This document discusses the role of technology in data protection and GDPR compliance. It argues that technology has historically been both the cause of data protection issues as well as the solution, but technologies have not always been designed with data protection in mind. The GDPR will require organizations to critically examine their technologies and ensure they have the capabilities needed to comply with principles like data minimization, individual rights to access and erasure, and security. Organizations need to understand how personal data flows through their systems and assess technology risks in order to design systems that protect privacy by default. Failure to address technology issues could lead to regulatory fines and litigation under the GDPR.
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final (Dr. Donald Macfarlane)
The document summarizes an IBM breakfast briefing on data protection, security, and regulatory updates. The briefing covered the changing EU General Data Protection Regulations and implications for organizations, including increased fines for noncompliance. It also discussed privacy rights for individuals, such as the "right to be forgotten" and access to their own data. The briefing addressed how analytics can help adhere to new rules and regulations.
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz... (Cédric Laurant)
Cédric Laurant: Presentation at the SecureWorld Web Conference: "Incident Response: Clean Up on Aisle Nine" (29 Nov. 2012)
Presentation can be downloaded at http://cedriclaurant.com/about/presentations/, http://blog.cedriclaurant.org and http://security-breaches.com.
Research on Legal Protection of Data Rights of E-Commerce Platform Operators (YogeshIJTSRD)
With the advent of the era of big data, the utilization rate of data in business activities is getting higher and higher, the competition is also getting bigger and bigger, and the disputes about data among operators of e-commerce platforms are also increasing. At present, there is a relative lack of laws and regulations on the data rights and interests of e-commerce platform operators in China. E-commerce platform operators do not have specific and in-depth clarity on data collation, collection and processing, which is not comprehensive. With the rapid development of big data in European and American countries in the 20th century, the corresponding laws and regulations and theoretical academic research also appeared. China can study the similarities, which has great reference significance for the development of big data and the improvement of laws and regulations in China. This paper will investigate and study the data rights and interests of e-commerce platform operators, and deeply analyze the characteristics, attributes, protection mode and basic principles of data rights and interests, especially the legal regulation of e-commerce platform operators' data rights and interests. Combined with the law of e-commerce, the law of data security, the law of network security, the law of personal information protection and other relevant legal theories, this paper analyzes the data rights and interests of e-commerce platform operators, discusses the legal protection and implementation practice of the data rights and interests, and puts forward some countermeasures to improve the legislation, law enforcement and judicial protection. For the boundary coordination between operator data and user data of e-commerce platforms, this paper analyzes and divides the boundary, and puts forward relevant improvement countermeasures.
China needs to speed up the improvement of legislation protecting e-commerce platform operators' data rights and interests, and improve the regulation of e-commerce platform operators' unfair competition behavior. It should improve the legal regulation of data monopoly by e-commerce platform operators, bring enterprise data into the adjustment scope of anti-monopoly law, and investigate the legal responsibility after data monopoly. The data rights of the operators of e-commerce platforms should be given clearly, and the allocation of data legal liability of operators of e-commerce platforms should be improved. Changjun Wu | Wenyu Wei, "Research on Legal Protection of Data Rights of E-Commerce Platform Operators", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-5, August 2021, URL: https://www.ijtsrd.com/papers/ijtsrd44955.pdf Paper URL: https://www.ijtsrd.com/management/law-and-management/44955/research-on-legal-protection-of-data-rights-of-ecommerce-platform-operators/changjun-wu
Privacy through Anonymisation in Large-scale Socio-technical Systems: The BIS... (Andrea Omicini)
Large-scale socio-technical systems (STS) inextricably interconnect individual issues (e.g., the right to privacy), social issues (e.g., the effectiveness of organisational processes), and technology issues (e.g., the software engineering process). As a result, the design of the complex software infrastructure also involves non-technological aspects such as the legal ones, so that, e.g., law-abidingness can be ensured from the early stages of the software engineering process. By focussing on contact centres (CC) as relevant examples of knowledge-intensive STS, we elaborate on the articulate aspects of anonymisation: there, individual and organisational needs clash, so that only an accurate balancing between legal and technical aspects could possibly ensure system efficiency while preserving the individual right to privacy. We discuss first the overall legal framework, then the general theme of anonymisation in CC. Finally we overview the technical process developed in the context of the BISON project.
Project presentation @ DMI, Università di Catania, Italy, 25 July 2016
This document discusses several legal issues related to technology. It identifies data security, privacy concerns with big data, and evolving contract and licensing issues with cloud computing as significant concerns. It also notes challenges around compliance with open source licenses, liability for mobile payments, risks of social media use, regulation of virtual currencies, and responsibility for remote automation and control technologies.
The integration of legal aspects in Information Security: Is your organisatio... (Rabelani Dagada)
Paper presented during the Institute for International Research's IT Risk Management Conference, 10, 11 & 12 November 2010, IIR Conference Centre, Rosebank, Johannesburg
Information governance a_necessity_in_to (Anne ndolo)
1) Information governance is becoming a necessity for businesses today as they operate in an environment dominated by information. IG helps businesses improve operations, compliance, risk management, and customer service.
2) Implementing IG presents challenges for businesses, including issues with roles and responsibilities, policy implementation, information security, and compliance. Flexible IG systems and automated information management can help address these challenges.
3) Measuring the effectiveness of IG policies through evaluation allows businesses to ensure objectives are met and policies remain up to date with changing needs. Flexible policies that involve employees lead to more effective long-term governance.
The document summarizes key aspects of the upcoming EU General Data Protection Regulation (GDPR) as it relates to software development:
- The GDPR defines what organizations must do with personal data, but not how to implement it technically. Guidelines provide high-level principles like "privacy by design" but not specific tools or processes.
- To comply, developers must consider privacy throughout the design process using methods like data minimization, access controls, and encryption. Organizations must also be able to demonstrate and ensure ongoing compliance, such as through documentation and audits.
- The GDPR places new obligations on data controllers and processors around security, impact assessments, subcontractors, access requests, and accountability. While
Organizations face increasing privacy challenges in 2011 due to factors such as:
1) Stricter privacy regulations and enforcement globally, with regulators planning expanded reach and tougher penalties.
2) Additional data breach notification requirements being adopted worldwide, requiring organizations to adapt processes.
3) Growing emphasis on governance, risk and compliance initiatives to better integrate privacy monitoring and reduce redundancies.
4) Issues around use of cloud computing and mobile devices, requiring organizations to implement controls over personal data use by third parties.
Overall organizations need robust strategies to proactively address evolving privacy requirements across diverse jurisdictions.
In this webinar, GDPR expert Richard Hogg answers the following questions:
What will the GDPR mean for my organization?
Where do I start on the journey to compliance?
What tools and technology are available to help?
Attendees: Operations, Finance, Compliance, Governance, IT
https://www.integro.com/recorded-webinar/nov-17-2016-gdpr
The document discusses the General Data Protection Regulation (GDPR) which will replace data protection laws in the EU in May 2018. It will fundamentally change how companies manage personal data, imposing fines up to 20 million Euros for noncompliance. The document outlines key terms like personal data, sensitive personal data, data controllers and processors. It provides questions companies should ask themselves to assess readiness and an example roadmap for a company to implement a GDPR compliance program.
1. The document discusses the NIST Framework for improving critical infrastructure cybersecurity that was mandated by an Executive Order from President Obama. It outlines the development process for the Framework, which included input from various industries.
2. The Framework takes a risk-based approach and includes five cybersecurity functions along with implementation levels. It references existing cybersecurity standards and guidelines.
3. Privacy concerns were addressed through a subgroup that conducted the first SmartGrid privacy impact assessment. Recommendations included transparency, privacy impact assessments, and training for workers with access to personal information.
EU General Data Protection: Implications for Smart Metering (nuances)
This presentation provides the reader with an insight into the politics of EU Data protection as well as an overview of the key stakeholders. We focus on the implication for the smart metering industry.
This document discusses Google's collection and use of personal data through its various products and services. While Google claims to "do no evil", its vast data processing raises legal and ethical concerns regarding individual privacy and rights. States have struggled to regulate corporations like Google to balance privacy protections with allowing for innovation. The author aims to analyze different regulatory models and how states and regional regimes have addressed issues around personal data protection during processing by large technology companies.
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019... (IDC4EU)
This is the slide-deck of the community event held on November 14, 2019 in Brussels, titled "Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019". It includes the presentations given by the speakers.
The Case of Trade Secrets and Database Sui Generis Right in Marketing Operations, and the Ownership of Raw Data in Big Data Analysis
Paper presented at the Max Planck Institute's conference "Personal data in competition, consumer protection and IP law Towards a holistic approach?", held on 21 October 2016
The document discusses several issues related to e-commerce and ICANN's jurisdiction. It notes that e-commerce occurs above the infrastructure layer and can involve various online business and information activities. It also discusses why emerging legal and regulatory frameworks are important as they impact online operations and the continued development of e-commerce. Several specific issues are examined, including authentication, privacy/data protection, copyright, content regulation, and cybercrime. The document concludes that many industries, opportunities, and consumers are impacted and challenges exist to avoid inconsistent laws and policies while balancing technical realities.
What's Next - General Data Protection Regulation (GDPR) Changes (Ogilvy Consulting)
The General Data Protection Regulation is the biggest change to the law on data in years. This webinar features Vicky Brown, Deputy General Counsel at WPP, and Paul King, Head of Data at OgilvyOne, discussing what it is, why it matters and what companies are doing.
GDPR and personal data protection in EU research projects (Lorenzo Mannella)
This 20-minute presentation provides participants with a case study on data protection issues exposed by research partners awarded a fictional Horizon 2020/Horizon Europe grant. Participants will follow the work of data controllers and processors committed to handling and storing personal data of EU and non-EU citizens for research purposes.
Participants will be engaged to evaluate the compliance of research activities with the General Data Protection Regulation (GDPR), which defines principles relating to processing of personal data, the lawfulness of such processing and modalities to ensure transparent information, communication and rights of the data subjects.
Rules and best practices in data processing are part of the essential toolbox for Research Managers and Administrators, answering the growing call for GDPR compliance along with Data Protection Officers. Beyond understanding the accountability and privacy by design and by default principles, professionals are testing themselves against the constant updates of data protection guidelines from the European Data Protection Board.
This session is targeted to an audience of intermediate level, aware of the topic of data protection/GDPR and willing to engage with other professionals on a case study analysis. The session will benefit from a short Q&A and a follow-up survey to gather best practices in data management put in place by participants in their day-to-day work.
Wsgr eu data protection briefing march 20 2013 - final (Valentin Korobkov)
1. The document outlines a presentation given in Moscow on the European Union's privacy and data protection legal framework.
2. It provides an overview of the key EU directives and regulations governing privacy, including the upcoming EU Data Protection Regulation, and discusses the regulatory approach of focusing on individuals' rights and informational self-determination.
3. The presentation also examines issues around implementing privacy compliance in practice and focuses on selected issues like secrecy of communications, user identification, and security requirements.
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance (Rapid7)
Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and financial information. With over 127 million records exposed in 2007 in the US alone, attacks are becoming increasingly sophisticated. Learn more about best practices to protect the cardholder data environment and achieve PCI compliance.
For more information visit https://brightpay.co.uk
All organisations, regardless of size, will have had to introduce or update existing policies regarding personal data in order to comply with the new regulations.
This webinar will look at the GDPR, how it may affect your business and what we have learned from the GDPR 5 months on. We will also have a look at how BrightPay can help your organisation utilise the new regulations for the benefit of you, your customers and your employees.
Essentially, GDPR is an overhaul of the way we process, manage and store individuals’ personal data, and that includes your employees’ personal payroll and HR information. We will take you through the impact of GDPR on your payroll processing, highlighting the biggest areas of concern including emailing payslips, employee consent and your legal obligations with regards to payroll, HR and Employment law.
The webinar will include a demonstration of how our BrightPay Connect add-on can help you work towards GDPR compliance by offering remote online access to accountants, employers and employees. We will take a brief look at our Bright Contracts software, which as well as providing the user with the facility to create and customise Contracts of Employment and Company Handbooks, now has a new feature which enables the user to create an Employee Privacy Policy which is a requirement under GDPR.
We will also unveil our new timesheet rapid input feature. Our exciting new timesheet feature directly connects to the BrightPay payroll and allows clients to import timesheet hours from a CSV or directly input hours for each employee on the BrightPay Connect employer dashboard. For accountants and payroll bureaus, clients can easily use the timesheet upload for rapid input of employees’ hours, eliminating possible errors. The timesheet feature also allows bureaus to easily run the payroll before sending it back to your payroll client for final approval and validation.
The document discusses considerations for complying with the General Data Protection Regulation (GDPR) which takes effect in May 2018. It provides an overview of key GDPR aspects like penalties, timescales, and principles of lawful processing. An ideal approach is presented which involves understanding current gaps, prioritizing remediation, and maintaining compliance over time with tools and regular reviews. Common issues organizations face are also outlined, such as ineffective training and not properly identifying all data workflows. The last section discusses how technology from 3GRC can help streamline GDPR compliance through automated surveys, risk management, and progress monitoring.
Social business software is all about sharing content and data in a “collaborative” way to identify internal or external experts. Most of this data must be considered personal data, i.e. data related to an individual person.
Implementing social business technologies in enterprises often leads to discussions with data protection supervisors about how to comply with EU data protection law. This discussion gets even more challenging if you consider using social business applications in “the cloud”, which might be the only choice in the near future due to IBM’s “Cloud First” or Microsoft’s “Cloud only” delivery model.
This session will give you an overview
- of EU data protection regulations
- of their implications for using social business systems
- of special considerations for using cloud-based social business systems
According to analysts, the Higher Education sector is the most breached of any industry. This white paper outlines key reasons why universities are more affected by security issues and how they can better prepare themselves to address IT security and vulnerability management challenges.
20150630_D6 1_Legal and Ethical Framework and Privacy and Security Principles (Lisa Catanzaro)
This document provides an overview of the legal and ethical framework for the WITDOM project, which involves processing personal data in untrusted cloud environments. It discusses key European data protection and cybersecurity legislation and their application to new computing environments. Specifically, it examines the 1995 EU Data Protection Directive, the proposed General Data Protection Regulation, and the 2013 Network and Information Security Directive. It also assesses ethical guidelines to support human values like privacy, security and justice. The document identifies legal issues, principles and potential requirements or barriers to managing and protecting personal data in untrusted domains.
GDPR - Get the facts and prepare your business (Mark Baker)
The GDPR will become law on May 25, 2018 and requires any organization that collects or processes personal data from EU citizens to comply with new privacy regulations. It mandates breach reporting within 72 hours of discovery and fines of up to 20 million euros for noncompliance. It also introduces the principle of "data protection by design" which requires privacy to be built into new systems and processes from the start. To prepare, organizations need to review technologies and processes for breach detection and reporting, and make privacy protections a fundamental part of their operations and systems.
This document provides an overview of consumer healthtech and discusses the personal information it collects and processes. It notes that consumer healthtech includes wearable devices and apps that track health metrics. It states these technologies collect sensitive data like heart rate, sleep quality, and potentially biomarkers from tears or sweat. The document discusses how this data is initially collected locally by devices but then sent to cloud servers for further processing using AI. It notes potential privacy risks if this health data is leaked, used for unsuitable purposes, or to make inappropriate health decisions about individuals.
The document summarizes key aspects of the upcoming EU General Data Protection Regulation (GDPR) as it relates to software development:
- The GDPR defines what organizations must do with personal data, but not how to implement it technically. Guidelines provide high-level principles like "privacy by design" but not specific tools or processes.
- To comply, developers must consider privacy throughout the design process using methods like data minimization, access controls, and encryption. Organizations must also be able to demonstrate and ensure ongoing compliance, such as through documentation and audits.
- The GDPR places new obligations on data controllers and processors around security, impact assessments, subcontractors, access requests, and accountability. While
Organizations face increasing privacy challenges in 2011 due to factors such as:
1) Stricter privacy regulations and enforcement globally, with regulators planning expanded reach and tougher penalties.
2) Additional data breach notification requirements being adopted worldwide, requiring organizations to adapt processes.
3) Growing emphasis on governance, risk and compliance initiatives to better integrate privacy monitoring and reduce redundancies.
4) Issues around use of cloud computing and mobile devices, requiring organizations to implement controls over personal data use by third parties.
Overall organizations need robust strategies to proactively address evolving privacy requirements across diverse jurisdictions.
n this webinar, GDPR expert, Richard Hogg, answers the following questions:
What will the GDPR mean for my organization?
Where do I start on the journey to compliance?
What tools and technology are available to help?
Attendees: Operations, Finance, Compliance, Governance, IT
https://www.integro.com/recorded-webinar/nov-17-2016-gdpr
The document discusses the General Data Protection Regulation (GDPR) which will replace data protection laws in the EU in May 2018. It will fundamentally change how companies manage personal data, imposing fines up to 20 million Euros for noncompliance. The document outlines key terms like personal data, sensitive personal data, data controllers and processors. It provides questions companies should ask themselves to assess readiness and an example roadmap for a company to implement a GDPR compliance program.
1. The document discusses the NIST Framework for improving critical infrastructure cybersecurity that was mandated by an Executive Order from President Obama. It outlines the development process for the Framework, which included input from various industries.
2. The Framework takes a risk-based approach and includes five cybersecurity functions along with implementation levels. It references existing cybersecurity standards and guidelines.
3. Privacy concerns were addressed through a subgroup that conducted the first SmartGrid privacy impact assessment. Recommendations included transparency, privacy impact assessments, and training for workers with access to personal information.
EU General Data Protection: Implications for Smart Meteringnuances
This presentation provides the reader with an insight into the politics of EU Data protection as well as an overview of the key stakeholders. We focus on the implication for the smart metering industry.
This document discusses Google's collection and use of personal data through its various products and services. While Google claims to "do no evil", its vast data processing raises legal and ethical concerns regarding individual privacy and rights. States have struggled to regulate corporations like Google to balance privacy protections with allowing for innovation. The author aims to analyze different regulatory models and how states and regional regimes have addressed issues around personal data protection during processing by large technology companies.
Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019...IDC4EU
This is the slide-deck of the community event held on November 14, 2019 in Brussels, titled "Beyond Privacy: Learning Data Ethics - European Big Data Community Forum 2019". It includes the presentations given by the speakers.
The Case of Trade Secrets and Database Sui Generis Right in Marketing Operations, and the Ownership of Raw Data in Big Data Analysis
Paper presented at the Max Planck Institute's conference "Personal data in competition, consumer protection and IP law Towards a holistic approach?", held on 21 October 2016
The document discusses several issues related to e-commerce and ICANN's jurisdiction. It notes that e-commerce occurs above the infrastructure layer and can involve various online business and information activities. It also discusses why emerging legal and regulatory frameworks are important as they impact online operations and the continued development of e-commerce. Several specific issues are examined, including authentication, privacy/data protection, copyright, content regulation, and cybercrime. The document concludes that many industries, opportunities, and consumers are impacted and challenges exist to avoid inconsistent laws and policies while balancing technical realities.
What's Next - General Data Protection Regulation (GDPR) Changes, by Ogilvy Consulting
The General Data Protection Regulation is the biggest change to the law on data in years. This webinar features Vicky Brown, Deputy General Counsel at WPP, and Paul King, Head of Data at OgilvyOne discussing what it is, why it matters and what companies are doing.
GDPR and personal data protection in EU research projects, by Lorenzo Mannella
This 20-minute presentation provides participants with a case study on data protection issues exposed by research partners awarded a fictional Horizon 2020/Horizon Europe grant. Participants will follow the work of the data controller and processors, committed to handling and storing personal data of EU and non-EU citizens for research purposes.
Participants will be engaged to evaluate the compliance of research activities with the General Data Protection Regulation (GDPR), which defines principles relating to processing of personal data, the lawfulness of such processing and modalities to ensure transparent information, communication and rights of the data subjects.
Rules and best practices in data processing are part of the essential toolbox for Research Managers and Administrators, answering the growing call of GDPR compliance along with Data Protection Officers. Beyond the understanding of accountability, privacy by design and by default principles, professionals are testing themselves with the constant update of data protection guidelines from the European Data Protection Board.
This session is targeted at an intermediate-level audience, aware of the topic of data protection/GDPR and willing to engage with other professionals on a case study analysis. The session will benefit from a short Q&A and a follow-up survey to gather best practices in data management put in place by participants in their day-to-day work.
Wsgr eu data protection briefing march 20 2013 - final, by Valentin Korobkov
1. The document outlines a presentation given in Moscow on the European Union's privacy and data protection legal framework.
2. It provides an overview of the key EU directives and regulations governing privacy, including the upcoming EU Data Protection Regulation, and discusses the regulatory approach of focusing on individuals' rights and informational self-determination.
3. The presentation also examines issues around implementing privacy compliance in practice and focuses on selected issues like secrecy of communications, user identification, and security requirements.
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance, by Rapid7
Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and financial information. With over 127 million records exposed in 2007 in the US alone, attacks are becoming increasingly more sophisticated. Learn more about best practices to protect the cardholder data environment and achieve PCI compliance.
For more information visit https://brightpay.co.uk
All organisations, regardless of size, will have had to introduce or update existing policies regarding personal data in order to comply with the new regulations.
This webinar will look at the GDPR, how it may affect your business and what we have learned from the GDPR 5 months on. We will also have a look at how BrightPay can help your organisation utilise the new regulations for the benefit of you, your customers and your employees.
Essentially, GDPR is an overhaul of the way we process, manage and store individuals' personal data, and that includes your employees' personal payroll and HR information. We will take you through the impact of GDPR on your payroll processing, highlighting the biggest areas of concern including emailing payslips, employee consent and your legal obligations with regards to payroll, HR and Employment law.
The webinar will include a demonstration of how our BrightPay Connect add-on can help you work towards GDPR compliance by offering remote online access to accountants, employers and employees. We will take a brief look at our Bright Contracts software, which as well as providing the user with the facility to create and customise Contracts of Employment and Company Handbooks, now has a new feature which enables the user to create an Employee Privacy Policy which is a requirement under GDPR.
We will also unveil our new timesheet rapid input feature. Our exciting new timesheet feature directly connects to the BrightPay payroll and allows clients to import timesheet hours from a CSV or directly input hours for each employee on the BrightPay Connect employer dashboard. For accountants and payroll bureaus, clients can easily use the timesheet upload for rapid input of employees' hours, eliminating possible errors. The timesheet feature also allows bureaus to easily run the payroll before sending it back to the payroll client for final approval and validation.
The document discusses considerations for complying with the General Data Protection Regulation (GDPR) which takes effect in May 2018. It provides an overview of key GDPR aspects like penalties, timescales, and principles of lawful processing. An ideal approach is presented which involves understanding current gaps, prioritizing remediation, and maintaining compliance over time with tools and regular reviews. Common issues organizations face are also outlined, such as ineffective training and not properly identifying all data workflows. The last section discusses how technology from 3GRC can help streamline GDPR compliance through automated surveys, risk management, and progress monitoring.
Social business software is all about sharing content and data in a “collaborative” way to identify internal or external experts. Most of this data must be considered personal data, since it relates to an individual person.
Implementing social business technologies in enterprises often leads to discussions with data protection supervisors about how to be compliant with EU data protection law. This discussion gets even more challenging if you consider using social business applications in “the cloud”, which might be the only choice in the near future due to IBM's “Cloud First” or Microsoft's “Cloud only” delivery model.
This session will give you an overview
- about EU data protection regulations
- its implications for using social business systems
- special considerations for using cloud based social business systems
According to Analysts, the Higher Education sector is the most breached of any industry. This white paper outlines key reasons why universities are more affected by security issues and how they can better prepare themselves to address IT security and vulnerability management challenges.
20150630_D6 1_Legal and Ethical Framework and Privacy and Security Principles, by Lisa Catanzaro
This document provides an overview of the legal and ethical framework for the WITDOM project, which involves processing personal data in untrusted cloud environments. It discusses key European data protection and cybersecurity legislation and their application to new computing environments. Specifically, it examines the 1995 EU Data Protection Directive, the proposed General Data Protection Regulation, and the 2013 Network and Information Security Directive. It also assesses ethical guidelines to support human values like privacy, security and justice. The document identifies legal issues, principles and potential requirements or barriers to managing and protecting personal data in untrusted domains.
GDPR- Get the facts and prepare your business, by Mark Baker
The GDPR will become law on May 25, 2018 and requires any organization that collects or processes personal data from EU citizens to comply with new privacy regulations. It mandates breach reporting within 72 hours of discovery and fines of up to 20 million euros for noncompliance. It also introduces the principle of "data protection by design" which requires privacy to be built into new systems and processes from the start. To prepare, organizations need to review technologies and processes for breach detection and reporting, and make privacy protections a fundamental part of their operations and systems.
This document provides an overview of consumer healthtech and discusses the personal information it collects and processes. It notes that consumer healthtech includes wearable devices and apps that track health metrics. It states these technologies collect sensitive data like heart rate, sleep quality, and potentially biomarkers from tears or sweat. The document discusses how this data is initially collected locally by devices but then sent to cloud servers for further processing using AI. It notes potential privacy risks if this health data is leaked, used for unsuitable purposes, or to make inappropriate health decisions about individuals.
The document discusses the GDPR requirements for data masking and pseudonymization. It provides context on the GDPR and how it aims to update privacy laws for a modern, digital world. The GDPR introduces legal definitions for pseudonymization, which refers to approaches like data masking that secure personal data in a way that indirect identities are still protected. It highlights how data masking technologies can help companies comply with the GDPR while maintaining data quality for analysis. Companies that fail to implement appropriate measures like pseudonymization could face fines up to 4% of global turnover under the GDPR.
Deloitte the case for disruptive technology in the legal profession 2017 Ian Beckett
1. The document discusses how disruptive technologies like artificial intelligence, big data, blockchain, and cloud computing are transforming the legal profession. These technologies increase efficiency, reduce costs, and create new areas of practice.
2. However, many legal professionals have been slow to adopt these technologies. For example, only 38% of lawyers currently use cloud computing. Those who do not learn to harness new technologies risk becoming obsolete as the industry changes.
3. The technologies are reshaping the business model of law firms. Jobs like basic document review that can be automated will disappear, reducing the need for junior lawyers. The firms of the future will have leaner workforces and draw talent from new disciplines like technology.
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP, by MalikPinckney86
Running head: THE IMPACT OF GDPR IN IT POLICY 1
The Impact of GDPR In IT Policy
Submitted To
Dr. Donnie Grimes
University of the Cumberlands
Submitted in Fulfillment of Research Paper
Information Technology in Global Economy (ITS-832-22)
Submitted By
Group # 7
Amarender Reddy Chada
Ramu Chilukuri
Mittal Patel
Manoj Kumar Peddarapu
Abstract
The current rapid transformation within the world of I.T. is posing a threat not only to personal information but to all sectors associated with I.T. Management of essential data is the factor that organizations, business firms, and government agencies are struggling with daily. As organizations strive to ensure that there is complete protection of data during the storage and sharing process, hackers are also working around the globe to create new ways through which they can breach the data protection servers. The disclosure of vital data from one point to another is a systematic process that must be regulated at all costs, because if the data gets compromised, the outcomes are severe. This paper analyses the impacts of GDPR on I.T. policy around the world through an evaluation of several peer-reviewed articles on GDPR.
Keywords: GDPR, Privacy, Cybersecurity, emerging technologies.
Introduction
The process of disclosing data from various agencies ought to state the purpose of the data and the duration for which it will be used. When sharing critical data with a third party, it is vital to assess the channels through which the data flows. Business firms and public authorities that actively operate by systematic processing of data have to appoint a DPO (data protection officer). Having control of personal data is key to ensuring that the data is shared only with the relevant people. With the rising cases of cyber threats and the selling of personal data through the dark web, keeping track of your personal information is your full responsibility. Relevant authorities only come in to assist when the data compromise is critical and poses a security threat to other sectors. The primary obligation of GDPR is to ensure that people have control of their most essential data. GDPR achieves this control by establishing a regulated environment for data.
Articles analysis on GDPR
In the article (Cornock, 2018), Cornock systematically analyzes the primary impacts of GDPR on various research institutions and on actual research activities within various sectors, such as the I.T. and medical sectors. According to the article, there are still several debates on how GDPR is going to affect research in various sectors, from the I.T. sector to the business and marketing sectors, not just within the European Union but around the globe. Most of the arguments on GDPR look at the regulation as a potential obstacle to a world of free information sharing. Many people are still not aware of the actual implications that both the E.U. and the world ...
What is GDPR, the EU's new data protection law? Europe's new data privacy and security regulation consists of many pages' worth of new requirements for organizations around the world. This GDPR summary can help you understand the law and determine which parts of it apply to you. The General Data Protection Regulation (GDPR) is the toughest privacy and security regulation in the world.
How Does the ePrivacy Regulation and General Data Protection, by Shield
Check out this slide to learn about the ePrivacy Regulation and the General Data Protection Regulation. Do their implications bring more challenges to financial industries and communications compliance? Go through this slide for full info or visit this link: https://bit.ly/3nxlwLW
The Evolution of Data Privacy: 3 things you didn’t know, by Symantec
The European Union’s proposed General Data Protection Regulation (GDPR) has left even the most informed confused. This new regulation has been designed to update the current directive which was drafted in a time that was in technology terms, prehistoric. It’s time to evolve.
The Evolution of Data Privacy - A Symantec Information Security Perspective o..., by Symantec
The European Union’s proposed General Data Protection Regulation (GDPR) has left even the most informed confused. This new regulation is designed to update the current legislation which was drafted in a time that was, in technology terms, prehistoric.
The Data Protection Directive, drafted back in 1995, harks back to a time when data processing was more about filing cabinets than data rack enclosures. It’s time to evolve.
The Evolution of Data Privacy: 3 Things You Need To Consider, by Symantec
The European Union’s proposed General Data Protection Regulation (GDPR) has left even the most informed confused. This new regulation has been designed to update the current directive which was drafted in a time that was, in technology terms, prehistoric. It’s time to evolve.
Can your organization afford to be fined €20 million for improperly removing customer data, as required by EU’s new General Data Protection Regulation (GDPR)? Seasoned legal and security experts from Blancco Technology Group and DLA Piper distil the legal terminology from the recently approved EU General Data Protection Regulation (GDPR) into 'how' and 'what' your organization needs to know to prepare for compliance by 2018.
The document summarizes key aspects of the General Data Protection Regulation (GDPR) taking effect in May 2018 and recommendations for organizations to comply. It outlines the GDPR's 5 main duties: rights of EU data subjects, security of personal data, lawfulness and consent, accountability of compliance, and data protection by design and default. The document recommends organizations assess risks, identify necessary policies, processes, and technologies, and leverage IBM's solutions framework and experience helping clients in various industries prepare for the GDPR.
ITCamp 2018 - Cristiana Fernbach - GDPR compliance in the industry 4.0, by ITCamp
The session will address GDPR compliance challenges in the context of industry 4.0 and will offer a deeper look into the convergence of data privacy with the digitalisation movement, where Big Data, IoT, AI and Cloud services are all depending on one thing: DATA.
For today’s digital businesses, being prepared to meet new compliance requirements when storing and managing consumer data will not only minimize risk, but also enable more valued and trusted customer experiences that drive increased loyalty, engagement and revenue. To gain better perspective on this important issue, it’s important to understand:
- The trends driving governmental regulatory shifts and the basic tenets of these new laws
- The challenges faced by executives across the enterprise when managing privacy compliance for consumer data
- The emergence of cloud-based solutions that help businesses manage privacy compliance by acting as end-to-end customer data storage and management solutions that are far more scalable and flexible than legacy systems
Configuration management is still important for companies using multi-cloud environments to gain visibility, control, and compliance over their cloud resources. Some benefits of configuration management for multi-cloud include visibility over cloud configurations and services, control over cloud resources through policies and automation, and easier transition of workloads between on-premise and cloud environments. Micro Focus provides configuration management capabilities that can discover resources in major public clouds like AWS and Azure as well as private clouds.
End-to-end data-centric encryption as a driver of the app economy, by MicroFocus Italy
Voltage SecureData provides next generation data security capabilities including format-preserving encryption (Hyper FPE), tokenization (Hyper SST), and key management. It protects data across systems and platforms with minimal impact. Hyper FPE encrypts data while preserving format and integrity. Hyper SST tokenizes sensitive data like payment card numbers. Voltage SecureData helps organizations comply with regulations, avoid breaches, and reduce audit costs through end-to-end data protection.
HPE SecureMail is an email encryption solution used in the largest secure messaging projects in the world. HPE SecureMail uses advanced, already widely tested encryption technologies, based on the principles of Next Generation PKI, capable of providing an exceptional level of security and, at the same time, an ease of use and configuration that is unrivalled among alternative mail encryption solutions. With HPE SecureMail, the most sensitive and private information can be transmitted securely by email with the same ease of use as the plaintext emails we exchange every day.
A single solution for Desktop, Web, Mobile, Cloud, Applications and Automation.
Last Thursday I went to the CEOP: Child Exploitation & Online Protection Centre workshop.
Today is Safer Internet Day 2017 and I want to share with all of you the PDF I got from CEOP and make you aware of cyberbullying and online grooming.
We HAVE TO keep our kids safe.
The Best Articles of 2016 DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLO..., by MicroFocus Italy
Article: Crypto Wars II
By Luther Martin – ISSA member, Silicon Valley Chapter
and Amy Vosters
The debate over whether or not to give US law enforcement officials the ability to decrypt encrypted messaging has recently been revisited after a twenty-year break. The results may be surprising.
The HPE SecureData Payments solution is intended to increase the security of card-present payments without impacting the buyer experience. Solutions based on HPE SecureData Payments reduce merchant risk of losing credit card data and potentially reduce the number of PCI DSS controls applicable to the retail payment environment substantially.
HPE SecureData Payments implements encryption of sensitive credit card data in point-of-interaction (POI) devices’ firmware, immediately on swipe, insertion, tap, or manual entry. Sensitive card information can only be decrypted by the solution provider, typically a payment service. Even a compromise of the point-of-sale (POS) system does not expose customers’ sensitive data.
Merchants can also realize a reduction in PCI DSS compliance scope by implementing their own HPE SecureData Payments solution.
AUDIENCE
This assessment white paper has three target audiences:
1. First, merchants using HPE SecureData Payments to create proprietary encryption solutions for card-present payments
2. The second is service providers, like processors, and payment services that are developing card-present encryption services that utilize HPE SecureData Payments
3. The third is the QSA and internal audit community that is evaluating solutions in both merchant and service provider environments using the HPE SecureData Payments solution
ASSESSMENT SCOPE
HPE contracted with Coalfire to provide an independent compliance impact review of the HPE SecureData Payments solution. The intent of this assessment was to analyze the impact on PCI DSS scope of applicable controls for merchants that implement an HPE SecureData Payments solution for their card-present sales.
Discover HPE Software
Technology and business are changing at an unprecedented rate. New ways of doing business, from streamlining processes and fast-tracking innovation to delivering amazing customer experience, all come from the convergence of IT and business strategy. But you need to be fast to win. At HPE Software we can accelerate your digital transformation.
Change is at our core. On 7 September, Hewlett Packard Enterprise announced plans for a spin-off and merger of our software business unit with Micro Focus, a global software company dedicated to delivering and supporting enterprise software solutions. The combination of HPE software assets with Micro Focus will create one of the world’s largest pure-play enterprise software companies. We will remain focused on helping you get the most out of the software that runs your business.
Discover how HPE Software can help you thrive in a world of digital transformation.
The National Cyber Security Strategy 2016 to 2021 sets out the government's p..., by MicroFocus Italy
The UK is one of the world’s leading digital nations. Much of our prosperity now depends on our ability to secure our technology, data and networks from the many threats we face.
Yet cyber attacks are growing more frequent, sophisticated and damaging when they succeed. So we are taking decisive action to protect both our economy and the privacy of UK citizens.
Our National Cyber Security Strategy sets out our plan to make Britain confident, capable and resilient in a fast-moving digital world. Over the lifetime of this five-year strategy, we will invest £1.9 billion in defending our systems and infrastructure, deterring our adversaries, and developing a whole-society capability – from the biggest companies to the individual citizen.
From the most basic cyber hygiene, to the most sophisticated deterrence, we need a comprehensive response.
We will focus on raising the cost of mounting an attack against anyone in the UK, both through stronger defences and better cyber skills. This is no longer just an issue for the IT department but for the whole workforce. Cyber skills need to reach into every profession.
The new National Cyber Security Centre will provide a hub of world-class, user-friendly expertise for businesses and individuals, as well as rapid response to major incidents.
Government has a clear leadership role, but we will also foster a wider commercial ecosystem, recognising where industry can innovate faster than us. This includes a drive to get the best young minds into cyber security.
The cyber threat impacts the whole of our society, so we want to make very clear that everyone has a part to play in our national response. It’s why this strategy is an unprecedented exercise in transparency. We can no longer afford to have this discussion behind closed doors.
Ultimately, this is a threat that cannot be completely eliminated. Digital technology works because it is open, and that openness brings with it risk. What we can do is reduce the threat to a level that ensures we remain at the vanguard of the digital revolution. This strategy sets out how.
This thesis aims to give a theoretical as well as practical overview of an emerging issue in the field of IT security named Format Preserving Encryption (FPE).

Although FPE is not new, it is relatively unknown. It is used in full-disk encryption and some other areas. Nevertheless, to this day it is unknown even to many cryptographers. Another issue that is on everyone's lips is the Internet of Things (IoT). IoT offers a whole new scope for FPE and could possibly give it a further boost.

Format Preserving Encryption is, as the name says, an encryption in which the format of the encrypted data is maintained: when a plaintext is encrypted with FPE, the ciphertext has the same format again. As illustrated on the cover page: if we encrypt the owner and the number of a credit card with AES we get an unrecognizable string. If we use FPE instead, we might get for example Paul Miller and the number 4000 0838 7507 2846. The advantage is that, for man and/or machine, nothing changes; the encryption is therefore not noticed without analysis of the data. The advantage can also become a disadvantage: from the format of the ciphertext alone, an attacker already has information about the plaintext.

This thesis starts with an introduction to Format Preserving Encryption, showing different variants of FPE. In a next step, a Java library is explained and documented, in which we have implemented some of these FPE variants. This library is designed to enable programmers to use FPE without the need for detailed knowledge of its inner workings. Then we explain, by means of a tutorial and step by step with a concrete and simple example, how a subsequent integration of FPE could look. In a final part the integration into a more complex and already widely used application is shown, an Android app called OwnTracks.

With this combination of theoretical and practical information, a broad basic knowledge of the topic should be provided, which can then serve as a basis for deciding how FPE can be used and whether its use is reasonable.
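To make the property described in the abstract concrete, here is an added example (not the thesis's Java library, and not production-grade FPE) of a toy format-preserving cipher: an alternating Feistel network over a chosen alphabet with HMAC-SHA256 as the round function. The key, the round count and the sample fields are constructed values; the standardised constructions to use in practice are NIST's FF1 and FF3-1.

```python
import hashlib
import hmac

DIGITS = "0123456789"
LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROUNDS = 10  # constructed choice, enough for the illustration


def _to_int(symbols: str, alphabet: str) -> int:
    """Positional (base-radix) value of a symbol string, most significant first."""
    radix = len(alphabet)
    value = 0
    for ch in symbols:
        value = value * radix + alphabet.index(ch)
    return value


def _from_int(value: int, width: int, alphabet: str) -> str:
    """Inverse of _to_int, left-padded to exactly `width` symbols of the alphabet."""
    radix = len(alphabet)
    out = []
    for _ in range(width):
        value, r = divmod(value, radix)
        out.append(alphabet[r])
    return "".join(reversed(out))


def _round_function(key: bytes, round_no: int, value: int, width: int, radix: int) -> int:
    """Keyed PRF (HMAC-SHA256) reduced to the value range of a `width`-symbol half."""
    # 32-byte encoding supports half-widths up to roughly 40 symbols of base 52.
    msg = bytes([round_no, width, radix]) + value.to_bytes(32, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (radix ** width)


def _feistel(key: bytes, text: str, alphabet: str, decrypt: bool) -> str:
    """Alternating Feistel network with modular addition (the FF1-style shape).

    Even rounds update the left half from the right half, odd rounds the
    reverse; decryption replays the rounds backwards with subtraction. The
    output is always the same length and alphabet as the input.
    """
    if len(text) < 2 or any(ch not in alphabet for ch in text):
        raise ValueError("input must be at least two symbols drawn from the alphabet")
    radix = len(alphabet)
    wl = len(text) // 2
    wr = len(text) - wl
    a = _to_int(text[:wl], alphabet)
    b = _to_int(text[wl:], alphabet)
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    sign = -1 if decrypt else 1
    for i in order:
        if i % 2 == 0:
            a = (a + sign * _round_function(key, i, b, wl, radix)) % radix ** wl
        else:
            b = (b + sign * _round_function(key, i, a, wr, radix)) % radix ** wr
    return _from_int(a, wl, alphabet) + _from_int(b, wr, alphabet)


def fpe_encrypt(key: bytes, text: str, alphabet: str = DIGITS) -> str:
    return _feistel(key, text, alphabet, decrypt=False)


def fpe_decrypt(key: bytes, text: str, alphabet: str = DIGITS) -> str:
    return _feistel(key, text, alphabet, decrypt=True)


def transform_field(key: bytes, field: str, alphabet: str, decrypt: bool = False) -> str:
    """Encrypt only the symbols in `alphabet`; separators such as spaces stay in place.

    This is what keeps '4000 0838 7507 2846' looking like a card number after
    encryption: the grouping is preserved and the payload is still 16 digits.
    """
    payload = "".join(ch for ch in field if ch in alphabet)
    transformed = _feistel(key, payload, alphabet, decrypt)
    it = iter(transformed)
    return "".join(next(it) if ch in alphabet else ch for ch in field)


if __name__ == "__main__":
    key = b"constructed demo key - not a real secret"  # constructed sample key
    card = "4000 0838 7507 2846"                        # number quoted in the abstract
    enc_card = transform_field(key, card, DIGITS)
    print(card, "->", enc_card)                          # still 16 digits in 4 groups
    print("round trip:", transform_field(key, enc_card, DIGITS, decrypt=True) == card)
    name = "Paul Miller"
    enc_name = transform_field(key, name, LETTERS)
    print(name, "->", enc_name)                          # still two words of letters
    # The disadvantage the abstract points out: the format itself is information.
    # An observer learns the field length and alphabet (a 16-digit card number,
    # a 4+6 letter name) without recovering a single symbol of the plaintext.
    print("leaked length:", len(enc_card.replace(" ", "")))
```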
The Business of Hacking - Business innovation meets the business of hacking (MicroFocus Italy)
Introduction

Attackers are sophisticated. They are organized. We hear these statements a lot but what do they mean to us? What does it mean to our businesses? When we dig deeper into the “business of hacking,” we see that the attackers have become almost corporate in their behavior. Their business looks a lot like ours. Cyber criminals look to maximize their profits and minimize risk. They have to compete on quality, customer service, price, reputation, and innovation. The suppliers specialize in their market offerings. They have software development lifecycles and are rapidly moving to Software as a Service (SaaS) offerings. Our businesses overlap in so many ways that we should start to look at these attackers as competitors.

This paper will explore the business of hacking: the different ways people make money by hacking, the motivations, the organization. It will break down the businesses’ profitability and risk levels, and provide an overall SWOT analysis. From this, opportunities for disruption will be discussed and a competitive approach for disrupting the business of hacking will be laid out. The information in this paper draws on data and observations from HPE Security teams, open source intelligence, and other industry reports as noted.

Whether building in enterprise security or applying security intelligence and advanced analytics, we can use our understanding of the business of hacking and the threats to our specific businesses to ensure that we are investing in the most effective security strategy.
Users are reaching for mobile devices numerous times every day specifically to use mobile apps. The power and freedom of connected mobile computing continues to raise expectations, but users have little patience for problematic apps. Mobile device users heavily rely on peer reviews and star ratings to help them choose their apps. Once a mobile app is installed, that app is judged for its speed, responsiveness and stability, which define the user experience and overall satisfaction. Yet this study finds that users are experiencing app issues regularly. Critically, this report reveals that apps that exhibit issues are quickly abandoned after just a couple of occurrences.

For a company that creates mobile apps, while good performance can lead to satisfied users and app downloads, poor performance will result in quick app abandonment. The findings indicate that the key to loyal customers from mobile apps is directly related to the mobile app's performance, stability and resource consumption. Metrics defining the mobile app user experience must be measured from the customer’s perspective and must meet or exceed expectations at all times. The consequence of failing to meet user expectations is not only app abandonment – it also leads to a tarnished brand with lost revenue opportunities from both current and future users.
Any debt collection activity must take place with respect for the personal dignity of the debtor, avoiding conduct that could harm their privacy because of a moment of financial difficulty or an oversight.

The Garante's investigations have revealed the existence of practices that were in some cases decidedly invasive (visits to the home or workplace; repeated calls to the landline or mobile phone; pre-recorded telephone calls; mail sent with the words "debt collection" or "advance notice of enforcement" printed on the outside, and even notices of default posted on the front door. Often the personal data of entire families also turned up in the databases of the creditor or of the debt collection companies).

For this reason the Authority decided to intervene with a general order prescribing to all those who carry out debt collection (the specialised companies and those - finance companies, banks, public service concessionaires, telephone companies - that carry out this activity directly) the measures needed to ensure that everything takes place in accordance with the principles of lawfulness, fairness and relevance.
The 2015 Threat Report provides a comprehensive overview of the cyber threat landscape facing both companies and individuals. Using data from 2015, this report combines our observations on reported malware encounters with threat intelligence, and identifies several key trends and developments.

The report introduces the Chain of Compromise as an analytical concept to help readers, particularly those working in cyber security and information technology roles, understand how attackers compromise security using different combinations of tactics and resources. Some of 2015’s most prominent threats, such as exploit kits, ransomware, and DNS hijacks, are discussed in relation to this model, demonstrating how users become compromised by modern cyber attacks.

Key findings discussed in the report include the establishment of worms, exploits, and macro malware as trending threats; the increasing use of crypto-ransomware for online extortion; and an increase in the use and efficiency of Flash vulnerabilities in exploit kits. The report also highlights the significance of different cyber security events that occurred in 2015, including the discovery of the XcodeGhost bug in Apple’s App Store, the exposure of the Dukes advanced persistent threat group, and signs that the intersection between geopolitics and cyber security is paving the way toward a cyber arms race.

Information on the global threat landscape is supplemented with details on the prominent threats facing different countries and regions, highlighting the fact that while the Internet connects everyone, attackers can develop and distribute resources to selectively target people and companies with greater efficiency.
Even though new forms of communication are growing, such as instant messaging, which is spreading from the consumer world into business, e-mail is undeniably a critical element of business processes. In fact, a common practice is to use the mailbox as a repository not only of important correspondence with colleagues, collaborators, customers and suppliers, but also of files and documents, which can thus be retrieved at any moment, even from a mobile device. It was not so long ago that e-mail was the killer application for the spread of mobile devices in the enterprise, and the development of Unified Communication and Collaboration only confirms its usefulness. This, however, together with the growth of mobility, gives IT managers, and security managers in particular, constant headaches.

E-mail is one of the main forms of communication with the outside world, that is, beyond the firewall. If not adequately protected, it is therefore also the main route for introducing malware into the corporate system or, more generally, software kits designed to launch attacks on the infrastructure. But getting in is not enough; one also has to get out with the copied data, and again it is e-mail that represents one of the most vulnerable exit routes and, as such, is used to carry information outside the company.

Looking only at the last decade, we can see how e-mail has been used to carry out various kinds of fraud or cyber attacks. Worth recalling, for example, are "worms", a particular type of malicious code whose purpose was to penetrate the victim's computer, leaving a trace of its passage in the form of a virus that practically made the machine unusable. To get in it used an e-mail message containing an infected attachment and, to spread, it "sent itself" to all of the victim's contacts. The most famous is "I Love You", whose goal was to go "around the world" in the shortest possible time.
Did you suffer a data breach in 2014? Even if you avoided a breach, it’s likely that you saw an increase in the number of security incidents — according to PwC research, since 2009 the volume has grown at an average of 66% per year¹. It seems that it’s only retailers and entertainment companies that make the headlines, but organizations of all kinds are affected. In this report we look at how well prepared companies are to withstand attacks and mitigate the impact of breaches, and recommend how you can improve.
Protecting your data against cyber attacks in big data environments (MicroFocus Italy)
This article discusses the inherent risk of big data environments such as Hadoop and how companies can take steps to protect the data in such an environment from current attacks. It describes the best practices in applying current technology to secure sensitive data without removing analytical capabilities.
Preparing today for tomorrow’s threats.

When companies hear the word “security,” what concepts come to mind — safety, protection or perhaps comfort? To the average IT administrator, security conjures up images of locked-down networks and virus-free devices. An attacker, state-sponsored agent or hacktivist, meanwhile, may view security as a way to demonstrate expertise by infiltrating and bringing down corporate or government networks for profit, military goals, political gain — or even fun.

We live in a world in which cybercrime is on the rise. A quick scan of the timeline of major incidents (See Figure 1, Page 9) shows the increasing frequency and severity of security breaches — a pattern that is likely to continue for years to come. Few if any organizations are safe from cybercriminals, to say nothing of national security. In fact, experts even exposed authentication and encryption vulnerabilities in the U.S. Federal Aviation Administration’s new state-of-the-art multibillion-dollar air traffic control system.
Hewlett Packard Enterprise (HPE) has published the 2016 edition of the HPE Cyber Risk Report, a study that identifies the main security threats suffered by companies over the past year. The dissolution of traditional network perimeters and the greater exposure to attacks confront security specialists with growing challenges in protecting users, applications and data without hindering innovation or slowing business activities.

This edition of the Cyber Risk Report analyses the 2015 threat landscape, offering intelligence on the main areas of risk, such as application vulnerabilities, security patches and the growing monetisation of malware. The report also explores relevant industry themes such as new regulation of security research, the "collateral damage" arising from the theft of important data, shifting political agendas and the ongoing debate on privacy versus security.

If web applications are a significant source of risk for organisations, mobile applications present greater and more specific risks. The frequent use of personal information by mobile applications creates vulnerabilities in the storage and transmission of confidential and sensitive information, with about 75% of the mobile applications analysed showing at least one critical or high-risk vulnerability, compared with 35% of non-mobile applications.

The exploitation of software vulnerabilities continues to be a primary attack vector, especially where mobile vulnerabilities are present. Consider that, as in 2014, the top ten vulnerabilities exploited in 2015 had been known for over a year, and 68% of them for three years or more. Windows was the most targeted software platform in 2015: 42% of the top 20 vulnerabilities discovered targeted Microsoft platforms and applications. Another figure is also striking: 29% of all successful attacks in 2015 used Stuxnet, code dating from 2010 that has already been patched twice, as the infection vector.

Turning to malware, the targets have changed considerably in line with evolving trends and an ever-greater focus on opportunities for profit. The number of threats, malware and potentially unwanted applications for Android grew by 153% year on year: more than 10,000 new threats are discovered every day. Apple iOS recorded the highest growth rates, with an increase in malware types of over 230% year on year.
Taking AI to the Next Level in Manufacturing.pdf (ssuserfac0301)
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Letter and Document Automation for Bonterra Impact Management (fka Social Sol... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Programming Foundation Models with DSPy - Meetup Slides (Zilliz)
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Introduction of Cybersecurity with OSS at Code Europe 2024 (Hiroshi SHIBATA)
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
TrustArc Webinar - 2024 Global Privacy Survey (TrustArc)
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
A Comprehensive Guide to DeFi Development Services in 2024 (Intelisync)
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
Trusted Execution Environment for Decentralized Process Mining (LucaBarbaro3)
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Digital Marketing Trends in 2024 | Guide for Staying Ahead (Wask)
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin... (Tatiana Kojar)
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Technology’s role in data protection – the missing link in GDPR transformation
April 2017
Sponsored by
Contents

Executive summary 2
Responding to the fear of technology – why data protection law exists 4
Transition to the GDPR – technology under heightened scrutiny 5
Technology failure and consequences for organisations 8
Technology capabilities required for GDPR compliance scenarios 10
Moving from theory to reality – understanding and utilising the consensus of professional opinion 14
What should organisations do now? 16
Executive summary

The EU General Data Protection Regulation (GDPR) delivers a fundamental change in how data controllers and data processors handle personal data. Instead of an ‘add-on’ or afterthought within business operations, protections for personal data will now have to be designed into the very fabric of data processing systems, meaning that entities will need to re-examine how they approach the use of technology in their organisations.

European data protection law has always been concerned with how technology operates. Indeed, the first proposals for harmonised, pan-European laws were a response to technological developments. Legal instruments such as Council of Europe Recommendation 509 on human rights and modern scientific and technological developments (31 Jan. 1968) pinpointed with precision the risks to privacy that were posed by the technology revolution of the 1960s. Data protection laws exist because it is believed that, without them, technology will enable or cause data controllers and processors to trample on fundamental rights and freedoms.

Technology is, in other words, the principal problem that data protection law is trying to solve. As such, it is obvious that, as well as being the problem, technology must provide the solution. If entities are storing too much personal data, for example, technology needs to deliver delete, erase, de-duplication and minimisation functionality.

However, the way that data protection has operated in practice tells a different story and PwC’s experience in this area backs this up: despite technology being both the problem and the solution, technology systems have not been designed and deployed from the perspective of the requirements of data protection law. This is why we see so much debate over the retention and storage of personal data, so much confusion about the nature and whereabouts of personal data and so many technology-related cyber-security failures. From this perspective it might be said that the technology stack has been the missing link in data protection programmes over the years.

The underlying reasons for these issues will no doubt continue to be a source of debate, but one thing is certain: in the new world of the GDPR, where tougher and more penetrative forms of adverse scrutiny are likely, instances of technology failure will be harder to excuse.
2 | Technology’s role in data protection – the missing link in GDPR transformation | PwC
The principal contention of this White Paper is that data controllers and processors who are engaged in the design, build and delivery of GDPR programmes should re-examine and rebalance their priorities, in order to deliver the best possible technology environment for personal data before the GDPR comes into force in May 2018. As part of this rebalancing exercise, they should:

• Critically examine whether they have enough time, space and resources in their programmes to deliver what is required in their technology stacks by May 2018. As part of this process they should consider performing a technology functionality gap analysis, whereby the operational performance of technology is tested against the requirements of (1) the data protection principles, (2) the data subject rights and (3) the programme build requirements described in the GDPR.

• Perform a risk and cost-benefit analysis, whereby the operational risks to personal data and the legal and reputational risks to the controller or processor of data protection failure are weighed against the ‘feasibility issues’ associated with delivering technology change, such as the lead time required to source, procure, install and test new technology. Central to this exercise is an understanding of the nature of the technology market and the consensus of professional opinion on what ‘good’ looks like.
Stewart Room
Partner
Global Cyber Security Data Protection Legal Services lead and Co-Global Data Protection lead
Mobile: +44 (0)7711 588978
Email: stewart.room@pwc.com
‘1995 was a long time ago. In terms of technology, a different age’

Since 1995 ‘the internet has blossomed, social networking has boomed, cloud computing has taken off, and these changes have fuelled an explosion in data process’.

Announcing her vision for EU data protection reform, Viviane Reding, former vice president of the European Commission, said data protection must deal with constant technological change, more so than many other legal areas, and that advances in technology since the 1995 Data Protection Directive had overridden individuals’ rights.

1. Viviane Reding, The overhaul of EU rules on data protection: making the single market work for business, 04.12.2012;
2. Seven basic building blocks for Europe’s privacy reform, 20.03.2012;
3. A data protection compact for Europe, 28.01.2014.
In weighing up the options, controllers and processors should bear in mind that, for the first time, data protection law now contains real incentives for the delivery of technology change. As well as the obvious risk of regulatory enforcement action, including the risk of sizeable financial penalties, there is a new ‘litigation risk’ built into the GDPR, all underpinned by transparency mechanisms that will shine a spotlight on what is actually happening to personal data, including when security fails.

Conversely, there are also significant gains to be made from taking a ‘good’ approach to the technology issues. Issues such as efficiency and productivity gains are not new to data protection, but we are also now seeing a stronger focus on data protection in B2B procurement and contractual processes. Businesses and their contracting partners are starting to ask more penetrative questions about technology, meaning entities with a good story to tell will perform better in a competitive market. Likewise, consumers will increasingly factor in data protection issues when choosing where to place their business.
Responding to the fear of technology – why
data protection law exists
The first versions of European data
protection law emanated from the
Council of Europe, as part of its human
rights agenda. It is immediately obvious
from their titles that these laws were
passed in reaction to a fear of the
intrusive power of technology. A 1968
Council of Europe Recommendation
talks about ‘serious dangers for the
rights of the individual inherent in
certain aspects of modern scientific and
technological development’, for
example. It went on to describe the
technologies causing these dangers as
including ‘phone-tapping,
eavesdropping, surreptitious
observation, the illegitimate use of
official statistical and similar surveys to
obtain private information, and
subliminal advertising and propaganda’.
In many respects, the concerns of 2017 are the same as those of 1968. Fears about phone-tapping and eavesdropping played out dramatically in Edward Snowden’s disclosures about mass surveillance by intelligence agencies, and contributed directly to the collapse of the EU-US Safe Harbour data transfer agreement; fears about surreptitious observation regularly surface in official warnings from European data protection regulators about the use of CCTV systems; and fears about subliminal advertising and propaganda reappear in the regulatory agenda on profiling-backed direct marketing.
These fears can be seen as a thread running through all of the legal developments since 1968: the Council of Europe Data Protection Convention 1981, the EC Data Protection Directive 1995, the EC Telecommunications Data Protection Directive 1997, the Privacy and Electronic Communications Directive 2002 (amended in 2009) and the Data Retention Directive 2006 (since annulled by the Court of Justice of the EU in 2014). The GDPR now continues and sharpens this focus on technology.
Transition to the GDPR – technology
under heightened scrutiny
The GDPR’s focus on technology is much
more explicit than its predecessor, the
Data Protection Directive. If it is to be
properly effective, however, the GDPR
must assist in the delivery of business
transformation and legal compliance. It
does this in a number of ways. It
requires the use of Privacy by Design
techniques and the performance of risk
assessments. It also identifies data
management techniques, such as data
mapping, and techniques for how to
handle operational failure, such as
breach disclosure.
Technology goal #1
Driving data protection
principles into technology,
through appropriate technical
and organisational measures
The data protection principles set out
the core compliance goals of the law.
They have been at the heart of European
data protection regulation from its very
beginning in the 1960s. The principles
must be delivered in the technology
stack and organisations must take
‘appropriate technical and
organisational measures’ to do so. When
developing those technical and
organisational measures, organisations
must have full regard to the ‘nature,
scope, context and purposes of
processing’ and ‘the risks of varying
likelihood and severity for the rights
and freedoms of natural persons’. The
obvious implication of this requirement
is that risk assessments must be
performed in all cases. These risk
assessments require a deep
understanding of the effect that
technology can have on individual
rights and freedoms.
Technology goal #2
Ensuring the technology
environment can protect
individuals’ rights
If people are to have control over their
personal data, they need rights over that
data and transparency about what is
happening to it. But the exercise of these
individual rights is only truly effective if
an organisation’s technology stack is
fully responsive to them, and has the
right functionality embedded in it.
The core individual rights are the ‘right
of access’, ‘right to rectification’, ‘right to
erasure’ (or the ‘right to be forgotten’),
‘right to restriction of processing’, ‘right
to data portability’ and ‘right to object’.
In a functional sense, these rights
require the technology to:
• Connect individuals to their personal
data;
• Categorise personal data by type
and processing purpose;
• Map or trace the full information
lifecycle;
• Perform search and retrieval;
• Enable rectification, redaction,
erasure and anonymisation;
• Enable freeze and suppression;
• Enable the transmission of personal
data from one technology stack to
another.
All of this must be protected by
appropriate security.
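The list above reads as a functional specification, so here is a worked example, added by the editor and not code from the PwC paper, of a minimal store that delivers those functions. Direct identifiers sit in an identity vault keyed by subject; the analytic store is keyed only by a random pseudonym (the vault is the ‘additional information’ that makes the pseudonym linkable); a restriction flag in the vault is honoured on every write and on the analytics read path; access and portability share one machine-readable export; every action lands in an audit list for accountability. Class names, method names and the sample customer records are constructed for illustration. The caveat to carry forward: dropping only the vault row (keep_unlinked) leaves records unlinkable, but that is anonymisation only if the remaining attributes are not themselves identifying, and the same erasure path has to reach archives and backups.

```python
"""Added example (not from the PwC paper): a two-store layout that gives a
technology stack the hooks the individual rights need. Names, fields and the
sample records are constructed for illustration."""

import json
import secrets
from dataclasses import dataclass


@dataclass
class VaultEntry:
    pseudonym: str
    identifiers: dict          # direct identifiers (name, e-mail) live here only
    restricted: bool = False   # Art. 18 style freeze: data kept, not processed


class PersonalDataStore:
    def __init__(self):
        self._vault = {}       # subject_id -> VaultEntry
        self._analytic = {}    # pseudonym -> purpose-tagged records, no identifiers
        self.audit = []        # (action, subject_id, detail) for accountability

    def _log(self, action, subject_id, detail=""):
        self.audit.append((action, subject_id, detail))

    def knows(self, subject_id):
        return subject_id in self._vault

    def onboard(self, subject_id, identifiers):
        # Random token, not a hash of the id: the link cannot be recomputed
        # from the identifier once the vault row is gone.
        entry = VaultEntry(secrets.token_hex(16), dict(identifiers))
        self._vault[subject_id] = entry
        self._log("onboard", subject_id)
        return entry.pseudonym

    def record(self, subject_id, purpose, attributes):
        entry = self._vault[subject_id]
        if entry.restricted:
            raise PermissionError(f"processing restricted for {subject_id}")
        self._analytic.setdefault(entry.pseudonym, []).append(
            {"purpose": purpose, **attributes})
        self._log("record", subject_id, purpose)

    def export(self, subject_id):
        """Access and portability: one machine-readable view of everything held."""
        entry = self._vault[subject_id]
        self._log("export", subject_id)
        return json.dumps({"identifiers": entry.identifiers,
                           "records": self._analytic.get(entry.pseudonym, [])},
                          sort_keys=True)

    def rectify(self, subject_id, **changes):
        self._vault[subject_id].identifiers.update(changes)
        self._log("rectify", subject_id, ",".join(sorted(changes)))

    def restrict(self, subject_id, on=True):
        self._vault[subject_id].restricted = on
        self._log("restrict" if on else "unrestrict", subject_id)

    def erase(self, subject_id, keep_unlinked=False):
        """Erasure. keep_unlinked=True drops only the vault row and leaves the
        analytic rows unlinkable; that counts as anonymisation only if those
        rows carry no identifying attributes of their own."""
        entry = self._vault.pop(subject_id)
        if not keep_unlinked:
            self._analytic.pop(entry.pseudonym, None)
        self._log("erase", subject_id, "unlinked" if keep_unlinked else "deleted")

    def records_for_purpose(self, purpose):
        """Analytics read path: sees pseudonyms only and honours restrictions."""
        frozen = {e.pseudonym for e in self._vault.values() if e.restricted}
        return [(pseud, rec) for pseud, recs in self._analytic.items()
                if pseud not in frozen
                for rec in recs if rec["purpose"] == purpose]


def demo():
    """Walk two constructed subjects through the rights; returns the results."""
    store = PersonalDataStore()
    store.onboard("cust-42", {"name": "A. Example", "email": "a@example.test"})
    store.onboard("cust-43", {"name": "B. Example", "email": "b@example.test"})
    store.record("cust-42", "marketing", {"segment": "gold"})
    store.record("cust-43", "marketing", {"segment": "silver"})
    store.rectify("cust-42", email="a.new@example.test")   # rectification
    store.restrict("cust-43")                              # objection pending
    visible = store.records_for_purpose("marketing")       # cust-43 suppressed
    exported = json.loads(store.export("cust-42"))         # access / portability
    store.erase("cust-42")                                 # erasure
    return store, visible, exported


if __name__ == "__main__":
    store, visible, exported = demo()
    print(visible, exported, store.audit, sep="\n")
```

The design choice worth noting is that the restriction check lives in the store, not in the calling application: a freeze that depends on every consumer remembering to check a flag is the kind of ‘functionality not embedded in the stack’ the paragraph above warns about.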
Technology goal #3
Adopting a proper approach to
technology design and
deployment
One of the GDPR’s innovations is the
inclusion of requirements that provide
organisations with practical assistance
in how to flow data protection into
technology. These are:
• Accountability;
• Records of processing activities;
• Data protection by design and
default;
• Data protection impact assessments;
• Breach notification.
Collectively, these new requirements
provide a ‘user manual’ for delivering
operational success.
Article 24 (1) –
Responsibility of
the controller
Taking into account the nature,
scope, context and purposes of
processing as well as the risks of
varying likelihood and severity for
the rights and freedoms of natural
persons, the controller shall
implement appropriate technical
and organisational measures to
ensure and to be able to
demonstrate that processing is
performed in accordance with
this Regulation. Those measures
shall be reviewed and updated
where necessary.
Accountability – proving
that technology works
properly
The key idea within accountability is
that organisations will be able to
demonstrate that their technical systems
operationally adhere to data protection
principles and citizen rights. It will
require organisations to maintain a
repository of the functional
requirements of their technology
systems. They will also need to
demonstrate how those requirements
are delivered through associated design,
plans, functional testing and assessment
documentation. Accountability also
means that the technology must be
properly tested for operational quality.
Records of processing
activities – understanding
the data lifecycle and what
technology does
The delivery of the principles and rights
in the GDPR will not be possible if an
organisation does not have a complete
understanding of its personal data and
its processing activities. The GDPR
tackles this head on, requiring
organisations to maintain records of:
the categories of individuals whose data
are processed, the categories of data
that are processed, the categories of
recipients of the data and their
geographical whereabouts, the retention
periods that apply to the data, and the
security measures that have been
applied. These records will be
disclosable to the regulators on request.
There are many techniques that can be
deployed to understand the data
lifecycle, but the challenge that many
organisations are now grappling with is
that their technology has not been
designed to deliver the required
information. In an attempt to get around
this technology problem, many
organisations are trying to build ‘data
maps’ manually, through question and
answer sessions with personnel. The
problem with this approach is that it can
be very labour intensive, disruptive to
the daily life of business and is rarely
complete and accurate. For these
reasons alone it makes sense to look for
technology solutions, such as software
that can identify and categorise
different types of data and track its use
and flow. The data protection by
design and default requirement
supports this outcome.
Data protection by design
and default – getting
technology right from
the start
Data protection by design and default
(sometimes called ‘privacy by design’ or
just ‘PbD’) is another innovation of the
GDPR. The problem that PbD sets out to
solve is a lack of forethought by
organisations when they start to collect
personal data. Far too often data
protection is an afterthought, and PbD
brings data protection thinking forward
to a much earlier stage in the data
processing continuum. It requires
organisations to think through data
protection issues during the planning
phases for data processing. As such, PbD
begins when data processing activities
are still in a theoretical state.
The idea of the data protection by default component of PbD is that data processing systems should, by default, process only the minimum amount of personal data required to deliver the processing purpose. This means not only placing limitations on the types and volume of personal data that are processed, but also reducing the number of times that processing occurs, reducing the retention period for the data and reducing the number of people, the number of entities and the number of technology systems that can access the data.
PbD requires organisations to be
intimately familiar with the way their
technologies operate and with the ways
that technology can be redesigned,
reconfigured or replaced to deliver
fewer and better data processing
operations. Clearly, this has implications
for legacy systems which have never
been considered from a data
protection perspective.
Data protection impact
assessments –
understanding
technology risk
There is a significantly increased focus
on risk management in the GDPR.
Before an organisation can make
decisions about the technical and
organisational measures it should adopt
for data protection, it needs to
understand the data protection risk
posed by its data processing activities
and the wider environment in which it
operates. In special cases, the GDPR
requires a special form of risk
assessment, called a data protection
impact assessment (DPIA), which is
needed when the processing activities
are 'likely to result in a high risk to the
rights and freedoms of natural persons'.
The legislation points out that these
risks can emerge when 'using new
technologies'. Such risks might arise, for
example, during the profiling of
individuals (as happens in the insurance
sector, or in the retail sector for the
purposes of behavioural advertising),
during large-scale processing of
personal data (as may happen in large
clinical trials in the health sector, or in
criminal justice) and through large-
scale systematic monitoring of public
places (as may happen with CCTV and
other public surveillance systems).
In looking at the trigger points for
DPIAs, like the reference to 'new
technologies' and likelihood of 'high
risks', it becomes obvious that GDPR
programme owners need to be
intimately familiar with the nature of
their organisations’ technology stacks
and how they operate. Those
programme owners need to be plugged
into the technology refresh and upgrade
cycles, so they can capture anything
new within their methodologies.
Breach notification –
delivering transparency in
technology failure
The long history of security breach failures has crystallised the need for mandatory breach notification in Europe. Under these rules, data controllers have to notify the regulator of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it; a later notification must be accompanied by the reasons for the delay. The only exception is a breach that is unlikely to result in a risk to the rights and freedoms of individuals. Data processors must notify the controller without undue delay after becoming aware of a breach. Where a breach is likely to result in a high risk to the rights and freedoms of people, the controller must also communicate it to those persons, again without undue delay.
The security principle, and the
requirement for appropriate technical
and organisational measures, combines
with the rules on breach notification to
require technology that can prevent
breaches from happening, detect them
when they do happen, and help with the
restoration of systems and handling
after they happen. GDPR requires
end-to-end security.
On the prevention side, the GDPR
contains obligations for 'regularly
testing, assessing and evaluating the
effectiveness of technical and
organisational measures for ensuring
the security of the processing'. On the
breach notification side, the rules
require notification of the nature of a
breach, the volumes of data and people
affected, information about the likely
consequences, and measures taken to
address the breach and mitigate harm.
All this information should be recorded
in a register of breaches, which is a
disclosable document.
Again, these rules demonstrate the need
for the GDPR programme to operate
effectively inside the technology stack.
Conclusions for technology
– bridging risk
management, functionality
and data management
Looked at in this way, the GDPR’s
requirements for technology are about
risk management, functionality and
data management. These are the three
pillars on which data protection law for
technology is built. If any individual
pillar is overlooked, the organisation
will be at peril of operational and legal
failure. Organisations should ask
themselves whether their GDPR
programmes are properly addressing
these requirements in technology.
GDPR compliance:
where technology
is impacted
The need for technology
innovation arises across the GDPR.
Some requirements that demand
technology functionality include:
• Article 15 – Right of access by
the data subject
• Article 16 – Right to rectification
• Article 17 – Right to erasure
(right to be forgotten)
• Article 18 – Right to restriction
of processing
• Article 19 – Notification
obligation regarding rectification
or erasure of personal data or
restriction of processing
• Article 20 – Right to data
portability
• Article 21 – Right to object
• Article 22 – Automated
individual decision-making,
including profiling
• Article 25 – Data protection by
design and default
• Article 35 – Data protection
impact assessments
Technology failure and consequences for organisations
Organisations that fail to translate the
requirements of the GDPR into their
technology run the risk of operational
failure, which can, in turn, lead to
reputational and legal damage. The key
legal consequences will include:
• Regulatory investigations and
inquiries, during which the
organisation can be required to
disclose its records, risk assessments,
technology designs, audit reports and
other assessments and incident logs.
• Regulatory enforcement orders,
which can extend to stopping the use
of personal data by an organisation,
and the redesign of business
processes and the technology
environment.
• Regulatory fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
• Exercise and enforcement of
individuals’ rights.
• Compensation claims by individuals
who feel their rights have been
impacted.
Examples of operational
failure leading to adverse
scrutiny of technology
The breach notification rules will of
course impact on security and
confidentiality problems outside the
technology stack, such as employees
leaving papers in public places. But most
cases will be concerned with technology
failure, whether in the sense of external
attack (from hackers, malware etc.),
poor configuration (e.g. too many
people with access rights, or a lack of
encryption), or poor operation (e.g.
emailing sensitive information to the
wrong recipient). When these cases are
reported to the regulators and the
people affected, they open up lines of
inquiry into all aspects of technology
design and delivery. A security breach
involving the emailing of personal data
to the wrong recipient might, for
example, develop into a case about data
storage and retention.
Data protection litigation penetrating the
technology stack
In 2013, an Austrian national filed a complaint with the Irish Data Protection Authority about data transfers from Ireland to the US under the Safe Harbour framework. The complaint sought to prohibit these transfers, given the access to technology systems by the US intelligence agencies. In October 2015 the Court of Justice of the EU struck down the Safe Harbour framework, which was being used by about 4,500 companies.
Likewise, the exercise of individual
rights has the potential to open up the
entire technology environment to
investigation. If individuals try
unsuccessfully to prevent the use of
their personal data for marketing
purposes, they might take their case to
the regulator and trigger lines of inquiry
into how all of the individuals’ rights are
handled by the organisation in question,
which can bring technology into focus.
Is the GDPR a bad idea?
The enforcement and litigation risks
associated with the GDPR are such that
no organisation wants to be exposed to
them. However, tough enforcement
mechanisms are part and parcel of most
important pieces of regulatory law, and
it would be a mistake to regard the
GDPR as a bad idea just because it
exposes organisations to legal risk.
The GDPR can be seen in another light.
If questions of legal risk are set aside,
what is left is a legislative regime for
good data handling. The idea that there
should be principles in place for the
management of data, that risk
assessments should be performed, that
controls should be adopted to deliver on
the data protection principles and to
manage risk, are non-controversial from
the perspective of good data handling.
Good data handling can also be a driver
for other gains, such as competitive
advantages in the market, costs savings
and wider innovation. Conversely,
dealing with failure can generate
significant loss and damage.
‘Privacy and
innovation – not
privacy or
innovation’
In her first speech as the
Information Commissioner of the
UK, Elizabeth Denham highlighted
a key point for the future of
personal data protection: ‘It’s not
privacy or innovation – it’s privacy
and innovation’.
Businesses often see compliance as
an offset of their time and
resources, but the cost of non-
compliance will increase
significantly. Her advice to
businesses is that ‘the personal
information economy can be perfect
for everyone. Get it right, and
consumers and business benefit’.
Elizabeth Denham, Transparency,
growth and progressive data
protection, 29.09.2016
Technology capabilities required for GDPR
compliance scenarios
The role of technology in the GDPR, as
both the cause of the problem and as
the inevitable solution, leaves
organisations in a difficult position.
In many organisations, the
information management and
governance environment is an
underdeveloped part of the technology
stack. This is because these initiatives
regularly lose out to business-sponsored
projects with a more direct connection
and visible impact on core business
metrics, such as revenue, cost and
customer satisfaction.
The GDPR poses many operational
challenges that are difficult for
technology to deal with:
• Technology thrives on certainty,
rules and clear requirements, yet the
GDPR is both complex and open to
interpretation.
• The GDPR requires the enterprise to
manage all personal data, yet many
organisations do not know where all
their personal data resides.
• The GDPR requires the enterprise to
control the processing of all personal
information, yet the rise of shadow
IT takes control away from the IT
department and disperses it across
the business functions.
• Finding impartial reliable advice is
difficult with an explosion of
solutions on the market that
promise great things but have not
had the time to mature and prove
their credibility.
The GDPR however now provides the
incentive for business to address data
privacy through technology and the
technologist needs to understand the
range of capabilities that can be
deployed to achieve compliance.
PwC’s framework for
evaluating GDPR technology
PwC’s GDPR technology framework
describes the core technology
capabilities and components needed to
address the functional requirements of
the GDPR. It comprises five domains of
Govern, Identify, Act, Analyse and
Secure. These are further broken down
into 16 technical capabilities or enablers
that together would be required to meet
the full set of functional requirements
demanded by the GDPR across the
spectrum of both structured and
unstructured personal data. At its most
fundamental level, it is describing data
management best practice in the context
of the GDPR. Adopting such a model
should not be viewed as a burden or cost
but as a means of extracting the optimal
value from what is increasingly seen as
one of the most important assets of an
organisation – its data.
The GDPR technology framework is
intended to cater for all potential GDPR
technology requirements, and can be
used as a basis for assessing the
capabilities of a current technology
stack and determining core gaps in basic
functionality. In practice, a risk-based
approach may de-prioritise certain
components if the requirement can
realistically be catered for by a
combination of manual, policy or
procedure remediation strategies.
Govern
• Case management: systems for managing data subject requests, complaints and the communications surrounding emergencies, including personal data breaches.
• Controls management: systems to manage the control framework for all elements of personal data.
• Privacy compliance systems: systems that manage data protection impact assessments, identify risk gaps, demonstrate compliance and record the purpose of each processing activity.
• Training: robust training solutions or systems that can demonstrate staff understanding of, and compliance with, the GDPR.

Identify
• Data discovery: systems that analyse both structured and unstructured data across the enterprise to identify personal data.
• Data mapping and modelling: systems that tag all data relating to an individual and can show how the elements link together.
• Consent management: systems that manage, track and demonstrate all relevant GDPR consent provisions.

Analyse
• Activity monitoring driven by analytics: analysis of how data is being accessed and used, by whom, and how value can be derived from it.
• Omni-channel management: systems to manage and coordinate data coming in from multiple channels.
• Archive management: systems to ensure archive data is managed and deleted in accordance with stated and agreed retention policies.

Secure
• Network security: deployment of integrated network and cyber-security controls, procedures and monitoring for the networks over which personal data travels.
• Application security: deployment of systems to ensure all applications that store, process and manage personal data are secure.
• IT infrastructure security: deployment of systems to protect all IT infrastructure, including cloud solutions, used for data management, processing, storage and archiving.

Act
• Data security: deployment of systems that protect data through encryption, pseudonymisation and other security technologies.
• Data maintenance: systems to manage data quality, including the update and amendment of data throughout its lifecycle; data deletion and suppression must be key functions.
• Breach response: deployment of systems that detect, manage and resolve breaches in real time (for example identifying breached data, identifying affected individuals and notifying all relevant parties).
GDPR compliance scenarios
To demonstrate how the technology framework relates to the real world of the GDPR, the following three illustrative scenarios describe the capabilities required to form an end-to-end solution.

Personal data assessment
To understand what personal data is held and where the data is being stored across the technology stack.
This requires a combination of capabilities across data discovery, data mapping and consent management tools, to identify and manage sources and flows of structured and unstructured personal data across the technology stack and to ensure that consent for specific purposes exists. It also requires data maintenance tools to maintain the accuracy, adequacy and relevancy of personal data and a security system to protect the personal data managed by the organisation. To do this at scale will require automated PII analysis and tagging.
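Automated discovery and tagging is the part of the personal data assessment scenario that a policy document cannot deliver, so the following is a worked example, added here and not part of the PwC framework or its code, of a small discovery pass over unstructured text. It pattern-matches e-mail addresses, IBANs, payment card numbers and international phone numbers, then validates IBAN check digits (mod 97) and card numbers (Luhn) so that a digit run in a build log is not tagged as personal data. The patterns are deliberately narrow, the category names and sample documents are constructed, and a production scanner would add national identifiers, names via NLP and a review queue for low-confidence hits.

```python
"""Added example (not from the PwC paper): automated discovery and tagging of
personal data in unstructured text, with validation of candidate hits.
Category names, patterns and sample documents are constructed assumptions."""

import re
from collections import Counter

# Narrow, deliberately conservative patterns (constructed for this example).
EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IBAN = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13 to 19 digits
PHONE = re.compile(r"(?<![\w+])\+\d{7,15}\b")           # E.164-style only


def iban_valid(candidate):
    """ISO 13616 check: move the first four characters to the end, map letters
    to 10..35, and the resulting integer must be 1 mod 97."""
    iban = re.sub(r"\s", "", candidate).upper()
    if not 15 <= len(iban) <= 34:
        return False
    rearranged = iban[4:] + iban[:4]
    as_digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(as_digits) % 97 == 1


def luhn_valid(candidate):
    """Luhn check over the digits of a payment card number."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:          # every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


# (category, pattern, validator): a hit is tagged only if the validator passes
DETECTORS = [
    ("email", EMAIL, lambda hit: True),
    ("iban", IBAN, iban_valid),
    ("payment_card", CARD, luhn_valid),
    ("phone", PHONE, lambda hit: True),
]


def scan(text):
    """Return {category: [validated hits]} for one document."""
    found = {}
    for category, pattern, valid in DETECTORS:
        hits = [m.group(0) for m in pattern.finditer(text) if valid(m.group(0))]
        if hits:
            found[category] = hits
    return found


def tag_corpus(documents):
    """documents: {location: text}. Returns per-document category tags and
    corpus-wide counts, which is the raw input a data map needs."""
    tags = {location: sorted(scan(text)) for location, text in documents.items()}
    totals = Counter(cat for cats in tags.values() for cat in cats)
    return tags, totals


SAMPLE_DOCUMENTS = {  # constructed sample inputs
    "hr/contract-0042.txt":
        "Employee: A. Example <a.example@corp.test>, salary paid to "
        "GB82 WEST 1234 5698 7654 32.",
    "support/ticket-9.txt":
        "Customer called from +441632960123 about card ending 4111 1111 1111 1111.",
    "ops/build-log.txt":
        "artifact id GB00WEST12345698765432 size 4111 1111 1111 1112 bytes",
}

if __name__ == "__main__":
    tags, totals = tag_corpus(SAMPLE_DOCUMENTS)
    for location, categories in tags.items():
        print(f"{location}: {', '.join(categories) or 'no personal data found'}")
    print(dict(totals))
```

The build log is the case that matters: it contains strings shaped like an IBAN and a card number, and without the check-digit validation both would be tagged, the file would be pulled into the data map, and the discovery output would lose the credibility it needs to drive erasure and disposition decisions.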
Defensible disposition
To dispose of personal data which is not being stored for a legitimate purpose, is not accurate, has exceeded its retention period, or where consent from the data subject does not exist.
This requires a combination of capabilities across controls management, privacy compliance and consent management to determine the legitimate use of personal data and the internal policies for data management. It also requires capabilities across data discovery and data mapping to identify personal data that breaches the organisation’s rules, across data security and data maintenance to rectify, anonymise, delete, pseudonymise, suppress or encrypt the data, and across archive management to ensure personal data is not being retained inadvertently within archives and backups. Maintaining an audit of activity is best practice to support future investigations.
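Disposition is only defensible if every decision can be explained afterwards, so this added example (not from the PwC paper) shows a disposition pass that records a reason for each record. The precedence is the point: a legal hold (the litigation-management case) suspends retention expiry, a consent-based purpose without consent is deleted regardless of age, a purpose with no retention rule is sent for review rather than silently kept, and everything else is tested against its retention period. The purposes, retention periods, the legal-hold field and the sample records are assumed values for illustration.

```python
"""Added example (not from the PwC paper): a defensible-disposition pass that
records, per record, whether personal data may still be kept and why.
Retention periods, the legal-hold flag and the sample records are assumed."""

from datetime import date, timedelta

# Assumed policy: purpose -> maximum retention, in days, after record creation.
RETENTION_DAYS = {
    "order_fulfilment": 365 * 6,
    "marketing": 365 * 2,
    "recruitment": 180,
}
CONSENT_BASED = {"marketing"}   # purposes whose lawful basis is consent


def disposition(record, today):
    """Return (action, reason); action is 'keep', 'delete' or 'review'.
    Precedence: legal hold, unknown purpose, missing consent, retention."""
    as_of = date.fromisoformat(today)
    purpose = record["purpose"]
    if record.get("legal_hold"):
        return "keep", "legal hold: retention expiry suspended"
    if purpose not in RETENTION_DAYS:
        return "review", f"no retention rule for purpose '{purpose}'"
    if purpose in CONSENT_BASED and not record.get("consent"):
        return "delete", "consent-based purpose without valid consent"
    created = date.fromisoformat(record["created"])
    expiry = created + timedelta(days=RETENTION_DAYS[purpose])
    if as_of >= expiry:
        return "delete", f"retention for '{purpose}' expired on {expiry.isoformat()}"
    return "keep", f"within retention until {expiry.isoformat()}"


def run_disposition(records, today):
    """Decide every record and return the audit trail for later investigations."""
    audit = []
    for rec in records:
        action, reason = disposition(rec, today)
        audit.append({"record_id": rec["id"], "purpose": rec["purpose"],
                      "action": action, "reason": reason})
    return audit


SAMPLE_RECORDS = [  # constructed
    {"id": "r1", "purpose": "marketing", "created": "2014-01-10", "consent": True},
    {"id": "r2", "purpose": "marketing", "created": "2017-01-10", "consent": False},
    {"id": "r3", "purpose": "order_fulfilment", "created": "2016-03-01",
     "legal_hold": True},
    {"id": "r4", "purpose": "recruitment", "created": "2017-05-01"},
    {"id": "r5", "purpose": "analytics_experiment", "created": "2017-05-01"},
]


def demo(today="2017-06-01"):
    return run_disposition(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    for entry in demo():
        print(f"{entry['record_id']}: {entry['action']:6} {entry['reason']}")
```

The ‘review’ outcome is deliberate: a purpose nobody has written a retention rule for is exactly the data that ends up retained indefinitely, and surfacing it to a human is safer than either default.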
Breach detection, response and reporting
To take all reasonable measures to avoid a breach, to notify the supervisory authority without undue delay and where feasible within 72 hours of becoming aware of a personal data breach, to take prompt remedial action and to notify data subjects without undue delay where the breach is likely to result in a high risk to them.
This requires a combination of capabilities across training to give employees the understanding and awareness to change behaviours and reduce the risk of security breaches, a robust cyber-security environment to minimise the technical risk of a successful malicious attack on data or application vulnerabilities and to identify a breach when one has occurred, and a breach response toolkit to manage the response process, including breach investigation, notification and responding to enquiries.
Additional
scenarios
• Policy based governance –
Applying and enforcing policies
to manage personal data
throughout its lifecycle.
• Litigation management –
Responding to litigation and
legal requests.
• Encryption – Protecting
personal data through
encryption, pseudonymisation
and redaction technologies.
• Backup and recovery – Backup,
recovery and management of
personal data.
• Breach prevention – Deploying
cyber-security technologies
to identify vulnerabilities, close
security gaps and prevent high
value data loss through breach.
Moving from theory to reality – understanding and utilising the consensus of professional opinion
No legislative text can provide
exhaustive instructions on how to deal
with every permutation of the issues
that may arise in its area, and in this
sense the GDPR is no different, despite
containing a built-in ‘user manual’ for
change. There is considerable ‘white
space’ that still needs to be filled.
Regulatory guidance on
technology issues
The regulatory system provides
considerable assistance on the detailed
requirements of the law. Organisations
that have been tracking developments in
regulatory guidance for technology will
be very much aware of the Article 29
Working Party, which brings together
the EU Data Protection Authorities and
representatives of EU Institutions, to
develop guidance on discrete points of
concern in the law.
This guidance shows that regulators are up to date with technology issues. The regulators will expect organisations to be familiar with the Article 29 Working Party’s guidance. It is required reading. Since May 2018 the Working Party has been succeeded by the European Data Protection Board, which has endorsed most of the Working Party’s GDPR guidance, so those documents remain the reference point.
A wealth of
regulatory
guidance on data
protection and
technology
The European Data Protection
Authorities, as part of the
Article 29 Working Party, have
published numerous guidance
documents on the technology
issues covered by data protection
law, including: surveillance of
electronic communications in the
workplace, providing consent for
cookies and the use of online
behavioural advertising, social
networking, smart metering, and
the use of biometrics.
The technology landscape – working with technology experts
Delivering the data protection principles and individuals’ rights in technology also needs a strong awareness of the range and nature of the technology options available in the market.
This points the GDPR programme owner
in four directions: the expert functions
in their organisations that are
responsible for the technology
environment (CIO, CTO, CISO etc.),
technology professional services
providers, technology analysts, and
technology vendors. Regulators will
expect organisations to have a process
in place that takes account of the need
for expert advice and support.
Regardless of the domain of expertise
relied on, organisations will need to be
confident that their experts are
intimately familiar with the
requirements of the GDPR. A technology
vendor should map its products and
services to the requirements of the
GDPR in order to understand the extent
to which they can usefully support a
GDPR programme in a granular sense.
For example, two primary roles that
technology can play within a GDPR
programme are (1) classifying
information that is within the scope of
the GDPR, and (2) applying appropriate
policies to that information (e.g., move,
delete, quarantine, redact, notify,
encrypt) – technology vendors should be
able to describe where they fit into these
roles. Other characteristics to look for
include GDPR track record, market
reputation and the ability to provide
strategic support so that the technology
design is future-proofed.
What should organisations do now?
It will already be clear that many
organisations will need to elevate the
importance of technology within their
GDPR programmes. Technology needs
to be brought into planning and
decision-making processes early on
within change programmes – it must be
one of the key considerations for an
organisation in making decisions about
meeting its requirements and mitigating
the risks.
Organisations should reflect on the fact
that technology projects are lengthy
exercises, and even a straightforward
data management initiative with a
singular objective in a well-run, well-
resourced organisation can take 3 to 6
months to complete. When the clock is
ticking fast, a ‘wait and see’ attitude is
not an option. Action directed by a
Vision and Strategy needs to be taken
now. Indeed, when considering an
approach to the challenges of the GDPR,
we see too many enterprises rushed into
undertaking ‘purposeless activity’ or
‘activity for activity sake’. Setting the
Vision and Strategy for the GDPR based on
a mature assessment of an organisation’s
economic goals for personal data, its risk
positions and its full range of
obligations, is the first task. From that
foundation, there are four key activities
that organisations should initiate:
1. Call to action to engage a diverse and
senior stakeholder group to drive
GDPR change.
2. Assess the gap between functional
GDPR requirements and technology
capabilities.
3. Prioritise and sequence the change
required by executing a risk and
cost/benefit analysis.
4. Design and mobilise the GDPR
transformation programme for
change.
Call to action to engage a
diverse and executive
stakeholder group to drive
GDPR change
Organisations seeking to achieve GDPR
compliance will need to engage multiple
stakeholders across a range of functions
(IT, Compliance, Legal, HR, Customer
Service, Marketing, etc.) to gather the
organisational backing for the changes
required. In building this coalition, it is
important to note that, as well as
achieving GDPR compliance, the
consequent improvements of adopting
good data management and security
principles can deliver tangible benefits
back to the enterprise. These include:
• Driving commercial performance
through higher quality and more
accurate data.
• Greater insight into customer needs
leading to improved customer
satisfaction.
• Considerable cost reduction
opportunities by reducing IT
infrastructure footprint.
• Opportunity to simplify the
applications landscape.
The stakeholder group will be instrumental in securing budgets and resources, generating urgency and clearing the path for a consolidated programme with the backing of the board and executive.
Assess the gap between functional GDPR requirements and technical capabilities
Enterprises should undertake a technology functionality gap analysis, whereby the technology-driven requirements of the GDPR are assessed against the technology capabilities of the organisation, covering the entire data lifecycle management process and its associated policies, infrastructure, security and controls. The requirements will be driven by the Principles, Rights and Build requirements of the GDPR, and the gap analysis will expose deficiencies, vulnerabilities, potential threats, and areas of non-compliance.
Prioritise and sequence the change required by executing a risk and cost/benefit analysis
In the world of technology just about anything and everything is possible. It’s simply a question of having enough time and money. In the real world, however, both are limited resources, which is why we view a risk-based approach as the only realistic way to address the GDPR’s requirements: the highest risk areas are addressed first and most comprehensively. Accordingly, enterprises should use the findings of their gap analysis, a cost/benefit analysis and scenario testing to identify and plan their priorities.
PwC | Technology’s role in data protection – the missing link in GDPR transformation | 17
Design and mobilise the GDPR transformation programme for change
A GDPR programme will be complex and transformational in nature, as it will change the way the organisation’s people, processes and technology interact around the handling of personal data. Simply treating the change as a project is likely to end in failure. Instead, an integrated transformation programme structure should be adopted. Aspects of this programme approach will involve:
• Operating model for GDPR with associated organisation change.
• Compliance implementation of policy, procedure and control design and implementation.
• Operational change and process redesign.
• Technology programme consisting of detailed design, build, test and deployment.
• Management of change activities including communications, training and behaviour change.
• Programme and project management to govern the programme.
As well as deploying expertise from within an enterprise, a programme of this nature will most likely also require the involvement of external SMEs and technology vendors to provide specialist knowledge and experience.
The role of advisors and vendors
While the GDPR technology framework is intended to provide a comprehensive view, organisations will have to make difficult choices about when, where and what to invest in to provide maximum protection. While some will have the scale and resources to deploy technology covering the entire GDPR technology framework, most will assess risks differently and deploy resources in a more focused manner.
The expertise to advise on and deploy technologies will often not exist within an organisation. Professional advisors, software vendors, IT service companies and the contractor market are resources which can plug capability and capacity gaps, especially where they bring proven expertise and understanding of the specific challenges of the GDPR.
Selecting software with tailored functionality to address the different needs of the GDPR is one means of addressing a capability gap. But with so many new GDPR solutions in the market, selecting a vendor can sometimes feel like a shot in the dark. As with any software selection, addressing this question on the basis of strategic fit to long-term strategic needs, as opposed to addressing an immediate issue with a tactical solution, is a key starting point. Additional factors for vendor selection of GDPR solutions may include:
• Breadth of an integrated portfolio and interoperability with other vendors’ solutions.
• Depth of analytics embedded into the solution to drive effectiveness and efficiency.
• Proven data privacy, data security and sector domain experience.
• Simplicity in packaging, such as a modular approach to procuring and deploying solutions.
• Market reputation, longevity and roadmap for product development around the GDPR solution set.
The complexity of a GDPR programme is significant and the time to act is now. That means building the right team to deliver GDPR compliance is critical. Careful consideration should be given to selecting the right partners to assist an organisation in achieving the strategic imperative of GDPR compliance.
About the authors
Stewart Room
Partner
Global Cyber Security Data Protection Legal
Services Lead Co-Global Data Protection Lead
M: +44 (0)7711 588978
E: stewart.room@pwc.com
Peter Almond
Director
M: +44 (0)7793 758029
E: peter.almond@pwc.com
Kayleigh Clark
Senior Associate
M: +44 (0)7841 468403
E: clark.kayleigh@pwc.com