Foregenix Blog

Richard Jones

GDPR – Keeping things simple.

02/11/17 10:33


Type GDPR into Google and you will get just shy of 6 million results. Factor in the complexity of each and every article and it’s easy to see why many are parking it in the ‘too difficult’ pile...

That said, the UK's ICO is doing a pretty good job of busting a few myths and articulating the requirements in easily digestible chunks. When you strip away the layers of GDPR, at its core it's similar to the current Data Protection Act (DPA). It's just been scaled up to reflect the tech-centric environments within which all organisations now operate.

Data has been described as the new 'oil'. As such, it now holds a value way beyond what it did when the current DPA was conceived back in 1998. It's for this reason that businesses will be required to protect and use Personally Identifiable Information (PII) in much the same way as we have come to trust financial institutions to invest and protect our money. There is, however, one key difference.

For the most part we pay the financial institution to do a job for us and also accept that investments can work for us or against us. Where our PII is concerned, privacy and security should be taken as a given, whether or not they are fundamental to an organisation's ability to deliver the service for which it has been engaged.

Whilst accidents happen in all aspects of our lives, data breaches are all too often thought of as simply an unavoidable consequence of operating online. GDPR sets out to change that by enforcing a level of responsibility on those who rely on PII to deliver their services, be they commercial or otherwise.

As we have said before in other blog posts, GDPR is not about fines. It’s about the customers, patients, passengers, guests, fans, members and benefactors. Regardless of how they are seen within the context of a business, their data needs to be used and protected in line with the GDPR. For most, it should really be a case of ‘beefing up’ what is already being done and putting an organisation into what could be described as a ‘defensible position’.

With no defined standard or audit process like PCI DSS, no certified assessors and no pass/fail assessment, compliance with GDPR requires organisations to engage expertise to support them in the right areas. Some aspects of GDPR will be one-off changes to business policies, procedures and processes in compliance with the requirement. Other aspects will be more dynamic, requiring ongoing improvements, particularly those surrounding the security of personal data.

Changes to the 'cyber threat-scape' mean that organisations must remain constantly vigilant for signs of a potential data breach. It's also important to bear in mind that, with an insatiable appetite for PII, new pockets of non-compliance can crop up at any time. This is why dynamic data discovery will prove to be an essential requirement for keeping businesses operating as usual.

As they say, 'many hands make light work', which I believe will very much be the case with GDPR. Not necessarily in terms of getting to a state of compliance, but in putting an organisation into the domain of being in a 'defensible position'.

The business will need to be doing the right things all the time, and to achieve this the onus will be on education. It will be down to businesses to create a culture of awareness, whereby PII is treated with the reverence of cash in a traditional trading environment. From an early age we become unconsciously competent when it comes to money. We value it and certainly don't leave it lying around, be it our own or that of those who have entrusted us with it. Put simply, we respect it, no questions asked. The same should ultimately apply to PII. Can it get simpler than that?
