Was there any common sense in GDPR in 2019?

GDPR Tech had its third anniversary in December 2019. Now is a good time to look back at what has been accomplished. There are always things left to do, on our side as well.

Since the beginning of the company our motto has been: “In GDPR related issues, common sense is allowed”. By that we mean that GDPR covers a large area, and you should neither overreact to it nor underestimate it. There are many elements to being “GDPR compliant”, but don’t overdo it. In particular, don’t focus only on e.g. documentation and forget to carry out the actual corrective actions.

GDPR has been considered complex and difficult to implement. The simplest route to compliance is a risk-based approach. Sweet and simple. We control and/or process living individuals’ data, and GDPR sets the frame for how we may use that data. One of its goals is and has been to harmonise data protection rules across the member states, so that the rules are largely the same all over Europe. The intention is to protect individuals, not to stop normal business operations.

Why was this regulation introduced, if everybody already follows the law and takes such good care of all that data?

Well. There are several reasons, e.g. data breaches, companies selling our personal data, and political influencing based on personal data. Many companies make good profits selling our personal data to third parties, be it for sales, marketing or illegal purposes. Some of those companies really believe that they own YOUR and my personal data. Nope, that is your data, not Google’s or Facebook’s.

In Europe GDPR is a reality, and that reality is here now

But is it here? After 25 May 2018 nothing seemed to happen, and the apocalypse predicted by scaremongering consultants vanished into the void? In reality, enforcement has simply taken more time, because the cases are complex.

Think about these examples: was there any “privacy by design/default”, or any common sense, involved?

  • An airline in the UK left its web pages unpatched (technically: those boring cybersecurity updates to components). About 500 000 (0.5 M) individuals’ personal data was copied to a third party, quite possibly handing the data to criminals at scale. Would you feel comfortable being one of the many?
  • A municipality in Norway and its schools stored pupils’ passwords and login information unprotected in a single file, which also contained the access data of minors. Would you be happy to learn that many of the other pupils have had access to your kid’s data?
  • A hospital in Germany mixed up patients when invoicing them, and many patients received a treatment bill containing somebody else’s patient data. Your kid, who is an exchange student in Germany, is she one of the lucky winners involved?

Yes, we also think that this kind of thing should not happen. The local authorities in these countries thought the same way, and when gentle nudging did not help, they sanctioned the organisations with fines ranging from tens of thousands to millions of euros, depending on the case and its severity.

What to do to be compliant in 2020? Can we run a one-off project, lift-and-shift, and off we go?

Our approach to GDPR readiness is divided into four sections, which the following pie presents (those who have met me have seen my horrible pie drawings on the whiteboard, sorry).

  • Regulation, legal affairs and responsibilities: typically things like contracts, due diligence, data processing agreements and so on (in many cases paperwork only, but it is required all the same)

But legal advice alone is not enough. Not at all, as GDPR also demands a risk-based approach and “appropriate technical and organisational measures”, taking into account the “state of the art”. Therefore we need three more parts of the pie to make it complete.

  • Guidance, training, applications, awareness, changes to the status quo
  • Security: technical and organisational aspects
  • Data management, both for structured and unstructured data (those M: drives with common directories, we know)

A project is a good start. But it is only the beginning. Being compliant means keeping your new practices up to date and in good shape. It is easier once you have taken the initial step. Things change, so remember impact assessments and keep your documentation updated.

Have a safe year 2020. Let’s make this year more secure than the previous one. And keep up the good work you have done!

Juha Sallinen

Data relating to individuals in images – a risk in your unstructured data?

Do you store information about individuals in scanned images (e.g. driving licences, passports), and is there a risk that this information is not genuinely protected? As such, this is an acceptable way to store data, but is the information really protected as well as it should be? How can you be sure, and how do you identify possible risks in your unstructured data environment?

The challenge: We have been doing Dark Data Assessments since 2016, and from time to time we have faced situations where it would have been useful to know the potential risks hiding in images. Such challenging files may well account for over 8% of all of your data. In the case of terabytes or millions of files, it can be a daunting task to track down challenging content. How do you identify, at scale or across millions of files, the images that contain patterns relating to personal information (which is covered by the EU GDPR or other regulations or guidelines)? Let’s look at an example.

On the left, we have a Finnish driving license, which also contains the social security number of the individual. On the right, we have a sample of the new Irish passport.

So, let’s consider a typical medium-sized or large enterprise with millions of files on file servers, on the intranet and in email. Are all those files protected? Is it possible that data containing personal information is stored in the wrong place? The answer is almost certainly yes. Since we started our assessment service, we have found data at risk basically every single time. How can we identify these files? Simply put, we run our assessment service and identify the risks in the particular environment. Typically the most worrying targets are file servers and intranet servers, as they hold most of the data and are essentially unstructured. We are talking about that infamous M: drive and that shared folder labelled “common”.

Our assessment starts by carefully defining the scope and the patterns to search for. Then we scan metadata and content. Content scanning can also include optical character recognition (OCR) for images, after which we examine the data found.

Regarding the images above, a standard assessment would find and pinpoint them like this:

As the sample image of the scanning results shows, when doing OCR on images the quality of the image matters. This method may not be 100% accurate, but a manual search through images would be far less so.
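As an added example (not part of the original post, and not GDPR Tech’s DDA tooling), here is how the pattern part of such a scan can be built and why the patterns need validation, not just matching. It assumes two patterns relevant to the documents shown above: the Finnish personal identity code printed on the driving licence (validated against its date and check character, so that order numbers and similar look-alikes are reported separately), and the second line of a passport’s machine-readable zone (validated with the ICAO 9303 check digit on the document number). OCR is plugged in through pytesseract and Pillow when they are installed. The in-memory “share” and its files are constructed; the identity code is the official documentation example, and the MRZ line is made up with a valid check digit.

```python
"""Pattern scanner for personal data in text extracted from files, including
OCR output from scanned images. Constructed example, not GDPR Tech's tooling."""
import re
from datetime import date
from typing import Callable, Dict, List, Tuple

# Finnish personal identity code (henkilotunnus): DDMMYY S NNN C
# S = century separator ('+' 1800s, '-' 1900s, 'A' 2000s); C = check character.
# Assumption: the additional separators introduced in 2023 are not handled here.
HETU_RE = re.compile(
    r"(?<![0-9A-Z])(\d{2})(\d{2})(\d{2})([+\-A])(\d{3})([0-9ABCDEFHJKLMNPRSTUVWXY])(?![0-9A-Z])"
)
HETU_CHECK = "0123456789ABCDEFHJKLMNPRSTUVWXY"  # index = DDMMYYNNN mod 31
HETU_CENTURY = {"+": 1800, "-": 1900, "A": 2000}

# ICAO 9303 TD3 (passport) MRZ, second line: 9-char document number, its
# check digit, 3-letter nationality, then the remaining 31 characters.
MRZ_LINE2_RE = re.compile(r"(?<![A-Z0-9<])([A-Z0-9<]{9})(\d)[A-Z<]{3}[A-Z0-9<]{31}(?![A-Z0-9<])")


def hetu_is_valid(code: str) -> bool:
    """True only if the date is real and the check character matches."""
    m = HETU_RE.fullmatch(code.upper())
    if not m:
        return False
    dd, mm, yy, sep, nnn, check = m.groups()
    try:
        date(HETU_CENTURY[sep] + int(yy), int(mm), int(dd))
    except ValueError:
        return False
    return HETU_CHECK[int(dd + mm + yy + nnn) % 31] == check


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating; A-Z = 10-35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        value = int(ch) if ch.isdigit() else 0 if ch == "<" else ord(ch) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return total % 10


Finding = Tuple[str, str, str]  # (file path, pattern name, redacted value)


def scan_text(path: str, text: str) -> List[Finding]:
    """Report validated identifiers separately from look-alikes so the analyst
    can prioritise; the report itself never carries the full identifier."""
    findings: List[Finding] = []
    upper = text.upper()
    for m in HETU_RE.finditer(upper):
        code = m.group(0)
        name = "FI-hetu" if hetu_is_valid(code) else "FI-hetu-lookalike"
        findings.append((path, name, "******" + code[6] + "***" + code[10]))
    for m in MRZ_LINE2_RE.finditer(upper):
        docno, check = m.group(1), m.group(2)
        name = "MRZ-TD3" if mrz_check_digit(docno) == int(check) else "MRZ-TD3-lookalike"
        findings.append((path, name, docno[:2] + "*******"))
    return findings


def extract_text(path: str, blob: bytes) -> str:
    """Text extractor. Images go through OCR when pytesseract and Pillow are
    installed; otherwise they yield no text, which must be reported as an
    unscanned gap rather than as a clean result."""
    if path.lower().endswith((".png", ".jpg", ".jpeg", ".tif", ".tiff")):
        try:
            import io
            import pytesseract
            from PIL import Image
        except ImportError:
            return ""
        return pytesseract.image_to_string(Image.open(io.BytesIO(blob)))
    return blob.decode("utf-8", errors="replace")


def scan_corpus(files: Dict[str, bytes],
                extract: Callable[[str, bytes], str] = extract_text) -> List[Finding]:
    """Scan every file in the corpus; on a real share, walk the directory tree."""
    findings: List[Finding] = []
    for path, blob in files.items():
        findings.extend(scan_text(path, extract(path, blob)))
    return findings


# Constructed sample "share" (in-memory stand-in for the M: drive). The hetu is the
# official documentation example; the MRZ line is made up with a valid check digit.
SAMPLE_FILES: Dict[str, bytes] = {
    "M:/common/hr/onboarding_2019.txt": b"Employee: M. Meikalainen, hetu 131052-308T, start 2019-03-01",
    "M:/common/scans/passport_ocr.txt": (
        b"P<IRLDOE<<JANE" + b"<" * 30 + b"\n"
        + b"XA12345679IRL8001014F3001019" + b"<" * 14 + b"04\n"
    ),
    "M:/common/finance/invoice_4711.txt": b"Order ref 131052-308X, amount 1200 EUR",  # check char fails
    "M:/common/it/readme.txt": b"Nothing personal here: build 20191231-001",
}

if __name__ == "__main__":
    for path, name, value in scan_corpus(SAMPLE_FILES):
        print(f"{name:20} {value:12} {path}")
```

Two design points matter at the scale of millions of files. First, a bare regex for DDMMYY-NNNC fires on order numbers and build identifiers, so the check character and date validation are what keep the finding list reviewable; look-alikes are still listed, but separately. Second, an image that produced no OCR text has not been cleared, it has been skipped, and the report should say so, because poor scan quality is exactly the case the paragraph above warns about.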

Our standardised assessment, Dark Data Assessment – DDA 4D, can help you find and secure your image files. Ask for more information on how to identify possible risk areas in your unstructured data environment and lower your risks! Keep in mind that DDA 4D also offers other benefits, such as saving storage and backup capacity.

Keep your data safe – Order Dark Data Assessment now!

#DDA #DarkDataAssessment #GDPR

GDPR Start Package

GDPR Start Package released

The GDPR (General Data Protection Regulation) Start Package has now been released in English too! Our GDPR Start Package is targeted at small to mid-size companies to help them start their GDPR journey.

The package helps the company understand the requirements of GDPR and offers help with the first steps towards GDPR compliance. The GDPR Start Package also offers training and certification in GDPR awareness.

Prepare your organization for the EU General Data Protection Regulation (EU GDPR) with easy to implement steps

The EU General Data Protection Regulation, GDPR, will come into effect on 25 May 2018 after a two-year transition period. All organisations and companies that process personal data of individuals in the EU fall under the regulation.

The path to GDPR compliance is different in every organisation. We want to help our customers understand the requirements of the EU General Data Protection Regulation and make it possible to meet those requirements in practice. We offer data management tools, information security services and a variety of courses and trainings, so that meeting the requirements is as easy as possible.

By following these three simple steps, you can quickly ramp up your GDPR readiness:

Knowledge of GDPR is key

From awareness for key persons to deeper knowledge: educate your staff about GDPR at any level via e-learning or classroom courses.

Regulation is about data

Know where your data is, so get a grip on your data flows with the “Data Flow Mapping Tool”.

Assure your GDPR readiness

Document your efforts and plan the changes that may be required to become compliant; an organised documentation toolkit accelerates your effort.

Data flow mapping tool

Gain full visibility over the flow of personal data through your organization to meet the terms of the EU General Data Protection Regulation (GDPR).

The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred. The Data Flow Mapping Tool is a cloud-based application, licensed for up to five users, and can be accessed via any compatible browser.

GDPR Documentation Toolkit

Accelerate your GDPR compliance implementation project with the market-leading EU GDPR Documentation Toolkit used by hundreds of organizations worldwide, now with significant improvements and new content for summer 2017:

• A complete set of easy-to-use and customizable documentation templates, which will save you time and money, and ensure compliance with the GDPR.

• Easy-to-use dashboards and project tools to ensure complete coverage of the GDPR.

• Direction and guidance from expert GDPR practitioners.

• Includes two licenses for the GDPR Staff Awareness E-learning Course.

Certified GDPR Foundation Distance Learning Training Course and Exam

Be ready for the GDPR by developing your knowledge of it with an accredited qualification. Learn in your own time and at your own pace about the Regulation and the implications and legal requirements for organizations. The GDPR Foundation qualification is a prerequisite for the GDPR Practitioner course.

• Duration: Six modules with a total course length of three hours – learn in your own time as your schedule allows.

• Format: Distance learning – save time and costs by accessing this recorded session from anywhere in the world whenever it suits you.

• Includes a complimentary copy of EU GDPR – A Pocket Guide.

GDPR Staff Awareness E-learning Course

This simple-to-use interactive modular e-learning programme for employees introduces the new GDPR and the key compliance obligations for organisations.

A key component of any organisation’s GDPR compliance framework is staff awareness and education. With significant fines for non-compliance from May 2018, it is essential that your staff have an understanding of the compliance requirements under the new regulation. The course includes:

• Web based course of EU GDPR

• Assessment module for testing your knowledge, which can be retaken until passed

• Printable certificate for all learners who pass the test.

You may ask about customisation options and volume discounts.

Please do not hesitate to ask about our other GDPR services! We are always happy to help you!