Five trends to pay extra attention to in the year of the GDPR

You can't have failed to notice: the GDPR (General Data Protection Regulation, in Dutch the Algemene Verordening Gegevensbescherming or AVG) has come into effect. Stricter rules now apply to the protection of personal data, and the penalties for violating them are considerably higher.

That a great deal is changing this year in the protection of personal data is therefore beyond dispute. All the more reason to focus your attention on the changes that really matter. Which trends in the protection of personal data must you not ignore in 2018?


1. Ransomware attacks - What to do?

In 2017, the world was shocked by ransomware attacks. Ransomware is malware that blocks access to data, usually by encrypting it. The rightful owner only regains access after paying a 'ransom' to the criminals behind it, and even then recovery is not guaranteed. One of the biggest attacks of 2017 was carried out with the WannaCry ransomware, which among other things hit a large number of NHS hospitals in the United Kingdom.

More of these attacks are expected in 2018, and more destructive ones. Criminals will not only encrypt data but also threaten to publish what they have stolen. There may also be attacks in which the ransomware lies dormant for a while before activating, so that backups made in the meantime are affected as well. Ransomware is also expected to start using 'machine learning': such 'smart ransomware' could, for example, rewrite itself, making it harder for virus scanners to detect.

Under the GDPR (Article 32), organisations are required to take technical and organisational measures that are appropriate to the risk, taking the state of the art into account. The regulation prescribes no particular technology, but if attackers adopt machine learning, defences that only look for known signatures will fall behind, and your organisation will increasingly have to rely on behaviour-based detection, machine learning included, to keep ransomware out. Since delayed ransomware targets backups, keep at least one backup copy offline or immutable and test regularly that you can actually restore from it. Organisational measures in this area are mainly about raising awareness among employees: do they know how to recognise ransomware, and do they know what to do when they see it?


2. Customers are aware of their rights - What will you have to deal with?

A study by KPMG has shown that many people do not know what the GDPR is exactly. As soon as they do know, they turn out to be interested:

  • 51% of respondents want to make use of the right to be forgotten;
  • 60% of them want the right to access;
  • 56% of them want the right to data portability;
  • 59% of them want the right to rectification.

This matters a great deal for your organisation. Quite apart from data incidents that attract a lot of media attention, you can expect requests from customers who wish to exercise these rights. How do you organise this?

Every organisation therefore needs well-defined processes for handling these requests, and the GDPR expects a response within one month. For the right of access and the right to data portability, it is important to be able to quickly retrieve all data on a person from the different applications that hold it. The data must be readable by people and, in the case of portability, by machines as well (the GDPR speaks of a 'structured, commonly used and machine-readable format'). And how do you ensure that all data on a customer are actually erased when he or she requests this? Where that is not possible for technical or administrative reasons, such as a statutory retention obligation, be clear and transparent about it.


3. Two-factor authentication is becoming the standard - How do you use this?

Security based on a password alone is no longer sufficient. Most user passwords are weak, and many users reuse the same password across multiple systems. In the worst case, colleagues know one another's passwords, sometimes even written on notes left on the desk. At the same time, people find it annoying to have to log in again every time.

You address both problems with two-factor authentication (2FA). Something the user knows (the password) is supplemented with an extra layer of security: something the user has (for example a mobile device or a hardware token) or something the user 'is' (such as a fingerprint or an iris scan). Not every second factor is equally strong: codes sent by SMS can be intercepted or diverted by a SIM swap, so prefer an authenticator app or a hardware token where you can.

Thanks to advancing technology it is easier to secure systems with multiple methods, and 2FA is being used in a growing number of organisations. You would expect this to mean more hassle. On the contrary: combined with single sign-on, 2FA leaves users with one strong login instead of many weak passwords, because a single sign-on protected by 2FA can safely be trusted by the applications behind it.


4. Prevention is becoming more important than cure - How can you be 'demonstrably' in control?

Even in the unlikely event that your organisation never suffers a data leak or other incident, that does not automatically mean you comply with the GDPR. Under its accountability principle you must be able to demonstrate that you, as an organisation, are doing what is appropriate to prevent unauthorised access to personal data.

This means actively taking measures that reduce the risk of data leaks, and documenting those measures so that you can show your organisation is set up to prevent an incident. Ask yourself how you would answer the following questions:

  • How have you trained your employees to make them aware of the risks?
  • Have you taken technical measures, such as a separate Wi-Fi network for guests that is isolated from the internal network and its devices?
  • What warnings do employees receive when they are about to send an email to a wrong address?

Finally, it is important to have protocols in place so that it is clear what must be done if an incident nevertheless occurs, including who decides whether a breach must be reported to the supervisory authority within the 72 hours the GDPR allows.
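As an added example (not from the article and not ZIVVER's product code), the following Python sketches the kind of outbound-mail check behind the third question above. Before a message leaves, each recipient domain is compared with the organisation's own domain and the domains of its known contacts, and the sender is warned about a domain that is one typo or transposition away from a trusted one, a known contact's name at a domain never used for them (the classic autocomplete mistake), or an external domain written to for the first time. All domains and contacts are placeholders.

```python
"""Warn the sender about likely mis-addressed recipients before an email leaves.
Added example with placeholder domains; not the article's or ZIVVER's code."""
import re

ADDRESS_RE = re.compile(r"^\s*([^@\s]+)@([^@\s]+)\s*$")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and a swap of
    two adjacent characters each cost 1, so 'partenr' vs 'partner' is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_address(addr: str) -> tuple[str, str]:
    """(local part, domain), both lower-cased; rejects anything but a bare address."""
    m = ADDRESS_RE.match(addr)
    if not m:
        raise ValueError(f"not a plain email address: {addr!r}")
    return m.group(1).lower(), m.group(2).lower()


def check_recipients(recipients, internal_domain, known_contacts):
    """Return (address, reason, detail) for every recipient that deserves a warning.

    Trusted = the organisation's own domain (and its subdomains) plus every domain a
    known contact uses. Any other recipient is classified as
      'lookalike-domain'            one edit away from a trusted domain (typo or squat)
      'known-contact-other-domain'  a known contact's name at a domain never used for them
      'unknown-external-domain'     a first-time external domain: low severity, still a prompt"""
    internal_domain = internal_domain.lower()
    contacts = [split_address(c) for c in known_contacts]
    trusted = {internal_domain} | {dom for _, dom in contacts}
    domains_by_local: dict[str, set[str]] = {}
    for local, dom in contacts:
        domains_by_local.setdefault(local, set()).add(dom)

    warnings = []
    for addr in recipients:
        local, dom = split_address(addr)
        if dom in trusted or dom.endswith("." + internal_domain):
            continue
        lookalikes = sorted(t for t in trusted if osa_distance(dom, t) == 1)
        if lookalikes:
            warnings.append((addr, "lookalike-domain", lookalikes[0]))
        elif local in domains_by_local:
            warnings.append((addr, "known-contact-other-domain", sorted(domains_by_local[local])[0]))
        else:
            warnings.append((addr, "unknown-external-domain", dom))
    return warnings


if __name__ == "__main__":
    # Constructed sample: the sender works at example.com and has two known contacts.
    for w in check_recipients(
        ["bob@partner.example", "bob@partenr.example", "carol@gmail.example",
         "dave@newvendor.example", "erin@hr.example.com"],
        "example.com",
        ["bob@partner.example", "carol@example.org"],
    ):
        print("WARN %-24s %-27s (cf. %s)" % w)
```

In practice the known-contact list comes from the user's own sent mail, and the warning must stay advisory rather than blocking: a check that fires on every external recipient is clicked through within a week and teaches nothing, whereas one that only speaks up for a lookalike or an unexpected domain is the kind of background assistance that helps employees make the right choice.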


5. Humans as the weakest link in the protection of personal data - What can you learn from this?

Much can be achieved with technical measures, but the human side of data protection remains important. After all, a large share of data leaks is the result of human error: think of a file sent to the wrong email address, or sensitive information shared via a public consumer service.

The key to success is a personal approach that creates awareness among employees. It ensures that everyone in your organisation who handles personal data knows the new privacy rules and your (amended) privacy policy.

  • Make sure your employees know the new rules that apply. For example, organise an internal event with an external speaker who explains the new rules of the GDPR, and then present your new policy.
  • Designate a project leader in each department or team who is responsible for implementing this policy.
  • Have each department or team assess what is and is not permitted.
  • Ask employees to think about the changes needed to guarantee the best possible protection of personal data.
  • The project leader coordinates the process as a whole and draws up a progress report.

Companies that want to take the lead in privacy put great emphasis on awareness among all employees. It is sensible to use software that actively assists employees, in the background, in making the right choices. Only if that software does not get in the way of the user and does not make the work unnecessarily complex will it contribute to a safe working environment.


How do you get through the Year of the GDPR intact?

Raising awareness of privacy and the GDPR/AVG is the layer that ties the necessary organisational and technical measures together. It matters because 46% of data breaches occur because employees do not handle sensitive data with care. But how do you tackle this? In this ebook, we answer that question and give you practical tips.

Go to the GDPR Checklist
