
GDPR: the new Notifiable Data Breach on the block

29 May 2018

Article written by Sophos general manager Australia and New Zealand Ashley Wearne

Australian organisations have already made the necessary adjustments (or at least they should have) to ensure they are compliant with NDB (Notifiable Data Breach) laws introduced in late February this year. But if locally-based organisations control, collect or share any personal data belonging to EU citizens, they will also need to be compliant with the soon-to-be-introduced GDPR (General Data Protection Regulation).

GDPR officially came into effect on Friday and any business that now finds itself not in compliance could be hit with big fines (up to €20m or 4% of an organisation’s annual global turnover). However, it’s not just the monetary consequence that organisations should be concerned with – the severity of reputational damage has the potential to far outweigh the financial cost.

The idea behind GDPR is to protect EU citizens’ privacy by giving them greater control over how their personal data is obtained, processed and shared, as well as visibility into how and where that data is used; placing greater accountability on the organisations holding it. This may require that some organisations review their processes and policies around data management as well as assessing whether or not the data they have is still business critical.

Organisations can no longer collect user data haphazardly; GDPR requires that they only collect user data where there is a ‘lawful basis’ to do so, and that basis must be documented. This means that the value of data will shift from being an asset to a potential liability if it is not handled or managed properly. An effective way for organisations to reduce the risk is by permanently deleting data which is no longer needed and to ensure they protect the rest of it.

While reducing the risk of a breach is undoubtedly important for reaching compliance, organisations also need to look at what can be done to stop incoming breach attempts. A three-pronged approach is essential when it comes to protecting an organisation from a breach. This includes:

1. Stop hacking and malware – invest in security software that blocks malware from making it into your system

2. Secure lost or stolen devices – take control from a central location and remove sensitive data if something happens to the device

3. Reduce impact of human error – work with employees to ensure they’re on the lookout; GDPR compliance is everyone’s responsibility

Data handlers will also need to implement more informed consent processes when obtaining customer or user data, so EU citizens are fully aware of what they are opting into when an organisation is entrusted with their PII (Personally Identifiable Information). This is to ensure full disclosure between both parties and avoid any ‘nasty surprises’.

EU citizens can request information on the data held about them, via a subject access request – a written report that must be sent upon request that explains what data is held about them, why it is being used and who it has been shared with. Citizens can also request that any data held on them is deleted.

Finally, GDPR requires that organisations become much more proactive in disclosing a data breach, should one occur. It mandates that any person affected by a data breach be notified within 72 hours of the breach’s discovery, allowing the person/s affected to take any necessary action, such as notifying their banks. This means that data protection is not just an IT issue, but a board-level issue too. It’s something that all employees should take a level of responsibility for, to ensure they have a sound understanding of the regulations.

GDPR implementation isn’t a technological box to check; it’s largely a matter of creating and formalising processes to meet the new mandate’s requirements. The new regulation has been put in place for the safety and privacy of consumers – something that organisations should keep in mind.

Over the years, we’ve seen the frequency of hacking and data breaches on the rise with a number of organisations trying to cover up their mistakes by keeping silent. Organisations will now be required to do the right thing by their customers in the event of a data breach.

The good news is that GDPR laws have come at an arguably good time for Australian organisations, as over the past 6-12 months they’ve been reviewing and updating processes and policies to ensure they’re NDB compliant. For those that maintain data on EU citizens, the same must be done now to ensure they are GDPR compliant.
