The purpose of Poetslife is to promote the art and discipline of American Tactical Civil Defense for families and small businesses and to contribute practical American civil defense preparedness guidance for all Americans through my articles in the The American Civil Defense Association (TACDA.ORG) Journal of Civil Defense and leadership as the volunteer Vice President of TACDA.


5/31/2018

GDPR Security Holes and More White Paper

Despite the many rules and regulations, there are still security holes in the GDPR regime. For example, how does it handle the multitude of devices in any company's BYOD (Bring Your Own Device) platform? I analyze that security hole and others in my white paper below.

European Union General Data Protection Regulation (GDPR) Security Holes and More White Paper

GDPR Security Holes

Here is what a former Senior Solutions Architect at Perficient has to say about GDPR Security Holes. “Every place that I have worked at since the early 2000’s has had a BYOD (Bring Your Own Device) policy with set reimbursement based on role. Very occasionally we would purchase tablets on the company dime and they were usually replacing laptops. What has happened is that these tablets have negatively impacted security, because consumer-based cloud solutions were used when it was convenient for the users. 
This reality of a mobile, disconnected workforce has outweighed security concerns of their use. And we have gotten lazier: Neither mobile devices nor laptops were encrypted and there was no effective way to prevent leakage of data either due to lost devices or departing employees.”
How do we address this security hole? Perhaps use Airwatch to protect the data?

Cleaning Up Redundant, Obsolete or Trivial Databases
https://www.ibm.com/blogs/think/nl-en/2017/03/20/upside-gdpr-potential-remedy-dark-data/

Think of all the data in production systems that nobody uses anymore. And what about dark or unstructured data, fragmented in crumbs throughout emails, presentations, phone notes, spreadsheets, and so much more? Keeping data you don’t need for business or regulatory purposes can be unhealthy in terms of IT cost and it can also put your company at greater risk in a data breach – and on top of that, you may be basing your business decisions on data that is incorrect or no longer relevant. Getting your organization ready for GDPR might sound difficult, but it’s actually the perfect opportunity to take on this issue as well. 
Very likely, some of the data we store is what we would call ROT: redundant, obsolete or trivial. It has no business value, but may still cost money to store and maintain. However, when it comes to unstructured data, we are usually looking at a totally different picture. Personal information may have been shared in emails between the company and physicians. Sensitive customer and client information may have been extracted from production systems for analytical purposes.
And spreadsheets containing confidential customer and client information from our organization may have been saved locally. Most organizations don’t have insight into their unstructured data stores — which is why it’s often referred to as dark data.
Under GDPR, we must assess what personal information we have, where we keep it and what we are using it for. We can create business value from our data by leveraging new insights based on reliable information. We can improve our decision-making processes to serve customers better and more efficiently — and gain their trust by securing their data at the same time.
So, we can add value for our customers and clients while complying with GDPR regulations if we adapt this strategic approach.

IBM Security, Outthink security threats with intelligence, integration, and expertise, Written Sep 26, 2016, Christina Thompson, IBM Portfolio
I've been reading a ton lately on GDPR and find it a fascinating topic, considering the amount of impact it will have on businesses, not just in the EU but all over the world (because if you market to, and process information of, EU data subjects then you will be impacted). Note: I don't believe (at this time) that you can actually receive "certification" for GDPR compliance. But in my findings, there are many things you can be doing to prepare for the privacy regulations, such as the ones below.
Here are two GDPR webinars:

Webinar: The Journey to GDPR: Your Guide to Data Protection Technology, Tools and
Key takeaways are:
· How does the new technology landscape factor into the GDPR?
· How do you get started with your compliance program?
· What kinds of tools and assistance are available?

Webinar: Don't Let the GDPR Blow You Away: 5 Tips to Help You Set Sail
Key takeaways are:
· Get started on the path to 'know your data', which is a key prerequisite to moving forward.
· Learn how knowing your data and then protecting personal data can help you with your GDPR obligations.
· Get pointed in the right direction with 5 top tips to help you sail smoothly as you get ready for the GDPR.

Two helpful GDPR articles include:

GDPR Training and Certification

EUR-Lex: Access to European Union Law

THE NEW EU DATA PROTECTION REGIME FROM AN HR PERSPECTIVE

By Stefan Nerinckx, Tim Van Canneyt and Gaëtan Goossens, Fieldfisher

INTRODUCTION

Just before Christmas and after years of negotiations, the EU institutions agreed on the text of the EU's successor privacy legislation: the General Data Protection Regulation (GDPR).
The GDPR will replace the 'patchwork quilt' of 28 different EU Member States' laws with a single, unifying data protection law, which should lead to significantly greater data protection harmonization throughout the EU.
In addition to harmonizing the EU data protection legal framework, its main objectives are threefold:
· First, the GDPR increases the rights for individuals.
· Secondly, it strengthens the obligations for companies.
· Thirdly, the GDPR dramatically increases sanctions in case of non-compliance. Data protection regulators will have the power to impose fines of up to €20,000,000 or 4% of total worldwide annual turnover. Add to that the possibility for the regulators to impose a ban on processing or the suspension of data transfers, the risk of class actions, criminal sanctions and reputational damage, and it becomes clear that not complying with the GDPR will not be an option.
For these reasons, it is fair to say that the GDPR is the most important change in data privacy law in the last twenty years.
Moreover, it will affect all businesses, all over the world, as every organization has employees and contacts, even if it doesn't have individual customers.
In this article, we will provide a recap of the most significant changes that the GDPR will bring from an HR perspective. Employers process lots of HR related personal data on a daily basis. How will they be affected by the GDPR and what steps should they take to become compliant with this new set of rules?

WHERE DO PRIVACY AND HR MEET ON THE WORK FLOOR?

Maintaining the balance between the protection of the privacy of workers and the prerogatives of the employer can be tricky in several circumstances, such as body searches of workers, camera surveillance, geolocation, interrogation of workers, hotlines, and the use of the internet, email and social networks. Many laws apply to this matter.
It starts with article 8 of the European Convention on Human Rights, which lays down rules concerning the protection of private and family life, the home and correspondence. Case law based on this article stipulates employees have the right to privacy, even in the workplace.
On a national level, article 22 of the Belgian Constitution deals with privacy, whereas article 29 relates to confidentiality of the mail. Article 314 bis of the Penal Code addresses the tapping of telecommunications. Interception of e-mail is covered by this legislation too.
Also of importance are the Employment Contracts Act, which lays down (particularly in articles 16 and 17) the rights and obligations of the employer and the employee, and Collective Labor Agreement (CLA) 81 on the protection of the privacy of employees with respect to the monitoring of electronic online communication data in the private-sector workplace. This list is not exhaustive.
Furthermore, employers also process private information about their employees. In this area some major changes are to be expected very soon. Below you will find an overview.
Processing of HR-related data: harmonization but look out for additional local rules in the HR context
The main objective of the GDPR is to harmonize data protection laws throughout the EU. Where a group of companies is established in several EU Member States, the rules applicable to the processing of HR-related personal data will now be the same. This is an important improvement for big multinationals, which are quite often struggling to comply with the 28 local flavors of EU data protection law.
There is, however, an important caveat to be made with regard to personal data in the employment context. The GDPR expressly authorizes individual Member States to implement more specific rules in respect of the processing of HR-related personal data.
This carve-out means that specific rules regarding the processing of personal data for the purpose of recruitment, the performance of the employment contract, diversity, health and safety, etc. may still be adopted on a national level.
For HR professionals, it will therefore remain important to continue to follow national law developments in the field of privacy in the workplace, in addition to the more generic GDPR.

A BROADER SCOPE AND A GLOBAL IMPACT

The GDPR will not only apply to employers processing the personal data of their employees, but also to HR service providers that process such data on behalf of the employer ("data processors"). This is an important change compared to the current legal framework, where HR service providers (e.g. social secretariats, providers of HRIS solutions) only have a contractual obligation vis-à-vis the employer but are not directly accountable for complying with the data protection regulations.
The GDPR will also affect non-EU affiliates of a multinational if all HR data is stored in a central system, accessible to affiliates worldwide. While the mechanism for cross-border transfers of personal data has not been materially changed compared to the existing rules, it will become more important for companies to have a good understanding of the different HR data flows within and outside of the group in view of implementing the required mechanisms to legitimize these cross-border data transfers, especially since the European Court of Justice ruled that the EU-US Safe Harbor can no longer be relied on.
For intra-group cross-border transfers, Binding Corporate Rules (BCR) will become a more important and attractive means of achieving compliance under the GDPR. BCRs are now expressly mentioned in the GDPR as a lawful means of transferring personal data to group companies outside the EU, and the process for getting them approved has been further streamlined.

MORE DIFFICULT TO RELY ON CONSENT

This is a highly relevant topic in the context of HR-related data processing. Today, a lot of companies process personal data of employees on the basis of their consent. Over recent years, this approach has been increasingly criticized.
People questioned the validity of consent given by an employee, on the basis that the employee did not really have a choice due to the hierarchical relationship and the resulting imbalance of power. The GDPR wants to reinforce the value of consent given by a data subject. It therefore requires that consent be given unambiguously.
This means the consent must be given freely, specifically and on an informed basis. For the consent to be given freely, the refusal to give the consent should not be detrimental to the data subject. Moreover, when the consent is given through a declaration that also regulates other matters, the consent to the processing of data has to be clearly distinguishable from other matters to be valid.
This means that employers will need to carefully re-assess the legal ground on the basis of which they process HR-related data. Where they rely on consent, they will need to check whether they meet all the requirements imposed by the GDPR and bear in mind that free consent implies that it may be revoked at any time.
In most cases, companies will need to move to one of the other legal grounds to (continue to) process HR-related personal data. This could be the contractual necessity (e.g. for the processing of employee payment data), a legal obligation (e.g. for the processing of employee data in relation to social security) or the legitimate interest of the employer (e.g. in the context of employee monitoring).
However, the latter legal grounds all have their restrictions and must be narrowly construed. It may well be that a company will have to stop processing the data or limit the range of data processed, where it cannot rely on any of the legal grounds for processing laid down in the GDPR.

RESPECT THE INCREASED RIGHTS OF YOUR EMPLOYEES

The GDPR significantly enhances the rights of data subjects.
Firstly, with regard to the right to information, employers will need to provide more detailed information as to the how and why of the processing of HR-related personal data. This long list of information to be provided aims at giving more transparency to the processing of data and by doing so enhancing security.
Secondly, employees have a right of access to their data and a right to have inaccurate data rectified. These existing rights have been modified in order to bring more clarity but they are not extended that much.
Finally, under the new so-called right to be forgotten, employees will be entitled to require the employer to erase personal data about them in certain circumstances. This may be the case where the data are no longer necessary for the purpose for which they were originally collected, or where the employee has withdrawn his/her consent.

ACCOUNTABILITY – COMPANIES MUST BE ABLE TO DEMONSTRATE COMPLIANCE

The GDPR introduces a number of new obligations for companies, which should trigger a shift from paper-based compliance to actual and demonstrated compliance in the field. As a result, the obligations to notify processing activities to the data protection authorities will be abolished.
Instead, the GDPR expects companies to implement a number of measures such as: appointment of a (mandatory) data protection officer, carrying out (mandatory) privacy impact assessments and (mandatory) consultation with the data protection authorities before new data processing activities are commenced, as well as keeping records of all their processing activities. These new obligations will have a significant impact on how companies approach projects that involve the processing of personal data.

IMPLEMENT A DATA BREACH NOTIFICATION PROGRAM

On top of the accountability package, the GDPR introduces a general obligation to notify data breaches. While most US-based companies are already familiar with the concept, this will be an important change for many EU businesses and one that they do not particularly look forward to.
Where a company suffers a data breach, as a rule it must notify the data protection regulator within 72 hours. If the notification is not done within 72 hours, there has to be a justification for this delay.

If the data breach relates to HR-related data, the employer must notify the affected employees without undue delay if the breach is likely to result in a high risk to their rights and freedoms. To avoid notification fatigue, the GDPR contains a few exceptions to this rule, e.g. if the data was encrypted.

CONCLUSION

It is difficult to overstate the importance of the GDPR and it is clear that it will significantly affect all businesses. Employers will need to very carefully assess their current HR-related processing activities and identify the gaps with the GDPR. On the basis of this gap analysis, they will need to update their existing procedures and implement the required mechanisms to comply with the new obligations. Failure to do so may result in significant fines or other enforcement measures that could materially impede their business.
While the GDPR will only become effective in about two years from now, it is critical to start preparing the transition to the new regime as soon as possible. Indeed, the sheer scale and breadth of the changes will require a significant investment of time and resources to ensure a company's data processing policies and IT landscape are compliant with the new rules.
Belgian State Secretary for Privacy Bart Tommelein has stated that, prior to the entry into force of the GDPR, Belgium will make changes to the current Privacy Act. This means that a number of the obligations under the GDPR will become effective under Belgian law before its official entry into force. Other EU countries may take a similar approach.
To keep it simple, Varonis provides some very clear infographics for understanding the GDPR.
But how are companies approaching the GDPR so far?
According to Help Net Security, 97 percent of companies don't have a GDPR plan. The survey is explained at the provided link.
Also review the best practices for addressing GDPR requirements from Help Net Security. According to them, the main practices are:
· Hire a data protection officer (DPO)
· Deploy an access governance solution
· Control access management
· Protect the network
· Facilitate secure mobile access
· Ensure email security

These practices definitely add value to any organization's data security strategy. Organizations face many data protection challenges, and they must take them seriously to avoid legal consequences and high penalties.
Another interesting aspect is the set of data protection issues themselves; it is always wise to address them from the beginning and plan accordingly. What are the top data protection issues for HR professionals? According to SQUIRE SANDERS, an international law firm, here are the top ones.

Data Breach Response
EU Data Protection Rules impose specific requirements for storing, processing and transferring personal data about EU employees – employer’s liability exposure is increased by failure to prepare for data breach incidents.
  
Bring Your Own Device (BYOD)
EU Data Protection Rules impose obligations on data controllers (employers) to ensure the security of personal data they hold about their employees.
User devices can easily pass malware and viruses onto company platforms and impact security levels. Combining personal data of employees with company data may complicate compliance with EU data protection rules.
  
HRIS Platforms
Employers must abide by EU data protection rules when rolling out a global HR information system involving the processing of EU employee data outside of Europe.

Employee Monitoring and Cross-Border Investigations
EU rules limit the ability of EU legal entities to process personal data within Europe, and to transfer it to foreign affiliates and third parties, including non-EU governmental authorities.

Data Subject Access Requests
EU data protection rules give employees the right to access personal data about them that is held by their employer, and also to correct inaccurate information or request its deletion.

Proposed EU Data Protection Regulation
A new and highly controversial Regulation on data protection is currently being debated by the EU institutions and, if adopted, will become directly enforceable law in all EU Member States.
There are many more, and companies definitely need to take them seriously. It's important that employers understand their responsibilities and potential liabilities under data protection law.

Employers that ignore their legal obligations risk reputational damage and potential prosecution in the courts. However, our research shows that, where employees feel they are under excessive monitoring or surveillance, they have more negative attitudes to their employer and are more likely to suffer from stress.

Employers should therefore develop policies in this area that take a compliant but balanced approach, and ensure that employees are aware of, and understand, their rights and obligations under data protection law.

For more info please follow EU Data Protection. 

GDPR and the UK (Brexit Question)

https://www.shrm.org/resourcesandtools/legal-and-compliance/employment-law/pages/eu-data-protection-regime.aspx
Europe's new data protection legal framework is set out in the General Data Protection Regulation (GDPR), which will come into force in all EU Member States on May 25, 2018, including the U.K. Key points follow.

Key Points

1. A new EU data protection regime came into force in all EU Member States on 25 May 2018.
2. The GDPR will apply to the U.K. and is likely to apply after the U.K. leaves the EU. The U.K. will still be a Member State of the EU on 25 May 2018. The GDPR comes into effect for all Member States, and so will come into force in the U.K. The U.K. will retain the GDPR following Brexit. 
3. The GDPR is evolutionary rather than revolutionary. The GDPR does not mark a radical departure from the current data protection regime (i.e., in the U.K. under the Data Protection Act 1998 (DPA)). There are, however, certain key changes that will focus attention in the pensions industry.
4. There are four key developments that will affect the pensions industry the most. The GDPR contains four key developments that trustees, employers and the pensions industry will need to grapple with. These are:
· More detailed privacy notices, while still being concise and easily understood.
· Overlapping controller and processor obligations, especially around security.
· Mandatory breach notification to regulators and members.
· More severe sanctions for noncompliance.

What's Happening on Data Protection?
Regardless of the progress of Brexit negotiations, it is very likely that the U.K. will still be a Member State of the EU on May 25, 2018. The GDPR will therefore apply to data controllers and processors in the U.K. on and from this date and the Great Repeal Bill will translate the GDPR into national law.
The Information Commissioner has also made it clear that she expects the U.K. to want to keep in step with European data protection standards after we leave the EU, both to facilitate cross-border transfers and because many U.K. controllers and processors will process the personal data of European citizens and are therefore caught by the GDPR in any event, as it has extraterritorial effect.
Pension scheme trustees will, therefore, need to comply with the GDPR from May 25, 2018.
With just over one year to go until the GDPR goes into force, it is now time to map your data flows and start reviewing current policies, procedures, systems and practices and ensuring you understand your data protection obligations.
The new law is not as radical a departure from the old law as might have been feared. Broadly speaking, data processes that are lawful under the U.K.'s DPA are likely to remain lawful under the GDPR. This should provide some comfort to trustees to the extent they are compliant with the current legal requirements. This is, however, subject to four important changes that are particularly relevant to pension schemes.
What Are the Key Changes for Pensions Under the GDPR?
1. More detailed privacy notices. The requirements relating to privacy notices under GDPR are more detailed and specific than under the DPA and place more emphasis on making them understandable and accessible. Privacy notices will need to contain additional information, such as details of the legal basis for the processing of the personal data that is held.
Existing privacy notices will therefore need to be reviewed and updated accordingly.
2. Overlapping controller and processor obligations, especially around security. Under the GDPR, data processors (i.e., those who process personal data on behalf of a data controller, such as a scheme administrator) will, for the first time, be subject to direct legal obligations. This significant exposure to additional legal liability will make compliance a higher priority among actuaries, employee benefit consultants and other advisers.
In addition, the GDPR will require agreements between trustees and these parties to cover various data protection issues. Data controllers (such as trustees) are not relieved of their obligations under the GDPR even if they have delegated to a third-party data processor.
3. Mandatory breach notification to regulators and members. Under the GDPR, breaches of the data protection requirements must be reported to the national supervisory bodies (i.e. the Information Commissioner's Office in the U.K.) within 72 hours. If breaches are likely to result in a high risk to the rights and freedoms of data subjects (i.e., pension scheme members, employees etc.), the breach has to be communicated directly to the affected persons without undue delay.
4. More severe sanctions for noncompliance. The GDPR imposes significantly greater fines for non-compliance, up to the greater of €20 million and 4 percent of global annual turnover for the majority of data processing that is relevant to the pensions industry.
Author: Jason Coates is an attorney with Gowling WLG in London. ©2017 Gowling WLG. All rights reserved. Reposted with permission of Lexology.