Monday, 9 October 2017

Preparing for GDPR compliance: Where you need to be now and how to get there


Author of the article: Doug Drinkwater, an experienced technology and security journalist. The article can be found on the csoonline.com portal at the address:
I quote selected parts of the text. For brevity, I present the ideas themselves without giving the wider context in which they arose. For the authors of the texts, see the sources mentioned.
- "Failure to comply with the EU General Data Protection Regulation (GDPR) leaves firms vulnerable to penalties, but many U.S. companies doing business in Europe are in danger of missing the deadline. Here’s how to catch up."
- "Behind the noise, hype, and misunderstanding is a substantial piece of legislation that will change how organizations operating in Europe approach data protection."
- "It also harmonizes data protection across 28 EU member states, replacing the need for national legislation. The headlines are ... as well as mandatory security notifications, new rules around user consent, a clearer definition around what could be personal data (such as IP addresses, for example), and greater rights for people to access — or request deletion of — the information companies hold on them."
- "As such, GDPR transcends IT and spreads into areas like sales and marketing, but this complex legislation carries numerous misconceptions. The ambiguity over data processors and controllers — not aided by the controversial Google Spain court case of 2015 — has also caused headaches, especially around data stored in the cloud."
- "A lot of businesses are now holding back full implementation for compliance because it's hard to determine what compliance looks like, and are putting faith that a clear plan of action will be enough to deter the regulator."
- "The big shock everyone has with GDPR is that they weren't operating in compliance with current data protection legislation."
- "Data subjects are given rights to make it easier to access their own data, a right to data portability, a clearer ‘right to be forgotten’, plus a right to be informed if your personal data have been subject to a serious breach."
- "Rules on accountability and transparency are strengthened, and they will have to embrace concepts such as ‘data protection by design and default.’"
GDPR readiness: Where businesses are today
- "The regulation, after all, stipulates companies must provide a “reasonable” level of protection."
- "Like many, we've taken a risk-based approach for the implementation of controls; we're identifying where our data is, how it's protected, and ensuring our supply chain has agreed to new terms.”
- "We established a cross-departmental team to understand the scope of the new legislation, assess the processes and controls we have in place, and identify any gaps we had, before then addressing them. We then implemented a mechanism to automate the identification and searching of data stores across our systems and tied it to data classification technology that tags data based on its confidentiality. This is linked to data loss prevention controls that only allow certain data types to travel between networks.”
- "Vocalink jointly developed the firm’s strategy for GDPR among the legal, operations, and security teams, analyzing their environment against the EU regulations and drawing up a roadmap to quickly address any gaps."
- "The Drum revealed how GDPR had enabled it to look at digital marketing in a new way — putting the customer at the center."
- "The CIO of telco O2 spoke of how GDPR was an “opportunity to get our customers’ trust”."
- "GDPR can bring some positives to business, such as improved data management and customer loyalty. “Better information management is one clear benefit, but the principle of privacy by design can deliver products and services that, cannily marketed, could be very commercially successful,” says Baines."
- "Most organizations are falling behind, only now appointing DPOs and steering committees, and fighting for boardroom buy-in. Others are progressing slowly with information audits and generally developing company-wide awareness."
- "There’s the risk of additional penalties if you don’t meet any of these within the timeline given. Such penalties can cause a huge administrative burden and even cost the organization more than the fine."
- "Mandatory notification in 72 hours is clearly achievable. This isn't about a full diagnostic and report into what happened. This is the cursory notification to the regulator that something is afoot. Share what you know: your plan for further investigation and triage, along with an anticipated timeline."
How do companies accelerate their GDPR initiatives?
- "Organizations work closely with the DPO and their teams. If they don’t have a DPO, CISOs and CIOs should be lobbying their board hard to introduce one on the basis that “data protection isn't, and shouldn't be, the sole responsibility of an information security lead”."
- "Organizations get some “validated and authentic” advice, and entrust a person or group of people to manage all aspects of GDPR, from delivering company-wide training to ensuring the supply chain is up-to-date (contract updates are recommended). At the heart of it, he says, is good data management."
- "Work out what personal data you have. Where is it? How did you get it? Get rid of it if you don’t need it. A DPO could be considered good practice."
- "Organizations must understand the type of data, its location, and how it is being used. This should then be compared against the regulation's requirements. “You have to maintain this level of compliance throughout your organization, embedding privacy-compliant thinking into projects and programs, using tools like a privacy impact assessment, to understand the risk of each activity.”"