Did you know that if any third-party vendor your company uses is not compliant with the General Data Protection Regulation (GDPR), you could be held liable for their actions? And even if you aren’t, your company’s reputation could suffer if a data breach occurs. The case for complying with GDPR is indisputable—the penalties are hefty and the public relations damage can derail your company’s performance. One thing is certain: detailed and ongoing vendor monitoring from a data protection perspective is critical. Unfortunately, it’s not as simple as outsourcing data governance and privacy compliance to your vendors.
Despite the hype around GDPR in May of this year, when the EU’s new General Data Protection Legislation came into effect, many companies still do not have a robust GDPR programme or sufficient protection measures and processes in place. As Jonathan Armstrong of compliance lawyers Cordery explained to Interactive Services, “I think there have been various surveys that have said that people were not ready for GDPR when it came in. That is certainly my experience.
As you may already know, one of the biggest changes to EU data protection rules is coming into effect on May 25, 2018. The General Data Protection Regulation (GDPR) is a wide-ranging set of rules you must follow when collecting, processing, and storing an individual’s personal data. Some of its key aims are to strengthen and harmonise data protection legislation throughout the EU and to ensure that individuals are fully informed about, and in control of, their personal data. So, does this mean that data privacy and GDPR are one and the same? Not quite.
“When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.” ― David Brin

It seems hardly a week goes by without some news of a data breach or cyberattack, but the latest media firestorm involving Facebook has caught the world’s attention and called into doubt companies’ accountability when it comes to data protection.
The General Data Protection Regulation (GDPR), which comes into effect in May 2018 for companies in the UK, EU and throughout the world, is designed “to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.” (Source: https://www.eugdpr.org/) However, data privacy and data protection for large global companies, including those in the United Kingdom (UK) despite Brexit, is similar to the fight against doping and the use of performance-enhancing drugs in sport. Organisations can have controls, procedures and tests in place
Access Control Requirements & PCI-DSS Training

Access control and account management allow organizations to deny or allow the use of physical or electronic means to reach PAN and cardholder data. Access may only be granted on a verified, need-to-know basis. Standard physical access control measures include hardware, file cabinet and server room door locks. Here are the PCI-DSS’ requirements for access control.

Requirement 1 - Restrict Access to Cardholder Data

Systems and processes must be in place to limit access to critical data. Access is granted based on need-to-know, specific job duties and authorized personnel status.
Employee Data Access: Scenarios That Compromise Security

Companies are continually challenged with providing appropriate data and system access, not just for new employees but for current ones as well. Of course, hiring managers want their employees to have access in order to get them up and running as quickly as possible. In many cases, managers tend to model the access they request for a new employee on the permissions already granted to a current employee, but this can have some unexpected pitfalls. Here are two common scenarios that are often overlooked when it comes to ensuring data privacy and protection within organizations.
Data Privacy and Ransomware Attacks

The latest trend in cybercrime is the ransomware attack—hackers introduce a virus into a system which shuts down the target's computer, then the hackers demand money to release the system. The recent WannaCry ransomware attack took down computers in Europe, America, and Asia, before being foiled by a malware specialist. Despite dire warnings from the FBI and cyberwarfare specialists that "nothing can be done" against ransomware attacks, companies can take steps to minimize damage and limit exposure to these new threats to maintain data privacy. Maintain malware/spyware compliance.
When we think of cybersecurity, we think of highly trained IT professionals who are working every day to stop huge data breaches from happening. While that's true, we forget that cybersecurity can be simple - some of the best cybersecurity guards are right in the office. Employees deal with data, passwords, usernames, and confidential customer information on a daily basis; they are the first line of defence in preventing cyberattacks and data breaches. Ensure strong passwords: this is the simplest method of prevention, yet weak passwords are the easiest way for systems to be hacked.
One of the most important things your company should do is protect the data of your customers. Protecting privacy is an ethical obligation that companies should uphold, and it is also required by law. Data privacy is defined as the duty a company upholds in relation to its customers’ private information. If you do not already have data privacy processes in place, then it’s time for your company to invest in data privacy training provided by professionals in the field.