GDPR outlook.

Organisations are heading into the 'wild west' as UK hits peak GDPR frenzy.

Organisations must take greater care in choosing General Data Protection Regulation (GDPR) compliance partners and must make sure that the right balance of legal and technical delivery skillsets is in place, according to ST2 Technology. ST2 argues that failing to do so will lead to significant compliance failures once the new regulation takes hold.

The non-prescriptive nature of the regulations has created uncertainty and a lack of clarity in the market. As such, there has been a sharp rise in assessment kits and non-specialist consultants offering advice to organisations on how they can ready themselves, despite not necessarily having the relevant and appropriate experience.

Richard Hannah, Head of Consulting at ST2 Technology, said: "Organisations are running headlong into GDPR to get prepared for when it comes into effect on 25 May 2018. However, there is an equal and opposite rush from consultancies to fill the market void, leading to untested and potentially incorrect approaches to ensuring compliance. We can expect a lot of teething problems and some significant compliance failures coming to light over 2018/19.

"For many consultancies, customers looking for partners to help them become compliant with GDPR is the equivalent of a new gold rush--however, less speed and more haste should be the mantra as we all work with the new data landscape now coming into view.

"Organisations must recognise that GDPR is not just about company records, data and processes, it is also about the law as it affects an organisation's commercial arrangements, technology, risk management and a company's ability to transform operations to maintain compliance."

ST2 Technology has built its Assessment, Compliance and Transformation (ACT) framework--which provides comprehensive analysis, planning and implementation of technology--in order to help organisations identify and address any GDPR compliance gaps.

The framework starts with a comprehensive analysis of an organisation's readiness against the new legislation. This assessment covers contractual elements, process, technology and legal readiness. A gap analysis is then created and delivered to management. This is followed by a compliance roadmap that provides a detailed plan to eliminate the risk within the organisation, encompassing contracts, operations, legal and technology.

The ST2 framework then identifies any technology performance issues that may require additional safeguards. Finally, the plan is executed, led by ST2 consultants who work with in-house teams to deliver the transformation phase.

"The ACT framework manages every aspect involved when it comes to achieving compliance; we provide planning, implementation and optimisation of technology, and even the provision of tools, training and software solutions to ensure companies can maintain compliance with this tough piece of legislation. We firmly believe that no other GDPR portfolio service is as comprehensive as this, not only in delivering compliance, but also when it comes to the tools required to maintain compliance," concludes Richard.

www.st2.tech

New Data Protection Bill looks to go further than GDPR.

The new Data Protection Bill, which plans to overhaul the UK's data protection regime, has been welcomed by managed services provider (MSP) EACS. As organisations prepare for the General Data Protection Regulation (GDPR), they need to be aware that the new Bill will likely go further than the EU regulation as it currently stands, particularly in the introduction of new criminal offences and the unlimited fines they may incur.

In line with the European Union's (EU) GDPR, the new Bill aims to increase trust and confidence in the economy and to strengthen data protection. However, some of its provisions carry additional financial consequences for companies that fail to demonstrate compliance.

For example, the Bill states that the Government will "create a new offence of altering records with intent to prevent disclosure following a subject access request". The scope of the offence would apply not only to public authorities but to all data controllers and processors. The maximum penalty would be an unlimited fine in England and Wales or a Level 5 fine in Scotland and Northern Ireland.

For Paul Wilford, Cyber Security Architect at EACS, although this suggests greater financial repercussions, there will be long-term benefits to the UK's digital economy.

He comments: "This is a welcome piece of legislation and one that will make the UK a much more attractive place to do business with. However, organisations need to be savvy to certain elements that differ from GDPR. By way of example, an organisation could potentially be fined for a breach, or they could be fined for lack of compliance even if it hasn't actually been breached. But there are also some new additions as well, such as a new offence for 'intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data'. Offenders who knowingly handle such data will also be guilty of an offence and the maximum penalty will be an unlimited fine. Elements like this are beyond the original message of GDPR and suggest that the UK is actually bolstering the legislation.

"The UK government has put out a very bold statement in that its vision is 'to make the UK the safest place to live and do business online'. In order for this goal to come to fruition, organisations must view these new laws as an opportunity to get ahead of the game, as opposed to a burden that will hold back their business. Essentially, every organisation is in the same boat and must demonstrate compliance. But forward thinking companies can actually embrace this as a USP by using this grace period to get their houses in order and to reassure both customers and partners that they are ahead of the game and that they are taking data protection seriously.

"There will no doubt be growing pains on the road to compliance but it will be good for the UK's digital economy in the long term. As the digital economy continues to grow, having clear safeguards in place will help the UK deliver on its promise to make the UK the safest place to live and do business online," concludes Wilford.

www.eacs.com

New Data Security Network Launches to Champion and Promote Data Sanitization Best Practices.

Participating Members Include Top Technology and IT Security Experts from Information Governance Initiative, Blancco Technology Group, Ingram Micro ITAD, Kroll Ontrack and More

Nearly 12 million records have been exposed since the beginning of 2017, according to Identity Theft Resource Center (ITRC). Although data sanitization is an important step in preventing sensitive data from being accessed or breached, it's still relatively unknown and often misunderstood within the technology and IT security industry. Now, a new independent network, known as the International Data Sanitization Consortium (IDSC), has launched to champion and promote data sanitization best practices.

Founded in July 2017, the organization's mission is to eliminate ambiguity around data sanitization, including terminology, standards and guidelines. This is an area that requires serious attention, as a recent survey of IT professionals worldwide found. When asked to identify the correct definition of data sanitization, 64 percent failed to choose the correct answer. On top of this, media reports and data recovery studies have repeatedly proven just how easy, common and dangerous it is for data to be recovered--all because devices had not been sanitized before they were discarded, recycled, traded in, resold or reused.

Data sanitization is defined as the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. This includes traditional IT equipment with data storage and mobile devices, along with internet-connected devices, such as wearables, medical devices and infotainment systems in automobiles. A device that has been sanitized has no usable residual data, and even with the assistance of advanced forensic tools, the data can never be recovered. There are three methods to achieve data sanitization: physical destruction, cryptographic erasure and data erasure.

IDSC's members include influential technology and IT security experts across academic institutions, analyst firms, software providers, hardware manufacturers, IT Asset Disposition vendors and enterprise businesses. Richard Stiennon, Chief Strategy Officer of Blancco Technology Group and former Gartner analyst, is a founding member and acting Director of the IDSC.

"I am astounded by how little is known and understood about data sanitization," said Richard Stiennon, Chief Strategy Officer, Blancco Technology Group and acting Director of the IDSC. "This stems from confusion about the definition of data sanitization and the varying methods for achieving it. For example, many businesses mistakenly implement certain data removal methods, such as a factory reset, reformatting, data wiping and data clearing, because they believe these methods are capable of achieving data sanitization, when in fact they are not. As a result, the vast majority of organizations today aren't undertaking the necessary steps to implement a data sanitization process and are leaving themselves vulnerable to a potential data breach. This is both disappointing and alarming--and something we at the IDSC hope to change through ongoing education and guidance."
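The three methods defined above, and Stiennon's point that a factory reset or reformat is not one of them, are easiest to see on a disk you can inspect byte by byte. The following is an added example written for this page; it is not IDSC, Blancco or any member company's tooling. The ToyDisk and SelfEncryptingDisk classes, the SHA-256 counter keystream and the customer record are all illustrative constructs: a reformat only drops the directory and the record remains carvable from raw media; overwrite erasure is verified by reading the whole media back; cryptographic erasure destroys the media key so the ciphertext left on the media cannot be turned back into data.

```python
"""Toy software-side view of data erasure versus cryptographic erasure.

Illustrative code added for this page, not any vendor's sanitization tool.
The 'disk' is an in-memory bytearray with a toy directory; the keystream is
a SHA-256 counter construction used only to show what destroying a key does.
"""
import hashlib
import os

DISK_SIZE = 4096  # constructed toy media size in bytes


class ToyDisk:
    """Raw media (bytearray) plus a directory mapping name -> (offset, length)."""

    def __init__(self, size=DISK_SIZE):
        self.media = bytearray(size)
        self.index = {}
        self._next = 0  # append-only allocator, so offsets are never reused

    def write_file(self, name, data):
        off = self._next
        self.media[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self._next += len(data)

    def read_file(self, name):
        off, n = self.index[name]
        return bytes(self.media[off:off + n])

    def quick_format(self):
        """What a reformat or factory reset typically does: forget the
        directory and leave every data block untouched."""
        self.index.clear()
        self._next = 0

    def carve(self, needle):
        """What a recovery tool does: scan raw media for a pattern, ignoring
        the directory. Returns the offset, or -1 if the pattern is absent."""
        return bytes(self.media).find(needle)

    def overwrite_erase(self):
        """Data erasure: overwrite every block (random, then zeros), then
        verify by reading the whole media back."""
        self.media[:] = os.urandom(len(self.media))
        self.media[:] = bytes(len(self.media))
        self.quick_format()
        return self.verify_erased()

    def verify_erased(self):
        """Read-back verification: every byte of the media must be zero."""
        return not any(self.media)


def _keystream(key, start, length):
    """Toy counter-mode keystream: stream byte p is byte p % 32 of
    SHA-256(key || p // 32). Illustration only; real drives use AES."""
    out = bytearray()
    for p in range(start, start + length):
        block = hashlib.sha256(key + (p // 32).to_bytes(8, "big")).digest()
        out.append(block[p % 32])
    return bytes(out)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDisk(ToyDisk):
    """Media holds only ciphertext under a media encryption key (MEK).
    Offsets are unique (append-only), so the keystream never repeats."""

    def __init__(self, size=DISK_SIZE):
        super().__init__(size)
        self.mek = os.urandom(32)

    def write_file(self, name, data):
        ct = _xor(data, _keystream(self.mek, self._next, len(data)))
        super().write_file(name, ct)

    def read_file(self, name):
        if self.mek is None:
            raise PermissionError("media key destroyed: ciphertext is unrecoverable")
        off, n = self.index[name]
        return _xor(super().read_file(name), _keystream(self.mek, off, n))

    def crypto_erase(self):
        """Cryptographic erasure: destroy the MEK. Ciphertext stays on the
        media, but no key exists to turn it back into data."""
        self.mek = None


def demo():
    """Run the three scenarios and return the outcome of each check."""
    secret = b"CUSTOMER-RECORD: name=J. Doe card=4111111111111111"  # constructed sample
    results = {}

    disk = ToyDisk()
    disk.write_file("customers.csv", secret)
    disk.quick_format()
    results["after_reformat_recoverable"] = disk.carve(secret) != -1   # True
    results["after_overwrite_verified"] = disk.overwrite_erase()       # True
    results["after_overwrite_recoverable"] = disk.carve(secret) != -1  # False

    sed = SelfEncryptingDisk()
    sed.write_file("customers.csv", secret)
    results["sed_readable_with_key"] = sed.read_file("customers.csv") == secret  # True
    results["sed_raw_media_recoverable"] = sed.carve(secret) != -1               # False
    sed.crypto_erase()
    try:
        sed.read_file("customers.csv")
        results["after_crypto_erase_readable"] = True
    except PermissionError:
        results["after_crypto_erase_readable"] = False                           # False
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The overwrite path of this toy is only faithful for media where host writes reach every cell, such as a plain magnetic disk. SSD controllers remap, over-provision and retire blocks, so a host-side overwrite cannot be shown to have reached them all; there, sanitization means the drive's own sanitize command (ATA SANITIZE, NVMe Sanitize) or the self-encrypting drive's cryptographic erase, followed by read-back verification, rather than a reformat or a filesystem-level wipe.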

IDSC's Participating Members include:
Barclay Blair, Information Governance Initiative
Paul Henry, Information Security & Forensics Expert
Richard Stiennon, Blancco Technology Group
Rohini Khanduri, Ingram Micro ITAD
Henrik Andersen, Kroll Ontrack LLC
David Morgan, Morgan Privacy Consulting
Craig L. Koon, Financial Industry Veteran
Steve Martin, Consulting/Technology Industry Veteran

"Failing to govern data is an endemic problem that can inflict serious damage on an organization--and it can happen at any time from the instant a piece of digital data is created right to the very end of its lifecycle," said Barclay T. Blair, founder and executive director of the Information Governance Initiative. "Time and time again across the hundreds of organizations we speak to each year, we see the consequences of this governance failure in litigation, security breaches, loss of customer trust, regulatory sanctions and other completely unnecessary incidents. Data sanitization is an essential part of a holistic and mature approach to governing information, and it is our hope that this initiative will play a major role in driving clarity and adoption on this critical part of the information governance lifecycle."

The consortium hopes to educate technology and IT security professionals about data sanitization by creating and sharing useful content that will help businesses better manage and protect their data through data sanitization. This educational content will be contributed by each of the IDSC's participating members and available on a dedicated website: www.datasanitization.org.

COPYRIGHT 2017 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2017 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:SECURITY REVIEW
Publication:Database and Network Journal
Date:Aug 1, 2017