What is the real cost of GDPR and how to minimise the risk?

The cost of GDPR

What is the real cost of GDPR?

Over the past 6 months, there has been a number of important questions when Ground Labs are in discussions with clients and customers in all of our GDPR related sessions. One of the questions asked is how do companies deal with a SAR? Read our blog post on Subject Access Requests to give you a greater insight into how companies are preparing for them. Another very important questions are the one of cost. What is the actual cost to businesses when preparing for GDPR and how to minimise the risk?

You can break this question down into a number of bite-sized portions. The first is the financial cost to the business. A recent study (2017) by IBM into the true cost of a security data breach found the average cost to an organisation who suffered a data breach to be $3.62 million. The study had 419 companies who participated. This figure had decreased from the previous year but the size of the breach had risen by 1.8% from the previous year. To read the full report please click here.

This $3.62 million is a small representation of the overall cost to companies who suffer a data breach. With the new GDPR legislation coming into law next year, the fines alone for companies suffering a data breach have been well documented. GDPR will have a tiered penalty structure attached to it for companies that do not comply and suffer a data breach. The more serious the breach the higher the penalty, 4% of global revenue or 20 Million Euro whichever is higher could potentially eclipse the $3.6 million stated in the IBM report. There are also other fines to take into consideration when planning your GDPR journey. Complying with Article 28 will also have a fine associated with it. 2% of global revenue can be issued to a company whose records are not in order or the supervising authority and data subjects are not notified of a breach. The oversight of the planning and breach notification part of GDPR could turn out to be very expensive for companies.

There are also other factors that have to be taken into consideration with looking at overall costs and impacts to the business. What impact will a potentially disastrous data breach have on the brand? A breach would be felt right across the business including its staff.  Why? Because the brand has been tarnished. In an age of security-conscious consumers who value their own personal data and want to know it’s being kept safe and secure by the companies they trust to handle it, could be catastrophic. Consumer and business confidence is key to long-term growth in any industry, so can you put a cost on that? This actual cost may be felt for years if the business even comes through it.

So how does Ground Labs software help to reduce this risk of a data breach and help towards becoming compliant with GDPR? Our Enterprise Recon has over 200 Data Types built into the tool straight out of the box. It’s been upgraded to include data types from all 28 EU countries to help you search where in your network your sensitive data is stored. The tool is an on-premise product and forensically search’s your entire network looking for structured and unstructured data.

Once you run a scan on across your network it will report all instances of sensitive data found in Ground Labs product dashboard.

Enterprise Recon product image

Enterprise Recon management dashboard

There you will have the option to see exactly across your entire network where your sensitive data is being stored. You then have options to decide how you handle that data with multiple remediation functions.

Our GDPR ready tool is a perfect tool to use to no matter where your business is on the GDPR journey. Understanding where your data is and how to remediate it will help to reduce compliance costs and eliminate the root cause of cybersecurity data breaches.

To download a free copy of our white paper on GDPR please click the link:

Ground Labs_The_GDPR_Journey_Embrace_the_data

If you would like further information on how Ground Labs can help with your GDPR initiative. Please visit http://content.groundlabs.com/gdpr_assessment to organise a free risk-assessment.


How can organisations handle a GDPR Subject Access Request?


GDPR Subject Access Request


Article 15 of GDPR outlines what a Subject Access Request (SAR)is and how business needs to react and how to comply with them. If your organisation is collecting data on EU citizens there is a high possibility that you will start to see a steady flow of SAR’s coming into your inbox. This will impact your business in a multitude of ways.

Firstly there is a business planning element to this and how from an operational aspect could you handle 1 request per week, 10 a week or if you are a larger organisation 100 per week? This poses a number of additional questions for any business. New processes and internal policies will have to be implemented throughout the organisation to making staff and stakeholders aware of how to effectively handle a SAR.

The second element to any SAR is how do you know what information you have on a data subject and more importantly do you have the capability to find it? This is where Ground Labs are positioned to help organisations of any size right across the EU. Our sensitive data discovery tool already has over 200 PII data types preconfigured so the tool works straight out of the box and starts to find sensitive data as soon as the scan has been set up to run. PII types such as name, address, bank details, health numbers, passport numbers and driving licence number all pre-configured into the tool.

If you are running a search tool for a specific SAR our tool will search your entire network for every instance of the data type you are looking for a report back its findings. To comply with Article 15 you have 30 days to respond to the data subject answering in detail where their data has been stored on your network. Enterprise Recon can give you that information. It’s not big and clunky, it’s on-premise and runs quietly in the background without slowing down your network as a scan is being run.

Want to learn more and are you preparing your GDPR policy and don’t know how to manage a Subject Access Request? If so contact Ground Labs today for a free risk assessment. Please visit:







PCI Community Meeting: GDPR front and centre

PCI Barcelona 2017

Meet us PCI Community Meeting in Barcelona

We recently returned from the AISA Conference in Sydney, Australia, after presenting Ground Labs data security proposition to global and local businesses alike. The organisations we spoke with who had a European presence quickly turned the conversation to the new General Data Protection Regulation (GDPR) deadline of May 2018 and how Ground Labs can help to prepare them for the new regulation.

The organisations we spoke to had an overwhelming realisation that GDPR will play a major role in how they handle sensitive data, privacy policies and data security moving forward into 2018. The need to take a company-wide approach is a new concept, as in the past these decisions would have firmly rested with the IT dept. This new approach will allow businesses to tackle the grey areas of the regulation and allow them to become compliant.

In my previous Blog, I set out how GDPR will impact businesses and the steps they will need to take to prepare themselves for compliance. This week’s PCI Community meeting in Barcelona will put GDPR front and centre.

Our global presence gives us a unique insight into how organisations are dealing with GDPR across all the major markets we do business in (EMEA, APAC and North America) This has allowed us to be a major factor in helping them define their data security policy around their structured and unstructured data.

With this clear messaging from businesses, I felt it necessary to outline our role in helping them deal with the role out of a GDPR initiative. Our positioning takes a different turn to the majority of the noise. As a security software vendor, we understand the importance of securing sensitive data while giving companies the option to protect their environment through our forensic data search tool.

The Ground Labs solution offers proven capability based on Ground Labs’ existing market focus on being the #1 discovery product vendor in the PCI compliance space. However, in response to increased data breach notification and privacy requirements from existing customers and the market in general, Ground Labs has continued to evolve its product capabilities to meet these additional requirements with a broad variety of Personally Identifiable Information (PII) that may also be utilized by organisations over the long term.

Want to learn more? Have further questions about where your data is stored? Register your interest in receiving a free risk assessment click here.

Business: The impact of GDPR

GDPR flag

The new General Data Protection Regulation (GDPR) is the talk of the town in the security world. A day doesn’t seem to pass by without a new security breach being reported in the media. Recent cases such as the Equifax scandal and the data breach at Deloitte has brought the subject of data security to the forefront of the news cycle. There are steps all organisations need to make to stop their name being on the next data breach headline.

The breaches give credence to the idea that there was a serious need for a ratified law across all EU member states, specifically relating to data security and protecting individuals data. The new GDPR legislation was ratified back in 2016 and it outlined the need for each member state to implement it into a new national law by May of 2018. Now with under a year to go, we would like to provide our customers with a better understanding of how this new regulation will impact businesses across the Eurozone and how we can help them comply with the law.

Firstly, why was GDPR created?

GDPR was created to allow individuals greater control over their personal data. It will unify the set of protection laws across the EU, bringing everyone in line with one standard. Companies that are operating outside of the EU will be subject to this law when they collect data concerning an EU citizen.

What is GDPR at is core?

GDPR addresses many of its predecessors (Data Protection Directive) failings including updating requirements for documenting IT procedures, performing risk assessments, notifying the consumer and authorities of a breach and reinforcing the rules for data minimization.

What are the key changes? 

  • Increased Territorial scope

o   The legislation will apply to all organisations holding data belonging to EU citizens.

  • Data Protection Officers

o   Any business that markets goods or services to customers within the EU and collects personal data must appoint a Data Protection Officer.

  • Privacy by design

o   Is the inclusion of data protection resources from the initial design stage of a system.

  • The right to be forgotten

o   Any private citizen will be entitled to request the erasure of their personal data.

  • The right to access

o   The owner of the data has the right to obtain records of their personal information, including where it’s being stored and for what purpose.

  • Breach notifications

o   Companies have an explicit instruction to notify authorities of a breach within 72 hours of one occurring.

What if you don’t comply?

With the new law comes a greater ability to fine companies that don’t comply to GDPR. These fines are significant not just in their size, 4% of global revenue or €20 Million, whichever is the highest out of the two. This has huge implications for companies of any size as if they do suffer a breach it could lead to the company being put out of business!

How do you become GDPR ready?

3 simple steps can help prepare your organisation for GDPR.

  1. Create awareness across the organisation about GDPR, what it covers, and what the fines are for noncompliance.
  2. Use software to find and detect all sensitive data within the organization, including servers, documents, workstations, email inboxes and all cloud storage.
  3. The strategy must be executed within the organization. Appoint a DPO to lead the team and to make sure all of the rulings are adhered to.

How can Ground Labs help?

We offer Free risk assessments to give an organization a snapshot of all of the sensitive data being held in the environment we scan. The assessment will help to identify and understand what the potential GDPR risk is to an organization.

Now you know how to prepare for GDPR, is your company ready? Start your GDPR journey with Ground Labs,  click the link for a free risk assessment http://content.groundlabs.com/gdpr_assessment

Who is Ground Labs?

Ground Labs is the data security and auditing software provider of choice for over 2500 companies globally. Organizations use our Enterprise Recon and Card Recon products to scan and remediate for unsecured and sensitive data on their computer systems. Securing data allows them to prevent serious data breaches and help to comply with global information standards such as PCI DSS and GDPA. Our 24 / 7 best in class support function focuses on providing a high level of customer care across multiple time zones. Founded in 2007, our global presence is headquartered in Singapore, with offices in Europe and the USA. For further information or to request a product demo please visit www.groundlabs.com

Tech Connect Live: Ireland’s Largest technology event

On the 31st of May, the RDS (Royal Dublin Society) is hosting the biggest tech summit of the year, and Ground Labs in association with the GDPR Coalition will be there!

With Irish and International attendees, including over 200 keynote speakers, 400 investors, 1000 different companies from across the tech industry, and 1500 purchasers from across a variety of sectors and industries, TechConnect is an unprecedented and unmissable opportunity to network and hear the latest updates in a fast-changing industry.

Ireland’s largest summit will also be hosting a dedicated GDPR (General Data Protection Regulation) zone run by the GDPR Coalition. Throughout the day there will be numerous panel discussions covering all the key questions surrounding the legislation and practical advice for businesses when preparing for GDPR. Ground Labs VP John Cassidy will be speaking on a panel covering the topic “Small, Medium, or Large Company? What are the GDPR/Data Protection Business realities” which takes place at 2.40 pm.  

A Full agenda of all GDPR  panel discussion and events on the day can be found here.

TechConnect Live is a great opportunity to meet, connect, and explore. We’re really excited to be a part of such a large and international symposium here in Dublin!

To register for free for the event and access the full list of speakers, vendors, startups, and agenda, follow this link.

TechConnect Live is being held on Wednesday, May 31st, at the RDS Arena, Irelands’ largest event venue located on Merrion Road, Ballsbridge, Dublin 4

Hope to see you there!


For more information on GDPR, download our practical guide.

Bring on the Revolution!


Ground Labs is delighted to announce we will be exhibiting at the General Data Protection Regulation Conference: Preparing for the Regulation Revolution, May 30th Manchester, UK.

Held at the AJ Bell Stadium, the conference aims to tackle some of the important issues concerning British businesses and the upcoming European Data Protection Legislation that comes into effect on May 25th, 2018, including:

– The broad implications: it’s being called the biggest change in data security in the past 20 years. Find out what that means

-How to prepare: From useful tips to step-by-step guidelines, find out how to get GDPR ready

– Tech and management tools to help you get ready

– The Network and Infrastructure Directive (NIS) and the implications

– Cybercrime, and the rise in threat to cyber security

– The impact of EU legislation outside of Europe

– the EU-US Privacy Shield framework

– Data protection Officers, and their role in keeping companies GDPR compliant

Discover the technical solutions available to aid you in becoming GDPR ready, learn more about how finding and securing your sensitive data is fundamental when preparing for the legislation. Gain a better understanding of the risks and benefits of GDPR, all in one place.

The Ground Labs team along with our partners and fellow GDPR specialists Softcat and Cybercrowd will be at stand number 9. Stop by our stand to discuss a GDPR plan with our experts and book in for a FREE GDPR Assessment.

Register now!

Hope to see you there!


Dublin Datasec 2017

The General Data Protection Regulation (GDPR) will become law across the EU on May 25th, 2018. GDPR applies to the protection of all personal data belonging to any EU citizen held by an Organisation. The fines for non-compliance start at 2% of global turnover and can be as high as 4% of global turnover or €20 Million.

Despite it being just over a year until GDPR is enforced, many Organisations are still unclear on GDPR, what it covers, who it applies to and where to start to ensure they are compliant.

The Dublin DataSec 2017 conference, which takes place in the RDS on May 3rd, will provide expert speakers, information and insight to help businesses comply with GDPR and get the most out of the legislation.

Ground Labs VP of Global Sales John Cassidy, will be part of a panel discussing GDPR at the event. The Ground Labs team will be there on the day to give one to one GDPR consultations focusing on the first step in GDPR preparation, Data Discovery and Accountability.

The first step in preparing for GDPR is finding the personal data held within your Organisation. Ground Labs leading Data Discovery tool Enterprise Recon is the complete solution for the identification, remediation and monitoring of personal data across an entire network.

For more information on GDPR download our free guide

Hope to see you at Dublin Datasec 2017!

The Right to Be Forgotten: What You Need to Know

Along with a number of other changes to the rules governing how sensitive data is stored, GDPR implementation in May of 2018 also brings one of the most talked-about clauses; ‘the right to be forgotten’.

Under article 17 of the EU GDPR (the General Data Protection Regulation), the Right to Erasure, also called the Right to Be Forgotten, means that any individual within the EU can ask a company or organisation to delete all personal data from that organisation. The purpose is for consumers to be able to maintain better control of their personal details, and to limit the amount of data stored passed its usefulness. It’s also set up to help protect individuals from having their private information processed unlawfully, either fraudulently or otherwise without their consent.

In many respects, this clause is good for businesses. Frequently, after the end of a transaction, PCI and PII information is simply stored somewhere in the company, often forgotten about, and contributes to the volume of data vulnerable to breaches and hacks. Just because an organisation is done with the data, doesn’t mean it won’t be considered valuable to hackers or data thieves. Knowing where all sensitive data ends up, is the first step to avoiding costly and brand damaging situations.

The Right to Erasure does have some limitations, and it’s important to know where these are. It is also important to note that article 17 does not mean a total erasure of all record, just of specific data types within an organisation. Where this can get a little tricky, however, is that if any of that data was shared with any third parties, then your organisation is required to inform each of those parties of the request.



Under article 17, there are two major distinctions. The most straightforward function and the one most companies will be concerned about, is an individual’s request requiring an organisation to search and remove their sensitive data. The second function is a slightly more complex issue, whereby information made public by entities other than the individual concerned, is not deleted from the primary source, but an effort is made to remove the result from the person’s name. In situations dealing with video content, or newspaper articles, for example, it would be difficult, if not impossible to remove all traces from a search engine, but steps could be taken to ensure that searching for a person’s names would not bring up the offending results. As ‘the right to be forgotten’ becomes a key phrase in the run up to GDPR, the impact on workflow is a key concern for many companies.

If the information in question directly relates to an ongoing transaction, is public knowledge,  is a part of legal proceedings, or could be reasonably argued to provide a public benefit (such as scientific, historical, or public health records) then your organisation might have reasonable grounds to refuse. Likewise, if the request in any way compromises freedom of expression, or freedom of information, then your organisation is not required to go through with the request

For most organisations, however, if an EU citizen submits a request for erasure, it will be a matter of finding their sensitive data and deleting it from wherever it has been stored in your network. This makes it imperative that every company begin by knowing exactly where this information is hiding. Under GDPR, it’s no longer enough to guess at sensitive data types and locations, or to push the difficulty of unseen data caches off, in favour of more pressing daily concerns; monitoring sensitive data has become crucial to business success.

For more information on GDPR download our GDPR Guide or take our Free Risk Assessment to find our where your organisation is at risk.

Ground Labs talk GDPR at CEBIT Germany 2017

Screen Shot 2017-03-13 at 09.26.46

Ground Labs is teaming up with our partner Twinsoft at the CEBIT Global Event for Digital Business.

When: Tuesday, March 21st 2017, the conference runs from the 20th-24th

Where: The Hannover Congress Centrum, Hannover, Germany

Take advantage of one of the industry’s biggest and most comprehensive conferences to network, plan, discuss, discover, and learn! With attendance from around the world, the CEBIT conference is  a great way to take advantage of a meeting of some of the best minds and most interesting ideas out there.

Along with an impressive line-up of speakers, including CEO’s, technology innovators, and leaders of both thought and practice in an age of technology and surveillance, Ground Labs VP of Global Sales John Cassidy will be discussing GDPR, and providing some practical solutions to ensure your organisation is GDPR ready.

Come find the Ground Labs team and our partner Twinsoft at stand E29/C30 in hall 6, the GDPR presentation will be held at 3pm on Tuesday March 21st, followed by a Q and A session.

Hope to see you there!



RSA Conference: Where the World Talks Security

Moscone Centre, San Francisco USA

Booth #3008

FEB 13th – 17th 2017

Going to RSA This year?

We are!

As leaders in Data Security Software, we are committed to helping organisations find and secure sensitive information BEFORE a breach.

We make it part of our business practice to keep up-to-date with all developments in tech security across the globe, there’s no better way to keep a finger on the pulse, than to meet people face to face.

Visit our booth #3008 in the North Hall for a product demo and see for yourself how Ground Labs can find and secure sensitive data ensuring your organisations sensitive data is protected from cyberattacks.

We also enjoy some friendly competition and lots of prizes! Show off your golf skills on our putting green at our booth #3008, and you could win a prize!



Screen Shot 2017-02-10 at 10.20.22


Still not signed up? Use our code: XE7GRNDLABS and register here to get a FREE expo pass