GDPR and “Opting-Out” for Good


The internet serves as an excellent method of keeping up to date with news, products and current events. Occasionally you may be asked if you would like to subscribe to a mailing list or if you would like to become a recipient of a serial newsletter. This can be useful if you have a genuine interest in the subject matter and wish to keep up to date with their offering. However, from time to time these lists can become troublesome and constantly inundate your mailbox with irrelevant and annoying spam. When this happens you find yourself asking:

“Can I opt-out?”

When you choose to subscribe to an online mailing list, you usually have the option to “opt-out”, meaning that you can request to be removed from the mailing list and will no longer receive the unwanted correspondences.

If the company is reputable and offers a genuine advantage to being a subscriber to their lists, such as special reduced prices or useful information, then it might be worth handing over your email address.

Who do you trust with your email address? 


But there is always the chance that you will be added to a list that becomes a target for a cascade of irritating spam emails.

Most people choose the option to “opt-out” when these spam emails begin to clog up their inboxes, and this puts a halt to the spam problem. However, it is a little-known fact that if you do indeed choose to “opt-out”, you may have escaped the constant spam emails, but your personal data may remain in the list owner’s database.

In many cases, these mailing list holders retain your personal information and continue to circulate it recklessly. The GDPR will prevent these list holders from retaining subscribers’ personal data once they have elected to “opt-out”.

“GDPR gives you greater control of your personal data”


When the GDPR comes into law on the 25th of May 2018, these mailing list holders will be held accountable for fully deleting, and not retaining, any personal data that subscribers who have “opted-out” have asked to be removed under the Right to be Forgotten mandate. Organisations that rely on users’ personal data will need to make certain they have the correct solutions in place in order to deal with the incoming regulation. There are few solutions available that are as effective at dealing with Sensitive Data Discovery as Enterprise Recon. This tool was designed specifically to discover, monitor and remediate sensitive data within an organisation’s data storage environment, making it the ideal choice for adhering to data security standards.

With this new regulation being brought in by the European Union, people now have control over their personal information and how it can be used. And who knows, perhaps this is the beginning of the end for spam emailing?

Meeting the General Data Protection Regulation with Ground Labs

The relationship between an organisation and its customers is important: the customer must trust that the data they share with an organisation is being managed responsibly.

When an organisation is responsible for managing large quantities of its customers’ data, it must take every care to ensure that this data is secure. If a breach occurs and this data is lost, the company’s reputation may suffer, but more importantly, the customer loses faith in the business they once trusted. They feel cheated because the company did not exercise due care to ensure that it was safe.

“Discover – Identify personal data and where it resides”

With the new GDPR policy coming into force on the 25th of May, it is time for companies to ensure that they put effective systems in place in order to deal with any data queries they are responsible for.

When a customer calls upon an organisation to show them all of the data that the organisation is storing that belongs to them, this is called a Subject Access Request. The duty to answer this request falls upon the organisation and will be enforced under GDPR legislation. Failure to adhere to this request could result in the company being fined up to 4% of its global annual turnover or €20 million, whichever sum is greater.

“Monitor – establish security controls to detect and respond to requests and data breaches”

Subject access requests can be an onerous task for businesses that do not have the correct systems in place for dealing with such an appeal. Scanning once is simply not a plan of action for any company that is looking to comply with GDPR on a long-term basis. Systems and processes need to be implemented from the CEO down to deal with GDPR, but what do you do once the data has been found?

“Remediate – giving you real-time access to take affirmative action on sensitive data”

Very few products are as effective at finding and securing sensitive data as Ground Labs’ flagship product, Enterprise Recon. Customers are using Enterprise Recon to find and remediate their stored sensitive data. The solution is pre-configured with over 200 sensitive data types but also gives the user the ability to add their own custom data types to scan for, which is an invaluable tool when dealing with GDPR Subject Access Requests and subsequently provides a platform to fulfil right to erasure requests.

GDPR is happening now so don’t become the next headline, get ready with Enterprise Recon.

To learn more about how we find sensitive data, or to request a live product demonstration, please visit

How US based companies will be affected by GDPR


May of this year will see the EU’s new General Data Protection Regulation come into law. It will bring about a seismic shift in the data security landscape. If you are one of our US-based customers and have only been following the major headlines, you will have seen “the Right to be Forgotten”, “Subject Access Request” and “72-hour breach notification”, as well as very strong fines for non-compliance. GDPR definitely has some teeth, and you are going to have to take notice of it.

EU companies are preparing for the new GDPR legislation, each of them on their own journey to be ready by the May deadline and to create a plan, with policies in place, to show the regulator they have readied themselves for GDPR. The question we get asked a lot is: what about US companies that have no direct business in the EU? Do they need to concern themselves with GDPR?

Well, the answer is yes. Here’s why. If you are a US-based company and have a presence in the EU and are collecting personal data, GDPR will apply to your company, and so will the fines!

Geographical implications

Article 3 of the new GDPR states that if a company collects personal data from someone in an EU country, it must comply with GDPR. To clarify this further, it means that GDPR only applies if the data subjects are in the EU when the data is collected. If the EU citizen is outside of the EU when the data is collected, then GDPR will not apply.

Specific consent

US companies that are selling or direct marketing into the EU will have to adjust their forms to allow for specific consumer consent. The language of the GDPR legislation means that consent must be freely given. Gone are the days when companies could add multiple lines of small print and use that as an excuse. Consent under GDPR has to be specific, informed and unambiguous.

To show this in practice, I will use a Florida-based company running a marketing campaign into Germany, using a marketing web form to collect email addresses for a specific project. The Florida-based company will need to use clear language informing the data subject what it intends to do with the email addresses once collected, as well as a clear check or tick box for consent to use their data.

Once this data has been collected, US companies will have to protect it under the GDPR legislation. If they already follow an existing data security standard such as PCI DSS, this new legislation should not be a problem.

Breach notification

Part of the new GDPR legislation is the 72-hour breach notification rule. It does give some leeway in weighing up the risks to the data subject, but if you have a breach containing a large number of email addresses, sensitive data such as medical or financial data, or any sensitive data relating to children, then all of these would require notification to the EU regulator within 72 hours.

There will be ongoing questions about how the EU regulator will enforce these actions against US companies that are doing business and collecting data over the web. However, the EU is very serious about unifying the data privacy laws of its citizens and has already changed the web practices of US companies.

What this means is that US companies have to take note of these changing practices and take adequate steps to make sure they do not become a headline after the 25th of May 2018.

The countdown is truly on for GDPR and the time to act is now!

Act now for GDPR

16th PCI London, 25 January 2018, London, UK

Without sounding over-dramatic, time is truly running out for businesses who have yet to engage with or consider how to become compliant with GDPR. The clock is ticking and, with less than 6 months remaining until GDPR is rolled out across the EU, the time to start your compliance process is now. Researching GDPR is easy with the vast volume of information the internet is producing each day, but who do organisations turn to for practical help that will aid them in becoming compliant? We believe Ground Labs is part of the solution.

In under 6 months’ time, GDPR will be rolled out across the UK and the wider EU, putting into law a set of regulations that will impact every business when dealing directly with EU citizens’ personal information.

Who within the organisation does the responsibility of preparing for GDPR ultimately fall on? Can this important task be left to the head of IT? From our experience, we are finding that the GDPR journey needs to be more of a company-wide approach. The regulation is very clear that businesses must ensure privacy by design when projects are undertaken. Privacy and security must go hand in hand from the beginning to the end of any project, and taking a wider organisational approach to compliance will yield better results.

The clock is ticking for GDPR

Taking a company-wide decision allows businesses to get ahead of GDPR and put the necessary steps in place. We are also noticing that businesses who use the PCI DSS framework for compliance have taken major steps in their preparation for the ongoing GDPR storm; taking this path will help them build a total compliance framework covering all standards.

The compliance frameworks are just one part of the bigger picture of GDPR. There is a real business need in the market for practical ways to address these challenges on a daily basis and to help with continuous compliance. We suggest having the ability to forensically scan for all structured and unstructured data across your entire business environment.

Enterprise Recon

Having a tool with over 200 data types preconfigured, allowing you to highlight what sensitive data was found and report back on it, is one thing, but once this data is found there need to be practical policies in place to remediate it. Enterprise Recon not only gives you the power to scan and remediate sensitive data within your environment, but through its custom scanning capability it will help you comply with Article 15 “Right to Access” (a Subject Access Request) and Article 17 “Right to Erasure”. Once you know where the sensitive data is currently sitting, you want the ability to effectively manage it and report back to the data subject.

We understand this is only one part of the process, but taking steps now to discover, monitor and remediate sensitive data is key to PCI and GDPR, so act now!


The PCI DSS has set a goal of Business-As-Usual security, while GDPR needs businesses to ensure privacy by design. Under these rules, businesses will have to integrate data privacy and security from the start to the end of all projects. Our Enterprise Recon software allows you to simplify the processes needed to make security a Business-As-Usual practice for your organisation. Recurring scans can be set to ensure continuous monitoring. You can also receive concise and detailed reports of your business’ data build-up, directly on your management dashboard. Finally, we believe being at this year’s PCI London event will give us the opportunity to share our experiences in the market and give practical tips to businesses on dealing with the four main articles of GDPR.

Meet us at this year’s PCI London event at Park Plaza Victoria, 239 Vauxhall Bridge Road, London, SW1V 1EQ, UK. To register your interest in a demo please contact

Managing GDPR – Article 17 “Right to Erasure”

Imagine for a second that you’re sitting at your work desk in late May 2018. Suddenly, you receive a notification as a new email is delivered to your inbox. This email contains a request invoking Article 17 of the newly enacted EU GDPR legislation, “The Right to Erasure”, or in plain English, the right to be forgotten. What does this mean for your business? Well, it means that the person sending the email is requesting that you erase every instance of their personal information you have stored within your organisation, right down to the last digit.

Do you have to comply with this request? The answer is a resounding YES. In addition, this request must be completed without delay and at zero cost to the requestor. This element of the GDPR legislation requires companies to erase all personally identifiable information (PII) that is stored in files, databases, any workstations they may have used (if the requester was a former employee), cloud storage, and copied or archived files. Everything! There’s more. As an organisation, you have to be able to prove that you have deleted all such files, and if you have ever shared their details with a third party, it’s your responsibility to contact them to inform them of the erasure request.

The next question that arises from Article 17 is, “Who is responsible for the Right to Erasure requests?” Does this automatically fit into the remit of the IT department? Our experience with customers dealing with the day-to-day process of preparing for GDPR is that it’s more of an organisation-wide approach. GDPR will put a greater burden on organisations to be able to handle these requests, from a process and people management aspect, right through to the IT department’s capability to handle and comply with the request.

There is a wider cost implication for a business that is looking to comply with GDPR and be able to state that it has taken the necessary steps to do so. Article 17 restricts the use of people’s data to the original purpose at the time of collection. If you as an organisation want to use it for something else, then you’re going to have to get the user’s clear consent and approval to do so.

The EU GDPR has a global remit. It makes no difference where exactly the data is stored or where in the world your company is located. If the “data subject” is residing in the EU and they request the right for their information to be erased, then the rules apply to you. Every instance of that data subject’s data has to be erased “without undue delay”. The majority of businesses right now do not have the capability to find all these instances across their entire environment. As we have mentioned previously, there are hefty fines for non-compliance, and that could have serious consequences for your business.

With the hefty fines in place and a hard deadline of the 25th of May for the GDPR coming into law, IT departments and boards are quickly adopting a strategy to comply before the GDPR deadline is reached.

Businesses are very prudent in determining risk, and limiting the risk to their business is paramount. However, how many organisations at this moment in time would be able to act on a right to erasure request effectively? Could you effectively scan your entire environment and find every instance of a person’s sensitive data? If that information is sitting in a database or on a workstation, could you find it? And in what timeframe?

Personal information is stored in marketing and sales departments in CRM systems, which have their own databases attached to them, in multiple file formats. Personal information also finds its way into Word documents, spreadsheets and other files. Can you imagine, for a moment, trying to manually trawl through every file looking for a marker that represents a particular person? It could take weeks that you haven’t got! Having the ability to scan all of these file formats and deliver the discovered results will give your business the edge when it comes to compliance with GDPR, and save the job of the head of IT.

Companies are choosing to hold onto data forever instead of deleting it. Choosing to store the data may seem like a great idea, but with Article 17 coming into force you will now need the ability to scan very specific sections of that data and delete information on request. You need to be ready, as there is no room for error.

Your next steps for compliance 

Ground Labs’ flagship product, Enterprise Recon, allows you to scan your entire environment for sensitive data. With over 200 PII data types already preconfigured out of the box and a custom search facility built into the tool, handling organisation-wide requests such as the “Right to Erasure” becomes a lot easier. From the dashboard, you will have the ability to see precisely where across your environment your sensitive data is being stored, forensically down to which file it’s stored in. You can then either remediate it or show the user where that sensitive data lies. Of the multiple remediation functions the tool has, the delete or “nuke it” function is the most powerful in this case. You can clearly show the user that all stored instances of their data across the network have now been permanently deleted and cannot be retrieved. Once “nuked”, it’s gone for good!

Need help understanding where your unstructured and structured data is, and worried about how you will handle a “right to erasure request”? Then contact one of our trained GDPR experts, who can help you with a free risk assessment. To book a demo please visit

The real cost of GDPR and how to minimise risk

What is the real cost of GDPR?

Over the past 6 months, during our GDPR-related sessions, a number of important questions have arisen from conversations with our clients and customers. One of the questions asked is “How do companies deal with a SAR?” Read our blog post on Subject Access Requests for a greater insight into how companies are preparing for them. Another very important question is the one of cost. What is the actual cost to businesses when preparing for GDPR, and how do you minimise the risk?

You can break this question down into a number of bite-sized portions. The first is the financial cost to the business. A recent study (2017) by IBM into the true cost of a security data breach found the average cost to an organisation suffering a data breach to be $3.62 million. The study covered 419 participating companies. This figure showed a decrease from the previous year, but the size of the breach had risen by 1.8% from the previous year. To read the full report please click here.

This $3.62 million is a small representation of the overall cost to companies who suffer a data breach. With the new GDPR legislation coming into law next year, the potential fines alone for companies suffering a data breach have been well documented. GDPR will have a tiered penalty structure attached to it for companies that do not comply and subsequently suffer a data breach. The more serious the breach, the higher the penalty: 4% of global revenue or 20 million euro, whichever is higher. This would easily eclipse the $3.6 million stated in the IBM report. There are also other fines to take into consideration when planning your GDPR journey. Non-compliance with Article 28 (“Processor”) will also have a fine associated with it: 2% of global revenue can be issued to a company whose records are not in order, or if the supervising authority and data subjects are not notified of a breach. Overlooking the planning and breach notification requirements of GDPR could turn out to be very expensive for companies.

There are also other factors that have to be taken into consideration when looking at the overall costs and impacts to the business. What impact will a potentially disastrous data breach have on your brand? A breach would be felt throughout the business, including by your employees. Why? Because the brand has been tarnished. In an age of security-conscious consumers who value their own personal data and want to know that it’s being kept safe and secure by the companies they trust to handle it, a breach could be catastrophic. Consumer and business confidence is key to long-term growth in any industry, so can you put a cost on that? The actual cost of a breach may be felt for years, even if the business comes through it.

So how does Ground Labs software help to reduce the risk of a data breach and help towards becoming compliant with GDPR? Enterprise Recon has over 200 data types built into the tool straight out of the box. It has been enhanced to include data types from all 28 EU countries to help in the search for where in your network your sensitive data is stored. The tool is an on-premise product and forensically searches your entire environment looking for structured and unstructured data.

Once you run a scan across your environment, all instances of sensitive data found will be reported in the Ground Labs product dashboard.

Enterprise Recon Management dashboard

From the dashboard, you will have the option to see exactly where across your entire network your sensitive data is being stored. You then have the ability to decide how you handle that data, with multiple remediation and reporting functions.

Our GDPR-ready tool is the right choice no matter what stage your business is at on the GDPR journey. Understanding where your data is and how to remediate it will help to reduce compliance costs and eliminate the root cause of cybersecurity data breaches.

To download a free copy of our white paper on GDPR please click the link:

Ground Labs_The_GDPR_Journey_Embrace_the_data

If you would like further information on how Ground Labs can help with your GDPR initiative, please visit to arrange a free risk-assessment.


How can organisations handle a GDPR Subject Access Request?
Article 15 of GDPR outlines what a Subject Access Request (SAR) is, how businesses need to react to one, and how to comply with them. If your organisation is collecting data on EU citizens, there is a high possibility that you will start to see a steady flow of SARs coming into your inbox. This will impact your business in a multitude of ways.

Firstly, there is a business planning element to this: from an operational aspect, how could you handle 1 request per week, 10 a week, or, if you are a larger organisation, 100 per week? This poses a number of additional questions for any business. New processes and internal policies will have to be implemented throughout the organisation to make staff and stakeholders aware of how to effectively handle a SAR.

The second element to any SAR is how you know what information you have on a data subject and, more importantly, whether you have the capability to find it. This is where Ground Labs is positioned to help organisations of any size right across the EU. Our sensitive data discovery tool already has over 200 PII data types preconfigured, so the tool works straight out of the box and starts to find sensitive data as soon as the scan has been set up to run. PII types such as name, address, bank details, health numbers, passport numbers and driving licence numbers are all pre-configured in the tool.

If you are running a search for a specific SAR, our tool will search your entire network for every instance of the data type you are looking for and report back its findings. To comply with Article 15 you have 30 days to respond to the data subject, answering in detail where their data has been stored on your network. Enterprise Recon can give you that information. It’s not big and clunky; it’s on-premise and runs quietly in the background without slowing down your network while a scan is being run.

Want to learn more? Preparing your GDPR policy and don’t know how to manage a Subject Access Request? If so, contact Ground Labs today for a free risk assessment. Please visit:

PCI Community Meeting: GDPR front and centre

Meet us at the PCI Community Meeting in Barcelona

We recently returned from the AISA Conference in Sydney, Australia, after presenting Ground Labs’ data security proposition to global and local businesses alike. The organisations we spoke with who had a European presence quickly turned the conversation to the new General Data Protection Regulation (GDPR) deadline of May 2018 and how Ground Labs can help to prepare them for the new regulation.

The organisations we spoke to had an overwhelming realisation that GDPR will play a major role in how they handle sensitive data, privacy policies and data security moving forward into 2018. The need to take a company-wide approach is a new concept, as in the past these decisions would have rested firmly with the IT department. This new approach will allow businesses to tackle the grey areas of the regulation and allow them to become compliant.

In my previous blog, I set out how GDPR will impact businesses and the steps they will need to take to prepare themselves for compliance. This week’s PCI Community Meeting in Barcelona will put GDPR front and centre.

Our global presence gives us a unique insight into how organisations are dealing with GDPR across all the major markets we do business in (EMEA, APAC and North America). This has allowed us to be a major factor in helping them define their data security policy around their structured and unstructured data.

With this clear messaging from businesses, I felt it necessary to outline our role in helping them deal with the rollout of a GDPR initiative. Our positioning takes a different turn from the majority of the noise. As a security software vendor, we understand the importance of securing sensitive data while giving companies the option to protect their environment through our forensic data search tool.

The Ground Labs solution offers proven capability based on Ground Labs’ existing market focus on being the #1 discovery product vendor in the PCI compliance space. However, in response to increased data breach notification and privacy requirements from existing customers and the market in general, Ground Labs has continued to evolve its product capabilities to meet these additional requirements with a broad variety of Personally Identifiable Information (PII) that may also be utilized by organisations over the long term.

Want to learn more? Have further questions about where your data is stored? To register your interest in receiving a free risk assessment, click here.

Business: The impact of GDPR

The new General Data Protection Regulation (GDPR) is the talk of the town in the security world. A day doesn’t seem to pass by without a new security breach being reported in the media. Recent cases such as the Equifax scandal and the data breach at Deloitte have brought the subject of data security to the forefront of the news cycle. There are steps all organisations need to take to stop their name being on the next data breach headline.

The breaches give credence to the idea that there was a serious need for a ratified law across all EU member states, specifically relating to data security and protecting individuals’ data. The new GDPR legislation was ratified back in 2016, and it outlined the need for each member state to implement it into new national law by May of 2018. Now, with under a year to go, we would like to provide our customers with a better understanding of how this new regulation will impact businesses across the Eurozone and how we can help them comply with the law.

Firstly, why was GDPR created?

GDPR was created to allow individuals greater control over their personal data. It will unify the set of protection laws across the EU, bringing everyone in line with one standard. Companies that are operating outside of the EU will be subject to this law when they collect data concerning an EU citizen.

What is GDPR at its core?

GDPR addresses many of the failings of its predecessor, the Data Protection Directive, including updating requirements for documenting IT procedures, performing risk assessments, notifying the consumer and authorities of a breach, and reinforcing the rules for data minimisation.

What are the key changes? 

  • Increased territorial scope: the legislation will apply to all organisations holding data belonging to EU citizens.
  • Data Protection Officers: any business that markets goods or services to customers within the EU and collects personal data must appoint a Data Protection Officer.
  • Privacy by design: the inclusion of data protection resources from the initial design stage of a system.
  • The right to be forgotten: any private citizen will be entitled to request the erasure of their personal data.
  • The right to access: the owner of the data has the right to obtain records of their personal information, including where it’s being stored and for what purpose.
  • Breach notifications: companies have an explicit instruction to notify authorities of a breach within 72 hours of one occurring.

What if you don’t comply?

With the new law comes a greater ability to fine companies that don’t comply with GDPR. These fines are significant in their size alone: 4% of global revenue or €20 million, whichever is the higher of the two. This has huge implications for companies of any size, as if they do suffer a breach it could lead to the company being put out of business!

How do you become GDPR ready?

3 simple steps can help prepare your organisation for GDPR.

  1. Create awareness across the organisation about GDPR, what it covers, and what the fines are for noncompliance.
  2. Use software to find and detect all sensitive data within the organization, including servers, documents, workstations, email inboxes and all cloud storage.
  3. The strategy must be executed within the organization. Appoint a DPO to lead the team and to make sure all of the rulings are adhered to.

How can Ground Labs help?

We offer Free risk assessments to give an organization a snapshot of all of the sensitive data being held in the environment we scan. The assessment will help to identify and understand what the potential GDPR risk is to an organization.

Now you know how to prepare for GDPR, is your company ready? Start your GDPR journey with Ground Labs: click the link for a free risk assessment.

Who is Ground Labs?

Ground Labs is the data security and auditing software provider of choice for over 2500 companies globally. Organisations use our Enterprise Recon and Card Recon products to scan for and remediate unsecured and sensitive data on their computer systems. Securing data allows them to prevent serious data breaches and helps them comply with global information standards such as PCI DSS and GDPR. Our 24/7 best-in-class support function focuses on providing a high level of customer care across multiple time zones. Founded in 2007, our global presence is headquartered in Singapore, with offices in Europe and the USA. For further information or to request a product demo please visit