AVST Presents GDPR at Enterprise Connect 2018

General Data Protection Regulation (GDPR) is a set of digital rights that recognizes the value and commoditization of personal data in the global digital economy. This regulation significantly strengthens data protection law and its information security requirements. GDPR elevates the protection of personal data to the same level of importance as legal and financial data. Personal data must be protected; whether to protect it is not a choice left to those who have access to it.

GDPR: Impact on Security from EU to US

AVST General Manager, Tom Minifie, held an educational session, GDPR: Impact on Security from EU to the US, at Enterprise Connect last month. Although this regulation stems from the European Union, businesses all over the world will be affected by it. Is your enterprise prepared for the compliance changes effective May 25, 2018?

Some security procedures are most likely in place; others will have to be implemented. Learn how your organization can prepare for this regulation through the XMedius white paper, Understanding GDPR Compliance.

Video Transcript Highlights

Thanks everyone for joining today. I’m Tom Minifie, with AVST. From a GDPR perspective, I am a data controller and a data processor. I also have my very own personal data that I care about.

We have experience with the largest companies around the world that use our technology. We sell to smaller companies as well. But from a GDPR and security perspective, it’s not size-oriented. This isn’t a regulation that only applies to large companies. It applies to everybody, because every company around the world manages or has access to, and saves personal information. That’s what it’s all about.

I’m pleased to say I am not going to walk you through all 99 articles. We’re going to try to simplify this, and really talk about what it means to you as you’re representing your companies. What do you need to do to be in compliance with GDPR? What are the things you need to focus on? You’re probably doing a bunch of them today. There’s probably some that you aren’t doing, so we’ll discuss those.

Important Terms to Know

A couple of terms that you need to understand with GDPR are processor and data controller. Essentially, any cloud provider is a processor. Anyone that’s processing data may not be holding on to that data or doing anything with it for their own purposes, but if it’s flowing through their resources, then they’re a processor.

AVST is a processor. We’ve got a number of cloud solutions for our customers. We host some communications solutions, and we have a security solution that people can use. As they’re using our hosted service, we are a processor when it comes to those companies. The data controller is the company itself.

Who actually has access to that data and can do things with it? Within our organization, the relationships we have with vendors and customers, we may have personal information associated with them.

Processing and Storing Personal Data

If you look at article five, organizations shall collect data lawfully, fairly, and in a transparent manner, for specified, explicit, and legitimate purposes, and it shall be processed in a manner that ensures appropriate security of the personal data using appropriate technical or organizational measures.

This is really a two-part deal. Firstly, what are we collecting and why are we collecting it? Is that transparent to the individuals that we’re collecting it from? You’ve got to be extremely open about this. It’s not that you can grab personal information from somebody, and use it for your own purpose, and they have no idea that you’ve done that. That is absolutely illegal in the eyes of GDPR.

Then once you have that data, it’s all about storing it securely. If you have been given authority to have this data, you better be able to prove that you can handle it securely, or the person can request to get it back.

Right to Portability

If in certain situations, the individual is depending on a data controller or a processor to manage much of their data, since they own it, they should be able to move that somewhere else. A cloud provider cannot say, “Nope, sorry, we don’t move that data anywhere else. And we’ll delete it for you, but we’re not going to give it to you so you can go to our competitor.” That’s not allowed. It’s, “I’ve provided you access to my data. I own the data. I get to move it around if I want to.”

Under the right to portability, the data subject shall have the right to receive the personal data they provided to an organization, and have the right to transmit that data to another organization, without hindrance. As I mentioned, this is protection against the one guy saying, “I don’t want to help you go to my competitor.”

Top 5 Questions to Ask Your GDPR Leadership Team

  1. Do you know what personal data is stored, where it is stored, and who has access?
  2. Do we have a privacy policy that explains the above?
  3. Does the enterprise have suitable business continuity and disaster recovery plans in place?
  4. Does the company understand its responsibilities in the case of a data breach and have a plan of action in place?
  5. Have you ensured third-party suppliers are following your data protection policies?

These are some of the things that you need to ask your company, or your leadership team if you have one: what are the things you really need to take a look at?

Firstly, evaluate. What personal data do you actually have? What personal data are you storing and what’s the purpose of that? Do you have a privacy policy, so that any individual whose personal data you have access to understands why you have that data? What data do you have, and why do you have it? What’s your use for that? Do you have High Availability/Disaster Recovery business continuity practices in place? Can you stand up and say, “Look, we’re the protector of this data, and we’re not going to lose that data”? Even with an IT failure where you’ve lost a server and the data that was stored there, it’s not good enough to say, “Well, it’s gone.” That’s not okay. You have to be able to recover that data as well.

Does the company understand its responsibilities in the case of a data breach? In terms of what the procedure is, what do we have to do? In the horrible event that there is a breach, what are we going to do about it? What is the policy? What do we have to do to adhere to the 72-hour requirement? Then, your downstream suppliers or vendors, can they stand up to the same regulation as well?

Privacy Policy

From a privacy policy perspective, this is one of the things everyone should do immediately, because it really does solve a number of other things. It says, “This is the data we collect. This is why we collect it. This is what we do with it, ongoing,” so that anyone coming to your organization is aware of that already. A privacy policy is important.

When you go through this evaluation process, you’re going to take a look at the data. You’re going to look at how you’re protecting it today. Then you’re going to come to software companies like AVST, and say, “I’ve got your communications system, but I need to introduce encryption into the solution, so I want to make sure that I’m encrypting all message data associated with your system.” Through that evaluation, you’re going to go to your software vendors, your product vendors, and say, “I need to improve this. Can I do that through you? Do you have an option to introduce this security improvement?” Encryption is a great example of that.

Then you have to introduce those. As a company, it’s up to us to do that. It’s not up to our software vendors, or our product vendors, or our IT vendors to do that for us. We have to drive that as companies, because we own the problem. We’re the ones responsible for it.

Important Security Controls

Some important security controls are security policy oriented or IT policy oriented, and others are more technical in nature: introducing encryption, introducing two-factor authentication. Is it an access issue? Is it protecting the data once it is there? Is it policy oriented? Who has physical access to data centers? Who has access to various data? Is it really a least-privilege type approach? All of those things are important.

You have to evaluate your organization. Evaluate the data that you’re maintaining, and come up with the best approach to protect your company, and protect the customers whose data you have access to.

Takeaways

Just a few quick takeaways here. Firstly, understand your business. Every business is a little different. We all maintain different data. We all have different relationships with our customers, our partners, our vendors, whoever it may be that interacts with our organization, so really evaluate that. Determine what you need to protect from a policy perspective and from a regulation perspective. Then deploy the appropriate security measures to do exactly that. Protect the data and then implement all the processes around that as well.

With that, I did mention that AVST, XMedius, we’re in the business of doing this for our customers. Our applications are all very secure and can help our customers move through this process, from a data protection perspective. I appreciate you joining us today. Thank you.

To learn more about how to prepare for GDPR, XMedius has 5 tips for getting your organization ready.