Five trends to pay extra attention to in the year of the GDPR

You can't have failed to notice: the GDPR (General Data Protection Regulation, in Dutch 'de Algemene Verordening Gegevensbescherming') has come into effect. There are stricter rules in place regarding the protection of personal data. The penalties for violating the privacy rules are a lot higher.

It is beyond dispute, then, that a lot is changing this year in the protection of personal data, so it is all the more important to focus your attention on the changes that really matter. Which trends in the protection of personal data must you not ignore in 2018?


1. Ransomware attacks - What to do?

In 2017, the world was shocked by ransomware attacks. Ransomware is software that blocks access to data; the rightful owner of the data regains access only after paying a 'ransom' to the criminals behind it. One of the biggest attacks of 2017 used the WannaCry ransomware, which, among other things, affected a large number of hospitals in Great Britain.

More of these attacks are expected in 2018, and they are expected to be more destructive. Criminals will threaten to publish unlawfully obtained data. There may also be attacks in which the ransomware lies dormant for a while before becoming active, so that it ends up in backups as well. Ransomware will also start using 'machine learning': such 'smart ransomware' will be able, for example, to reprogram itself, which will make it more difficult for virus scanners to detect.

Under the GDPR, organisations are required to take technical measures in line with the state of the art. Your organisation will therefore also have to use machine learning, for example, just to keep ransomware out. Organisational measures in this area are mainly about raising awareness among employees: do they know how to recognise ransomware, and do they know what to do?


2. Customers are aware of their rights - What will you have to deal with?

A study by KPMG has shown that many people do not know what the GDPR is exactly. As soon as they do know, they turn out to be interested:

  • 51% of respondents want to make use of the right to be forgotten;
  • 60% of them want the right to access;
  • 56% of them want the right to data portability;
  • 59% of them want the right to rectification.

This has considerable significance for your organisation. Apart from the data incidents that receive a lot of media attention, you can expect requests from customers who wish to exercise their rights. How do you organise this?

Every organisation therefore needs strict processes for handling these requests. For the right of access and the right to data portability, it is important to be able to retrieve data quickly from different applications, in a form that is readable by people and/or by computers (in the case of a transfer). And how do you ensure that all data on a customer are removed when he or she requests this? If that is not possible for technical or administrative reasons, such as a retention obligation, be clear and transparent about it.


3. Two-factor authentication is becoming the standard - How do you use it?

Security based on a password alone is no longer sufficient. Most user passwords are weak, and many users use the same password for multiple systems. In the worst case, colleagues know one another's passwords; sometimes these are even written on notes left on the desk. At the same time, people find it annoying to have to log in again each time.

You solve both problems by using two-factor authentication (2FA). Something the user knows (the password) is supplemented with an extra layer of security in the form of something the user has (for example a mobile device) or something the user 'is' (such as a fingerprint or an iris scan).

Thanks to advancing technology it is easier to secure systems with multiple methods, and 2FA is being used in a growing number of organisations. You would expect this to lead to more hassle. On the contrary: it leaves users with fewer passwords to work with, because single sign-on in combination with 2FA is secure.
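As an added example (not code from the original post), the check below requires both factors from this section: a password (something the user knows) and a time-based one-time code from an authenticator app on a mobile device (something the user has), verified with RFC 6238 TOTP. The password hash and the shared TOTP secret are constructed demo values.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credentials (not real): a salted PBKDF2 password hash and the
# shared TOTP secret as it would be provisioned to the user's authenticator app.
DEMO_SALT = b"demo-salt"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000)
DEMO_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret (demo only)
TIME_STEP = 30  # seconds per TOTP step


def check_password(candidate: str) -> bool:
    """Factor 1: something the user knows. Constant-time compare of PBKDF2 hashes."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), DEMO_SALT, 100_000)
    return hmac.compare_digest(digest, DEMO_PASSWORD_HASH)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_totp(code: str, unix_time: int, window: int = 1) -> bool:
    """Factor 2: something the user has. Accept the current step +/- `window`
    steps to tolerate clock drift between server and phone."""
    for drift in range(-window, window + 1):
        expected = totp(DEMO_TOTP_SECRET, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Both factors must pass: a correct password alone is never enough.
    Both checks always run, so timing does not reveal which factor failed."""
    now = int(time.time()) if unix_time is None else unix_time
    password_ok = check_password(password)
    code_ok = check_totp(code, now)
    return password_ok and code_ok
```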


4. Prevention is becoming more important than cure - How can you be 'demonstrably' in control?

Even in the unlikely event that your organisation never suffers a data leak or other incident, this does not automatically mean that you comply with the GDPR. You must be able to demonstrate that you, as an organisation, are doing everything to exclude unauthorised access to personal data.

This means that you must actively take measures that reduce the risk of data leaks, and document those measures to show that your organisation is set up to prevent an incident. Also ask yourself how you would answer the following questions:

  • How have you trained your employees to make them aware of the risks?
  • Have you taken technical measures, such as a separate Wi-Fi network for guests that is shielded from other devices?
  • What warnings do employees receive when they send emails to the wrong address?

Finally, it is important that there are protocols in place, so that it is clear what needs to be done if an incident nevertheless occurs.


5. Humans as the weakest link in the protection of personal data - What can you learn from this?

Much can be achieved through technical measures, but the human aspect of data protection remains important. After all, a large number of data leaks are the result of human error. Consider, for example, the accidental sending of a file to a wrong email address or the sharing of sensitive information via a public service.

The key to success is a personal approach that creates awareness among employees, so that everyone who comes into contact with personal data within your organisation is aware of the new privacy rules and of your (amended) privacy policy.

  • Make sure your employees are aware of the new rules that apply. For example, organise an internal event with an external speaker who explains the new rules of the GDPR, and then explain your new policy.
  • Designate a project manager in each department or team who is responsible for the implementation of this policy.
  • Have each department or team carry out an assessment of what is and is not permitted.
  • Ask employees to think about changes which will be necessary to guarantee the optimum protection of personal data.
  • The project manager coordinates the process as a whole and draws up a progress report.

Companies that want to take the lead in privacy are putting great emphasis on awareness among all employees. It is sensible to use software that, in the background, actively assists employees in making the right choices. Only if this software does not get in the way of the user and does not make the work unnecessarily complex will it contribute to a safe working environment.


How do you get through the Year of the GDPR intact?

Raising awareness of privacy and the GDPR/AVG is a layer that encompasses the necessary organisational and technical measures. This is so important because 46% of data breaches occur because employees do not handle sensitive data with awareness. But how do you tackle this? In this ebook, we answer this question and provide you with practical tips.
