It is worth investing in the implementation of even a small change


In the November blog, Juha wrote about planning and control as guarantors of the level of data protection; both are important. Well designed also means that services and systems are easy to use. The vast majority of employees in companies and communities know little about the GDPR and care even less; this is quite normal, and even the most zealous security manager or data protection officer cannot expect more.

This is why it is essential to consider, already at the design stage, how GDPR requirements will be communicated, trained and implemented internally.

Communication should start at the stage of the project where it is known what data is stored and used and of what kind, i.e. right after the data and its processing have been mapped. Unfortunately, communication is often left to a couple of e-mails announcing that the legislator has handed us a requirement that must be complied with as is. The guidelines then spend a few bullet points on what not to do, and that's it.

In my experience, this is the point at which the first mistake, and a rather expensive one, is made. Coercion is a lousy motivator: if staff are given even an outline of what it is about and how abuses can affect the business, people find it far easier to embrace privacy and are motivated to work on it. The GDPR is an indigestible legal text that gives no direct guidance on how people should handle its requirements. Still, in capable hands, those requirements can be turned into the necessary practical actions, designed to be usable in the organization.

Employee training should always be tailored to the client's needs and situation, not produced by cutting corners and copying what has been done before. Well-planned training explains the rationale for the data protection work, making it easier for employees to understand and accept the requirements. Of course, data protection is the company's responsibility, but blundering in your job usually slows career development or may even end it. Ignorance is no longer a valid excuse.

Unfortunately, usability is often left at the level of beautiful presentations and diagrams that ignore the staff's experience and expertise. Who knows better than the team how the company actually handles things? The besetting sin of service design, on the other hand, is the lack of testing at the design stage; in practice, processes are often copied and so are not necessarily designed for the needs at hand.

To sum up, a GDPR or data mapping project designed and implemented together with an expert is always better than a list of measures assembled from Google searches and left for staff to interpret and enforce. In the worst case, it remains partly undone.

At GDPR Tech, we have expertise in planning communication, training and service usability. A reasonable additional investment in implementing the change pays for itself when the project's results are evaluated afterwards. A mere order from management to act one way or another is likely to remain a half-hearted exercise, and secure processing of personal data never becomes part of the organization's operating culture.

The author is an all-rounder in business information security who has recently fallen into the intricacies of service design and experienced enlightenment about usability as an integral part of the whole.

Get your infrastructure risks under control with analytical tools

In the modern world, where business is under constant change and outsourcing is the new black, it is challenging to analyse risk status reliably. Data should be available in all situations, also during exceptional times, as demanded by the business and by compliance rules such as the NIS Directive and the GDPR. For business, data availability and infrastructure are keys to success.

In 2020 it is common to combine infrastructure from on-premises, service providers and cloud sources. Such combinations easily produce an environment that is difficult to observe as a whole. This is a concern not only for costs but also for data availability and business continuity. Happy is the CIO or CTO whose services and hardware come from only one or two companies. With booming business, a growing number of providers and environments is the rule.

  • Cloud IaaS from one place, BaaS from another, outsourcing from yet another service provider, all built on slightly different vendors: Rubrik, Veeam, EMC Isilon, HP Data Protector, IBM TSM, VMware, Hyper-V, AWS, Windows, HP-UX, Red Hat, to start with.

Is there a dashboard view? Is all of this still needed? Which versions are we running? Are all versions up to date or at the planned level? Are all servers covered by backup routines? Can we restore within the recovery time objective (RTO) set by that critical business unit? Is the number of new virtual services and servers growing, and are they under control at all, or even backed up?

These should be routine checks and therefore hardly a problem at all. Still, headlines like "Organisation down, hackers took the environment down, no backups to restore operations" keep popping up in the media. Without control of the whole, fundamental risks can materialise.

Therefore, risk mitigation trends and mitigation analysis should be key visuals for those in charge.

For organisations operating internationally, the status quo is capacity scattered across many platforms and under-used. Scattered, under-used, but definitely overpaid.

Compliance requirements, directives, regulations and standards (such as PCI DSS, the NIS Directive and the GDPR) often demand data availability. Naturally, the business units typically demand it too.

Cloud, no cloud or hybrid cloud: an overview dashboard for all environments?

With this kind of tool it is easier to answer those difficult questions: are there risks that have not been traced? Is all capacity under control? Is there an environment that is a historical leftover? (You know the ones: "use this only during the migration" or "temporary". We know.)

The reports presented in this blog are consistent and standardised even though the data sources and vendors are not. They are created automatically by a tool that correlates data across the set of products. All data is collected from the sources securely and without installed agents, and correlations and corrective actions are generated for your use.
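The coverage, RTO and "historical leftover" questions asked earlier, and the correlation across products described just above, come down to one reconciliation: an inventory of servers from the platforms against the job history of the backup products. The following is an added example written for this page, not APTARE output or any vendor's code. The inventory, the job records, the field names and the assumed restore throughput of 200 GB/h are constructed stand-ins for values a real environment would supply from hypervisor and backup-catalogue APIs.

```python
"""Added example: reconcile a server inventory against backup-job history.

Illustrative code only; it is not Veritas APTARE output or any vendor's code.
The inventory and job records are constructed, and the field names and the
assumed restore throughput (200 GB/h) are stand-ins for values a real
environment would supply from hypervisor and backup-catalogue APIs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Server:
    name: str
    platform: str      # where the record came from: vmware, hyper-v, aws ... (assumed field)
    size_gb: float
    rto_hours: float   # recovery time objective set by the owning business unit


@dataclass
class BackupJob:
    server: str        # name as the backup product reports it (case and suffix may differ)
    product: str
    finished: datetime
    status: str        # "ok" or "failed"


# Constructed sample data: one inventory, job history from three backup products.
NOW = datetime(2020, 3, 2, 8, 0)
INVENTORY = [
    Server("web01.corp.example", "vmware", 120, 4),
    Server("db01", "hyper-v", 2400, 4),
    Server("fileserver01", "aws", 800, 24),
    Server("erp01", "vmware", 300, 8),
]
JOBS = [
    BackupJob("WEB01.corp.example", "Veeam", datetime(2020, 3, 1, 23, 0), "ok"),
    BackupJob("db01", "HP Data Protector", datetime(2020, 3, 1, 22, 0), "ok"),
    BackupJob("erp01", "Veeam", datetime(2020, 2, 26, 1, 0), "ok"),
    BackupJob("erp01", "Veeam", datetime(2020, 3, 1, 1, 0), "failed"),
    BackupJob("migration-tmp01", "IBM TSM", datetime(2020, 3, 1, 20, 0), "ok"),
]


def normalise(name):
    """Different products name the same host differently; compare on the short, lower-case name."""
    return name.split(".")[0].lower()


def last_good_backup(jobs):
    """Map normalised server name -> timestamp of its most recent successful job."""
    latest = {}
    for job in jobs:
        if job.status != "ok":
            continue
        key = normalise(job.server)
        if key not in latest or job.finished > latest[key]:
            latest[key] = job.finished
    return latest


def assess(servers, jobs, now, max_age=timedelta(hours=24), restore_gb_per_hour=200.0):
    """Return {server: [findings]} for servers that are unprotected, stale, or cannot meet RTO."""
    latest = last_good_backup(jobs)
    findings = {}
    for s in servers:
        key = normalise(s.name)
        issues = []
        if key not in latest:
            issues.append("no successful backup found")
        elif now - latest[key] > max_age:
            issues.append(f"last good backup is {(now - latest[key]).days} days old")
        # Crude restore-time estimate; replace with measured restore rates where available.
        est_hours = s.size_gb / restore_gb_per_hour
        if est_hours > s.rto_hours:
            issues.append(f"estimated restore {est_hours:.1f} h exceeds RTO {s.rto_hours:g} h")
        if issues:
            findings[key] = issues
    return findings


def orphan_backups(servers, jobs):
    """Servers still being backed up but absent from every inventory: likely the 'temporary' leftovers."""
    known = {normalise(s.name) for s in servers}
    return sorted(set(last_good_backup(jobs)) - known)


if __name__ == "__main__":
    for server, issues in assess(INVENTORY, JOBS, NOW).items():
        print(server, "->", "; ".join(issues))
    print("backed up but not in inventory:", orphan_backups(INVENTORY, JOBS))
```

On the constructed data this flags db01 (too large to restore inside its 4 h RTO at the assumed rate), fileserver01 (never backed up) and erp01 (last good backup five days old, the newer run failed), while web01 passes even though Veeam reports its name in upper case with a domain suffix. The orphan check works the other way round and surfaces migration-tmp01, which is still consuming backup capacity although no platform lists it any more.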

With this tool it is easy to drill down, e.g. to a very technical level, or to go up to the cost or charge-back level.

The tool is Veritas APTARE IT Analytics. We also use it for infrastructure assessments, which analyse an adequate set of core infrastructure components. Based on this data, corrective actions and risk mitigation plans are created to support your decision-making. Ask for more information or schedule a demo.

Was there any common sense in the GDPR in 2019?

GDPR Tech celebrated its third anniversary in December 2019. Now is a good time to look back at what has been accomplished. There are always things to do, on our side as well.

Since the beginning of the company our motto has been: "In GDPR-related issues, common sense is allowed". By that we mean that the GDPR covers a large area and you should neither overreact to it nor underestimate it. There are many elements to being "GDPR compliant", but don't overdo it. In particular, don't focus only on documentation, for example, and forget to carry out the actual corrective actions.

The GDPR has been considered complex and difficult to implement. A risk-based approach is the easiest way to simplify the road to compliance. Short and sweet: we control and/or process living individuals' data, and the GDPR sets the frame for how we may use that data. One of its goals is and has been to harmonise national legislation, so that the rules are the same all over Europe. The intention is to protect individuals, not to stop normal business operations.

Why was this regulation introduced, when everybody follows the law and takes such good care of all data?

Well. There are several reasons, e.g. data breaches, companies selling our personal data, and political influencing based on personal data. Many companies make good profits selling our personal data to third parties, be it for sales, marketing or illegal purposes. Some of those companies really believe that they own YOUR and my personal data. Yep, that is your data, not Google's or Facebook's.

In Europe the GDPR is a reality, and that reality is here now

But is it here? After 25 May 2018, did nothing happen, and did the apocalypse of the scaremongering consultants vanish into the void? In reality it has simply taken more time, as the cases are complex.

Think about these examples: was there any "privacy by design/default" or common sense involved?

  • An airline in the UK left its web pages unpatched (technically, those boring cybersecurity updates to components). The personal data of about 500 000 (0.5M) individuals was copied to a third party, quite possibly handing it to criminals on a large scale. Would you feel comfortable being one of the many?
  • A municipality in Norway and its schools stored pupils' passwords and login information unprotected in a single file, which also contained the access data of minors. Would you be happy to find out that many of the other pupils had access to your kid's data?
  • A hospital in Germany mixed up patients when invoicing them, and many patients received a treatment bill containing somebody else's patient data. Your kid, who is an exchange student in Germany: is she one of the lucky ones involved?

Yes, we also think that this kind of thing should not happen. The supervisory authorities in these countries thought the same, and when gentle nudging did not help, they fined the organisations from tens of thousands to millions of euros, depending on the case and its severity.

What should you do to be compliant in 2020? Can we do a one-off project, lift and shift, and off we go?

Our approach to GDPR readiness is divided into four sections, presented in the following pie chart. (Those who have met me have seen my horrible pie charts on the whiteboard, sorry.)

  • Regulation, legal affairs and responsibilities: typically things like contracts, due diligence, data processing agreements and so on. (In many cases this is paperwork only, but it is also required.)

But legal advice is not enough. Not at all, as the GDPR also demands a risk-based approach and "technical and organisational measures" that take "the state of the art" into account. Therefore, we need three more slices of the pie to make it complete.

  • Guidance, training, applications, awareness, changes to the status quo
  • Security: technical and organisational aspects
  • Data management, for both structured and unstructured data (those M: drives with "common" directories, we know)

A project is a good start, but it is only the beginning. Being compliant means keeping your new practices up to date and in good shape. It is easier once you have taken the initial step. Things change, so remember impact assessments and keep your documentation updated.

Have a safe 2020. Let's make this year more secure than the previous one. And keep up the good work you have done!

Juha Sallinen

Data relating to individuals in images – a risk in your unstructured data?

Do you store information about individuals in scanned images (e.g. driving licences, passports), and is there a risk that this information is not genuinely protected? In itself this is an acceptable way to store data, but is the information really protected as well as it should be? How can you be sure, and how do you identify the possible risks in your unstructured data environment?

The challenge: we have been doing Dark Data Assessments since 2016, and from time to time we have faced situations where it would have been useful to know the potential risks hidden in images. Such files may well account for over 8% of all your data. With terabytes or millions of files, tracking down problematic content is a daunting task. How do you identify, at scale and among millions of files, the images that contain patterns relating to personal information (covered by the EU GDPR or other regulations or guidelines)? Let's look at an example.

On the left, we have a Finnish driving licence, which also shows the holder's personal identity code (the Finnish "social security number"). On the right, we have a sample of the new Irish passport.

So, consider a typical medium-sized or large enterprise with millions of files on file servers, the intranet and in e-mail. Are all those files protected? Is it possible that personal data is stored in the wrong place? The answer is almost certainly yes: since we started our assessment service, we have found data at risk basically every single time. How can we identify these files? Simply put, we run our assessment service and identify the risks in the particular environment. Typically the most worrying targets are file servers and intranet servers, as they hold most of the data and are essentially unstructured. We are talking about that infamous M: drive and the shared folder labelled "common".

Our assessment starts by carefully defining the scope and the patterns to use. Then we scan metadata and content. Content scanning can also include optical character recognition (OCR) for images, after which we examine the data found.

Regarding the images above, standard assessment would find and pinpoint them like this:

As the sample scanning results show, image quality matters when doing OCR. The method is not 100% accurate, but a manual search through the images would be far less so.
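The pattern step described above is where false positives are won or lost: a bare regular expression for an eleven-character identity code matches invoice numbers and serials as well, and OCR on a poor scan turns digits into letters. The following is an added example written for this page, not the DDA 4D scanner or any of its output. It applies the public rules for the Finnish personal identity code (date part, century marker, three-digit individual number, mod-31 check character) to text, tolerates the typical OCR confusions of 0/O and 1/I/l, and masks what it reports. The sample documents and file paths are constructed; OCR itself is assumed to run upstream (for example Tesseract) and hand its text to this code.

```python
"""Added example: find Finnish personal identity codes in unstructured text,
including OCR output from scanned images.

Illustrative code only, not the DDA 4D scanner. The format, century markers and
mod-31 check character are the public rules for the Finnish code; the sample
documents are constructed. OCR itself is assumed to happen upstream (e.g.
Tesseract); this code consumes the recognised text and tolerates its typical
0/O and 1/I/l confusions.
"""
import re
from dataclasses import dataclass
from datetime import date

CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"  # G, I, O, Q, Z are deliberately excluded
CENTURY = {"+": 1800, **dict.fromkeys("-UVWXY", 1900), **dict.fromkeys("ABCDEF", 2000)}

# DDMMYY, century marker, 3-digit individual number, check character. Digit
# positions also accept O, I and l, which OCR commonly produces on poor scans.
LENIENT_HETU = re.compile(
    r"(?<![0-9A-Za-z])([0-9OIl]{6})([-+A-FU-Y])([0-9OIl]{3})([0-9A-FHJ-NPR-Y])(?![0-9A-Za-z])"
)
OCR_DIGIT_FIX = str.maketrans({"O": "0", "I": "1", "l": "1"})


def is_valid_hetu(ddmmyy, marker, indiv, check):
    """True if the parts form a structurally valid code: real date, issued number range, correct check char."""
    try:
        dd, mm, yy = int(ddmmyy[0:2]), int(ddmmyy[2:4]), int(ddmmyy[4:6])
        date(CENTURY[marker] + yy, mm, dd)
    except (ValueError, KeyError):
        return False
    if int(indiv) < 2:  # 000 and 001 are never issued
        return False
    return CHECK_CHARS[int(ddmmyy + indiv) % 31] == check


@dataclass
class Finding:
    source: str   # file the text came from
    offset: int   # character offset within the text
    raw: str      # the token as OCR produced it
    code: str     # normalised, validated code
    masked: str   # what goes into the report


def mask(code):
    """Keep date and marker for triage, hide the individual part."""
    return code[:7] + "****"


def scan_text(text, source):
    findings = []
    for m in LENIENT_HETU.finditer(text):
        ddmmyy = m.group(1).translate(OCR_DIGIT_FIX)
        indiv = m.group(3).translate(OCR_DIGIT_FIX)
        marker, check = m.group(2), m.group(4)
        # The check character rejects nearly all look-alike strings (invoice numbers, serials, OCR noise).
        if is_valid_hetu(ddmmyy, marker, indiv, check):
            code = f"{ddmmyy}{marker}{indiv}{check}"
            findings.append(Finding(source, m.start(), m.group(0), code, mask(code)))
    return findings


def scan_documents(docs):
    """docs: iterable of (source, text). Returns findings for all documents in order."""
    results = []
    for source, text in docs:
        results.extend(scan_text(text, source))
    return results


# Constructed sample documents; the first imitates OCR output where a 1 was read as l.
SAMPLE_DOCS = [
    ("M:/common/hr/ajokortti_scan_0042.jpg (OCR text)",
     "AJOKORTTI DRIVING LICENCE 4d. 13l052-308T 5. 123456789"),
    ("M:/common/finance/invoice_2019-0455.txt",
     "Invoice 2019-0455 customer ref 010101-123N total 120,00 EUR"),
    ("M:/common/tmp/old_notes.txt",
     "serial 010101-123A, order 311399-123X, none of these are real codes"),
]

if __name__ == "__main__":
    for f in scan_documents(SAMPLE_DOCS):
        print(f"{f.source}: {f.masked} at offset {f.offset} (seen as {f.raw!r})")
```

Two design points carry over to any scanner of this kind. First, the lenient match plus strict validation is what makes OCR input usable: the garbled token 13l052-308T is repaired and then confirmed by its check character, while the two look-alikes in the notes file fail on the check character and on the impossible date and are dropped without human review. Second, the report never carries the full code; the scan exists to find data at risk, and a findings report that itself contains unmasked identity codes would simply be one more file to secure.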

Our standardised assessment, Dark Data Assessment (DDA 4D), can help you find and secure your image files. Ask for more information on how to identify possible risk areas in your unstructured data environment and lower the risks! Keep in mind that DDA 4D also offers other benefits, such as saving storage and backup capacity.

Keep your data safe – Order Dark Data Assessment now!

#DDA #DarkDataAssessment #GDPR

About Rigacomm, people & robots

Off we went with Juha to Rigacomm, the biggest business and IT technology fair in the Baltics, arranged this year on 11 to 12 October. Our stand was strategically located between the coffee area demonstrating the InOut cloud-based queueing system and the Diatom stand occupied by an interactive robot, near the digital marketing stage. So we received our fair share of visitors, which was nice.

In quite a few conversations I ended up explaining the significance of legitimate interest under the GDPR and the balancing test. There is no legal requirement to ask for marketing consent from a customer on the customer list when certain (broadly set) conditions are met. Of course a regular explicit opt-out is still mandatory.

There were also many questions about what our technical solutions for the GDPR are and whether we develop them ourselves (the answer being yes, but not the software). So, more discussions about dark data assessment in different environments (file servers, SharePoint, O365, other cloud-based environments). There is no single patent solution for all cases. We offer solutions based on Veritas, Varonis and Micro Focus software.

As there were lively discussions about the content and implementation of our SMB start package, and about the effort and commitment it takes from the customer organisation as well (we go deep inside to verify), there was not as much time for discussions about the "beef" of data flow modelling as I would have liked.

As a contrast to the GDPR discussions in our booth, there were two publicly available robots around the fair. I overheard someone asking the lobby robot: "Do you like Robocop?" That more or less confused the robot (and amused me). I wonder if the robots were set to collect and store the questions people asked this time. That could be really interesting machine learning data, as I assume human imagination is in the end still superior to anything a machine could produce.

I also had a really nice discussion with a lady who was tired of all the information available, and of the GDPR in particular. It's no surprise the GDPR doesn't have a good reputation, with so many misunderstandings and even disinformation about it around. She was open about her frustration, and then we ended up talking about chocolate and ice cream. That's what we humans are like, and I appreciate it.