After a year of researching, interpreting and understanding GDPR compliance, the day of action has come and passed. However, many companies are still struggling to meet the compliance requirements, and this is a top concern for many security experts.
If the term ‘GDPR’ is still new to you, it’s not too late to jump on this moving train and seek compliance. Businesses will need to continue to evolve and change their data protection practices, not just for compliance, but to remain ethical and in line with their customers’ wishes.
As we said, it’s never too late to seek compliance. We reached out to cyber security experts in the field to ask them for tips on GDPR compliance. Below are the answers we received.
Meet our Panel of Cyber Security Experts:
Dr. Ratinder Paul Singh Ahuja
Mark Hickman
Rodrigo Montagner
Salvatore Stolfo
Kevin Conklin
Jeff Capone, PhD
Christopher Gerg
Stephane Charbonneau
Sophie Miles
Neil Thacker
Read their responses below.
RATINDER PAUL SINGH AHUJA
Dr. Ratinder Paul Singh Ahuja leads ShieldX and its mission as its central pivot point, drawing on a career as a successful serial entrepreneur and corporate leader and bringing with him his unique blend of business acumen, industry network and deep technical knowledge. His knowledge of innovation and emerging trends in networking, network security and data loss prevention is derived from years of industry experience.
Response: Compliance is like alcoholism; either you’re in denial or you’re dealing with it forcefully. The only way to succeed with compliance is to turn it into a competitive advantage and do it better than others. Compliance applies to everyone–embrace it and turn customer privacy and security into an advantage.
Rodrigo Montagner is an Italian-Brazilian IT Executive with 20 years of experience managing multiple IT environments internationally. He currently works as CEO of OM2 TECH Consulting.
Response: After doing your cyber security homework, pretty tough these days, and keeping all your managed data and equipment in constant cleaning and “in a most updated possible mode”, as well as keeping your best possible cyber security production environment up, you should follow many of these providers’ “compliance kits”, bearing in mind to collect multiple pieces of evidence and pay attention to all your partners, providers and collated technical associates, as GDPR also encompasses data breach risks for multiple partner companies managing users’ data.
Kevin Conklin leads Ipswitch’s product and content marketing practices. Conklin is a serial startup marketing executive who has worked for Prelert, VKernel, Mazu Networks and Smarts, Inc. He is recognized for his strengths in B2B market development for IT and is supportive of enterprise, hybrid and inbound sales and marketing models, sharing best practices and providing a voice of expertise to help IT professionals with their technology challenges.
Response: Start the process of weaning your organization from interrupt-based marketing in the form of email and phone blitz programs. Embrace the new reality that if people want your product or service, they will decide so on the web and contact you. The old myth that you can ‘sell them’ through email or a phone call is dead.
Christopher Gerg is the CTO and CSO of Datica.
Response: No matter what else you do, you need a strong inventory of all of the data you collect, process, and store. You need to know the source of that data, and how it lives its life in your organization (and wherever it is shared). This all needs to be documented along with appropriate retention guidelines (can’t keep it longer than you have a business need if it is personal data). Lastly – examine pseudonymization. Similar to tokenization schemes in the payment card industry, it limits your scope and makes getting rid of the data very easy.
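As an added illustration of the pseudonymization point above (example code, not from Gerg or Datica): a keyed pseudonym vault that keeps the only link between a token and the real identifier, so the analytics copy carries no personal identifier and erasing a data subject is a single delete in the vault. The `PseudonymVault` class, the sample customer records and the key are all constructed for this example.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Optional

# Constructed sample records, as a controller might hold them before pseudonymization.
RAW_CUSTOMERS = [
    {"email": "alice@example.com", "purchases": 3},
    {"email": "bob@example.com", "purchases": 1},
    {"email": "alice@example.com", "purchases": 2},
]


class PseudonymVault:
    """Holds the only mapping between a pseudonym and the real identifier.

    The analytics copy of the data carries just the pseudonym, which narrows the
    set of systems that handle personal data; erasing a subject is one delete here.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # The key must live with the vault, never alongside the pseudonymized data.
        self._key = key or secrets.token_bytes(32)
        self._forward: Dict[str, str] = {}  # pseudonym -> identifier

    def pseudonymize(self, identifier: str) -> str:
        # Keyed HMAC: deterministic (same person -> same token, so joins still work)
        # but, unlike a bare hash, not recoverable by a dictionary attack without the key.
        digest = hmac.new(self._key, identifier.strip().lower().encode(), hashlib.sha256)
        token = digest.hexdigest()[:32]
        self._forward[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self._forward.get(token)

    def erase(self, token: str) -> None:
        # Erasure request: drop the mapping and the analytics rows become unlinkable.
        # Rotating the key afterwards also prevents the same token being re-derived.
        self._forward.pop(token, None)


def build_analytics_copy(vault: PseudonymVault, records: List[dict]) -> List[dict]:
    """Replace the identifier with a pseudonym; only non-identifying fields remain."""
    return [{"subject": vault.pseudonymize(r["email"]), "purchases": r["purchases"]} for r in records]


def purchases_per_subject(rows: List[dict]) -> Dict[str, int]:
    """Analytics still work on the pseudonymized copy because tokens are deterministic."""
    totals: Dict[str, int] = {}
    for r in rows:
        totals[r["subject"]] = totals.get(r["subject"], 0) + r["purchases"]
    return totals
```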
Sophie Miles is the CEO of CalculatorBuddy.com and leads the company’s expansion in the USA, Canada, and South Africa.
Response: Clean up first. This is the best strategy you could apply to reduce the costs of a high standard of service. You cannot filter information or reveal data that you do not have. We have realized that the first step is to know if your information is useful or not. Before encrypting or buying any software to protect your data itself, delete the data you do not need. It is really important to know if your available information will be used at any time and if it will be required to achieve the goals of the company. We did this after a deep analysis of all the areas of our company.
Patrick McGrath currently leads marketing and thought leadership for Commvault’s solutions that support content and unstructured information, particularly in the context of archiving, search and advanced analytics. McGrath previously led thought leadership for digital transformation and Product Marketing at EMC’s Enterprise Content Division.
Response: While education is helpful, automation is key due to the scale and complexity of data. With the rapid adoption of cloud and SaaS application services, data has become further distributed and it demands holistic data protection coverage. Even if breached data was not stored on-premises under your direct control, it is still your responsibility to determine whether or not personal information could have been compromised, and if so, to enact notification procedures. They are your customers, prospects, donors, employees.
Ameesh Divatia is the co-founder and CEO of Baffle, Inc.
Response: Protect Data While Hoarding. We’re in a data-driven society, and organizations have reacted to the big data explosion by hoarding data to be mined for potential business value. Many don’t even know what data they have, and what data they have sits idle. Companies are not going to wake up on May 25 and start erasing data or immediately change their mindset about the need for data for auditing purposes. Managing data will be a behavior change. But moving forward in the age of GDPR, they must be more selective, understand what constitutes personal data and know where their data is located. In addition, companies that collect data will need to seek methods to continue collection, aggregation and analytics on the data, but work to protect it simultaneously. At one time, the focus was to be able to show compliance, but now companies must prove they are being proactive and selective about collecting and using personal data. To be GDPR compliant, information must be protected while it is being processed.
Ian McClarty holds an MBA from Thunderbird School of Global Management. McClarty has over 20 years of executive management experience in the cybersecurity and data center industry. Currently, he is the CEO and President of Phoenix Data Center, LLC, which employs a staff of over 600.
Response: Don’t be overconfident in your readiness for GDPR. Conduct a thorough data analysis. Look for all personal data stored in every system everywhere. As part of the analysis, determine the basis for the consent of all data. Once you know what data you have, figure out why you store it in the first place. This is not just an exercise to justify why you “want” to store data. Instead, this ensures you have a legal, justifiable reason to keep that data.
As Chief Operating Officer at WinMagic, Mark Hickman is responsible for direct and channel sales, marketing, professional services, and global business development. Prior to joining WinMagic, Hickman held senior sales management positions with Computer Associates (CA), BEA Systems Inc., and RightNow Technologies.
Response: One of the key areas for making GDPR a success in your organization is managing the data that you have, not just in terms of consent to use it for different activities, such as marketing, but the way in which it moves around the organization. In modern IT infrastructures that span on-premises and cloud services, as well as a whole host of end-point devices, the spread of personally identifiable information must be controlled to ensure compliance. WinMagic’s March 2018 survey of close to 500 IT decision makers found that an average of 20% of respondents lack continuous encryption for personally identifiable information across their cloud and on-premises servers, despite appropriate levels of encryption and anonymization being a requirement for GDPR compliance. Encryption also acts as a last line of defense in the event of a data breach, making data illegible when in the hands of unauthorized parties. Effective control and management of the IT infrastructure spanning on-premises and cloud service providers for security, and specifically encryption, will be a critical component in meeting the GDPR legislative requirements and minimizing the risks to consumers.
Salvatore Stolfo is the founder and Chief Technology Officer of Allure Security and a tenured Columbia University professor.
Response: The prudent CISO should be considering a new way to protect their data from third-party data losses, also known as the second hop problem. That is, where does your company’s data go when it leaves your hands and gets passed on to a partner, vendor, contractor, etc.? Under GDPR, you are still liable for what your partner does with your data, and the buck stops with you. Some control is possible using IRM technologies with your partners when sharing data, but this may not be enough. Consider incorporating tracking mechanisms into your sensitive data and documents as an added measure of safety when interacting and sharing with third parties. These will alert you when a document has traveled to a geographic area it shouldn’t and when an unsanctioned party has opened or tried to access a document.
Jeff Capone, PhD, is CEO of the security startup, SecureCircle, which he founded in 2015. An award-winning executive leader with expertise in enterprise software development, network and storage solutions, and IoT applications, Jeff has a track record of founding and selling successful software companies.
Response: GDPR requires companies to identify a data protection officer (DPO), and we recommend companies hire a DPO as a new role in the organization and not just give the title to an existing CIO/CISO/etc. However, hiring for that role is no small feat, so enterprises can also outsource the DPO to a third-party security firm or global system integrator (GSI) such as Deloitte or PwC, etc. The ideal DPO should have in-depth IT knowledge as well as data protection law experience. GDPR Article 39 lists specific duties of the DPO.
Stephane Charbonneau is one of the original founders of TITUS and serves as Chief Technology Officer. As CTO, Charbonneau is responsible for TITUS’s technology strategy and plays a key role in driving new initiatives to help strengthen the security and application of TITUS’s products and services against evolving threats.
Response: One of the biggest opportunities for organizations to get ready for GDPR is to help employees be part of the solution. This means employees need to know the kinds of data that need to be protected across the organization, because information security is everyone’s responsibility. And the key to success is to take steps to ensure people understand exactly what they need to do to protect the personal data they deal with as part of their job.
Neil Thacker is a veteran information security professional and a data protection and privacy expert well-versed in the European Union General Data Protection Regulation (EU GDPR). He has more than 20 years of experience in the information security industry, with 15 years’ experience as a leading security practitioner for organizations like Deutsche Bank, Swiss Re and Camelot Group before spending the past five years as Deputy CISO for Forcepoint. He is also co-founder and board member of the Security Advisor Alliance, a not-for-profit organization formed to help security leaders in their role, engage and support interest in the infosec industry, and offer advice and tools to move organizations towards improved risk and data-centric strategies.
Response: Automation is essential. Maintaining an accurate record of processing (Article 30) is a critical requirement of the GDPR ruling that all personal data processing activity must be recorded, managed and updated to a granular level – a significant task in today’s cloud-first world. Human error in data processing will continue to be a problem, and the only way to effectively eliminate this is to automate maintaining this record where possible. Automation will help to create consistency in how data is safely collected, processed and ultimately retained until being destroyed.