EU regulators report a sharp rise in complaints post-GDPR

The number of complaints that GDPR regulators are reporting has risen sharply in the few weeks since the regulation came into effect. The greater degree of data transparency the law offers is a welcome change from the antiquated data protection laws that preceded it. The duty of care now rests firmly on the shoulders of data controllers and processors to exercise more careful data management practices.

Across Europe, organisations have been endeavouring to tick the boxes for GDPR compliance, some simply for the sake of appearing to strive for it. Looking as though you are trying, however, may not be good enough for the regulators. The time has come for data controllers and processors to answer for their shortcomings. Data has been described as ‘the new oil’, meaning that it has become a commodity of great commercial value. With that in mind, treating it with any less prudence in its storage and management becomes equally unacceptable. A bank that safeguards money does not flippantly disregard the safety of its currency, and under GDPR organisations are no longer permitted to be so negligent with personal data.

“Data has been described as the new oil”

Consider for a moment the prospect of a large-scale bank robbery in which a large amount of money was stolen, resulting in a huge backlash against the bank for not taking the security measures that would have prevented it. The bank's customers would demand their money back, with a guarantee that it would not happen again.

If personal data is treated as a commodity with intrinsic financial value, a data breach can be viewed as a kind of data bank robbery: a theft which, until now, would typically have gone without any restitution for its victims.

The GDPR has changed this lack of protection for data subjects for the better, holding organisations that store the personal data of people in the EU accountable for the security and careful management of that information.

The large number of complaints that EU regulators have received stands as testament to the willingness of people in the EU to embrace the new data privacy law. Organisations that carelessly allow sensitive personal data to be lost are being held to account by those they have failed; the victims now have a platform to voice their concerns, with the backing of the European regulators.

The GDPR ushers in a new era of data privacy law that offers much greater protection for people in the EU and their data, and holds organisations responsible for the data they use. With the number of complaints still rising steadily, it is only a matter of time until organisations take note and achieve full compliance by changing, for the better, the way in which they process that data.

How Canada is being impacted by GDPR

GDPR is now firmly in force across the EU and, although the law protects the personal data of people in the EU rather than data in general, its impact is being felt worldwide. If your organisation offers goods or services to people in the EU, or monitors their behaviour, you are now expected to comply with GDPR even if you have no physical presence there. Canadian businesses that collect and process personal data from the EU should therefore ensure that they are compliant with the regulation.

The General Data Protection Regulation is the legal framework for data protection and privacy in the European Union; it came into full effect on May 25, 2018. It affects anyone with clients, customers or website visitors in EU countries. It gives greater protection and rights to individuals and is the biggest change to European data privacy law in over 20 years.

If you do business with customers or clients in the EU, you are required by law to comply with GDPR, and if you fail to comply you face heavy fines. To understand what these are, see our GDPR infographic on non-compliance and penalties.

Even if you are not currently doing business in Europe, adopting the GDPR guidelines is a positive step for any business. Internet businesses operate on a global stage, and it is easier to write one set of terms, conditions and privacy notices that meets the most stringent requirements across all the countries you operate in than to maintain separate policies for separate countries or regions.

Simple steps to help you with GDPR

Create a list

Create a list detailing every place online where you ask people for personally identifiable information. The best place to start is your website: do you ask for names, email addresses or credit card details? Then look at online forms, sales funnels, comment boxes, email marketing sign-ups and e-commerce checkouts; all of these are potential collection points to take into consideration.

Moving on from the collection points, think about where you are storing this information, for example a CRM database or email marketing lists that hold a high volume of personal data. Ask yourself: did we get permission to collect this information in the first place? Did these people actively consent to the uses we are putting it to? You will need to keep a record of the consent given in order to rely on it in sales and marketing campaigns. Canada's anti-spam law (CASL) allows companies to market to customers for up to two years on the basis of implied consent from an existing business relationship, whereas GDPR consent has to be a clear affirmative act: silence, pre-ticked boxes or inactivity do not count.

How do you track website visitors?

Businesses use tracking tools such as cookies, web beacons and pixels so that a website can recognise a visitor's browser across a session and record information about it: the device used, the visitor's location and the pages visited. Because these identifiers can be tied to an individual, the information is personal data under GDPR, and you will have to inform visitors from the EU about the tracking and the purpose behind it.

Passive consent for non-essential cookies is not enough under the GDPR standard of consent. Many websites have responded with a pop-up warning that cookies are in use, along the lines of “If you continue to use this website, you agree to our terms and conditions”, and then leave it to the visitor to disable cookies in their browser or leave the site. That wording is exactly the implied consent the regulation rules out: continuing to browse is not an affirmative act. A compliant banner explains what the cookies are for, lets the visitor accept or refuse the non-essential ones before they are set, and records the choice so it can be honoured and evidenced later.

Update your privacy plan

Once you understand what personal information you are collecting and where it comes from, you can move on to the next stage: a detailed plan to protect that data and keep it secure from cyber threats. You also need to be able to produce a copy of what you hold in response to a subject access request (SAR), and to delete it when someone exercises their right to erasure. And to meet GDPR's breach requirements, you must have measures in place to report a personal data breach to the regulator within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to the people affected, to notify those data subjects as well.

The creation of new plans will need to be communicated throughout the organization. New procedures and processes may need to be rolled out to make employees aware of how to handle the sensitive information and make sure they are aware of what the privacy policies are. Depending on your level of data collection your organization may need to appoint a Data Protection Officer (DPO). 

Clearly State your Privacy Policy

After you have completed all of the above and have a new privacy policy, it needs to be prominently displayed on your website. Create a separate page for it and link it from your sitemap or page footer so it can be easily found. GDPR requires the policy to be written in clear, concise and easily readable language, telling visitors what information you collect, how you collect it, why it is necessary and how you secure it. It also needs to say whether the data is ever shared with third parties and how someone can contact you to access the data you hold on them or have it deleted.

As the privacy landscape continues to change worldwide and in Canada, businesses need to keep abreast of their data privacy policies and their impact.

False Positives in Sensitive Data Discovery

The amount of data used and stored within your organisation is growing at an exponential rate; it’s the nature of data. However, along with the growth of that data, comes the added responsibility of identifying and securing sensitive information that is stored within your organisation, whether it is in a structured or unstructured format.

Sensitive data in today's world includes cardholder data, personally identifiable information, financial information and health information, and the definition is evolving to take in location data and genetic and biometric data too.

This is all well and good, but what happens when there is information within your data that appears to be sensitive information, but actually isn’t? How do you differentiate between what is legitimate sensitive information and what is data that may be masquerading as sensitive data?

This is where I will introduce the term ‘False Positive’, which can be defined (by Google dictionary) as follows:

noun

noun: false positive; plural noun: false positives

  1. a test result which wrongly indicates that a particular condition or attribute is present.

When discovering sensitive data within your organisation’s structured and unstructured information repositories, there is always a possibility that data may incorrectly match types of data you are searching for.

After all, strings of numbers and characters appear throughout computer systems and the combinations of these all have the potential to match sensitive data formats. One can also often encounter seemingly legitimate matches that are actually a False Positive in the context for which you are searching.

Target types

If we look a little deeper into this issue, we can also see that different numbers and concentrations of False Positives can occur according to the target data repository you are scanning, along with locations within the specific repositories.

For example, you may find different numbers of False Positives across the workstations, servers and user mailboxes in your environment, and in different places within each. On a workstation they may cluster in a particular file location such as the applications directory, whereas in user mailboxes they tend to appear in the email signatures on messages.

The above examples are just a small sample of where False Positives can be identified when performing a forensic search for sensitive data within your organisation. This sample multiplied across many systems and locations housing your data can adversely affect your ability to discern the actual sensitive data which you are trying to identify, from the False Positives within your target data repositories.

So, how do you address this and ensure you don’t spend your valuable time combing through large numbers of False Positives to get to the real sensitive data?

Enterprise Recon

You use a tool that:

  • Employs False Positive mitigation techniques from the start of your sensitive data discovery.
  • Provides pre-built, complex matching patterns that account for algorithms, checksums and ranges within a wide variety of Data Types.
  • Checks against already known False Positives and Test Data patterns across a wide variety of target data repository types, from a workstation, server, network storage and email, to database and cloud-based targets.
  • Identifies and checks the context of potential matches to determine the certainty of a match being a True Positive instead of a False Positive.
  • Continuously updates and improves the existing patterns and data types within the tool to make them more efficient and in-sync with today’s data type formats.
  • Continuously adds new data types to allow you to search for increasingly complex and unique data types within your data repositories.
  • Allows the customisation of data types and patterns to adapt to data specific to your organisation.
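The following, added here as an illustration and not Ground Labs' own code or any part of Enterprise Recon, shows what the first four points above look like in working code for one data type, cardholder data: candidate matching by format, a Luhn checksum, an issuer range and length check, a (deliberately short) list of published test card numbers, and a keyword context window around each hit. Everything in it is constructed for the example: the sample lines, the keyword lists, the test-number list, and the two card-shaped numbers that are not test cards are made-up Luhn-valid strings rather than real accounts.

```python
"""Cardholder-data discovery with false-positive mitigation (added example).

Candidate matching, Luhn checksum, issuer range/length check, a known
test-number list and a keyword context window. The sample text, keyword
lists and the short test-PAN list are constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens, not glued
# to other digits or letters (avoids slicing longer identifiers and hashes).
PAN_CANDIDATE = re.compile(r"(?<![\dA-Za-z])(?:\d[ -]?){12,18}\d(?![\dA-Za-z])")

# Published test numbers (deliberately short list): Luhn-valid but not real.
KNOWN_TEST_PANS = {"4111111111111111", "5555555555554444", "378282246310005"}

# Whole-word context cues; constructed for the example, tune per repository.
POSITIVE_CONTEXT = re.compile(r"\b(?:card|visa|mastercard|amex|pan|exp|expiry|cvv|payment)\b")
NEGATIVE_CONTEXT = re.compile(r"\b(?:serial|imei|tracking|ticket|order|hash|sha\d*|md5)\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_for(digits: str) -> Optional[str]:
    """Issuer range plus length check; returns None if no brand fits."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720) and n == 16:
        return "mastercard"
    if digits[:2] in ("34", "37") and n == 15:
        return "amex"
    if (digits.startswith("6011") or digits[:2] == "65") and n == 16:
        return "discover"
    return None


def classify_pan(digits: str, window: str) -> Tuple[str, Optional[str], str]:
    """Return (verdict, brand, reason) for a digit run and its surrounding text."""
    if not luhn_ok(digits):
        return "false_positive", None, "luhn"
    brand = brand_for(digits)
    if brand is None:
        return "false_positive", None, "no_brand_range"
    if digits in KNOWN_TEST_PANS:
        return "test_data", brand, "known_test_pan"
    pos = POSITIVE_CONTEXT.search(window) is not None
    neg = NEGATIVE_CONTEXT.search(window) is not None
    if neg and not pos:
        return "low_confidence", brand, "negative_context"
    return "match", brand, ("positive_context" if pos else "no_context")


def scan(text: str, context_chars: int = 40) -> List[Dict[str, object]]:
    """Find card-shaped numbers and classify each; the report holds masked PANs only."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        window = text[max(0, m.start() - context_chars): m.end() + context_chars].lower()
        verdict, brand, reason = classify_pan(digits, window)
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "masked": digits[:6] + "*" * (len(digits) - 10) + digits[-4:],
            "verdict": verdict,
            "brand": brand,
            "reason": reason,
        })
    return findings


# Constructed sample: one true positive, one test card, two false positives
# of different kinds (checksum failure, no issuer range) and one low-confidence hit.
SAMPLE_TEXT = """\
Customer card 4539 1488 0343 6467 exp 12/26 billed against invoice 88421
Test fixture: card 4111 1111 1111 1111 exp 01/30 (sandbox only)
Ticket ref 1234 5678 9012 3456 raised by j.doe, Support Desk
Device serial 9999-9999-9999-9995 assigned to asset rack 7
Tracking number 4532 0123 4567 8902 for parcel dispatched Monday
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"line {f['line']}: {f['masked']} -> {f['verdict']} ({f['brand']}, {f['reason']})")
```

Run as a script it prints one line per finding. The report carries only masked numbers, because a discovery report that reproduces full card numbers becomes sensitive data in its own right. In a real scan the keyword lists and the test-number list are the parts that need continual extension per repository, which is what the fifth to seventh points above are about.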

If the above appeals to you and you see the value in saving time and effort by not having to work through excessive numbers of False Positives when searching for sensitive data within your organisation, please visit our website: www.groundlabs.com

Author: Simon Davey

How will the GDPR impact Asia-Pacific-based companies?

GDPR is now law. EU companies have had two years to prepare for it, but what is the cross-continental impact on companies based in APAC? The GDPR is the biggest shift in data protection and privacy in the last 20 years, and an Asia-Pacific-based company may have to comply even if it is not physically based in Europe. The rights it gives to data subjects mean that any company that markets to, collects personal data from, or stores personal data about individuals in the EU has to comply with GDPR.

Much has been said about what will happen to companies that fail to comply with the new GDPR legislation. For the first time they face unprecedented risk and sizeable penalties for serious infringements, including major data breaches: up to 20 million euro or 4% of annual global turnover, whichever is higher. That is only half the story, however.

Companies that operate outside the EU could find themselves caught by the new reach of the data protection law. GDPR applies to your company if you offer services into the EU, monitor the behaviour of people there, or obtain personal data about people in the EU and transfer it outside the EU. There are now rules around consent and how you obtain it: a data subject has to give you clear, specific and unambiguous consent for the purpose you state, and explicit consent where the data is sensitive.

Fines, fines and more fines! But it is not just the fines you need to be wary of. The reputational damage to your brand could ultimately far outweigh any penalty. You have to understand how the 72-hour notification to the regulator works, when affected data subjects must be told as well, and what the additional effect of a breach will be on your business.

Some key features of GDPR for APAC companies to consider

How personal data is collected

If you are an Asia Pacific-based company without a physical presence in the EU, you can still be affected by the new GDPR if you target EU citizens and collect their personal data online. Your collection points through your website, apps or forms need to be GDPR compliant.  

Regulatory risk

With the increased risk of regulatory scrutiny and possible fines, businesses need to have higher data security provisions set out and procedures in place to support GDPR compliance. More importantly, if you fail to convince your customers of your GDPR compliance, you may lose business to competitors.

72-hour breach notification

A personal data breach must now be reported to the regulator within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the people affected; where it is likely to result in a high risk to them, the affected data subjects must also be notified without undue delay. To prepare for this, your business will need to re-evaluate its processes and procedures and put new systems in place to meet the deadline, in particular the ability to work out quickly what data was involved and whose it was.

Data transfers to a non-EU country

Under GDPR, data controllers can no longer rely on their own view that the transfer arrangements already in place are adequate. In particular, they need to address Article 46: where personal data is transferred from the EU to a third country or to an international organisation without an adequacy decision, the transfer must rest on appropriate safeguards such as standard contractual clauses or binding corporate rules, and the data subject has the right to be informed of the transfer and of the safeguards that cover it.

Security by design

Under GDPR, companies need to build privacy by design into their systems and data processing activities. A data protection impact assessment must be carried out where processing, particularly using new technology, is likely to result in a high risk to individuals. Systems must be able to support data subject rights, for example the rights to access, rectify and erase their data.

Reputation is key

The financial and reputational impact of GDPR has to be a board level issue. The new requirements for reporting breaches and updating the regulator creates a new element of risk. Delay in reporting and providing notice has created significant negative publicity in recent breaches.

What does the current data privacy legislation look like in APAC?

There is no agreement on data protection in the Asia Pacific region that unifies the laws across it. Some countries, such as Australia, New Zealand and Hong Kong, have laws that cover both the private and public sectors. China, Vietnam, Singapore and Malaysia have laws that exempt the public sector, and the Philippines has laws specific to the handling of citizen and non-citizen data. In general these laws are territorial, not extraterritorial as the GDPR is.

Could we see something similar to GDPR in APAC?

The Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system requires participating businesses to implement data privacy policies consistent with the APEC Privacy Framework. This is a clear attempt to harmonise data privacy rules, in the hope of building consumer and business trust in cross-border flows of personal information.

In February this year, Singapore's Personal Data Protection Commission published the feedback from its public consultation on aligning its regulations with provisions of the new GDPR legislation, including a data breach notification requirement.

It could be some time before we see a unified law across APAC, but steps are certainly being taken to improve privacy laws across the region.

GDPR Could Be The Best Thing To Happen To Marketers In 2018

Now that the deadline for the new GDPR has come and gone, what we witnessed was a barrage of inbox messages to our email accounts, as well as text messages to our ever-present smartphones. The messages ranged from last minute emails to the straight up, all-out legal breakdown on the change to their privacy policy. This has left us, as marketers, feeling a little bit exposed, hoping all of our customers would click agree so we could breathe a sigh of relief.

We all made decisions on which brands and companies we wanted to opt-in with and some just didn’t make the final cut. We also had some brands appear where we couldn’t even remember why we signed up with them in the first place?!

We decided to ask Ground Labs’ own Marketing Manager, Matt Jennings-Temple, to give us his expert opinion on why he thinks this privacy policy reset is so good for marketers.

Below he has given his top four points:

“Don’t forget how important your customers are!”

GDPR has brought companies focus back to the customer, as they are now the ones in the driving seat. How you market your brand, what it stands for and what value you bring to them will shape your organisation’s future. This positive change in the law will force alignment across multiple departments such as IT, Finance, Marketing and Sales in how they collect and store customer information.

“Always look to add value”

We as marketers understand that, in order to get our message across to potential and existing customers, we have to use multiple channels and touchpoints. At each of these points you will be collecting data, but under the new GDPR rules, you can no longer collect it without a specific use or purpose to store it. What GDPR does is force marketers to derive value from the data that is collected and pass that through to the business – the risk of not doing this is too great.

“It’s not like you’re starting from scratch”

Do you remember when you last looked in your CRM and saw thousands and in some cases millions of customers’ details? Unfortunately, you are going to have to let them disappear.

Matt says, “Marketers need to see the positive side to this. Now your customer data has been laid bare, you know exactly what data you have and you can focus your attention on quality customer interaction for maximum benefit to the business.”

“It’s GDPR day every day from here on in”

It may seem as though you are scrambling around trying to market your business after the GDPR deadline, but the truth is that some companies will relish the challenge and succeed in this new era of data privacy. You have to ask yourself: do you want to be one of those that fails, or one with a forward-focused customer plan that rivals your competition?

Look out for future blogs on Ground Labs very own GDPR journey.

Real business strategies for GDPR implementation

Now that the GDPR has finally arrived, organisations must take the appropriate steps to ensure that they know where their sensitive data resides. The duty of care now rests fully on the business to meet the requirements of compliance. In this video, John Cassidy, Ground Labs' global sales leader, gives a comprehensive presentation on the best strategies to help organisations deal with the GDPR.

Organisations that store personal data of any kind must report data breaches to the regulator within 72 hours of becoming aware of them (and notify the affected individuals where the breach is likely to put them at high risk), fulfil subject access requests within one month, and execute requests for the deletion of stored personal information (the right to be forgotten). These activities are now essential for organisations to fulfil in order to achieve GDPR compliance. However, achieving and maintaining compliance are two different tasks.

The GDPR has evolved from outdated data protection laws and adds updated and unified data security features. Many data protection ideals have been brought together into one regulation, a welcome step forward for data transparency in the European Union. With personal data an attractive target for hackers looking to sell it on the dark web to the highest bidder, the updated law has been widely welcomed by industry. With high-profile scandals such as the Facebook and Cambridge Analytica incident becoming more frequent, the new EU law provides some solace for people who are concerned about the fate of their personal data.

Data Transparency

John Cassidy suggests that the best way for organisations to achieve GDPR compliance is for all departments to act in unison. There is a common view that the IT department should be responsible for GDPR protocols, but this simply cannot be the case because compliance, once achieved, must become common practice. The IT department, for example, cannot be expected to manage the data of Sales, Marketing and Finance. Inter-departmental cooperation is necessary to avoid data stagnation and to make certain that GDPR compliance activities become a regular part of day-to-day business practices. With all departments working together to manage the flow of information, the organisation as a whole will find itself functioning comfortably within GDPR compliant parameters.

There are no quick fixes for GDPR compliance. Continuous monitoring is the only way to stay within the boundaries of the new legislation and not break the law. In cases where companies are processing large volumes of data each day, the duty of care falls on them to make sure that effective systems are in place to monitor and manage the information. If a GDPR regulator performs an audit and finds a myriad of sensitive personal data cast carelessly into a recycling bin and forgotten or old sensitive information left archived on a disused database, they will not hesitate to penalise.

Cost of GDPR

A common view in the data processing industry is that a data tsunami is coming, and with the GDPR now in full effect, that time has never been closer. Organisations must take care that they do not fall victim to a massive data breach that could prove extremely costly, both financially and in terms of reputation.

Wherever sensitive data is being stored, it is imperative that organisations keep it in an easily accessible and carefully organised way in order to deal with any compliance related queries in a timely manner.

Organisations that follow this best practice guide for regularised compliance activities and adopt the habit of interdepartmental cooperation will find that GDPR compliance becomes a part of their daily business. With this, the process of dealing with the GDPR will be smooth, and the consequences of non-compliance will be avoided as a matter of course. Ultimately the GDPR is about promoting data governance in organisations, so organisations that make compliance a part of their usual practices can rest easy in the knowledge that they are up to standard.

To watch the full video please click here

GDPR discussion – what are the implications of the new EU law?

Summary: Over 80% of EU businesses classified themselves as not being ready for GDPR. Now that it is law, what are they doing to become ready and compliant? This blog is taken from our recent GDPR video discussion series in which Ground Labs' global sales leader, John Cassidy, talks about the implications of GDPR and what he thinks companies need to do now. Watch the YouTube video here.

Is EU business ready for GDPR?

The view in the industry is that 80% of businesses were not ready for GDPR: either they were not prepared, or they took the view that they would wait and see how the market and their competitors reacted. That could be seen as a risky strategy when you have multiple stakeholders concerned about the reputation and ongoing wellbeing of the business. Businesses have had two years to prepare, so they have no excuse for not being ready in time.

Is it too late to start your GDPR compliance journey?

It's never too late to start your compliance journey. In the event of a cyber incident or data breach, the regulator will audit you, looking for an explanation from your DPO of how it happened and what steps had been taken to comply. Doing nothing is not something your customers or stakeholders want to hear. Every company has to start somewhere, and the overriding message from industry experts, and from Ground Labs, is to start doing something as soon as possible.

“It's never too late to start”

How can companies ensure they are GDPR compliant?

It is no longer acceptable to run yearly audits for compliance. Businesses need to look at the ever-present threat of cybercrime and how it affects them. Processes and procedures have to be put in place to educate staff and create awareness of GDPR. An important part of this is ongoing monitoring of sensitive data, so that you understand what you have and where it is. Ground Labs feels we are part of that solution.

Watch the YouTube video here.

Mandatory Data Breach Notification laws are coming…are you ready?

Australian Mandatory Data Breach Notification

The Mandatory Data Breach notification scheme in Australia has come into effect today. The new scheme will strengthen the protections afforded to everyone’s personal information and will improve transparency in the way that the public and private sectors respond to serious data breaches.

This legislation is a new way of putting data first, and companies will be able to prioritise their existing information security programmes of work around what is considered to be personally identifiable information (PII).

Who do the changes apply to?

The changes apply to Commonwealth Government agencies and private sector organisations who are currently subject to the Australian Privacy Principles under the Privacy Act.

This includes private sector organisations, including not-for-profits, with annual (group) turnover of more than $3 million. It also includes small businesses that may be earning $3 million or less where they are health service providers involved in trading in personal information, contractors that provide services under a Commonwealth contract or credit reporting bodies, amongst others.

Entities already exempt from the operation of the Australian Privacy Principles remain exempt from the changes.        

For example, the changes apply to private schools or companies with a turnover of more than $3 million per year, but not to local councils or state government agencies.

What are the fines that an entity might face if it is subject to an eligible data breach?

Where an entity experiences an eligible data breach, the occurrence of that data breach in and of itself is unlikely to result in the entity facing penalties. Rather, a failure to report an eligible data breach will be considered an interference with the privacy of an individual affected by the eligible data breach. Under the Privacy Act, this means that a failure to notify affected individuals of an eligible data breach could be the subject of a complaint to the Privacy Commissioner.

Serious or repeated interferences with the privacy of an individual can give rise to civil penalties of up to $2.1 million. (We note that company directors or management will not be personally liable for such serious or repeated interferences.) The biggest impact is expected to be on reputation and the ability of the company to acquire new customers and keep the current customer base due to lack of trust in its ability to protect the information assets of its customers.

Are there any new rules relating to the security of personal data introduced by the changes?

There are no new requirements regarding the security of personal data. However, the changes primarily supplement Australian Privacy Principle 11 which requires entities who hold personal information to take reasonable steps to protect personal data from misuse, interference and loss, and from unauthorised access, modification or disclosure.

How can Ground Labs help?

Ground Labs has developed and commercialised software that searches the network for sensitive information, identifying all personal information data types and allowing the organisation to gain complete control over its information assets. The solution not only identifies but also lets the company remediate any inappropriately stored sensitive information, and lets the management team make data-driven decisions about how to manage the organisation's information assets.

Enterprise Recon is a worldwide recognised technology that assists with implementation and maintenance of major cybersecurity standards and regulations in Australia and across the globe such as PCI DSS, Australian Privacy Principles, HIPAA, Cyber Security Framework by NIST, IRAP, VPDSS and GDPR.

How US based companies will be affected by GDPR

US companies and GDPR

May of this year will see the EU's new General Data Protection Regulation come into force, bringing a seismic shift in the data security landscape. If you are one of our US-based customers and have only been following the major headlines, you will have seen “the Right to be Forgotten”, “Subject Access Request” and “72-hour breach notification”, as well as very strong fines for non-compliance. GDPR definitely has teeth, and you are going to have to take notice of it.

EU companies are preparing for the new GDPR legislation, each on its own journey to be ready by the May deadline with a plan and policies in place to show the regulator that it has readied itself. The question we are asked a lot is: what about US companies that have no direct business in the EU? Do they need to concern themselves with GDPR?

Well, the answer is yes. Here's why. If you are a US-based company, have a presence in the EU and are collecting personal data, GDPR will apply to your company, and so will the fines!

Geographical implications

Article 3 of the new GDPR states that if a company collects personal data from someone in an EU country, it must comply with GDPR. To clarify this further: GDPR only applies if the data subjects are in the EU when the data is collected. If the EU citizen is outside the EU when the data is collected, then GDPR will not apply.

Specific consent

US companies that are selling or direct marketing into the EU will have to adjust their forms to allow for specific consumer consent. The language of the GDPR legislation means that consent must be freely given. Gone are the days when companies could add multiple lines of small print and use that as an excuse. Consent under GDPR has to be specific, informed and unambiguous.

To show this in practice, I will use a Florida-based company running a marketing campaign into Germany, using a marketing web form to collect email addresses for a specific project. The Florida-based company will need to use clear language informing the data subject what it intends to do with the email addresses once collected, as well as a clear check box or tick box for consent to use their data.

Once this data has been collected, the US company will have to protect it under the GDPR legislation. If it already follows an existing data security standard such as PCI DSS, this new legislation should not be a problem.
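The form handling described above, as an added example that is not Ground Labs code and not part of the original article: a server-side check for the Florida company's German campaign that stores a mailing-list entry only when the consent box was ticked by the user (not pre-ticked), and records the exact purpose text the subject saw alongside the time of consent. The field names, the purpose wording and the sample submissions are constructed for the illustration.

```javascript
// Added example (not Ground Labs code): server-side handling of a marketing
// sign-up form so that only explicit, informed, purpose-specific consent is
// stored. Field names, the purpose text and the sample submissions below are
// constructed for this illustration.

// The exact wording shown next to the tick box. Consent is recorded against
// this text so the company can later show what the data subject agreed to.
const CONSENT_PURPOSE =
  "Receive email updates about the (hypothetical) Project X launch from Example Corp, Florida.";

// Validate one submission. Returns { ok: true, record } for valid consent,
// otherwise { ok: false, reason }.
function validateConsent(submission, now = new Date()) {
  const email = String(submission.email || "").trim();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, reason: "invalid email address" };
  }
  // Unambiguous: only a literal true counts; "on", "1" or undefined do not.
  if (submission.consent !== true) {
    return { ok: false, reason: "consent box not ticked" };
  }
  // Freely given: the box must have been ticked by the user, not pre-ticked.
  // The form sends the box's initial state so the server can tell the two apart.
  if (submission.consentDefault === true) {
    return { ok: false, reason: "consent box was pre-ticked" };
  }
  // Specific and informed: the purpose text the user saw must be the one the
  // company intends to rely on; a stale or different form wording is rejected.
  if (submission.purposeShown !== CONSENT_PURPOSE) {
    return { ok: false, reason: "purpose text shown does not match" };
  }
  return {
    ok: true,
    record: {
      email,
      purpose: CONSENT_PURPOSE,
      consentedAt: now.toISOString(),
      formVersion: String(submission.formVersion || "unknown"),
    },
  };
}

// Process a batch of submissions: accepted records are what would be written
// to the mailing list; rejected ones are logged by reason and never stored.
function processSubmissions(submissions, now = new Date()) {
  const accepted = [];
  const rejected = [];
  for (const s of submissions) {
    const result = validateConsent(s, now);
    if (result.ok) accepted.push(result.record);
    else rejected.push({ label: s.label, reason: result.reason });
  }
  return { accepted, rejected };
}

// Constructed sample submissions for the German campaign.
const SAMPLE_SUBMISSIONS = [
  { label: "ticked by user", email: "anna@example.de", consent: true,
    consentDefault: false, purposeShown: CONSENT_PURPOSE, formVersion: "2018-03" },
  { label: "pre-ticked box left as-is", email: "ben@example.de", consent: true,
    consentDefault: true, purposeShown: CONSENT_PURPOSE, formVersion: "2018-03" },
  { label: "box left unticked", email: "carla@example.de", consent: false,
    consentDefault: false, purposeShown: CONSENT_PURPOSE, formVersion: "2018-03" },
  { label: "old form with different wording", email: "dirk@example.de", consent: true,
    consentDefault: false, purposeShown: "Keep me informed", formVersion: "2017-11" },
];

console.log(JSON.stringify(processSubmissions(SAMPLE_SUBMISSIONS), null, 2));
```

Only the first submission is stored; the other three are turned away with a reason the company can show to the regulator, and the stored record ties the address to the purpose text and timestamp so a later subject access request can be answered.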

Breach notification

Part of the new GDPR legislation is the 72-hour breach notification rule. It does give some leeway in weighing up the risks to the data subject, but if a breach involves a large number of email addresses, or sensitive data such as medical or financial data, or any sensitive data relating to children, then it would require notification to the EU regulator within 72 hours.

There will be ongoing questions about how the EU regulator will enforce these actions against US companies that are doing business and collecting data over the web. However, the EU is very serious about unifying the data privacy laws protecting its citizens and has already changed the web practices of US companies.

What this means is that US companies have to take note of these changing practices and take adequate steps to make sure they do not become a headline after the 25th of May 2018.

Business: The impact of GDPR


The new General Data Protection Regulation (GDPR) is the talk of the town in the security world. A day doesn't seem to pass without a new security breach being reported in the media. Recent cases such as the Equifax scandal and the data breach at Deloitte have brought the subject of data security to the forefront of the news cycle. There are steps all organisations need to take to keep their name out of the next data breach headline.

The breaches give credence to the idea that there was a serious need for a ratified law across all EU member states, specifically relating to data security and protecting individuals' data. The new GDPR legislation was ratified back in 2016 and it required each member state to implement it in national law by May of 2018. Now, with under a year to go, we would like to give our customers a better understanding of how this new regulation will impact businesses across the Eurozone and how we can help them comply with the law.

Firstly, why was GDPR created?

GDPR was created to allow individuals greater control over their personal data. It will unify the set of protection laws across the EU, bringing everyone in line with one standard. Companies that are operating outside of the EU will be subject to this law when they collect data concerning an EU citizen.

What is GDPR at its core?

GDPR addresses many of the failings of its predecessor, the Data Protection Directive, including updating the requirements for documenting IT procedures, performing risk assessments, notifying consumers and authorities of a breach, and reinforcing the rules for data minimisation.

What are the key changes?

  • Increased territorial scope
    o   The legislation will apply to all organisations holding data belonging to EU citizens.
  • Data Protection Officers
    o   Any business that markets goods or services to customers within the EU and collects personal data must appoint a Data Protection Officer.
  • Privacy by design
    o   Data protection is built in from the initial design stage of a system.
  • The right to be forgotten
    o   Any private citizen will be entitled to request the erasure of their personal data.
  • The right to access
    o   The owner of the data has the right to obtain records of their personal information, including where it is being stored and for what purpose.
  • Breach notifications
    o   Companies have an explicit instruction to notify authorities of a breach within 72 hours of one occurring.

What if you don’t comply?

With the new law comes a greater ability to fine companies that don't comply with GDPR. These fines are significant: up to 4% of global revenue or €20 million, whichever is the higher of the two. This has huge implications for companies of any size, since a breach could lead to the company being put out of business!

How do you become GDPR ready?

Three simple steps can help prepare your organisation for GDPR.

  1. Create awareness across the organisation about GDPR, what it covers, and what the fines are for noncompliance.
  2. Use software to find and detect all sensitive data within the organization, including servers, documents, workstations, email inboxes and all cloud storage.
  3. The strategy must be executed within the organization. Appoint a DPO to lead the team and to make sure all of the rulings are adhered to.
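Step 2 above, finding sensitive data wherever it sits, is shown here as an added example that is neither Ground Labs code nor Enterprise Recon: a minimal scanner over a set of in-memory documents that looks for two personal data types, email addresses and payment card numbers (validated with the Luhn check so that random digit runs are not reported), and reports masked findings so the report itself does not become another copy of the data. The document names and contents are constructed for the illustration.

```javascript
// Added example (not Ground Labs' Enterprise Recon): a minimal sensitive data
// scanner over constructed in-memory documents. It finds email addresses and
// Luhn-valid payment card numbers and reports masked samples with offsets.

// Email addresses and 13-19 digit runs that may be separated by spaces or dashes.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Luhn checksum: true when the digit string could be a real card number.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Masking keeps enough to locate the record but never the full value.
function maskEmail(address) {
  const [user, domain] = address.split("@");
  return user[0] + "***@" + domain;
}
function maskCard(digits) {
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Scan one document and return its findings.
function scanDocument(name, text) {
  const findings = [];
  for (const m of text.matchAll(EMAIL_RE)) {
    findings.push({ document: name, type: "email", offset: m.index, sample: maskEmail(m[0]) });
  }
  for (const m of text.matchAll(CARD_RE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (luhnValid(digits)) {
      findings.push({ document: name, type: "card", offset: m.index, sample: maskCard(digits) });
    }
  }
  return findings;
}

// Scan a collection of { name, text } documents and summarise counts by type.
function scanDocuments(documents) {
  const findings = documents.flatMap((d) => scanDocument(d.name, d.text));
  const summary = {};
  for (const f of findings) summary[f.type] = (summary[f.type] || 0) + 1;
  return { findings, summary };
}

// Constructed sample documents: a CRM export, an invoice note with a test card
// number and a non-card digit run, and a file with nothing sensitive.
const SAMPLE_DOCUMENTS = [
  { name: "crm-export.csv", text: "anna@example.de,Berlin\nben@example.fr,Lyon\n" },
  { name: "finance/invoices.txt",
    text: "Paid with card 4111 1111 1111 1111 on 2018-03-02\nOrder ref 1234567890123 (not a card)\n" },
  { name: "notes.txt", text: "Nothing sensitive here." },
];

console.log(JSON.stringify(scanDocuments(SAMPLE_DOCUMENTS), null, 2));
```

The run reports two masked email findings in the CRM export and one card finding in the invoice note; the order reference is a 13-digit run that fails the Luhn check and is not reported. A real discovery tool adds more data types, reads files and mailboxes rather than strings, and feeds the findings into a remediation workflow, but the shape of the report is the same: where the data is, what kind it is, and a sample safe enough to put in front of management.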

How can Ground Labs help?

We offer free risk assessments to give an organisation a snapshot of all the sensitive data held in the environment we scan. The assessment helps to identify and understand the potential GDPR risk to the organisation.

Now you know how to prepare for GDPR, is your company ready? Start your GDPR journey with Ground Labs: click the link for a free risk assessment http://content.groundlabs.com/gdpr_assessment

Who is Ground Labs?

Ground Labs is the data security and auditing software provider of choice for over 2500 companies globally. Organisations use our Enterprise Recon and Card Recon products to scan for and remediate unsecured sensitive data on their computer systems. Securing this data helps them prevent serious data breaches and comply with global information standards such as PCI DSS and GDPR. Our 24/7 best-in-class support function focuses on providing a high level of customer care across multiple time zones. Founded in 2007, our global presence is headquartered in Singapore, with offices in Europe and the USA. For further information or to request a product demo please visit www.groundlabs.com