Security in a post-GDPR world




Now that the May 25 deadline for the EU General Data Protection Regulation (GDPR) has passed, all personal data will be secure and consumers will no longer have to worry about leaks, exposures and breaches of their information. Right?

Maybe things are not so utopian. Still, GDPR has certainly raised consumer expectations of security and pushed many organizations to reconsider their security posture, particularly those not otherwise bound by sector-specific requirements such as PCI DSS or HIPAA. Security improvements made in response to GDPR will probably accumulate over time, even if few changes are visible in the short term. So, is the world now a safer place, and what else needs to happen to reassure the public about the use of their personal data?

Here we examine the short-term results of the GDPR, then the immediate actions individuals can take, now and in the future, to secure their data and reduce the amount of personal information held by businesses. We also recommend short-term and long-term strategies for organizations that want to publicly demonstrate their commitment to data protection, taking into account the current availability of third-party certification and attestation programs, and offer advice on choosing privacy professionals and audit firms.

Short-Term Struggle

With so little time under GDPR, it is hard to say whether there has been a real reduction in security incidents involving personal data. When Australia introduced its mandatory data breach notification scheme in February 2018, the number of reports exploded: 63 breaches were reported in the first six weeks of the new law, compared with only 114 for the whole of the previous year. This increase is almost certainly due to more reporting rather than more breaches in absolute terms, and it will take time before measurable improvements in actual security can be seen.

In the short term, many factors hinder GDPR-related security changes. Many organizations are overwhelmed or confused by the requirements and feel defeated. Others want to avoid being the most blatant non-compliers, to avoid penalties, but are reluctant to give up profitable practices before their competitors do, creating a kind of prisoner's dilemma. Still others have taken advice mainly from legal counsel, who tend to focus on the contractual requirements rather than on the vague security principles briefly covered by Article 32, which sets no measurable objectives. Neither the recently established European Data Protection Board nor the Article 29 Working Party it replaced has offered much concrete guidance.

Individuals are quickly discovering new options to access, correct and export their personal data, which could restore a sense of public ownership and control. However, in the rush to set up a process for honoring the data subject rights in Articles 15 to 22, inexperienced organizations may struggle to recognize and handle such requests consistently, particularly when the procedure is manual (for example, a privacy@acme.com mailbox). What is the impact? If the organization fails to meet customers' expectations by handling requests poorly or forcing them through a tedious and confusing process, customers will lose confidence in the organization's security and its protection of customer data. In addition, these expanded consumer rights open new avenues for phishing: an attacker who impersonates a data subject can turn an access or portability request into a data breach if the company returns personal data to the wrong individual or organization without first verifying the requester's identity.

There is still no certification framework under Article 42, nor any formal mapping to or recommendation of another framework to follow, such as ISO 27001. Finally, with no fines successfully imposed so far, many organizations are adopting the "school of fish" strategy that was common when the Gramm-Leach-Bliley Act (GLBA) was implemented in 1999: blend in with the crowd and hope not to be singled out. Astute Governance, Risk and Compliance (GRC) managers can work through a few general requirements while saving most of their energy and budgets up to

Long-Term Potential

Despite these challenges, the GDPR is likely to push organizations to adopt security measures in response, following the precedent set by enforcement actions and certification frameworks under earlier regulations. If supervisory authorities focus on security in certification requirements and punitive enforcement, organizations' risk appetite will adapt to the new environment. As in Australia, the court of public opinion may carry even more weight because of the reputational risk associated with breach notification. The B2B ecosystem will also gradually push security forward as vendor procurement and monitoring programs incorporate GDPR-compliant security expectations.

This pressure also weighs on organizations' strategic plans to build the trust of their customers, partners and shareholders. Organizations will need to consider their financial investment in risk management more than ever before. This may include adopting industry security best practices, upgrading security controls and continuing staff training. For publicly traded organizations, the budget and level of effort devoted to privacy and data security will be a frequent and expected subject

Initially, consumer confidence may decline during the period when breach notifications become more common. However, organizations with strong monitoring capabilities and well-considered response plans can retain some of the trust that is lost after a breach. Consumers expect communication and transparency after their data is leaked, and good customer service after the fact can repair some of the damage. Learn from the debacle of Equifax's useless breach-check tool, or from the official Equifax Twitter account directing users to a spoofed site. Organizations with incident response plans in place will be ready to accept responsibility and tell consumers what caused the breach, what the likely consequences are and what the company is doing to mitigate the damage, which is also what Article 34 requires when notifying data subjects.

Although much of this potential progress will only materialize over months or years, proactive organizations can use the GDPR as an opportunity for greater engagement with their user communities and business customers right now. Annual privacy notices and program updates can improve consumer confidence, while soliciting user feedback for a privacy-by-design program could strengthen the relationship with the organization. This is also the right time for consumer education campaigns that teach users about their privacy rights and good security practices. Organizations can build a relationship with users and a reputation for transparency by educating consumers about data collection and processing and by providing clear, detailed information about data-sharing arrangements and legal disclosure requirements.

Individual Actions

With so much emphasis on organizational compliance and privacy adoption, it is easy to forget the important role individuals can play as their own advocates for privacy and security. Educated consumers understand their rights as individuals and can play a vital part in advancing GDPR-compliant security practices. Motivated individuals can use their rights of rectification, objection, portability and erasure to "vote with their data" by withdrawing their information from careless organizations. Individual privacy activists can also act as whistleblowers, lodge complaints with supervisory authorities, or even sue companies that violate the GDPR. When industry certifications and codes of conduct become available, consumer pressure can encourage executives to adopt them. By exercising their rights, data subjects can create a safer world for themselves, even if the baseline of organizational security takes some time to reflect the progress of the GDPR.

What Now?

Recognizing the long road to observable security changes, what can organizations do right now to assure consumers of their commitment to security practices that make privacy possible? Until supervisory authorities put certification frameworks in place, a GDPR attestation of conformity by a qualified independent audit firm, combined with relevant security reports or certifications such as SOC 2 or ISO 27001, will have to suffice. It is essential to work only with competent, qualified assessors to avoid costly mistakes or bad advice. Look for professionals who hold both a security certification such as CISA or CISSP and a privacy certification such as CIPP/E. Do not expect technical advice from legal counsel; involve the security team in planning GDPR remediation. Give consumers transparent information about your security program and accept comments and criticism from individuals.

GDPR enforcement actions will soon start appearing in the news, and organizations should use that information to focus on their most critical weaknesses. Those who are prepared and first in line to complete certifications as soon as they become available will gain excellent public relations and build their reputation with consumers. Do not lose sight of upcoming legal developments such as other pending privacy regulations. Consider public perception when planning incident response, and keep open lines of communication so consumers can raise their security concerns. You have made it this far, but it is not yet time to relax about GDPR security.
