly relying on cloud based application deployments and are open to entrusting their most critical data to it. Unlike the early days of cloud, now, there is wider acceptance that cloud-based data can be as secure ...
10 Prototyping Tools To Help Build Your Startup

10 Prototyping Tools To Help Build Your Startup

Prototyping Tools We are continuing this week by focusing on startup tools, tips and tweaks that will help you build, design, manage and market your way into the cloud based business that you want to be. Last week we offered a ...
12 WordPress Managed Hosting Services

12 WordPress Managed Hosting Services

WordPress Hosting Services WordPress hosting services has exploded in popularity as a blogging tool and content management system in recent years, and is now used by more than 23.3 percent (2018 Edit: 53%) of the top 10 million websites worldwide. Due ...

CLOUD PROGRAMS

Project Management Course Bundle

Project Management Course Bundle

Need to earn 60 PDUs to maintain your Project Management Professional (PMP)® certification? Are you also looking for a high quality and interesting training program to fulfill this requirement? ...

$999.00Enroll Now

Certificate Program: Essentials of Cybersecurity

Certificate Program: Essentials of Cybersecurity

What You'll Learn: Describe the vast array of roles and sectors within the Cybersecurity industry; Explain the relationship between management and technology in cybersecurity protection; Identify appropriate types of security controls to the actions of different and evolving threat actors; ...

$396.00 $356.40Learn More

Cloud Community Supporters

(ISC)²
AWS
HPE
CA Technologies
Cisco

Cloud community support comes from sponsorship, service opportunities and collaborative network partnership initiatives.