Business: The impact of GDPR


The new General Data Protection Regulation (GDPR) is the talk of the town in the security world. A day doesn’t seem to pass without a new security breach being reported in the media. Recent cases such as the Equifax scandal and the data breach at Deloitte have brought the subject of data security to the forefront of the news cycle. There are steps all organisations need to take to keep their name out of the next data breach headline.

The breaches give credence to the idea that there was a serious need for a ratified law across all EU member states, specifically relating to data security and protecting individuals’ data. The new GDPR legislation was ratified back in 2016 and it outlined the need for each member state to implement it into a new national law by May of 2018. Now, with under a year to go, we would like to provide our customers with a better understanding of how this new regulation will impact businesses across the Eurozone and how we can help them comply with the law.

Firstly, why was GDPR created?

GDPR was created to allow individuals greater control over their personal data. It will unify the set of protection laws across the EU, bringing everyone in line with one standard. Companies that are operating outside of the EU will be subject to this law when they collect data concerning an EU citizen.

What is GDPR at its core?

GDPR addresses many of the failings of its predecessor (the Data Protection Directive), including updating requirements for documenting IT procedures, performing risk assessments, notifying the consumer and authorities of a breach and reinforcing the rules for data minimization.

What are the key changes? 

  • Increased Territorial scope

o   The legislation will apply to all organisations holding data belonging to EU citizens.

  • Data Protection Officers

o   Any business that markets goods or services to customers within the EU and collects personal data must appoint a Data Protection Officer.

  • Privacy by design

o   The inclusion of data protection resources from the initial design stage of a system.

  • The right to be forgotten

o   Any private citizen will be entitled to request the erasure of their personal data.

  • The right to access

o   The owner of the data has the right to obtain records of their personal information, including where it’s being stored and for what purpose.

  • Breach notifications

o   Companies have an explicit instruction to notify authorities of a breach within 72 hours of one occurring.

What if you don’t comply?

With the new law comes a greater ability to fine companies that don’t comply with GDPR. These fines are significant in size: 4% of global revenue or €20 million, whichever is higher. This has huge implications for companies of any size, because a breach could lead to the company being put out of business!

How do you become GDPR ready?

3 simple steps can help prepare your organisation for GDPR.

  1. Create awareness across the organisation about GDPR, what it covers, and what the fines are for noncompliance.
  2. Use software to find and detect all sensitive data within the organization, including servers, documents, workstations, email inboxes and all cloud storage.
  3. The strategy must be executed within the organization. Appoint a DPO to lead the team and to make sure all of the rulings are adhered to.

How can Ground Labs help?

We offer free risk assessments that give an organization a snapshot of all of the sensitive data held in the environment we scan. The assessment helps to identify and understand the potential GDPR risk to the organization.

Now that you know how to prepare for GDPR, is your company ready? Start your GDPR journey with Ground Labs: click the link for a free risk assessment.

Who is Ground Labs?

Ground Labs is the data security and auditing software provider of choice for over 2500 companies globally. Organizations use our Enterprise Recon and Card Recon products to scan for and remediate unsecured and sensitive data on their computer systems. Securing data allows them to prevent serious data breaches and helps them comply with global information standards such as PCI DSS and GDPR. Our 24/7 best-in-class support function focuses on providing a high level of customer care across multiple time zones. Founded in 2007, our global presence is headquartered in Singapore, with offices in Europe and the USA. For further information or to request a product demo please visit

65% of Large UK Businesses Were Breached Last Year. Were You One of Them?

If statistics are anything to go by, UK businesses are as well equipped to fight back against hackers as a toddler is against a pack of wolves.

More than 65% of large companies in the UK have suffered at least one cyber security attack in the past 12 months, according to the recently released Cyber Security Breaches Survey 2016.

Such poor data security practices have led to devastating financial repercussions. In the largest data breach case, more than £3 million was lost.


Data Breach of Verizon a Grim Reminder To Us All: No One’s Bulletproof

To your everyday man on the street, Verizon Communications is an American broadband and telecommunications company. But to those of us in the IT security line, Verizon is also one of the frontliners in the fight against cybercrime, responsible for helping many Fortune 500 companies respond to massive data breaches.

But in a tragic turn of events, Brian Krebs reported last week that Verizon has suffered a data breach, resulting in the theft of 1.5 million records of their customers’ information.

Cardholder Data Discovery: Anatomy of a Credit Card, BIN ranges & Luhn checks

We often get the same questions about the length of a PAN number, BIN ranges and Luhn checks when dealing with cardholder data discovery projects. We thought some clarification was needed, so below we describe what a PAN number is made of, what BIN ranges refer to and how you can work out a Luhn check (also known as MOD10) and validate a credit card using pen and paper.

Anatomy of a Credit Card

A credit card number, for example: 1234567812345678, consists of 3 parts:

The bank identification number
The first six digits are the bank identification number (BIN) or issuer identification number (IIN), which identifies the issuer of the card.

The account number
The number between the bank identification number and the check digit is 6 to 9 digits long and is used to identify the individual account number.

The check digit
The last digit is the check digit and is added to validate the authenticity of the credit card number (based on the Luhn algorithm).

Bank Identification Number (BIN) & Issuer Information Number (IIN) ranges

The first digit of the card represents the category of industry (IIN) that issued your credit card. For example, if you use VISA or MasterCard, your card’s first digit should be either 4 or 5 as they are from the banking and financial industry. American Express is in the travel category and cards issued by them have 3 as the first digit. Below is the list of issuer categories.

[Image: IIN numbers]

Below are some BIN numbers associated with card brands. As you can see, the length of a credit card number varies according to the brand. They are not all 16 digits.

Credit card brand | Bank identification number prefix | Credit card number length

American Express
Diners Club Carte Blanche
Diners Club International
Diners Club US and Canada
Discover Card
Visa Electron

Luhn check or MOD 10 checksum

The final digit of your credit card number is a check digit, akin to a checksum. The algorithm used to arrive at the proper check digit is called the Luhn algorithm, after IBM scientist Hans Peter Luhn (1896-1964).
The LUHN Formula, known also as a Mod 10 calculation, can be used to validate primary account numbers.

How does it work using pen and paper?

➢ Write down the credit card number:

4417 1234 5678 9113

➢ Starting from the check digit and moving to the left, double every second digit

4(x2) 4 1(x2) 7 1(x2) 2 3(x2) 4 5(x2) 6 7(x2) 8 9(x2) 1 1(x2) 3

The doubled numbers result in: 8 2 2 6 10 14 18 2

➢ If the result of the doubling is a two-digit number, then add those two digits together:

10 = 1+0, 14 = 1+4, 18 = 1+8

➢ Add up all numbers:

8+4+2+7 + 2+2+6+4 + 1+0+6+1+4+8 + 1+8+1+2+3 = 70

If the final sum is divisible by 10, then the credit card is valid. If it is not divisible by 10, the number is invalid or fake. In the above example, credit card number 4417 1234 5678 9113 has passed the Luhn test.

The LUHN formula was designed to protect against accidental errors, not malicious attacks. Most credit cards and many government identification numbers use the algorithm as a simple method of distinguishing valid numbers from random digits. The LUHN algorithm will detect almost any single-digit error.
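
The pen-and-paper check above, carried over to a cardholder data discovery pass, as an added example that is not Ground Labs code: it pulls 13 to 19 digit candidates out of text, keeps only those that pass the Luhn test, and reports them masked. The function names, the first-six/last-four masking choice and the sample text are assumptions made for this example.

```python
import re

def luhn_sum(digits: str) -> int:
    """Luhn total: double every second digit, moving left from the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # second, fourth, ... digit counted from the right
            d *= 2
            if d > 9:         # 10 -> 1+0, 14 -> 1+4, 18 -> 1+8
                d -= 9
        total += d
    return total

def luhn_valid(digits: str) -> bool:
    return digits.isdigit() and luhn_sum(digits) % 10 == 0

def check_digit(partial: str) -> str:
    """Digit that, appended to `partial`, makes the whole number pass."""
    return str((10 - luhn_sum(partial + "0") % 10) % 10)

# Candidate PAN: 13 to 19 digits, optionally split by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def mask(pan: str) -> str:
    """Show only the BIN (first six) and the last four digits in reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> list[str]:
    """Masked forms of every Luhn-valid candidate found in `text`."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):   # filters out order ids, typos, random digits
            hits.append(mask(digits))
    return hits

# Constructed sample text (not real data); the first number is the one used above.
SAMPLE = """\
order 1001 paid with 4417 1234 5678 9113 on 2017-10-02
order 1002 ref 4417-1234-5678-9112 (typo in last digit)
tracking id 1234567812345678
"""

if __name__ == "__main__":
    print(find_pans(SAMPLE))
```

Only the first line of the sample is reported: the mistyped number and the 1234567812345678 placeholder both fail the checksum, which is how a Luhn filter cuts false positives in a scan.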

There you have it, the anatomy of a credit card number.