GDPR
Changes
Valid Consent (itgovernance.com)
Data breach
How data is used, processed and what they are collecting must be stated.
Consent age: 13 to 16
Inactivity no longer considered consent.
Pre-ticked boxes not consent
Can be removed at any time
Under 16s need parental consent to share data with internet services.
Uni of Cork security analyst - age increased to 16 for safety reasons.
Must be documented in clear, plain language.
72 hours to report incident to regulator ICO (UK) if individuals' privacy is at risk.
Obliged to have data processor to maintain best practices.
Breaches such as Myspace account details, Yahoo, Acer etc.
Loss, alteration or destruction of individuals' data must be reported to ICO under GDPR.
Individual must be informed of incident.
Description of technical safety measures stating why data is collected, processed and how long data is stored for.
DPA
Not fit for purpose
Valid consent
DPA allowed 13 year olds to share sensitive data with internet services without parental consent. Can be unsafe.
Jargon policies not read by children.
Ticked boxes counted as consent
Companies could exploit data from children for marketing.
Could not withdraw consent
26% of 8-11 year olds have Facebook account (NSPCC assessment)
No age restrictions on Instagram
Data breach
Data processor was not required. No one to report data breach and ensure best practices.
No clear structure on how to report incident.
Individual did not have to be informed.
Does not consider big data, more internet services, accounts and devices.
IBM security 75% of surveyed companies say they lack a formal security incident response plan.
Higher chance of breach impacting business performance.
Did not protect individuals from their data being accessed if used for another purpose.
How organisations should prepare
IBM Cindy Compert CTO
Data risk manager can:
Follow ISO 27001 on best security practices (risk assessment, auditing, accredited certification, assurance, continual improvement, staff training etc.).
76% of 3rd sector companies not fully compliant with GDPR.
All IBM staff receive online training to remain informed on security prevention/response plan.
75% of companies lack formal security incident response plan (IBM security)
Review policies on consent and data processing.
Sustainable audit trail - incident response assessment
Automate processes like logging in, password assigning to protect data subject.
Veritas survey - 91% of surveyed companies say they lack a data security culture. 88% stated that using rewards, training and fines will provide an incentive to comply with GDPR.
IBM's critical data protection program can:
Identify most valuable data
Perform gap analysis
Create risk prevention plan
Analyse and classify important info.
Monitor security framework
Help identify risks to personal and sensitive data impacting business processes/operations and competitiveness.
Helps with data transfer requirements as it shows where data is located.
Data system alerts officer when breach happens.
Review access rights to apps and data
Plan to identify and mitigate risks, e.g. when staff move department, change data access rights to match the new job role. Prevent fraud, e.g. accessing medical info with a single password.
Use KPIs to measure incident response times - tests to meet 72 hour deadline.