Tag: GDPR

GDPR worked but has a few kinks

The European Union (EU) General Data Protection Regulation (GDPR) has been assessed as an overall success in terms of meeting expectations and objectives, but a two-year progress report suggests that there are still a few kinks which need to be ironed out.

The European Commission (EC) said it would be premature to draw definite conclusions as to the application of the GDPR, and to provide for proposals for any revisions, but said it had identified a number of areas where improvements could eventually be made.

It said that the GDPR had made EU citizens feel more empowered and aware of their enforceable rights and protections – according to the EU Fundamental Rights Agency, 69 percent of those aged over 16 have heard of the GDPR, and 71 percent have heard about their national data protection agency. In general, it said, people feel they can play an active role in controlling their data.

GDPR helping cyber criminals

While GDPR has been important in making sure that companies look after customers’ data, it is also providing an opportunity for cyber criminals to further their own agenda.

BlackBerry has found a new trend in the last couple of years with ransomware groups using GDPR to their advantage, threatening to alert data regulators to the fact that victims had been breached, adding additional pressure on the targets to cave to their demands.

Adam Bangle, Vice President EMEA at BlackBerry, said that two years ago, few could have predicted that a regulation put in place to make data safer could turn into a tool for blackmail.

Brits start to understand need to encrypt

Apricorn today announced findings from a survey highlighting the rise in encryption technology post-GDPR enforcement. Two-thirds of respondents now hardware-encrypt all information as standard, which is a positive step considering over a quarter noted the lack of encryption as being one of the leading causes of a data breach within their organisation.

After a year of GDPR, firms still don’t get it

GDPR’s one-year milestone is less than a month away, but organisations are still failing to protect personal data, according to ESET researchers.

Unencrypted USB devices are still widely used by businesses despite the fact that unsecured data could lead to GDPR fines. New research conducted by global security company ESET, and Kingston Technology, a world leader in technology products, shows that 55 percent of businesses don’t encrypt their removable devices, leaving themselves exposed to data leaks.

Government and security companies will improve regulation in 2019

Barracuda Networks has been playing poker with tarot cards in the staff cafe and given ChannelEye its 2019 predictions.

BJ Jenkins, President & CEO, said he thought that over the next year government and security companies would start to work together to improve regulations to protect companies and individuals.

“Time after time, organisations have shown they cannot be trusted with users’ data because it is not secured correctly and ends up available to be exploited easily by attackers.”

Education sector’s compliance with GDPR low

New research has revealed that there are low levels of GDPR compliance among educational facilities. Hardly a surprise.

A survey conducted by NW Security Group finds only 22 percent of schools, colleges and universities believe their data protection policies are up to scratch in the run-up to GDPR’s deadline.

Despite high levels of awareness regarding the incoming EU General Data Protection Regulation (GDPR) only 22 percent of schools, colleges and universities of the 500 surveyed felt their data protection policies were compliant. Furthermore, 70 percent said that if they fell foul to a data breach, they wouldn’t be able to evidence that the correct procedures were in place.

The survey was conducted by NW Security Group. The research sought the feedback of head teachers, governors, IT, security and facility managers in the North West of England to determine their awareness levels of, and adherence to, the GDPR. The main findings were:

  • Only 22 percent of respondents believe their data protection processes are GDPR compliant
  • 64 percent are aware of the GDPR but require further information regarding its impact
  • 11 percent of schools, colleges and universities have experienced a data breach and not informed the Information Commissioner’s Office (ICO)
  • If made aware of a data breach, 14 percent of respondents would ignore the issue and hope the problem resolves itself
  • 31 percent of respondents don’t believe their employees and contractors are adequately trained in data protection

The survey also highlighted that only 16 percent of educational institutions had fallen victim to a data breach, despite a rapid increase in attacks in recent times targeted at the sector. This seemingly low figure, in contrast to wider industry trends, was of particular interest and might be explained by respondents struggling to identify what constitutes a data breach.

A data breach could include: emailing data to the wrong recipient; openly discussing Personally Identifiable Information (PII); leaving hard-copy materials in plain view; or the loss or theft of unencrypted data. These could all lead to the loss of PII and are breaches of GDPR.

Nigel Peers, Security and Risk Management Consultant at NW Security Group, said, “These findings are concerning, especially considering GDPR’s imminent deadline. This is putting educational facilities at great risk of severe fines and reputational damage. There appears to be a large amount of confusion regarding the regulations, and with 64 percent of those who’d heard of the GDPR still requiring further information, it is clear more work is needed to propel educational facilities towards full compliance.

“Employees are a school, college or university’s first line of defence and if they are unable to identify what a data breach is, the likelihood of achieving GDPR compliance is dramatically reduced. That is why it was a concern to learn that, according to our survey, 31 percent of respondents didn’t believe their employees and contractors were adequately trained in data protection”.

These results are consistent with NW Security Group’s own experiences conducting Organisational Readiness Assessments for education customers seeking to determine their progress on the journey to GDPR compliance. During those assessments, it was observed that although many facilities believed their processes were up to scratch, the reality was a somewhat different picture. Outdated policies and a lack of documentation were frequent failings indicating low levels of GDPR compliance throughout the education sector.

Big Blue man warns that GDPR will change businesses

IBM’s iX Automotive, Aerospace and Defence Chief Digital Officer and digital entrepreneur Dele Atanda warned that when the General Data Protection Regulation comes into effect on 25 May 2018 the context in which businesses and their customers collect, share and use data will change forever.

He is setting up a personal data wallet and marketplace dubbed MetaMe which takes advantage of the “Clean Data” economy that the new law inspires.

Atanda said that GDPR would allow for a rebalance regarding the relationship between data seekers (businesses for example) and individuals. Finally, individuals – customers – will have more say over how their personal information is captured and processed. Companies will have to ensure the data they hold is valid, confidential and fit for purpose.

Under GDPR, notions of privacy, consent, transparency and accuracy become paramount. And while these new regulations will force businesses to reset how they operate, it’s clear that this redistribution of power will enable them to innovate and allow for new equitable and sustainable opportunities.

Atanda said the Clean Data economy is underpinned by privacy, individual ownership and mutual benefit for individuals and businesses from the use of personal data in contrast to the nefarious tracking and exploitative data acquisition practices of the surveillance led ‘Dirty Data’ economy. In the Clean Data economy, businesses pay individuals for their data creating a more fair and equitable relationship between both.

Clean Data is made tangible by MetaPods (mPods), which are crypto information objects that use artificial intelligence (AI) to enable granular, precise and minimum units of data to be isolated and encrypted based on an intention – buying or selling health insurance for example. mPods are shared and traded privately and contextually in exchange for Krypto Koins, MetaMe’s currency.

Atanda said: “To give an example of how mPods can revolutionise the digital sphere, let’s use the burgeoning wellness industry as a demonstration.

“mPods are efficiently like digital cards – they serve information. Each card has a colour code and a score. The colour code – or RAG status – relates to how identifiable the data stored on each card is. So a green card shows that no information on that card can be used to identify the individual. An amber card means some information could be identifiable. A red card indicates that some or all of the information is confidential.

“The score signifies how sensitive the information is. So the m-Exercise card has a rating of two out of ten because it contains no sensitive material – this information (exercise activity, steps taken) is similar to data captured by any standard activity tracking device such as a Fitbit. The card is green because it contains no identifiable information.

“MetaMe’s system makes it easy for people to understand how sensitive their information is and therefore how careful they need to be with it. Moreover, the more sensitive the information, the more value it has to companies operating within the wellness sphere and thus the more people can expect to be paid for sharing this information with brands in our marketplace.

“As a non-identifiable and low sensitivity card, the m-Exercise pod could also be shared with a personal trainer. The trainer could check how well an individual was maintaining a fitness programme. If required, the trainer can provide remote coaching, intervention, support or motivation according to an individual’s performance.

“At all points, the value of an mPod is couched contextually. Sharing health or exercise information with an insurer will command more value when looking for life insurance. This is key. The value of an mPod is based upon identifiability, sensitivity and context. The value of an mPod fluctuates depending on who’s enquiring for its information.

“If you want to maintain a healthy lifestyle for example you could share the m-Diet, m-Exercise and m-Health Plan cards with companies you know will provide you with healthy products. These companies will pay you for this information to better understand you as a customer and better tailor their products and services to your needs. By selling these mPods to relevant companies, you can receive tailored offers seamlessly and transparently. You only need share the minimum amount of information required to achieve your goal – in this case earning money and getting healthy products and services tailored to you.

“You can take this further and use these mPods to receive concierge services from your trainer, nutritionist and the marketplace based on your wellness behaviour and data. The choice is always in your hands. You choose how much – or how little – information you share and you will only receive information or offers that are relevant to your requirements.

“Only companies that meet ethical and responsible data usage criteria that agree to abide by the rules of MetaMe’s marketplace will be able to access your mPods. You won’t even have to manage mPods on an individual basis. You can put rules on your data, and only companies that meet your criteria will be allowed to access your mPods. You can do this holistically or individually by mPod.

“With MetaMe you retain complete sovereignty of your information. You’re just allowing third parties to access your data as and when the need requires based on rules that benefit you and brands you like and trust. Your information is no longer scattered across the web; it’s in your data store under your control.

“And while this might seem like a giant leap into the dark, it isn’t really. In the digital era, we are used to sharing things on social media and getting recommendations based on previous purchases. This is no different. That photo you shared on Facebook is a piece of information. The like you received on Twitter for your latest playlist is of value. Recommendations can only be served because of data companies hold about you.

“The critical objective of mPods and MetaMe, the app used to make them, is to create a framework whereby people can be paid and fairly rewarded for sharing this data safely without having to think about it. The culture of sharing information and receiving recommendations is well established, and the ecosystem is in place. It is just that the value exchange is out of balance. It’s not a huge cultural shift or massive behaviour change for people to be rewarded for the sharing they already do regularly. We’re simply applying behavioural patterns already embraced in a slightly different and more personally beneficial manner.

“The big social media companies are making billions of dollars on the back of people sharing information. What MetaMe aims to achieve is the same, but making that exchange, that transaction more equitable.”

Dele Atanda continued: “MetaMe’s primary commercial model is to enable people and businesses to share information with each other in a mutually beneficial manner, creating a virtual circle that encourages both sides to share more with each other.

“This eliminates waste by ensuring that businesses are ultimately matched with people who value their services. People can find products and services they require or desire, but more importantly, it lays a foundation for the fair and ethical use of data and artificial intelligence to benefit people, companies and society as a whole.

“This fundamental alignment of interests is not only more responsible and sustainable for business in general; it is essential to the establishment of a fair, safe and trustworthy digital economy that does not expose us to rampant manipulation and exploitation.”

Only seven percent are ready for GDPR

Only seven percent of global businesses are fully compliant with GDPR.

A new study from analytics firm SAS shows that 93 percent of firms have not met all of the demands posed by GDPR. This is despite the fact that it comes into force next month.

Less than half of respondents (49 percent) said they would be compliant before the May 25 deadline. European companies seem to be more prepared for the law, though.

Currently, 53 percent of EU and 54 percent of British organisations are expected to meet the deadline, compared to just 30 percent in the United States.

UK SAS’s GDPR technology head David Smith said that despite the long run-up to GDPR, the vast majority of UK organisations still don’t have processes in place to manage their data in compliance with the new rules.

“At this point, senior leadership needs to take ownership of getting the whole company on board, from IT to operations, to make sure that all personal data is accurately located and appropriately handled.”

While the study shows that most businesses are struggling to meet the deadline, 93 percent said they are working on plans to become compliant.

Most see GDPR as a good thing, with 84 percent of respondents saying they expect GDPR to improve their data protection abilities. And 68 percent believe that the law will enhance customer trust.

In other findings, 58 percent of respondents said they had developed a structured plan to become GDPR-compliant, but 15 percent of US respondents and 4 percent of EU respondents said they have no such plans at all.

Smith added: “There’s a great opportunity contained within the challenge of GDPR. Organisations that gain greater control and understanding of their data will be better able to provide their customers with the services they want, in the manner that they wish to them.

“Those companies that can innovate through GDPR will gain a significant advantage over competitors who get stuck in the long grass of compliance.”

IDC warns SMBs not ready for GDPR acronym

Beancounters at IDC have added up some numbers and divided them by their shoe size and reached the conclusion that only 29 percent of European small business and 41 percent of midsize companies “have taken steps to prepare” for GDPR.

Among non-European SMBs, the share of prepared firms falls to nine percent among small firms and 20 percent of midsize companies. Oddly, a fifth of small businesses in the UK and Germany “are not aware” of GDPR and probably think it is a train service.

This means they have seven weeks before the EU’s privacy legislation comes into force on 25 May.

IDC senior research analyst Carla La Croce said: “When looking at GDPR in western Europe, adoption is moving ahead as expected. Bigger companies move faster than smaller companies, and at a country level, Nordic countries are implementing GDPR faster than other western European countries.

“GDPR compliance and implementation has been identified as the top security priority.”

The EU claims that by making data protection law identical throughout member states, companies will make savings of £2 million annually.

However, the potential penalties for failing to meet these requirements are severe: up to £17.5m or four percent of annual revenues.

SMB research VP at IDC Raymond Boggs added: “As SMB around the world increasingly looks to grow revenue by reaching out to new customers, the importance of global expansion increases.

“But so does the need for first-rate security and data protection, which is why GDPR compliance is important, not just to avoid fines, but to ensure that vital customer information is secure and protected.”

Cisco finds that GDPR is not helping sales

Cisco has warned that many customers are concerned the tech they buy will not adhere to the General Data Protection Regulation (GDPR) coming in May.

For those who came in late, GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

It was thought that the rush to become compliant would create a bit of a bonanza for those selling security, data management and authentication tools.

Cisco has discovered that far from rushing into buying fresh technology, two thirds of those businesses quizzed were reporting sales delays because of customer data privacy concerns.

Cisco’s Privacy Maturity Benchmark Study found that some of the public sector verticals, including health and government, are suffering the longest delays because of the stricter standards they are working towards.

The Cisco study also exposed the level of losses with what the vendor termed as “privacy-immature” companies being hit the hardest.

A lot of the concerns stem from doubts that products and services purchased will have the privacy protections that are required under GDPR.

As well as delaying spending, the study also reveals the levels of confusion that still exist around just what will be required to become compliant.

Research from Clearswift that looked at the preparations for GDPR in the UK, US, Germany and Australia found that only 21 percent of middle management felt they were ready for the compliance regulations.

The firm found a disconnect between the board and middle management, with the more senior executives more optimistic about the ability to handle right-to-be-forgotten requests.


SMEs expected to send SOS to resellers

GDPR data regulations are nearly a year away from implementation and Canalys is expecting more SMEs to turn to resellers for help preparing.

Canalys said that GDPR data regulations are going to lead to revenue for the channel particularly from the SME customer base.

Forecasts from Canalys have highlighted the security spending that is going to come across Europe as firms get themselves compliant with the data protection regulations.

The analyst house is predicting a 16 percent increase in the Western and Central Eastern European security market, reaching $11.5 billion in 2018.

Some customers are better prepared than others with the channel heartlands of the SME community needing a bit of help from resellers.

Canalys senior analyst Nushin Vaiani said large businesses are well informed on information security regulations, with resources in place to ensure compliance.

“With ransomware threats such as WannaCry causing havoc, shareholders will be more willing to accept increased data security and compliance budgets to protect their long-term investment,” Vaiani said.

“SMBs naturally have fewer resources, putting constraints on implementation. But there are potentially massive fines for non-compliance with GDPR, putting SMBs under threat of bankruptcy. Businesses must take action now to safeguard from this danger,” Vaiani added.

No one expects the European General Data Protection Regulation

More than half of the companies affected by the European General Data Protection Regulation (GDPR) will not be ready by the end of 2018.

Beancounters at Gartner have added up some numbers and divided by their collective shoe size and worked out that when the GDPR goes live on 25 May 2018 more than half will be eligible for fines of up to €20m – or four percent of turnover – for non-compliance.

Gartner research director Bart Willemsen said that the GDPR will affect not only EU-based organisations, but many data controllers and processors outside the EU too.

“Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.”

All this opens the way for the channel to step in and provide customers with the advice they so desperately need.

They need someone to tell them their role under the GDPR. Outfits need to appoint a representative to act as a contact point for the data protection authority (DPA) and data subjects.

Most will have to hire a data protection officer (DPO). This is especially important when the organisation is a public body, is processing operations needing regular and systematic monitoring, or has large-scale processing activities.

Gartner said that too few organisations have found every single process where personal data is involved. Going forward, purpose limitation, data quality and data relevance should be decided on when starting a new processing activity as this will help to keep compliance in future personal data processing activities.

Organisations must prove an accountable ground posture and transparency in all decisions regarding personal data processing activities. Outside parties must also follow relevant requirements that can affect supply, change management and procurement processes. It is important to note that accountability under the GDPR needs proper data subject consent acquisition and registration. Prechecked boxes and implied consent will be in the past. A clear and express action is needed that will require organisations to implement streamlined techniques to obtain and document consent and consent withdrawal.