France: 5G telecoms decision based on security and performance, nobody to be ruled out

France: 5G telecoms decision based on security and performance, nobody to be ruled out

PARIS (Reuters) - Finance Minister Bruno Le Maire said a decision by France regarding the 5G telecoms network would be based on security and performance of networks, and added that Paris would not rule out a specific operator as not being welcome. Last week, French
/
Huawei will continue security support for Android smartphones

Huawei will continue security support for Android smartphones

LONDON (Reuters) - Huawei said on Monday it would continue to provide security updates and services for its smartphones and tablets after being barred from Google updates to its Android operating system. But it did not say what would happen with phones it would sell
/

GDPR Compliance

Set a reminder: On May 25, 2018, the new General Data Protection Regulation directive from the European Union will go into effect. Although its goal to protect consumer data is admirable, about a third of global companies don’t know whether they need to comply with the stricter guidelines.

Spoiler alert: They probably do.

Even companies outside the EU are subject to the regulation if they store or process the data of people who live in Europe. Companies that don’t do any business within the EU aren’t safe, either — just having the data of EU citizens from other channels is enough. Cloud service providers, which were previously insulated from most data privacy liabilities, will be held responsible as “data processors” under GDPR.

Complying with the new rule will not be cheap, with 68 percent of affected U.S. companies anticipating costs above $1 million. Companies that fail to comply could be subject to fines of up to 4 percent of their global revenues. That’s an extreme punishment, but it could hit any company that fails to abide by the GDPR. Companies that only pay lip service to the rules will see the steepest penalties.

How, though, can businesses log every part of every transaction involving EU citizen data? For CSPs with legacy systems, such sweeping changes are nearly impossible — and, when possible, extremely costly.

The better plan is for companies to take this opportunity to upgrade their data security processes. Don’t think of GDPR as the framework. Instead, build a new one. Start and follow data flows; then, map out any business process that collects, uses, retains, stores, or transmits information that falls under the new rule.

The Privacy Challenge

Companies usually only need to worry about privacy when using consumer information. Under GDPR, however, anyone who processes the information is subject to scrutiny.

This new level of responsibility requires companies to stay vigilant about how they interact with consumer data. For CSPs, that means ensuring data can only go where it should, preventing sensitive information associated with one product from being transferred to another.

Logging and tracking information is the most difficult — and most important — aspect of the new rule. EU citizens will soon have the “right to be forgotten,” which allows them to tell search engines and CSPs to erase them from the web.

To respond to requests like the one above, companies must log and tag all their information meticulously. That way, not only can they delete it, but they can also be sure that the information is truly gone. Without these “privacy by design” policies in place, companies will struggle to tell citizens (and regulators) that they’re fully confident the data has been erased.

The Quick and Dirty Guide to GDPR Compliance

Clearly, companies around the world face a steep climb to GDPR compliance. But by following these straightforward strategies, companies can prepare themselves to be as compliant as possible, safeguard EU data, and avoid losing chunks of their revenue in the bargain.

1. Map out Data Flows

By plotting out the process by which they consume, store, and use consumer data, companies can understand to what degree GDPR affects them. Only then can they start to safeguard it according to GDPR standards.

The first question is easy: “Do we have EU data?” If the answer is “no,” then the next question becomes “Are we sure we are not collecting EU data and will not in the future?”

Check whether any clients have customers in the EU and ask whether they collect data. If they answer “yes” to either, ask what their GDPR classification will be. Classifications include processors and controllers, each with its own privacy obligations under the new rule.

With those questions answered, designate someone within the organization to map and maintain data flows. Many businesses have a great deal of documentation on processes, but they fail to overlay that information with the types of data they collect, use, and store. Use this data flow mapping tool to get started.

2. Reduce the Scope

The easiest way to comply with new data rules is to not possess data affected by them. After mapping business processes, identify which ones are critical to your company and which ones are not. Then, dispose of and stop collecting non-critical information, starting with the processes that make GDPR compliance more complex.

Although the EU doesn’t use Social Security numbers, it provides a good example for stateside companies. Scan the network for areas where Social Security numbers are stored; then, work outward to identify other collected information, such as dates of birth, addresses, and more.

Define what data is considered protected by the EU, and then use data discovery or loss protection and prevention tools to scan the environment for various rule sets on protected data.

3. Perform a Gap Analysis

After defining and reducing the scope, the next step is to identify areas of higher risk. Where does the company collect and store large quantities of data, how is that information stored, and what are the risks of breach or improper use of information? Work down from the area of highest risk to tackle pressing issues first. Then, do a full sweep of data collection areas within the company.

This process is sometimes referred to as a privacy impact assessment (PIA) or GDPR’s required data protection assessment (DPIA). Rather than do a PIA or DPIA once and forget the results, establish a cadence to complete sweeps of all data collection areas. Hit different processes as time passes; then, swing back around and do it again to prevent oversights.

4.Designate a Privacy Officer

Compliance isn’t a one-time event. Create a committee to assess compliance on a monthly or quarterly basis. By starting with a group, the person who should be in charge will emerge naturally over time.

GDPR encourages companies to retain a privacy officer within the company. If the committee leader can’t formally assume those duties, the officer could be a new hire, a pivot from an existing role, or simply the CIO. After setting up that role, empower that person to own the road map of compliance and correct mistakes when discovered.

GDPR sets a new standard for data stewardship across the world. It will take time before the full effects of the regulation become clear, but for CSPs and other companies involved in data, compliance must come first. Follow this guide to safeguard data, create better internal processes, and avoid costly penalties.

By Brad Thies

Brad Thies

Brad Thies is the founder and president of BARR Advisory, an assurance and advisory firm specializing in cybersecurity, risk management, and compliance. Brad speaks regularly at industry events such as ISACA conferences, and he is a member of AICPA’s Trust Information Integrity Task Force. Brad’s advice has been featured in Entrepreneur, Small Business CEO, and Information Security Buzz. Prior to founding BARR, Brad managed KPMG's risk consulting division. He is a CPA and CISA.

View Website
5 Predictions for Data in the Cloud and Cloud Platforms

5 Predictions for Data in the Cloud and Cloud Platforms

5 Predictions for Data in the Cloud 2017 has proven to be a big year for migrating data to the ...
Apcela

Can your network meet the challenges of Office 365?

Network Challenges of Office 365 Microsoft's focus on growing commercial adoption of Office 365 in 2018 has resulted in the ...
ERP Ain’t Got the Same Soul, I Like that Old Time Rock ‘n’ Roll

ERP Ain’t Got the Same Soul, I Like that Old Time Rock ‘n’ Roll

Designing Enterprise Software around People Looking back, business owners talked to their customers and employees in person or by phone ...
Critical Success Factors when shifting Workloads into the Cloud

Critical Success Factors when shifting Workloads into the Cloud

Shifting Workloads into the Cloud By 2020, 92 percent of all workloads will reside in the cloud. Yet challenges remain ...