Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Tuesday, 31 January, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

The Impact of GDPR Outside the EU

by The Gurus
January 30, 2017
in This Week's Gurus
Share on FacebookShare on Twitter

On 25 May 2018, the General Data Protection Regulation, or GDPR[1], takes effect in the European Union.  The regulation mandates strict protection requirements over personal data concerning EU citizens.  Governments and companies inside the EU have been preparing, but many companies outside of the EU may yet be unaware of how this regulation will affect their businesses.  GDPR applies to any organization that holds or processes data on EU citizens, regardless of where it is headquartered.  This includes companies that have employees in the EU, sell or market products or services in the EU, or partner with EU organizations. The penalties for non-compliance can be as high as 4% of global revenue.
User consent is a cornerstone of this new law.  GDPR defines personal data as physical address, email address, IP addresses, age, gender, locations, health information, search queries, items purchased, etc.  Many companies today freely harvest this data, use it, share it, and sell it under the auspices of their ever-changing, usually unintelligible click-through “privacy policies”.  In a post-GDPR world, users must issue explicit consent for each attribute collected and for each use or transfer of these attributes.  If an organization’s privacy policy or data sharing agreements change, users must consent to the changes before they take effect.
Moreover, organizations collecting this data must allow users to take their data with them or delete it entirely if requested.  Compliance audits will become regular events.  GDPR mandates privacy by design and by default.  A quick interpretation means that users must “opt-in” rather than “opt-out” of data collection schemes.
Data minimization, purpose and storage limitations are important principles in the new regulation.  Simply put, don’t collect more information than necessary, don’t use it for purposes other than what you state, and store it only as long as needed.  Exceptions do exist for health, public safety, and national security reasons.
Within each EU member state, the GDPR establishes the position of Supervisory Authority, a government official responsible for overseeing the implementation and enforcement of the regulation.  When organizations detect a breach of EU citizens’ personal data, they are required to report it to the Supervisory Authority in each affected Member State within 72 hours.  The use of encryption on PII can be a mitigating factor in data breaches, which may obviate the need for disclosure to data subjects.
Ideally, data about EU citizens should be housed within the EU.  GDPR has provisions for data transfers outside the EU, and the best way to avoid being subject to these conditions is to keep it local.  One weakness of GDPR is that it doesn’t adequately define the term “third country”.  This will likely cause additional legal debate.
In cases where regular transfers of EU subject data are expected to occur between Member States and other countries or international organizations, the EU Commission may make “adequacy decisions” which facilitate these exchanges.  One such example is the EU-US Privacy Shield[2].  The EU-US Privacy Shield framework replaced the former Safe Harbor, which was ruled invalid by the European Court of Justice.  Companies may apply and self-certify that they meet the criteria contained therein.
With a little over a year to go before GDPR implementation, now is the time to prepare. To help customers comply, software vendors, e.g. IAM, IaaS, SaaS, and marketing solutions providers, need to:

  • Build fine-grained consent options into their UIs
  • Provide granular data encryption capabilities
  • Automate privacy policy change notifications and re-consent prompts
  • Respond to personal data export and data deletion requests
  • Where appropriate, allow parents or guardians to control the use of children’s PII
  • Develop GDPR compliance auditing and reporting tools

Organizations that have European operations or do business with EU citizens will need to:

  • Inventory all data
  • Conduct data privacy impact assessments
  • Encrypt PII data at rest and in transit
  • Modify privacy policies, data collection processes, and data handling procedures
  • Develop rapid data breach notification processes
  • Add mechanisms to customer portals so that users can provide consent to data usage
  • Possibly migrate and prune PII from systems
  • Apply for EU Commission approved transfer adequacy programs, e.g. EU-US Privacy Shield

GDPR will certainly enhance EU citizen privacy, but the fines for violations could be substantial.  Make sure your IT systems and processes are ready.
[1] http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
[2] https://www.privacyshield.gov/PrivacyShield/ApplyNow
About the author
John Tolbert is a senior analyst at KuppingerCole, with internationally recognized expertise in cybersecurity and identity management. John has consulted for national governments, and has 20 years of experience working in Aerospace, Defense, Manufacturing, and Financial industries. John was honored as an OASIS Distinguished Contributor in 2014, and as an Associate Technical Fellow at Boeing in 2011. In addition to working with OASIS, he has also participated in Kantara Initiative, Transglobal Secure Collaboration Program (TSCP), the FIDO Alliance. He has numerous technical security publications, and is a frequent speaker at cybersecurity and identity management events

FacebookTweetLinkedIn
ShareTweetShare
Previous Post

Retailers, it’s time to reduce the hacker threat

Next Post

EA Sports hacked? Gamers unable to play Fifa, Madden or Battlefield after servers suffer outage

Recent News

JD Sports admits data breach

JD Sports admits data breach

January 31, 2023
Acronis seals cyber protection partnership with Fulham FC

Acronis seals cyber protection partnership with Fulham FC

January 30, 2023
Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information