Foregenix Blog

Richard Jones

GDPR – Keeping things simple.

GDPR, Cybersecurity

02/11/17 10:33


Type GDPR into Google and you will get just shy of 6 million results. Factor in the complexity of each and every article and it’s easy to see why many are parking it in the ‘too difficult’ pile...

That said, the UK's ICO is doing a pretty good job of busting a few myths and articulating the requirements in easily digestible chunks. When you strip away the layers of GDPR, at its core it is similar to the current Data Protection Act (DPA). It has simply been scaled up to reflect the tech-centric environments within which all organisations now operate.

Data has been described as the new ‘oil’. As such, it now holds a value way beyond what it did when the current DPA was conceived back in 1998. It is for this reason that businesses will be required to protect and use Personally Identifiable Information (PII) in much the same way as we have come to trust financial institutions to invest and protect our money. There is, however, one key difference.

For the most part we pay a financial institution to do a job for us, and we also accept that investments can work for us or against us. Where our PII is concerned, privacy and security should be taken as a given, whether or not they are fundamental to an organisation's ability to deliver the service for which it has been engaged.

Whilst accidents happen in all aspects of our lives, data breaches are all too often thought of as simply an unavoidable consequence of operating online. GDPR sets out to change that by placing a clear level of responsibility on those who rely on PII to deliver their services, be they commercial or otherwise.

As we have said before in other blog posts, GDPR is not about fines. It’s about the customers, patients, passengers, guests, fans, members and benefactors. Regardless of how they are seen within the context of a business, their data needs to be used and protected in line with the GDPR. For most, it should really be a case of ‘beefing up’ what is already being done and putting an organisation into what could be described as a ‘defensible position’.

With no defined standard or audit process like PCI DSS, no certified assessors and no pass/fail assessment, compliance with GDPR requires organisations to engage expertise to support them in the right areas. Some aspects of GDPR will be one-off changes to business policies, procedures and processes to meet a requirement. Other aspects will be more dynamic, requiring ongoing improvement; particularly those surrounding the security of personal data, where the ability to detect, investigate and report a breach has to be maintained rather than demonstrated once.

Changes to the ‘cyber threat-scape’ mean that organisations must remain constantly vigilant for signs of a potential data breach. It is also important to bear in mind that, with an insatiable appetite for PII, new pockets of non-compliance can crop up at any time: a spreadsheet export here, a test database copied from production there. This is why ongoing data discovery, knowing where personal data actually lives across the estate rather than where policy says it should, will prove to be an essential requirement for keeping businesses operating as usual.

As they say ‘many hands make light work’ which I believe will very much be the case with GDPR. Not necessarily in terms of getting to a state of compliance, but putting an organisation into the domain of being in a ‘defensible position’.

The business will need to be doing the right things all the time, and to achieve this the onus will be on education. It will be down to businesses to create a culture of awareness, whereby PII is treated with the reverence given to cash in a traditional trading environment. From an early age we become unconsciously competent when it comes to money. We value it and certainly do not leave it lying around, be it our own or that of those who have entrusted us with it. Put simply, we respect it, no questions asked. The same should ultimately apply to PII. Can it get simpler than that?
