GDPR

Changes

Valid Consent (itgovernance.com)

Data breach

How data is used and processed, and what data is being collected, must be stated.

13 to 16

Inactivity no longer considered consent.

Pre-ticked boxes not consent

Can be removed at any time

Under-16s need parental consent to share data with internet services.

Uni of Cork security analyst: age increased to 16 for safety reasons.

Must be documented in clear, plain language.

72 hours to report an incident to the regulator, the ICO (UK), if individuals' privacy is at risk.

Obliged to have a data processor to maintain best practices.

Breaches such as Myspace account details, Yahoo, Acer etc.

Loss, alteration or destruction of individuals' data must be reported to the ICO under GDPR.

The individual must be informed of the incident.

Description of technical safety measures, stating why data is collected and processed and how long data is stored for.

DPA

Not fit for purpose

Valid consent

DPA allowed 13-year-olds to share sensitive data with internet services without parental consent. Can be unsafe.

Jargon policies not read by children.

Pre-ticked boxes counted as consent.

Companies could exploit data from children for marketing.

Could not withdraw consent

26% of 8-11 year olds have a Facebook account (NSPCC assessment).

No age restrictions on Instagram

Data breach

A data processor was not required, so there was no one to report a data breach and ensure best practices.

No clear structure on how to report an incident.

The individual did not have to be informed.

Does not consider big data or the growth in internet services, accounts and devices.

IBM Security: 75% of surveyed companies say they lack a formal security incident response plan.

Higher chance of a breach impacting business performance.

Did not protect the individual's data from being accessed if it was used for another purpose.

How organisations should prepare

IBM: Cindy Compert, CTO

A data risk manager can:

Follow ISO 27001 on best security practices (risk assessment, auditing, accredited certification, assurance, continual improvement, staff training etc.).

76% of 3rd sector companies are not fully compliant with GDPR.

All IBM staff receive online training to remain informed on the security prevention/response plan.

75% of companies lack a formal security incident response plan (IBM Security).

Review policies on consent and data processing.

Sustainable audit trail: incident response assessment.

Automate processes like logging in and password assignment to protect the data subject.

Veritas survey: 91% of surveyed companies say they lack a data security culture. 88% stated that using rewards, training and fines will provide an incentive to comply with GDPR.

IBM's critical data protection program can:

Identify most valuable data

Perform gap analysis

Create risk prevention plan

Analyse and classify important information.

Monitor security framework

Help identify risks to personal and sensitive data that impact business processes/operations and competitiveness.

Helps with data transfer requirements, as it shows where data is located.

The data system alerts the officer when a breach happens.

Review access rights to apps and data.

Plan to identify and mitigate risks, e.g. when staff move department, change their data access rights to match the new job role. Prevent fraud, e.g. medical information being accessible with a single password.

Use KPIs to measure incident response times, with tests to confirm the 72-hour deadline can be met.
