GDPR Needs You To Know Where Your Sensitive Data Is. Do You Know?

Do you know where all your sensitive data is?

Companies across the EU know they need to become GDPR compliant by the 25th of May this year. GDPR will affect some businesses more than others, but the large majority of companies will have to increase the level of security around the PII data they collect and how they store it. Before they can do this, they first have to find out where their sensitive data is currently stored and figure out what to do with it.

All businesses want to protect the data they collect, but how can you protect something if you don’t know where it is?

Ask any IT manager in the EU today whether finding out where their sensitive data is across their network is simple without a tool to do it, and I guarantee you won’t like their response. In simple terms, finding that data right now is a long and laborious process that takes time. Time is something no business has a lot of, least of all an already under-pressure IT department. So discovering that data has to be a priority for every business.

Businesses have to know what data is relevant under GDPR, which systems and departments hold the most sensitive data, and whose workstation or cloud storage holds sensitive data that might put the business at a higher level of risk if it were to be breached.

There seems to be some misconception around the cloud. Most companies lack an understanding of what sensitive data is being stored there and do not realise that they themselves must take responsibility for securing it. The GDPR guidelines clearly state that if you are storing sensitive data, irrespective of where it is stored, you have to take steps to secure it. This is a great example of why you need the correct tool, one that can discover and remediate sensitive data across your entire network, not just certain parts of it.

Deleting all your sensitive data is like cleaning all the dust in your house, it always comes back. So you need continuous monitoring.

At Ground Labs, we use the analogy that cleaning up your sensitive data is similar to cleaning your house. You can vacuum and the dirt is gone, but you are not going to clean your house only once. The dirt will always find its way back into the house. Sensitive data is the same: once you manage to clean it up, it will always find a way back into your business. So the tool you choose has to be able to continuously discover and monitor where your sensitive data is.

This is where the correct data discovery tool plays a major part in finding your sensitive data. Such a tool has data security at its core and allows organisations to constantly track where their sensitive data is. I’m sure some of you will be asking the question, “could we not find our own sensitive data?”

Maybe…but discovering and identifying where every last instance of sensitive data is across your entire network has to be the foundation of your GDPR compliance. The hefty fines of 4% of global turnover or €20 million, if you get something wrong, should not be taken lightly.

A discovery tool can provide business insights into exactly where the sensitive data is and give you options for some quick wins by remediating the data found. With a tool in place, discovering data becomes an ongoing process rather than a one-off exercise.


Instead of eating into the IT department’s already hefty schedule, you need to find a tool that works for your company. As your GDPR compliance project continues past the deadline, such a tool will become invaluable in helping you fight cybercrime and reduce the possibility of a data breach, because you will know where all your sensitive data is and will have secured it.

10 Practical tips for GDPR compliance

GDPR and Ground Labs

As we all saw yesterday, Facebook is now looking at the prospect of a hefty fine. Had this information come to the commission’s attention on May the 25th, it could have been a very different story. Time is running out, not just for Facebook to protect all our data but for everyone else as well. For those of you still struggling with the challenges posed by the new GDPR, please read on for some practical tips.

The Facebook-Cambridge Analytica situation this week has thrown the way companies handle data into the spotlight and the mainstream news once again. Cybersecurity and cybercriminals have become commonplace in our daily news cycle. Time marches on to the May 25th deadline, when all companies will need to comply with the new EU General Data Protection Regulation (GDPR). Businesses across the UK and the EU have only two months to consider how they handle, collect and store citizens’ personal data in ways that do not infringe on their rights.

We know about the fines facing companies that don’t comply or have no plan in place to show the commission they are preparing for GDPR, but let us talk frankly for a minute. What would the reputational damage be for a company hitting the headlines because of a data breach? For these large organisations, how do shareholders now view the stock? How does the average consumer on the high street now see the company that lost their data? We are all consumers, and we trust companies to take care of our personal data. We trust them to take adequate steps to protect it where it’s stored. We trust them enough to assume they have taken the necessary steps to stop the constant threat of cybercriminals hell-bent on stealing that data. But look at Facebook as an example. They are a massive global organisation with endless resources to secure personal data, but they failed. We as consumers feel helpless when our data is splashed across the news headlines, and the reputational damage to the business and the brand sometimes outweighs whatever the fine will be.

There are some positives we can take from high profile data breaches. Many company executives have been forced to sit up and take note. The old idea of leaving compliance to the IT manager has gone. Companies now realise they have a responsibility to keep the data they collect secure. They also have to minimise the risk of data breaches as best they can by taking a company-wide approach to data management.

These companies are now driving a lot of the governance work, including revised policies, training and assurance, which is time-consuming but necessary. A company’s ability to inform the ICO (Information Commissioner’s Office) of a data breach within 72 hours of being alerted, and to respond to subject access requests within one month, is currently a large challenge. Companies are being forced to take the appropriate steps to review how they process data and take adequate action.

To help you through the GDPR minefield, I have put together 10 practical tips for compliance. I hope they help.

1. Map out where personal data is, where it came from, who has access to it and what it’s being used for.

2. Expand on your consent notices across your website, brochures and third-party contracts.

3. Explain the option to opt out of future marketing, when data might be collected, and exactly how it could be used, to meet the new requirement for ‘clear affirmative action’ and the end of pre-ticked boxes and bundled consents.

4. Signpost privacy notices better across all mediums.

5. Highlight to your customers when data that’s been collected may be sent outside the European Economic Area (EEA), to Government Digital Service centres overseas for example, where data protection may not be as strong as within the EEA.

6. Ensure customers are aware of their right to demand full details of the information held on them. Under the new GDPR, citizens now have rights over what data is being stored.

7. Understand that a company’s appointed data controller must notify privacy regulators and affected individuals of certain data privacy breaches within 72 hours – without the correct tools this could take some time!

8. Conduct a full data audit, and review data collection forms and privacy notices. Establish how much sensitive data you have and where it is.

9. Demonstrate compliance to regulators on a security-by-design basis and maintain records of data protection management. If you have not got consent to hold a person’s personal data – delete it.

10. Take practical steps to deal with Subject Access Requests and the Right to Erasure – again, there are tools out there to help speed this process up.

Good luck as time is ticking!

Mandatory Data Breach Notification laws are coming…are you ready?

Australian Mandatory Data Breach Notification

The Mandatory Data Breach notification scheme in Australia has come into effect today. The new scheme will strengthen the protections afforded to everyone’s personal information and will improve transparency in the way that the public and private sectors respond to serious data breaches.

This legislation is a new way of putting data first, and companies will be able to prioritise their existing information security programs of work around what is considered to be Personally Identifiable Information (PII).

Who do the changes apply to?

The changes apply to Commonwealth Government agencies and private sector organisations who are currently subject to the Australian Privacy Principles under the Privacy Act.

This includes private sector organisations, including not-for-profits, with annual (group) turnover of more than $3 million. It also includes small businesses that may be earning $3 million or less where they are health service providers involved in trading in personal information, contractors that provide services under a Commonwealth contract or credit reporting bodies, amongst others.

Entities already exempt from the operation of the Australian Privacy Principles remain exempt from the changes.

For example, the changes apply to private schools or companies with a turnover of more than $3 million per year, but not to local councils or state government agencies.

What are the fines that an entity might face if it is subject to an eligible data breach?

Where an entity experiences an eligible data breach, the occurrence of that data breach in and of itself is unlikely to result in the entity facing penalties. Rather, a failure to report an eligible data breach will be considered an interference with the privacy of an individual affected by the eligible data breach. Under the Privacy Act, this means that a failure to notify affected individuals of an eligible data breach could be the subject of a complaint to the Privacy Commissioner.

Serious or repeated interferences with the privacy of an individual can give rise to civil penalties of up to $2.1 million. (We note that company directors or management will not be personally liable for such serious or repeated interferences.) The biggest impact is expected to be on reputation and the ability of the company to acquire new customers and keep the current customer base due to lack of trust in its ability to protect the information assets of its customers.

Are there any new rules relating to the security of personal data introduced by the changes?

There are no new requirements regarding the security of personal data. However, the changes primarily supplement Australian Privacy Principle 11 which requires entities who hold personal information to take reasonable steps to protect personal data from misuse, interference and loss, and from unauthorised access, modification or disclosure.

How can Ground Labs help?

Ground Labs has developed and commercialised software that searches for all sensitive information within the network, identifying all personal information data types and allowing the organisation to gain complete control over its information assets. The solution will not only identify but also allow the company to remediate any inappropriately stored sensitive information, and allow the management team to make data-driven decisions on how to manage the information assets of the organisation.

Enterprise Recon is a globally recognised technology that assists with the implementation and maintenance of major cybersecurity standards and regulations in Australia and across the globe, such as PCI DSS, the Australian Privacy Principles, HIPAA, the NIST Cyber Security Framework, IRAP, VPDSS and GDPR.

How US based companies will be affected by GDPR

US companies and GDPR

May of this year will see the EU’s new General Data Protection Regulation come into law. It will bring about a seismic shift in the data security landscape. If you are one of our US-based customers and have only been following the major headlines, you will have seen “the Right to be Forgotten”, “Subject Access Request” and “72-hour breach notification”, as well as the very strong fines for non-compliance. GDPR definitely has some teeth and you are going to have to take notice of it.

EU companies are preparing for the new GDPR legislation, each of them on their own journey to be ready by the May deadline and to create a plan, with policies in place, to show the regulator they have readied themselves for GDPR. The question we get asked a lot is: what about US companies that have no direct business in the EU? Do they need to concern themselves with GDPR?

Well, the answer is yes. Here’s why. If you are a US-based company with a presence in the EU and you are collecting personal data, GDPR will apply to your company, and so will the fines!

Geographical implications

Article 3 of the new GDPR states that if a company collects personal data from someone in an EU country, it must comply with GDPR. To clarify this further, it means that GDPR only applies if the data subjects are in the EU when the data is collected. If the EU citizen is outside of the EU when the data is collected, then GDPR will not apply.

Specific consent

US companies that are selling or direct marketing into the EU will have to adjust their forms to allow for specific consumer consent. The language of the GDPR legislation means that consent must be freely given. Gone are the days when companies could add multiple lines of small print and use that as an excuse. Consent under GDPR has to be specific, informed and unambiguous.

To show this in practice, I will use a Florida-based company running a marketing campaign into Germany, using a marketing web form to collect email addresses for a specific project. The Florida-based company will need to use clear language informing the data subject what it intends to do with the email addresses once collected, as well as a clear check or tick box for consent to use their data.

Once this data has been collected, US companies will have to protect it under the GDPR legislation. If they already follow an existing data security standard such as PCI DSS, this new legislation should not be a problem.

Breach notification

Part of the new GDPR legislation is the 72-hour breach notification rule. It does give some leeway in weighing up the risks to the data subject, but if you have a breach involving a large number of email addresses, sensitive data such as medical or financial data, or any sensitive data relating to children, then all of these would require notification to the EU regulator within 72 hours.

There will be ongoing questions about how the EU regulator will enforce these actions against US companies that are doing business and collecting data over the web. However, the EU is very serious about unifying the data privacy laws protecting its citizens and has already changed the web practices of US companies.

What this means is US companies have to take note of these changing practices and take the adequate steps to make sure they do not become a headline after the 25th of May 2018.

The countdown is truly on for GDPR and the time to act is now!

Act now for GDPR

16th PCI London, 25 January 2018, London, UK

Without sounding overdramatic, time is truly running out for businesses who have yet to engage with or consider how to become compliant with GDPR. The clock is ticking and, with less than six months remaining until GDPR is rolled out across the EU, the time to start your compliance process is now. Researching GDPR is easy with the vast volume of information the internet produces each day, but who do organisations turn to for practical help that will aid them in becoming compliant? We believe Ground Labs is part of the solution.

In under six months’ time, GDPR will be rolled out across the UK and the wider EU, putting into law a set of regulations that will impact every business dealing directly with EU citizens’ personal information.

Who within the organisation does the responsibility of preparing for GDPR ultimately fall on? Can this important task be left to the head of IT? From our experience, we are finding that the GDPR journey needs to be a company-wide approach. The regulation is very clear that businesses must ensure privacy by design when projects are undertaken. Privacy and security must go hand in hand from the beginning to the end of any project, and taking a wider organisational approach to compliance will yield better results.

The clock is ticking for GDPR

Taking a company-wide decision allows businesses to get ahead of GDPR and put the necessary steps in place. We are also noticing that businesses who use the PCI DSS framework for compliance have taken major steps in their preparation for the oncoming GDPR storm; this path helps them build a total compliance framework covering all standards.

The compliance frameworks are just one part of the bigger GDPR picture. There is a real business need in the market for practical ways to address these challenges on a daily basis and to assist with continuous compliance. We suggest having the ability to forensically scan for all structured and unstructured data across your entire business environment.

Enterprise Recon

Having a tool with over 200 data types preconfigured, which lets you highlight what sensitive data was found and report back on it, is one thing, but once this data is found there need to be practical policies in place to remediate it. Enterprise Recon not only gives you the power to scan for and remediate sensitive data within your environment; through its custom scanning capability it will also help you comply with Article 15, the “Right to Access” or Subject Access Request, and Article 17, the “Right to Erasure”. Once you know where the sensitive data is currently sitting, you want the ability to manage it effectively and report back to the data subject.

We understand this is only one part of the process, but taking steps now to discover, monitor and remediate sensitive data is key to both PCI and GDPR, so act now!


The PCI DSS has set a goal of Business-As-Usual security, while GDPR needs businesses to ensure privacy by design. Under these rules, businesses will have to integrate data privacy and security from the start to the end of all projects. Our Enterprise Recon software allows you to simplify the processes needed to make security a Business-As-Usual practice for your organisation. Recurring scans can be set up to ensure continuous monitoring. You can also receive concise and detailed reports of your business’s data build-up, directly on your management dashboard. Finally, we believe being at this year’s PCI London event will give us the opportunity to share our experiences in the market and give practical tips to businesses on dealing with the four main articles of GDPR.

Meet us at this year’s PCI London event at the Park Plaza Victoria, 239 Vauxhall Bridge Road, London, SW1V 1EQ, UK. To register your interest in a demo please contact

Managing GDPR – Article 17 “Right to Erasure”

Right to Erasure

GDPR Article 17 – “Right to Erasure”

Imagine for a second that you’re sitting at your work desk in late May 2018. Suddenly, you receive a notification as a new email is delivered to your inbox. This email contains a request invoking Article 17 of the newly enacted EU GDPR legislation, “The Right to Erasure”, or, in plain English, the right to be forgotten. What does this mean for your business? Well, it means that the person sending the email is requesting that you erase every instance of their personal information you have stored within your organisation, right down to the last digit.

Do you have to comply with this request? The answer is a resounding YES. In addition, this request must be completed without delay and at zero cost to the requester. This element of the GDPR legislation requires companies to erase all personally identifiable information (PII) that is stored in files, databases, any workstations the requester may have used (if they were a former employee), cloud storage, and copied or archived files. Everything! There’s more. As an organisation, you have to be able to prove that you have deleted all such files, and if you have ever shared the requester’s details with a third party, it’s your responsibility to contact that third party and inform them of the erasure request.

The next question that arises from Article 17 is, “Who is responsible for Right to Erasure requests?” Does this automatically fit into the remit of the IT department? Our experience with customers dealing with the day-to-day process of preparing for GDPR is that it’s more of an organisation-wide approach. GDPR will put a greater burden on organisations to be able to handle these requests, from the process and people management aspects right through to the IT department’s capability to handle and comply with the request.

There is a wider cost implication for a business that is looking to comply with GDPR and to be able to state that it has taken the necessary steps to do so. Article 17 restricts the use of people’s data to the original purpose at the time of collection. If you as an organisation want to use it for something else, then you’re going to have to get the user’s clear consent and approval to do so.

Your data is stored everywhere.

Do you know where your data is?

You need to comply with GDPR

The EU GDPR has a global remit. It makes no difference where exactly the data is stored or where in the world your company is located. If the “data subject” is residing in the EU and they request the right for their information to be erased, then the rules apply to you. Every instance of that data subject’s data has to be erased “without undue delay”. The majority of businesses right now do not have the capability to find all these instances across their entire environment. As we have mentioned previously, there are hefty fines for non-compliance, with all that could mean for your business.

With the hefty fines in place and a hard deadline of the 25th of May for the GDPR coming into law, IT departments and boards are quickly adopting a strategy to comply before the GDPR deadline is reached.

GDPR fines

Don’t get fined

Prepare for GDPR now!

Businesses are very prudent in determining risk, and limiting the risk to their business is paramount. However, how many organisations at this moment in time would be able to act on a Right to Erasure request effectively? Could you effectively scan your entire environment and find every instance of a person’s sensitive data? If that information is sitting in a database or on a workstation, could you find it? And in what timeframe?

Personal information is stored in marketing and sales departments in CRM systems, which have their own databases attached to them, in multiple file formats. Personal information also finds its way into Word documents, spreadsheets and other files. Can you imagine, for a moment, trying to manually trawl through every file looking for a marker that represents a particular person? It could take weeks that you haven’t got! Having the ability to scan all of these file formats and deliver the discovered results will give your business the edge when it comes to compliance with GDPR, and save the job of the head of IT.

Companies are choosing to hold onto data forever instead of deleting it. Storing the data may seem like a great idea, but with Article 17 coming into force you will now need the ability to scan very specific sections of that data and delete information on request. You need to be ready, as there is no room for error.

Your next steps for compliance

Ground Labs’ flagship product, Enterprise Recon, allows you to scan your entire environment for sensitive data. With over 200 PII data types already preconfigured out of the box and a custom search facility built into the tool, handling organisation-wide requests such as the “Right to Erasure” becomes a lot easier. From the dashboard, you will be able to see precisely where across your environment your sensitive data is being stored, forensically down to which file it’s stored in. You can then remediate it or show the user where that sensitive data lies. Of the multiple remediation functions the tool has, the delete or “nuke it” function is the most powerful in this case. You can clearly show the user that all stored instances of their data across the network have now been permanently deleted and cannot be retrieved. Once “nuked”, it’s gone for good!

Need help understanding where your unstructured and structured data is, and worried about how you will handle a “right to erasure” request? Then contact one of our trained GDPR experts, who can help you with a free risk assessment. To book a demo please visit

The real cost of GDPR and how to minimise risk

The cost of GDPR

What is the real cost of GDPR?

Over the past six months, during our GDPR-related sessions, a number of important questions have arisen from conversations with our clients and customers. One of the questions asked is “How do companies deal with a SAR?” Read our blog post on Subject Access Requests for greater insight into how companies are preparing for them. Another very important question is that of cost. What is the actual cost to businesses of preparing for GDPR, and how do you minimise the risk?

You can break this question down into a number of bite-sized portions, the first being the financial cost to the business. A recent study (2017) by IBM into the true cost of a security data breach found the average cost to an organisation suffering a data breach to be $3.62 million. The study covered 419 participating companies. This figure showed a decrease from the previous year, but the size of the average breach had risen by 1.8% from the previous year. To read the full report please click here.

This $3.62 million is only a small representation of the overall cost to companies who suffer a data breach. With the new GDPR legislation coming into law next year, the potential fines alone for companies suffering a data breach have been well documented. GDPR will have a tiered penalty structure for companies that do not comply and subsequently suffer a data breach. The more serious the breach, the higher the penalty: 4% of global revenue or 20 million euro, whichever is higher. This would easily eclipse the $3.6 million stated in the IBM report. There are also other fines to take into consideration when planning your GDPR journey. Non-compliance with Article 28 (“Processor”) will also carry a fine. 2% of global revenue can be issued to a company whose records are not in order, or if the supervisory authority and data subjects are not notified of a breach. Overlooking the planning and breach notification requirements of GDPR could turn out to be very expensive for companies.

There are also other factors that have to be taken into consideration when looking at the overall costs and impacts to the business. What impact will a potentially disastrous data breach have on your brand? A breach would be felt throughout the business, including by your employees. Why? Because the brand has been tarnished. In an age of security-conscious consumers who value their own personal data and want to know that it’s being kept safe and secure by the companies they trust to handle it, a breach could be catastrophic. Consumer and business confidence is key to long-term growth in any industry, so can you put a cost on that? The actual cost of a breach may be felt for years, even if the business does come through it.

So how does Ground Labs’ software help to reduce the risk of a data breach and help towards becoming compliant with GDPR? Enterprise Recon has over 200 data types built into the tool straight out of the box. It has been enhanced to include data types from all 28 EU countries to help in the search for where in your network your sensitive data is stored. The tool is an on-premise product and forensically searches your entire environment looking for structured and unstructured data.

Once you run a scan across your environment, all instances of sensitive data found will be reported in the Ground Labs product dashboard.


Enterprise Recon Management dashboard

From the dashboard, you will be able to see exactly where across your entire network your sensitive data is being stored. You then have the ability to decide how you handle that data, with multiple remediation and reporting functions.

Our GDPR-ready tool is the perfect tool to use, no matter what stage your business is at on its GDPR journey. Understanding where your data is and how to remediate it will help to reduce compliance costs and eliminate the root cause of cybersecurity data breaches.

To download a free copy of our white paper on GDPR please click the link:

Ground Labs_The_GDPR_Journey_Embrace_the_data

If you would like further information on how Ground Labs can help with your GDPR initiative, please visit to arrange a free risk-assessment.


How can organisations handle a GDPR Subject Access Request?


GDPR Subject Access Request


Article 15 of GDPR outlines what a Subject Access Request (SAR) is, how businesses need to react and how to comply with them. If your organisation is collecting data on EU citizens, there is a high possibility that you will start to see a steady flow of SARs coming into your inbox. This will impact your business in a multitude of ways.

Firstly, there is a business planning element to this: from an operational aspect, how could you handle one request per week, 10 a week or, if you are a larger organisation, 100 per week? This poses a number of additional questions for any business. New processes and internal policies will have to be implemented throughout the organisation to make staff and stakeholders aware of how to handle a SAR effectively.

The second element to any SAR is how you know what information you hold on a data subject and, more importantly, whether you have the capability to find it. This is where Ground Labs is positioned to help organisations of any size right across the EU. Our sensitive data discovery tool already has over 200 PII data types preconfigured, so the tool works straight out of the box and starts to find sensitive data as soon as a scan has been set up to run. PII types such as name, address, bank details, health numbers, passport numbers and driving licence numbers are all pre-configured into the tool.

If you are running a search for a specific SAR, our tool will search your entire network for every instance of the data type you are looking for and report back its findings. To comply with Article 15 you have 30 days to respond to the data subject, answering in detail where their data has been stored on your network. Enterprise Recon can give you that information. It’s not big and clunky; it’s on-premise and runs quietly in the background without slowing down your network while a scan is being run.

Want to learn more? Are you preparing your GDPR policy and don’t know how to manage a Subject Access Request? If so, contact Ground Labs today for a free risk assessment. Please visit:






PCI Community Meeting: GDPR front and centre

PCI Barcelona 2017

Meet us at the PCI Community Meeting in Barcelona

We recently returned from the AISA Conference in Sydney, Australia, after presenting Ground Labs’ data security proposition to global and local businesses alike. The organisations we spoke with who had a European presence quickly turned the conversation to the new General Data Protection Regulation (GDPR) deadline of May 2018 and how Ground Labs can help prepare them for the new regulation.

The organisations we spoke to had an overwhelming realisation that GDPR will play a major role in how they handle sensitive data, privacy policies and data security moving forward into 2018. The need to take a company-wide approach is a new concept, as in the past these decisions would have rested firmly with the IT department. This new approach will allow businesses to tackle the grey areas of the regulation and become compliant.

In my previous blog, I set out how GDPR will impact businesses and the steps they will need to take to prepare themselves for compliance. This week’s PCI Community Meeting in Barcelona will put GDPR front and centre.

Our global presence gives us a unique insight into how organisations are dealing with GDPR across all the major markets we do business in (EMEA, APAC and North America). This has allowed us to be a major factor in helping them define their data security policy around their structured and unstructured data.

With this clear messaging from businesses, I felt it necessary to outline our role in helping them deal with the rollout of a GDPR initiative. Our positioning takes a different turn from the majority of the noise. As a security software vendor, we understand the importance of securing sensitive data while giving companies the option to protect their environment through our forensic data search tool.

The Ground Labs solution offers proven capability based on Ground Labs’ existing market focus on being the #1 discovery product vendor in the PCI compliance space. However, in response to increased data breach notification and privacy requirements from existing customers and the market in general, Ground Labs has continued to evolve its product capabilities to meet these additional requirements with a broad variety of Personally Identifiable Information (PII) that may also be utilized by organisations over the long term.

Want to learn more? Have further questions about where your data is stored? To register your interest in receiving a free risk assessment, click here.

Business: The impact of GDPR

The new General Data Protection Regulation (GDPR) is the talk of the town in the security world. A day doesn’t seem to pass without a new security breach being reported in the media. Recent cases such as the Equifax scandal and the data breach at Deloitte have brought the subject of data security to the forefront of the news cycle. There are steps all organisations need to take to keep their name off the next data breach headline.

The breaches give credence to the idea that there was a serious need for a ratified law across all EU member states, specifically relating to data security and protecting individuals’ data. The new GDPR legislation was ratified back in 2016 and it outlined the need for each member state to implement it into a new national law by May of 2018. Now, with under a year to go, we would like to provide our customers with a better understanding of how this new regulation will impact businesses across the Eurozone and how we can help them comply with the law.

Firstly, why was GDPR created?

GDPR was created to allow individuals greater control over their personal data. It will unify the set of protection laws across the EU, bringing everyone in line with one standard. Companies that are operating outside of the EU will be subject to this law when they collect data concerning an EU citizen.

What is GDPR at its core?

GDPR addresses many of the failings of its predecessor, the Data Protection Directive, including updating requirements for documenting IT procedures, performing risk assessments, notifying consumers and authorities of a breach, and reinforcing the rules for data minimisation.

What are the key changes?

  • Increased territorial scope
    o The legislation will apply to all organisations holding data belonging to EU citizens.

  • Data Protection Officers
    o Any business that markets goods or services to customers within the EU and collects personal data must appoint a Data Protection Officer.

  • Privacy by design
    o Data protection measures are built in from the initial design stage of a system rather than added afterwards.

  • The right to be forgotten
    o Any private citizen will be entitled to request the erasure of their personal data.

  • The right to access
    o The owner of the data has the right to obtain records of their personal information, including where it’s being stored and for what purpose.

  • Breach notifications
    o Companies have an explicit instruction to notify authorities of a breach within 72 hours of one occurring.

What if you don’t comply?

With the new law comes a greater ability to fine companies that don’t comply with GDPR. These fines are significant not just in their size (4% of global revenue or €20 million, whichever is the higher of the two) but in their consequences: a company of any size that suffers a breach could be put out of business!

How do you become GDPR ready?

3 simple steps can help prepare your organisation for GDPR.

  1. Create awareness across the organisation about GDPR, what it covers, and what the fines are for noncompliance.
  2. Use software to find and detect all sensitive data within the organization, including servers, documents, workstations, email inboxes and all cloud storage.
  3. The strategy must be executed within the organization. Appoint a DPO to lead the team and to make sure all of the rulings are adhered to.

How can Ground Labs help?

We offer free risk assessments to give an organisation a snapshot of all of the sensitive data being held in the environment we scan. The assessment will help to identify and understand the potential GDPR risk to an organisation.

Now you know how to prepare for GDPR, is your company ready? Start your GDPR journey with Ground Labs: click the link for a free risk assessment.

Who is Ground Labs?

Ground Labs is the data security and auditing software provider of choice for over 2500 companies globally. Organisations use our Enterprise Recon and Card Recon products to scan for and remediate unsecured sensitive data on their computer systems. Securing that data allows them to prevent serious data breaches and helps them comply with global information standards such as PCI DSS and GDPR. Our 24/7 best-in-class support function focuses on providing a high level of customer care across multiple time zones. Founded in 2007, our global presence is headquartered in Singapore, with offices in Europe and the USA. For further information or to request a product demo please visit