What is GDPR? | ZoneFox | Insider Threat Detection
 

What is GDPR?

GDPR – what it is, and what you can do

The General Data Protection Regulation (GDPR) is a new set of rules coming into force on 25 May 2018. They govern how businesses collect, use and share the personal data of individuals in the EU, and they apply to organisations whether or not they are EU-based. Organisations are required to ensure robust protection of the data they hold, or face eye-watering penalties of up to €20 million or 4% of global annual turnover, whichever is higher.

Key Takeaways


Cyber security and Data Breaches

  • Stricter security obligations, but more guidance on what “appropriate” technical and organisational measures look like
  • Increased due diligence on data processors (DPs) by data controllers (DCs)
  • Data breach reporting to the supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals
  • DPs must notify the controller of a breach “without undue delay”

 

How to ensure you meet GDPR compliance

  • DCs and DPs should follow the development of codes of conduct and the accreditation of certification bodies, and consider whether to apply for certification. This will assist in demonstrating compliance and help satisfy privacy by design and by default.
  • DCs and DPs should develop or update internal breach notification procedures including incident identification systems and response plans. These should be regularly reviewed.
  • Work with IT/IS teams to implement appropriate technical and organisational measures, such as encryption, that render personal data unintelligible to anyone not authorised to access it. Where breached data was protected in this way, the DC is relieved of the duty to notify the affected individuals, although the supervisory authority must still be notified.
  • Review insurance policies re data breach.
  • Update contracts to require suppliers acting as DPs to notify you of any data breach proactively, and put greater emphasis on the duty to cooperate between DC and DP.

Consent

  • Must be freely given, specific, informed and unambiguous
  • Must be by a statement or by a clear affirmative action
  • Parental consent for children under 16 using online services (Member States may lower this age to 13)
  • Consent can be withdrawn at any time
  • Separate consents required for different processing
  • Other grounds for processing are available, e.g.:
    • Contractual necessity
    • Legal obligations under Member State or EU law
    • Legitimate interests of the DC or a third party

 

What to do to ensure GDPR Compliance:

  • Ensure you are clear about grounds for processing relied on and check these are still applicable under GDPR
  • When relying on consent, ensure quality of consent meets new requirements
  • In particular, check website tick-boxes and omnibus “I agree” consent mechanisms – may need to be made more granular

Individual rights

  • Right to erasure – where the data has been made public, the DC must also take reasonable steps to inform other DCs processing it
  • Right to restriction
  • Right of information and access, and data portability
  • Right of rectification
  • Right to object to direct marketing (absolute right)

What to do to ensure GDPR Compliance:

  • Ensure staff are trained to recognise requests
  • Check IT systems can mark data as restricted pending resolution of complaints
  • Audit privacy notices and policies to ensure individuals are told about the right to object at point of “first communication”
  • For online services, ensure access / portability are automated (e.g. Facebook)
  • Review marketing suppression lists and processes

Consequences of Violations

  • Two-tier administrative fines, in each case whichever is higher:
    • €20m or 4% of global annual turnover (not profits) for the most serious infringements, e.g. of the processing principles, consent or individual rights
    • €10m or 2% of global annual turnover for other infringements, e.g. of the security and breach-notification obligations
  • Complaints to supervisory authorities
  • Judicial remedies against data controllers and processors
  • Liability for compensation for financial and non-financial loss

What to do to ensure GDPR Compliance:

  • Run GDPR gap analysis to identify non-compliance and prioritise mitigation
  • Update risk registers
  • Assess liability under existing contracts and limitation / exclusion clauses
  • Review insurance arrangements

Governance Obligations

  • Appointment of Data Protection Officers (DPOs)
  • Privacy by design
  • Data Protection Impact Assessments (DPIAs), previously known as Privacy Impact Assessments (PIAs)
  • Using data processors
  • Record of processing activities

What to do to ensure GDPR Compliance:

  • Establish if you are required to designate a DPO and, if so, assess whether your current approach to data protection compliance will meet the GDPR requirements
  • Assign responsibility and budget for data protection compliance within your organisation
  • Implement technical and organisational measures to show you have considered and integrated data compliance measures into your data processing activities
  • Familiarise yourself with the guidance the ICO has produced on Privacy Impact Assessments (PIAs) and establish how to implement DPIAs in your organisation
  • Assess the situations where a DPIA will be mandatory, i.e. where processing is likely to result in a high risk to individuals
  • Implement measures to prepare records of your organisation’s processing activities

How can ZoneFox support Compliance?

Our solution is underpinned by our 5-factor model. A ‘push’ architecture that continuously streams data, ZoneFox removes the resource-intensive need to turn endless, messy log files into answers by capturing key information from five touchpoints and delivering only the data that matters about:

  • User
  • Processes
  • Machine/Device
  • Resource, i.e. file, database, SharePoint
  • Behaviour

It then rapidly analyses that data to deliver quick, valuable insights that enable your team to contain a threat and respond as needed.

Get in touch today and discover how ZoneFox can support GDPR compliance.