Managing GDPR – Article 17 “Right to Erasure”

Imagine for a second that you're sitting at your work desk in late May 2018. A notification pops up: a new email has arrived in your inbox. It contains a request invoking Article 17 of the newly applicable EU GDPR, the "Right to Erasure", or in plain English the right to be forgotten. What does this mean for your business? It means that the person sending the email is asking you to erase every instance of their personal data that you hold within your organisation, right down to the last copy.

Do you have to comply with this request? In most cases, yes. Article 17 obliges you to erase the data without undue delay when one of its grounds applies (for example, the data is no longer necessary for the purpose it was collected for, or the data subject has withdrawn the consent the processing relied on), and the request is normally handled free of charge. The exemptions in Article 17(3), such as a legal obligation to retain the data or the establishment, exercise or defence of legal claims, are narrow, and you have to be able to justify relying on one. This element of GDPR requires companies to erase all personal data (a wider category than the "PII" of US privacy law) wherever it is stored: in files, databases, any workstations the requester may have used (if they were a former employee), cloud storage, and copied or archived files. Everything! There's more. As an organisation you have to be able to show that you have deleted all such data, and if you have ever disclosed it to a third party, it's your responsibility to inform each recipient of the erasure request (Article 19).

The next question that arises from Article 17 is, "Who is responsible for Right to Erasure requests?" Does this automatically fall within the remit of the IT department? Our experience with customers dealing with the day-to-day process of preparing for GDPR is that it needs an organisation-wide approach. GDPR puts a greater burden on organisations to handle these requests, from process and people management right through to the IT department's capability to carry out the request and demonstrate that it has been done.

There is a wider cost implication for a business that wants to comply with GDPR and be able to state that it has taken the necessary steps to do so. Under the purpose-limitation principle (Article 5(1)(b)) personal data may be used only for the purpose it was collected for, and Article 17 requires it to be erased once that purpose has been fulfilled. If you as an organisation want to use it for something else, you need a lawful basis for the new purpose, which in practice usually means going back to the user for clear consent.

The EU GDPR has a global reach. It does not matter where the data is stored or where in the world your company is located: if you are established in the EU, or you offer goods or services to, or monitor the behaviour of, data subjects who are in the EU (Article 3), the rules apply to you. Every instance of that data subject's data has to be erased "without undue delay". The majority of businesses right now do not have the capability to find all these instances across their entire environment. As we have mentioned previously, there are hefty fines for non-compliance, and they could be ruinous for your business.

With those fines in place and a hard deadline of 25 May 2018 for GDPR becoming applicable, IT departments and boards are quickly adopting a strategy to comply before the deadline is reached.

Businesses are very prudent in determining risk, and limiting risk to the business is paramount. However, how many organisations, at this moment in time, would be able to act on a right to erasure request effectively? Could you scan your entire environment and find every instance of a person's sensitive data? If that information is sitting in a database or on a workstation, could you find it? And in what timeframe?

Personal information is stored by marketing and sales departments in CRM systems, each with its own database, and in multiple file formats. It also finds its way into Word documents, spreadsheets and other files. Can you imagine, for a moment, trying to manually trawl through every file looking for a marker that represents a particular person? It could take weeks that you haven't got! Having the ability to scan all of these file formats and deliver the discovered results will give your business the edge when it comes to compliance with GDPR, and save the job of the head of IT.

Companies are choosing to hold on to data forever instead of deleting it. Storing everything may seem like a great idea, but once Article 17 is in force you will need the ability to scan very specific sections of that data and delete information on request. You need to be ready, as there is no room for error.

Your next steps for compliance 

Ground Labs' flagship product, Enterprise Recon, allows you to scan your entire environment for sensitive data. With over 200 PII data types preconfigured out of the box and a custom search facility built into the tool, handling organisation-wide requests such as the "Right to Erasure" becomes a lot easier. From the dashboard you can see precisely where across your environment your sensitive data is being stored, forensically, down to the file it is stored in. You can then remediate it, or show the user where that sensitive data lies. Of the tool's multiple remediation functions, the delete or "nuke it" function is the most powerful in this case: you can show the requester that every stored instance of their data that the scan found across the network has been permanently deleted and cannot be retrieved. Remember that the request also covers copies in backups and archives, which a scan of live systems does not reach, so those need their own retention and deletion process.

Need help understanding where your unstructured and structured data is, and worried about how you will handle a "right to erasure" request? Then contact one of our trained GDPR experts, who can help you with a free risk assessment. To book a demo please visit www.groundlabs.com/risk-assessment

The real cost of GDPR and how to minimise risk

Over the past six months, during our GDPR-related sessions, a number of important questions have arisen from conversations with our clients and customers. One of them is "How do companies deal with a SAR?" Read our blog post on Subject Access Requests for a greater insight into how companies are preparing for them. Another very important question is that of cost. What is the actual cost to businesses of preparing for GDPR, and how do you minimise the risk?

You can break this question down into a number of bite-sized portions, the first being the financial cost to the business. IBM's 2017 Cost of Data Breach Study found the average cost to an organisation suffering a data breach to be $3.62 million. The study covered 419 participating companies. This figure was a decrease on the previous year, but the average size of a breach had risen by 1.8%.

This $3.62 million is only a small part of the overall cost to companies that suffer a data breach. With GDPR becoming applicable next year, the potential fines for non-compliance have been well documented. GDPR has a tiered penalty structure. For the most serious infringements, such as breaching the basic processing principles or the rights of data subjects, the maximum is €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83(5)); that would easily eclipse the $3.62 million in the IBM report. There are other fines to take into consideration when planning your GDPR journey. The lower tier of up to €10 million or 2% of worldwide annual turnover (Article 83(4)) covers, among other things, the processor obligations in Article 28, the records of processing in Article 30, and the duty to notify the supervisory authority and affected data subjects of a breach in Articles 33 and 34. Note that the fine is for the infringement, not for the breach itself, so an organisation that cannot show what data it held, or who it told, is in a far worse position than one that was breached despite doing the right things. Oversights in planning and breach notification could turn out to be very expensive.

There are other factors to take into consideration when looking at the overall costs and impact to the business. What impact would a disastrous data breach have on your brand? A breach would be felt throughout the business, including by your employees, because the brand has been tarnished. In an age of security-conscious consumers who value their personal data and want to know that it's being kept safe by the companies they trust to handle it, a breach could be catastrophic. Consumer and business confidence is key to long-term growth in any industry, so can you put a cost on that? The true cost of a breach may be felt for years, if the business comes through it at all.

So how does Ground Labs software help to reduce the risk of a data breach and help you towards GDPR compliance? Enterprise Recon has over 200 data types built into the tool straight out of the box. It has been enhanced to include data types from all 28 EU member states to help you find where in your network your sensitive data is stored. The tool is an on-premise product and forensically searches your entire environment for structured and unstructured data.

Once you run a scan across your environment, every instance of sensitive data found is reported in the Ground Labs product dashboard.

Enterprise Recon Management dashboard

From the dashboard you can see exactly where across your entire network your sensitive data is being stored. You can then decide how to handle that data, using the multiple remediation and reporting functions.

Our GDPR-ready tool fits whatever stage your business is at on the GDPR journey. Understanding where your data is and how to remediate it will help to reduce compliance costs and removes one of the root causes of data breaches: sensitive data sitting where nobody knew it was.

To download a free copy of our white paper on GDPR please click the link:

Ground Labs_The_GDPR_Journey_Embrace_the_data

If you would like further information on how Ground Labs can help with your GDPR initiative, please visit http://content.groundlabs.com/gdpr_assessment to arrange a free risk assessment.

How can organisations handle a GDPR Subject Access Request?

Article 15 of GDPR sets out what a Subject Access Request (SAR) is, how a business needs to react and how to comply with one. If your organisation collects data on people in the EU, there is a high possibility that you will start to see a steady flow of SARs arriving in your inbox. This will impact your business in a multitude of ways.

Firstly, there is a business-planning element: from an operational standpoint, how would you handle one request per week, ten a week, or, if you are a larger organisation, a hundred per week? This poses a number of additional questions for any business. New processes and internal policies will have to be implemented throughout the organisation to make staff and stakeholders aware of how to handle a SAR effectively.

The second element of any SAR is knowing what information you hold on a data subject and, more importantly, having the capability to find it. This is where Ground Labs is positioned to help organisations of any size right across the EU. Our sensitive data discovery tool comes with over 200 PII data types preconfigured, so it works straight out of the box and starts finding sensitive data as soon as a scan has been set up to run. PII types such as name, address, bank details, health numbers, passport numbers and driving licence numbers are all preconfigured.

If you are running a search for a specific SAR, the tool will search your entire network for every instance of the data you are looking for and report back its findings. To comply with Article 15 you have one month from receipt of the request (extendable by a further two months for complex or numerous requests, under Article 12(3)) to respond to the data subject, telling them what personal data you hold, where it came from, what it is used for and who it has been shared with. Enterprise Recon can give you the "where is it" part of that answer. It's not big and clunky: it's on-premise and runs quietly in the background without slowing down your network while a scan is running.
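As an added example, and not Ground Labs code or a description of how Enterprise Recon works internally, here is a minimal discovery scanner of the kind the "Right to Erasure" post above and this Subject Access Request post both describe: it walks a file tree, runs preconfigured data-type detectors (payment card numbers checked with Luhn, IBANs checked with the ISO 13616 mod-97 rule, e-mail addresses) and a subject-specific term search, and reports the file and line of every hit. The sample files, the people and the account numbers are constructed for the example (the card number and IBAN are the well-known public test values), and the function names are our own.

```python
"""Minimal sensitive-data discovery scanner (added example, not Ground Labs code).

Walks a directory tree, runs preconfigured data-type detectors and a
subject-specific term search, and returns file/line findings that an
erasure (Article 17) or access (Article 15) request can be actioned from.
"""
import re
import tempfile
from pathlib import Path
from typing import Iterator, List, NamedTuple, Tuple


class Finding(NamedTuple):
    path: str       # file the match was found in
    line_no: int    # 1-based line number within that file
    data_type: str  # which detector fired (or "subject_term")
    value: str      # the matched value, normalised (separators removed)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check on an IBAN with spaces already removed."""
    if not 15 <= len(iban) <= 34:
        return False
    rearranged = iban[4:] + iban[:4]                        # country + check digits go last
    numeric = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35, digits unchanged
    return int(numeric) % 97 == 1


# Preconfigured data types: (name, candidate regex, normaliser, validator).
# The regex finds candidates; the validator throws out the false positives.
DETECTORS = [
    ("payment_card",
     re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
     lambda s: re.sub(r"[ -]", "", s),
     lambda v: 13 <= len(v) <= 19 and luhn_ok(v)),
    ("iban",
     re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b"),
     lambda s: s.replace(" ", ""),
     iban_ok),
    ("email",
     re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
     str.lower,
     lambda v: True),
]


def _lines(path: Path) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, line) for a text file; unreadable files are skipped."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return
    yield from enumerate(text.splitlines(), start=1)


def scan_file(path: Path) -> Iterator[Finding]:
    for line_no, line in _lines(path):
        for name, pattern, normalise, valid in DETECTORS:
            for m in pattern.finditer(line):
                value = normalise(m.group(0))
                if valid(value):
                    yield Finding(str(path), line_no, name, value)


def scan_tree(root: Path) -> List[Finding]:
    """Discovery scan: every validated hit for every preconfigured data type."""
    return [f for p in sorted(root.rglob("*")) if p.is_file() for f in scan_file(p)]


def find_subject(root: Path, terms: List[str]) -> List[Finding]:
    """Custom search for one data subject (Article 15/17): lines mentioning any term."""
    needles = [t.lower() for t in terms]
    hits: List[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            for line_no, line in _lines(p):
                low = line.lower()
                hits.extend(Finding(str(p), line_no, "subject_term", t) for t in needles if t in low)
    return hits


def build_sample_share() -> Path:
    """Constructed sample file share (not real data) used to exercise the scanner."""
    root = Path(tempfile.mkdtemp(prefix="pii_scan_"))
    (root / "sales").mkdir()
    (root / "hr").mkdir()
    (root / "sales" / "orders.csv").write_text(
        "order,customer,email,card\n"
        "1001,Jane Example,jane.example@example.org,4111 1111 1111 1111\n"
        "1002,Sam Sample,sam@example.net,4111 1111 1111 1112\n"   # fails Luhn: not reported
    )
    (root / "hr" / "payroll.txt").write_text(
        "Jane Example  IBAN GB82 WEST 1234 5698 7654 32\n"          # public test IBAN
        "Reference 2017-1234-5678 is an internal ticket, not a card\n"
    )
    (root / "README.txt").write_text("Shared drive for the sales and HR teams.\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in scan_tree(share):
        print(f"{f.data_type:13} {f.value:26} {Path(f.path).relative_to(share)}:{f.line_no}")
    print("--- Article 17 request for Jane Example ---")
    for f in find_subject(share, ["Jane Example", "jane.example@example.org"]):
        print(f"{Path(f.path).relative_to(share)}:{f.line_no}  matches {f.value!r}")
```

The validators are the part worth keeping: on its own, the card regex would also flag the 14-digit run inside the IBAN, and a scanner that cannot tell a ticket reference from a card number produces a remediation list nobody trusts. A real deployment additionally needs parsers for databases, mailboxes and office document formats rather than plain text, and the same scan has to be repeated over backups and archives, which this walk of live files does not reach.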

Want to learn more? Preparing your GDPR policy and unsure how to manage a Subject Access Request? Contact Ground Labs today for a free risk assessment. Please visit www.groundlabs.com/risk-assessment

PCI Community Meeting: GDPR front and centre

Meet us PCI Community Meeting in Barcelona

We recently returned from the AISA Conference in Sydney, Australia, where we presented Ground Labs' data security proposition to global and local businesses alike. The organisations we spoke with that had a European presence quickly turned the conversation to the General Data Protection Regulation (GDPR) deadline of May 2018 and how Ground Labs can help them prepare for the new regulation.

The organisations we spoke to had an overwhelming realisation that GDPR will play a major role in how they handle sensitive data, privacy policies and data security as they move into 2018. The need for a company-wide approach is a new concept, as in the past these decisions would have rested firmly with the IT department. This new approach will allow businesses to tackle the grey areas of the regulation and become compliant.

In my previous blog post, I set out how GDPR will impact businesses and the steps they need to take to prepare for compliance. This week's PCI Community Meeting in Barcelona will put GDPR front and centre.

Our global presence gives us a unique insight into how organisations are dealing with GDPR across all the major markets we do business in (EMEA, APAC and North America). This has allowed us to play a major part in helping them define their data security policy for structured and unstructured data.

With this clear messaging from businesses, I felt it necessary to outline our role in helping them with the rollout of a GDPR initiative. Our positioning is different from most of the noise: as a security software vendor we understand the importance of securing sensitive data, and we give companies the means to protect their environment through our forensic data search tool.

The Ground Labs solution offers proven capability, built on Ground Labs' existing position as the #1 discovery product vendor in the PCI compliance space. In response to increased data breach notification and privacy requirements from existing customers and the market in general, Ground Labs has continued to evolve its product to meet these additional requirements with a broad range of Personally Identifiable Information (PII) data types that organisations can also use over the long term.

Want to learn more? Have further questions about where your data is stored? Register your interest in a free risk assessment.

Business: The impact of GDPR

The new General Data Protection Regulation (GDPR) is the talk of the town in the security world. A day doesn't seem to pass without a new security breach being reported in the media. Recent cases such as the Equifax scandal and the data breach at Deloitte have brought the subject of data security to the forefront of the news cycle. There are steps all organisations need to take to keep their name off the next data breach headline.

These breaches lend weight to the argument that a single law across all EU member states, specifically on data security and protecting individuals' data, was badly needed. GDPR was adopted back in 2016 as a regulation, which means it applies directly in every member state from 25 May 2018 without having to be transposed into national law (member states may pass supplementary legislation, but the core obligations are the same everywhere). Now, with under a year to go, we would like to give our customers a better understanding of how this new regulation will impact businesses across the EU and how we can help them comply with it.

Firstly, why was GDPR created?

GDPR was created to give individuals greater control over their personal data. It unifies data protection law across the EU, bringing everyone into line with one standard. Companies operating outside the EU are subject to it when they offer goods or services to, or monitor the behaviour of, people in the EU.

What is GDPR at its core?

GDPR addresses many of the failings of its predecessor, the 1995 Data Protection Directive, including updated requirements for documenting processing activities and IT procedures, performing risk assessments (data protection impact assessments), notifying individuals and authorities of a breach, and reinforcing the rules on data minimisation.

What are the key changes? 

  • Increased Territorial scope

o   The regulation applies to all organisations that process the personal data of people in the EU, whether or not the organisation itself is located in the EU.

  • Data Protection Officers

o   A Data Protection Officer must be appointed by public authorities and by any organisation whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data (Article 37); many other businesses choose to appoint one anyway.

  • Privacy by design

o   Data protection has to be built in from the initial design stage of a system, not bolted on afterwards (Article 25).

  • The right to be forgotten

o   Any individual is entitled to request the erasure of their personal data, subject to the conditions and exemptions of Article 17.

  • The right to access

o   The data subject has the right to obtain a copy of their personal data, together with the purposes of the processing, the recipients and the source of the data (Article 15).

  • Breach notifications

o   Companies must notify the supervisory authority of a breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk is high, the affected individuals must be told as well (Articles 33 and 34).

What if you don’t comply?

With the new law comes a much greater ability to fine companies that don't comply with GDPR. The fines are significant not just in their size: up to €20 million or 4% of worldwide annual turnover, whichever is higher. This has huge implications for companies of any size: a serious failure to comply could put the company out of business!

How do you become GDPR ready?

Three simple steps can help prepare your organisation for GDPR.

  1. Create awareness across the organisation about GDPR, what it covers, and what the fines are for non-compliance.
  2. Use software to find and detect all sensitive data within the organisation, including servers, documents, workstations, email inboxes and all cloud storage.
  3. Execute the strategy across the organisation. Appoint a DPO (or an equivalent privacy lead, if you are not required to have a DPO) to lead the team and to make sure all of the requirements are adhered to.

How can Ground Labs help?

We offer free risk assessments to give an organisation a snapshot of all the sensitive data held in the environment we scan. The assessment helps to identify and understand the potential GDPR risk to the organisation.

Now that you know how to prepare for GDPR, is your company ready? Start your GDPR journey with Ground Labs: click the link for a free risk assessment http://content.groundlabs.com/gdpr_assessment

Who is Ground Labs?

Ground Labs is the data security and auditing software provider of choice for over 2,500 companies globally. Organisations use our Enterprise Recon and Card Recon products to find and remediate unsecured sensitive data on their computer systems. Securing that data helps them to prevent serious data breaches and to comply with global information standards such as PCI DSS and GDPR. Our 24/7 best-in-class support function focuses on providing a high level of customer care across multiple time zones. Founded in 2007, we are headquartered in Singapore, with offices in Europe and the USA. For further information or to request a product demo please visit www.groundlabs.com