There’s a lot of preparation to do before GDPR comes into force, but organisations can save themselves time by stopping to assess the value of the data they hold.
Is the data being used? Does holding on to it serve a purpose?

At the moment, organisations can ask permission to collect personal data. They can then use this data for a variety of internal purposes. The data we give to set up an account can be used for marketing, analytics, and product development, really anything that it could be useful for. GDPR will put an end to this catch-all permission system. Organisations will need to acquire permission from individuals for each use of their data.

Organisations not only need to modify their data collection practices; they need to assess what data they currently hold. What’s it being used for? Who has access to it and why? Where is it being stored (is it all in one database? How do you know if multiple employees have downloaded the data and have it sitting on spreadsheets across multiple devices?)

What questions do organisations need to ask themselves about their data management processes before GDPR comes into force?

1. Do you really need the data?

Once you know what data is being collected and stored, you need to ask what the data is being used for. Is data collected to form the customer database also being used by the marketing team to send newsletters to email and marketing material through the post? Maybe your loyalty card database is also being used by product development to analyse the social status of your customers? After GDPR comes into force, organisations will need explicit permission for any use of customer data outside its original purpose. So it’s important to know exactly what data you’re using. Do you really need the data of a client that hasn’t done business with you for ten years? Is that data being used for anything? If so, what and why? Keeping unnecessary data around will only be a drain on the organisation’s resources after May 2018, so it’s a good idea to cull any excess data before the deadline.

2. How does the organisation control access to data?
GDPR compliance will mean a tightening of access controls. The permission-based system introduced under GDPR will give individuals more control over what their data is used for. All organisations will need to put systems in place that enable them to monitor who is accessing the data, how long they spend looking at the data, and record any changes they make to the data. Some people may simply need ‘read only’ access – in which case they should be prevented from downloading the data or taking screenshots of it.

3. Can you be sure that your data is accurate?

Is the data you hold on individuals accurate and up-to-date? Do you have permission to use it in the way you do? Of course, inaccurate data is useless to organisations anyway, so identifying and eliminating this information shouldn’t be an issue.

4. What training does your team need?

It’s likely that many of us have picked up working habits that wouldn’t be able to continue under GDPR. Whether it’s emailing ourselves spreadsheets to work on at home, or sharing data with our colleagues over unsecured wifi, there will be some practices that need to change. People usually take the easiest and quickest route to completing a task, so any software or solution that organisations introduce will need to be efficient. Employees will also need training and support in using any new systems and in changing the way that they’ve worked for years. They need to be fully informed of the legislation. They need to be aware of the rights individuals have over their data, and of their right to be forgotten. They need to know that they can’t just use data as they see fit; they need to check that permission has been given freely and that they have a genuine need to access and use the data. In training teams to cut down on excessive data collection and use now, you can make sure that all employees are fully prepared for the changes GDPR will require by the time these practices become a legal obligation.
Only after organisations have assessed their current data practices can they create a plan and train their employees in the new best practice for data collection, processing, and secure access and storage.

By Dharmendra Patel, Head of Strategy and Finance, Pushfor.

Essential compliance knowledge for iGaming professionals. Conference: Compliance Briefing London, 12 October 2017. Courses: igacademy.com/courses

Originally published on GDPR:Report
The General Data Protection Regulation has meant that the age-old debate about the adequacy of security in the cloud has reared its head again, with a recent eperi study of 250 IT security professionals indicating uncertainty when it comes to cloud security in relation to the regulation. It found that 53% of respondents felt GDPR data security requirements would keep them from putting sensitive data in the cloud. For the majority (85%), this was due to their lack of confidence in the protection of sensitive data.

Fines under the regulation seem to be the main driver for meeting compliance and have companies running scared from the cloud, as it’s likely to be an organisation killer for the worst offences. In fact, 72% noted that they would have to re-evaluate their data security requirements in the cloud because of the regulation that comes into force in May 2018. But with all of this hype, organisations must not forget that if they first and foremost secure the data that goes into the cloud through encryption or tokenisation and remain in control of the encryption keys, the scope of GDPR can be significantly reduced.

Encrypting Data

The enterprise’s legal, risk and compliance teams must essentially become the custodians of the business and apply corporate governance. Where once IT security controlled the IT and data security, the scales have tipped in favour of compliance and it is becoming a massive driver for any business decision involving sensitive data. IT departments now need to become the implementers of solutions that meet these data compliance requirements. Encrypting or tokenising data means that it is scrambled by an algorithm to such an extent that it is rendered unusable to any unauthorised party attempting to access it. The only way to decrypt the data is to use a key, which ideally should be under the control of the organisation that owns the data.
Currently, this is where many companies fall down in relation to GDPR, as 54% admitted that they rely on their cloud or Software as a Service (SaaS) provider to encrypt data and just over half (51%) think that it is acceptable for the solution provider to control all or part of the encryption keys. Where 54% rely on the SaaS vendor for encryption, this is usually for 'data at rest', which under GDPR is only a subset of the 'comprehensive security' guidelines and recommendations, which specify the protection of PII and sensitive PII 'in motion', 'at rest' and 'in use'.

The key here, and something that is very well laid out in GDPR principles, is data control. Specifically, if sensitive encrypted data were intercepted or compromised, could it be reversed? If the answer is yes, then it is still regarded as data, is treated as data, and is subject to GDPR principles. In the past, this has been interpreted as a general Data Residency requirement on a country-by-country basis, with different mandates depending on location and jurisdiction. With GDPR, the guesswork is taken away and the onus is very much on the organisation as a data controller to assume the ultimate responsibility for its PII and sensitive PII data when using third-party data processor systems. In the event of data compromise or loss, if the organisation is in full control of its own encryption keys, it can avoid the notification step altogether if the data is unreadable to the world outside the organisation. In contrast, if the cloud or SaaS provider controls the keys and they are breached, then there is no way to be certain the organisation’s data is safe, and notifications and fines ensue.

Tips for businesses as Data Controllers

For modern business, the emphasis is shifting and it’s not a question of how safe my cloud SaaS data centre is, but rather about the data itself.
A responsible and well-organised enterprise will understand all of its legal compliance requirements and take the appropriate steps to meet these requirements - perhaps now motivated by fines of up to 4% of global revenues and data breach notification naming and shaming and resulting brand damage. This can be covered in three basic steps:
Bear in mind that, too often, historic tools for managing compliance, such as Data Leakage Prevention (DLP) or now Cloud Access Security Brokers (CASB), act as barriers and block information before it enters the cloud, and that is unhelpful to modern business. Instead, organisations should focus on technology solutions such as Cloud Data Protection (CDP) solutions that can encrypt or tokenise the PII data itself, in motion to the cloud, at rest and in use, and make it usable to organisations by offering advanced search and sort functionality. Importantly, the control – for example, encryption key management – should always be fully retained by the organisation and not the SaaS vendor in order to meet compliance and data control standards.

Forrester recently released its Cloud Security Solutions Forecast, which shows the cloud services market is set to soar from $114 billion in 2016 to $236 billion by 2020. Its rapid growth is also driving the market for cloud security tools, which Forrester estimates will increase from $1 billion in 2016 to $3.5 billion in 2021. Furthermore, the report notes that businesses are starting to recognise a lack of adequate key management among cloud providers, making key management a bigger priority for time and resource allocation.

Only by realising that data control is the biggest issue for GDPR compliance, and taking steps to classify and then implement advanced cloud data protection solutions before the PII and sensitive PII data moves outside the organisation’s control, and introducing a system for controlling the data, can compliance and security live in harmony. If managing corporate risk means there will be no need for data breach notification in the event of data compromise, assuming the principles of data pseudonymising have been met, it reduces the scope of GDPR and becomes a sure step in the right direction.

By Ravi Pather, senior vice president, eperi
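As an added illustration (not part of the article and not eperi's product), here is a minimal Python sketch of the tokenisation pattern described above: PII fields are replaced by tokens before a record leaves the organisation, the HMAC key and the token-to-value map stay in an on-premise vault, equality search still works on the cloud copy, and a leak of the cloud copy alone exposes no PII. The `TokenVault` class, the record fields and the sample customers are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample: customer records a SaaS/CRM would normally receive in the clear.
SAMPLE_RECORDS = [
    {"id": 1, "email": "alice@example.com", "name": "Alice Smith", "plan": "gold"},
    {"id": 2, "email": "bob@example.com", "name": "Bob Jones", "plan": "silver"},
    {"id": 3, "email": "alice@example.com", "name": "Alice Smith", "plan": "trial"},
]
PII_FIELDS = ("email", "name")


class TokenVault:
    """Hypothetical on-premise token vault (the CDP component the article describes).

    The HMAC key never leaves the organisation; the cloud only ever sees tokens.
    Tokenisation is deterministic per (field, value), so equality search and
    grouping still work on the cloud side, which is the 'usable' property
    the article asks for.
    """

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self._store = {}  # token -> original value, kept on-premise only

    def tokenise(self, field_name, value):
        # Bind the field name into the MAC so the same value in two fields
        # does not yield the same token.
        msg = f"{field_name}\x00{value}".encode("utf-8")
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        token = f"tok_{field_name}_{mac[:24]}"
        self._store[token] = value
        return token

    def detokenise(self, token):
        return self._store[token]


def protect_record(vault, record, pii_fields=PII_FIELDS):
    """Replace PII fields with tokens before the record is sent to the cloud."""
    return {k: (vault.tokenise(k, v) if k in pii_fields else v) for k, v in record.items()}


def restore_record(vault, cloud_record, pii_fields=PII_FIELDS):
    """Re-hydrate a record pulled back from the cloud using the on-prem vault."""
    return {k: (vault.detokenise(v) if k in pii_fields else v) for k, v in cloud_record.items()}


def cloud_search(vault, cloud_records, field_name, value):
    """Equality search: the org tokenises the query; the cloud matches tokens only."""
    query_token = vault.tokenise(field_name, value)
    return [r["id"] for r in cloud_records if r.get(field_name) == query_token]


def leaks_pii(cloud_records, original_records, pii_fields=PII_FIELDS):
    """Breach check: does any raw PII value from the originals appear in the cloud copy?"""
    raw_values = {rec[f] for rec in original_records for f in pii_fields}
    return any(v in raw_values for r in cloud_records for v in r.values())


if __name__ == "__main__":
    vault = TokenVault()
    cloud_copy = [protect_record(vault, r) for r in SAMPLE_RECORDS]
    print(cloud_copy)
    print(cloud_search(vault, cloud_copy, "email", "alice@example.com"))
```

If the cloud copy is compromised, `leaks_pii` returning `False` is the property that lets the controller argue the data was unreadable outside the organisation; the vault, not the SaaS vendor, remains the only place the tokens can be reversed.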
Originally published by GDPR.Report

In less than a year’s time, a radical change to data protection and legislation will come into effect in the EU – the General Data Protection Regulation (GDPR). With GDPR almost here, the data protection and privacy landscape of the EU is set to change in big ways. But how can the iGaming industry ensure that it is compliant with the regulation, and how would they go about becoming compliant? Below are six steps businesses should undertake:

Step one – Get to grips with GDPR’s legal framework

The first step that a business needs to take is to understand how each aspect of the legislation applies to them. By conducting a full audit against the GDPR legal framework, a business will understand what it needs to do and what the consequences for failing to do so are. As part of this compliance audit, a business should hire a Data Protection Officer (DPO), who will be responsible for ensuring the company adheres to the regulations. Ideally, a DPO would have a background in both law and technology, so they’re able to understand both the technical specifications and the regulatory framework needed to meet this. Every organisation is different, and so no GDPR journey will look the same – correct guidance from business leaders to employees is needed to ensure the whole company understands how to be compliant.

Step two – Create a Data Register

Once a business understands the steps they need to take, it’s important that they keep a record of the process. This is best done with a Data Register – essentially a GDPR diary. The Data Protection Association (DPA) of each country will enforce GDPR, and be responsible for judging if a business is compliant when determining any penalties for being breached. In this event, the Data Register will be a crucial tool for demonstrating the progress the affected business has made in becoming compliant.
If they have no proof, the DPA would be able to fine between 2% and 4% of the company’s turnover. The amount and speed of the DPA’s decision would depend on the sensitivity of the data.

Step three – Classify data

While understanding what protections, if any, are already in place is important, this step focuses on helping businesses understand what data they need to protect and how that is being done. First, a business must locate any Personally Identifiable Information – information that can directly or indirectly identify someone – of EU citizens. It’s crucial to know where this is stored, who can access it, who it has been shared with, etc. It can then determine which data is more vital to protect. In addition to this, it’s important to know who is responsible for controlling and processing the data, and to make sure all the correct contracts are in place.

Step four – Identify the top priorities

Next, a business needs to evaluate how that classified data is being produced and protected. Regardless of how data is collected, the first priority should always be to protect the user’s privacy. Businesses should ask themselves if they need the sensitive data they have collected – this data is worth a lot to a hacker, and has the greatest risk of being stolen. Businesses should complete a Privacy Impact Assessment and Data Protection Impact Assessment of all security policies. When doing this, it’s important to keep the rights of EU citizens in mind, including restrictions of processing and data portability. In particular, any data third parties use to identify someone must be deleted if requested by that individual and approved by the EU. It’s crucial that all this data is correctly and promptly destroyed and can’t be accessed. This process is known as the “right to be forgotten”. Evaluating how the business protects this data comes next (for example, with encryption, tokenisation or pseudonymisation).
The evaluation must explore: any historical data, the data being produced and any data that is backed up – either on-site or in the cloud. This data must be anonymised to protect the privacy and identities of the citizens it relates to. All data needs to be protected from the day it is generated to the day it is no longer needed.

Step five – Document and assess any additional risks and processes

Of course, there’s more to compliance than just protecting the most sensitive data – the next stage of the process is to assess and document any other risks, to discover any other processes or areas that might be vulnerable. While doing this, the business should update its Data Register, to show the DPA how it is addressing any existing risks. Only by doing this can a business demonstrate to the DPA that it is treating compliance and data protection seriously and with respect.

Step six – Revisit and repeat

Finally, the last step on the compliance journey focuses on revisiting the outcome of the previous steps and remediating any potential consequences, tweaking and updating where necessary. Once this is complete, businesses should evaluate their next priorities and repeat the process from step four. Moving forward, every decision, plan and application a business makes needs to have security at its forefront. This process is known as “privacy by design”, and ensures that any data that enters a business is located and protected from the moment it arrives. Any business that fails to demonstrate it has the right measures in place, or has at the very least begun the process of introducing them, will face severe fines and damage to its reputation. In less than a year, when businesses lose the ability to hide their data breaches, we’ll get a realistic picture of the state of cybersecurity in the EU.

By Jan Smets, Data Security Expert at Gemalto, and qualified Data Protection Officer.
Originally published on GDPR.Report

New research by leading information security company Clearswift shows how attitudes to cyber security have changed in the boardroom and among staff in the wake of the recent WannaCry attack, surveying 600 business decision makers and 1,200 employees across the UK, US, Germany and Australia. Within a day, the WannaCry attack, which affected major organisations including the National Health Service (NHS), was reported to have infected more than 230,000 computers in over 150 countries, once again bringing the issue of cyber security into focus for business and consumers alike.

The scale of the WannaCry attack was evidenced above all by the sheer awareness amongst the general public, with more than three quarters (77%) of people surveyed having knowledge of the attack, and the number even higher (88%) in the UK. With 58% of firms in the UK expecting another attack over the next few months, it is clear that the attack has sent ripples through the industry and brought cyber security front of mind for both employees and businesses. Following the events, 29% of UK businesses will now add cyber security to the boardroom agenda and 29% of firms worldwide have pledged to implement stronger cyber security measures.

With 80% of UK employees increasingly worried about how companies hold their data, and an identical number (80%) worldwide sharing those concerns, it’s no surprise that 38% of employees worldwide who were aware of the attack are now reading more about cyber security in the aftermath of the events. Additionally, 33% have changed their passwords, formally enrolled in courses (24%), or are taking steps to ensure their companies raise their game in cyber security (26%).

Dr. Guy Bunker, SVP Products at Clearswift, said: “UK employees are worried about the practices of the custodians of their data, however the gulf between front line security professionals and Board members may at last be bridging, with close to a third (29%) now recognising cyber security has a place at the boardroom table.

“Organisations need to answer the clarion call we are hearing from employees to learn from these events and start to raise their game and update their policies, procedures and technology to mitigate against future attacks, as well as preparing for the introduction of new data regulations that are on the horizon.”

Those in the public sector took a slightly more relaxed attitude to how their data is held, with more than a quarter (28%) not being worried by the attacks compared to 17% in the private sector. With one of the UK’s most well-known organisations, the National Health Service (NHS), being front and centre of the attack, it may be surprising to learn that UK employees who were aware of the WannaCry attack were less likely than those in the USA, Australia and Germany to change their passwords, read more about cyber security or even ask their company for advice. The US (49%) proved most likely to action change, followed by Australia (43%), Germany (37%) and then the UK (35%). The future may be brighter, however, as more than half (55%) of those aged 18-24 who were aware of the WannaCry attack have taken the initiative to read more about cyber security, with 29% enrolling in courses or certifications.

Dr Bunker added, “An educated workforce that is well briefed on policies and procedures will go some way in limiting the effects of a breach, however Boards need to take a proactive stance on this.
Having the latest security technology enables organisations to stop attacks at the boundary, before they enter a network, by removing the source of an attack from documents and attachments shared into an organisation.”

The European Commission has reprimanded EU member states for failing to take a harsher stance on the anti-money laundering (AML) directive. Brussels has implemented the new AML regulations, known as the “fourth anti-money laundering directive”, which was due to take full effect on June 26th across the EU.
European Commissioner for Justice Věra Jourová said she has sent 14 letters to EU member states addressing her concerns about the failure to add the new requirements to their national statute books. Three other countries have also received letters from Jourová about how they have only implemented the measure partially. The European Commission decided to take a tougher stance as it believes EU member states have failed to introduce adequate measures to prevent criminal and terrorist organisations from concealing money used for illicit activities. As a result, it may force bookmakers to implement ID checks on customers that wager more than €2000.

The EU Council previously warned industry stakeholders in a number of published consultations that it would make the AML regulations much harsher. The UK Gambling Commission (UKGC) issued an industry update last June to warn stakeholders that failure to implement ID checks would breach conditions of UK licensing. The Malta Gaming Authority (MGA) also published an industry consultation with the Financial Intelligence Analysis Unit (FIAU) stating that industry stakeholders ‘must get smart on new EU-wide AML regulations’. The EU aims to implement its new AML directive as quickly as possible, and it has been outlined as an important business/commercial requirement for member states.