Category Archives: Data Regulation

NTT Data partners with Privitar to make customers GDPR compliant

Lady JusticeNTT Data UK has announced a partnership agreement with Privitar to provide data protection solutions built on new requirements set out by the EU General Data Protection Regulation.

The GDPR requires companies to process and use the personal data of any European customers in a justifiable and ethical manner, whilst also giving increased control of the data back to the customers themselves. As the role of data increases within the business world customers have become increasingly interested in how their personal information is stored and used. Insight delivered from this data can be used to drive additional revenues for a business, though once GDPR comes into legislation in 2018, there will be strict guidance on how the data is used.

NTT Data believe this dynamic will create complications for various organizations, and claim combining the NTT Data’s data and process capabilities, with Privitar’s privacy software, will create a proposition which will comply to all GDPR data requirements.

“By combining NTT DATA’s sector-specific domain knowledge with Privitar’s software we can now deliver programmes that make our clients champions of both privacy and innovation,” said Steve Mitchener, CEO of NTT Data UK. “I’m excited that this partnership will allow our clients to fully utilise their data assets without fear of reputational and financial damage, or regulatory action.”

Let the countdown to GDPR begin

Location Germany. Red pin on the map.The road to data protection has been a long and confusing one. Despite being one of the biggest concerns of consumers and corporates throughout the world, progress has hardly been moving at breakneck speed, but as of today (May 25th), companies now have exactly two years to ensure they are compliant with the EU’s General Data Protection Regulation.

The general objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Data protection is a complicated business throughout the EU mainly due slight differences from country to country, and then again, with overarching EU regulations, or directives which haven’t even made it to regulation.

Conversations surrounding the new regulations have been ongoing since 2012, though companies now have until 25th May 2018 to ensure they are fully compliant. For this would seem an adequate amount of time, however a recent YouGov and Netskope survey highlighted only one in five are confident they will be compliant in this time period. For Eduard Meelhuysen, VP at Netskope, decision makers need to take a step back to get a better understanding of the current state of their data, before concentrating on any company app.

“If they are to comply, IT teams will need to make the most of the two-year grace period which means that both cloud-consuming organisations and cloud vendors will need to take active measures now,” said Meelhuysen. “As a starting point, organisations should take a hard look at how their data are shared and stored, focusing in particular on any cloud apps in use across the organisation.

“The GDPR makes specific provisions for unstructured data of the type created by many cloud apps, data which are typically harder to manage and control. That means organisations need to manage employees’ interactions with the cloud carefully as a key tenet of GDPR compliance.”

a safe place to work“As cloud app use continues to increase within businesses, data will become harder to track and control. But with the GDPR instigating a maximum possible fine of €20 million or 4% of global turnover (whichever is higher) in certain cases, there is now more incentive than ever for companies to focus on data protection. Getting a handle on cloud app use will be a crucial part of ensuring compliance for any organisation, and IT teams will need to start work now to meet the May 2018 compliance deadline.”

One area which has been given attention within the GDPR is that of data residency. New regulations will require organizations do not store in or transfer data through countries outside the European Economic Area that do not have equivalently strong data protection standards. The list of countries that meet these standards is short, 11, with a notable absentee, the United States of America, which could pose problems for numerous organizations.

While this may be considered one of the headline areas for the GDPR and one which will likely be heavily scrutinized, for Dave Allen, General Counsel at Dyn, concentrating too much on this area could lull companies into a false sense of security.

“As the EU GDPR comes into effect, businesses will need to take a hard look at their current methods of sharing and storing data,” said Allen. “While some Internet companies have begun to address new challenges at the fixed locations where data is stored – this alone will not necessarily be enough to ensure compliance.

“Those companies focusing solely on data residency may well fall victim to a false sense of confidence that sufficient steps have been taken to address these myriad regulations outlined in the GDPR. As the GDPR will hold businesses accountable for their data practices, businesses must recognise that the actual paths data travels are also a key factor to consider. In many ways, the constraints which come with the cross-border routing of data across several sovereign states mean these paths pose a more complex problem to solve.

“Although no silver bullet exists for compliance with the emerging regulations which govern data flows, businesses which rely on the global Internet to serve their customers should be seriously considering visibility into routing paths along both the open Internet and private networks. As we enter an era of emerging geographic restrictions, businesses with access to traffic patterns in real time, in addition to geo-location information, will find themselves in a much stronger position to tackle the challenges posed by the GDPR.”

Anonymous unrecognizable man with digital tablet computerOverall, the GDPR will ensure companies take a greater level of responsibility to safeguard the personal data they hold from attacks. Recent months have seen a number of highly publicised attacks significantly impact the reputation of well-known and respected brands, making consumers nervous about which of their personal information is being held. Previously, attacks on such organizations would not have been thought possible; surely they have the budgets to ensure these breaches wouldn’t happen?

Another headline proposition from the GDPR is the consumer’s right to access data which is stored on them, and also the right to have this data ‘forgotten’. For Jon Geater, CTO at Thales e-Security, this will create numerous challenges and changes to the way in which data is stored and accessed.

“The new rules also make clear another important factor that we should already have known: that you can outsource your risk, but you can’t outsource your responsibility,” said Geater. “If organisations use a third party provider to store and manage data – such as a cloud provider, for example – they are still responsible its protection and must demonstrate exactly how the data is protected in the remote system. Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.

“In addition, organisations will now have to provide citizens with online access to any their own personal data they store. While the Data Protection Act traditionally allowed anyone to request access to this data, with GDPR in effect organisations must make this available for download ‘where possible’ and ‘without undue delay’.

“This is a very significant change and securing this access will represent a significant challenge to many organisations – especially while still complying with the new tighter rules – and will require robust cybersecurity technology across the board.”

What is clear is there will be complications. This shouldn’t be considered a massive surprise as any new regulations are fraught with complications on how to remain or become compliant, but the European Commission isn’t messing around this time. With fines of €20 million or 4% of global turnover (whichever is greater), the stick is a hefty one, and the carrot is yet to be seen.

New EU data regulations receives warm reception from industry

EuropeThe European Union finally rubber-stamped a refresh of the General Data Protection Regulations (GDPR) that offers greater protection for individuals but at cost of a greater burden on businesses, reports

In customary EU fashion this is the culmination of four years of to-ing and fro-ing since the refresh was first proposed. Even the final sign-off took four months to complete, with the text having been agreed last December. Furthermore the new regulations won’t come into law until May 2018, giving all businesses who keep data on European citizens, which must include pretty much every multinational, two years to comply.

“The new rules will give users back the right to decide on their own private data,” said Green MEP Jan Philipp Albrecht, who led the drafting process. “Businesses that have accessed users’ data for a specific purpose would generally not be allowed to collect the data without the user being asked. Users will have to give clear consent for their data to be used. Crucially, firms contravening these rules will face fines of up to 4% of worldwide annual turnover, which could imply € billions for the major global online corporations.

“The new rules will give businesses legal certainty by creating one unified data protection standard across Europe. This implies less bureaucracy and creates a level playing field for all business on the European market. Under the new rules, businesses would also have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many consumers.”

Industry reaction has been broadly positive, but with caveats mainly concerning how easy it will be to comply and some concern about the high ceiling for potential fines. Compounding this is a requirement for companies to disclose data breaches within 72 hours of them happening, which is a pretty small window.

“This will be a technical challenge for those businesses unaccustomed to such stringent measures,” said David Mount of MicroFocus. “They will need to identify the breach itself and the information assets likely to have been affected so they can give an accurate assessment of the risks to the authorities and consumers.

“While this may seem like a positive step towards improved data protection, the US example shows that in reality there can be an unintended consequence of ‘data breach fatigue’. Consumers become accustomed to receiving frequent data breach notifications for even very minor breaches, and as a result it can be hard for them to distinguish serious breaches requiring action from minor events which can be safely ignored. The effect is that sometimes consumers can’t see the wood for the trees, and may start to ignore all warnings – which somewhat negates the point of the measure.

“It is now up to European data privacy regulators to work together to ensure that the GDPR rules are implemented in a way that supports economic growth and improved competitiveness,” said John Giusti, Chief Regulatory Officer of the GSMA. “Regulators will need to exercise particular care in interpreting GDPR requirements – around consent, profiling, pseudonymous data, privacy impact assessments and transfers of data to third countries – to avoid stifling innovation in the digital and mobile sectors.

“All eyes are now on the review of the e-Privacy Directive. The right balance needs to be struck between protecting confidentiality of communications and fostering a market where innovation and investment will flourish. To this end, the GSMA calls on legislators to address the inconsistencies between the existing e-Privacy Directive 2002/58/EC and the GDPR.”

The e-Privacy Directive covers things like tracking and cookies and seems to focus specifically on telecoms companies in the way they process personal data. So for the telecoms sector specifically this refresh could be even more important than the GDPR. The European Commission initiated a consultation on ePrivacy earlier this week and will conclude it on 5 July this year.

William Long, a partner at Sidley Austin, warned that individual countries may view the new GDPR differently. “There are still a number of issues where some member states have fought successfully to implement their own national law requirements, for instance in the area of health data, and this will no doubt lead to certain complexities and inconsistencies,” he said.

“However, organisations should be under no doubt that now is the time to start the process for ensuring privacy compliance with the Regulations. The penalties for non-compliance are significant – at up to 4% of annual worldwide turnover or 20 million euros, whichever is the greater. Importantly, companies outside of Europe, such as those in the US who offer goods and services to Europeans, will fall under the scope of this legislation and will face the same penalties for non-compliance.”

“Our own research shows that globally, 52% of the information organisations are storing and hoarding is completely unknown – even to them, we call this ‘Dark Data’,” said David Mosely of Veritas. “Furthermore, 40% of stored data hasn’t even been looked at in more than three years. How can companies know they’re compliant if they don’t even know what they’re storing? This is why GDPR represents such a potentially massive task, and businesses need to start tackling it now.”

“In order for data to remain secure, there are three core components that are now vital for EU businesses,” said Nikki Parker of Covata. “Firstly, encryption is no longer an optional extra. It provides the last line of defence against would-be snoopers and companies must encrypt all personally identifiable information (PII).

“The second component is identity. True data control involves knowing exactly who has access to it and this can be achieved through encryption key management. Enabling businesses to see who has requested and used which keys ensures a comprehensive audit trail, a requirement of the new regulation.

“Finally, businesses must set internal policies that specifically outline how data can be used, for example, whether data is allowed to leave the EU or whether it can be downloaded. Applying policies to each piece of data means access can be revoked at any moment if the company feels it is in violation of the ruling.”

All this is happening in parallel with the overhaul of the rules governing data transfer between Europe and the US, known as the Privacy Shield. By the time the GDPR comes into force pretty much all companies are going to have to tread a lot more carefully in the way they handle their customers’ data and it will be interesting to see how the first major transgression is handled.