
Foregenix Blog

Richard Jones

GDPR – Keeping things simple.

GDPR, Cybersecurity

02/11/17 10:33

Type GDPR into Google and you will get just shy of 6 million results. Factor in the complexity of each and every article and it’s easy to see why many are parking it in the ‘too difficult’ pile...

That said, the UK's ICO is doing a pretty good job of busting a few myths and articulating the requirements in easily digestible chunks. When you strip away the layers of GDPR, at its core it's similar to the current Data Protection Act (DPA). It's just been scaled up to reflect the tech-centric environments within which all organisations now operate.

Data has been described as the new 'oil'. As such, it now holds a value way beyond what it did when the current DPA was conceived back in 1998. It's for this reason that businesses will be required to protect and use Personally Identifiable Information (PII) in much the same way as we have come to trust financial institutions to invest and protect our money. There is, however, one key difference.

For the most part we pay the financial institution to do a job for us and also accept that investments can work for us or against us. Where our PII is concerned, privacy and security should be taken as a given, whether or not it is fundamental to an organisation's ability to deliver the service for which it has been engaged.

Whilst accidents happen in all aspects of our life, data breaches are all too often thought of as simply an unavoidable consequence of operating online. GDPR sets out to change that by enforcing a level of responsibility on those who rely on PII to deliver their services, be they commercial or otherwise.

As we have said before in other blog posts, GDPR is not about fines. It’s about the customers, patients, passengers, guests, fans, members and benefactors. Regardless of how they are seen within the context of a business, their data needs to be used and protected in line with the GDPR. For most, it should really be a case of ‘beefing up’ what is already being done and putting an organisation into what could be described as a ‘defensible position’.

With no defined standard or audit process like PCI DSS, no certified assessors and no pass/fail assessment, compliance with GDPR requires organisations to engage with expertise to support them in the right areas. Some aspects of GDPR will be one-off changes to business policies, procedures and processes in compliance with the requirement. Other aspects will be more dynamic, requiring ongoing improvements, particularly those surrounding the security of personal data.

Changes to the 'cyber threat-scape' mean that organisations must remain constantly vigilant for signs of a potential data breach. It's also important to bear in mind that, with an insatiable appetite for PII, new pockets of non-compliance can crop up at any time. This is why dynamic data discovery will prove to be an essential requirement to keep businesses operating as usual.

As they say, 'many hands make light work', which I believe will very much be the case with GDPR. Not necessarily in terms of getting to a state of compliance, but in putting an organisation into the domain of being in a 'defensible position'.

The business will need to be doing the right things all the time and, to achieve this, the onus will be on education. It will be down to businesses to create a culture of awareness, whereby PII is treated with the reverence of cash in a traditional trading environment. From an early age we become unconsciously competent when it comes to money. We value it and certainly don't leave it lying around, be it our own or that of those who have entrusted us with it. Put simply, we respect it, no questions asked. The same should ultimately apply to PII. Can it get simpler than that?
