Getting ready for the General Data Protection Regulation.

Make sure you have all the information you need to ensure your business is ready for the General Data Protection Regulation. Download our free whitepaper if you want to know more about GDPR regulations or scroll down if you're more interested in solutions aiding GDPR compliance.

Download free whitepaper

GDPR compliance: what you need to know before May 25, 2018

Businesses are running out of time to determine whether and how the GDPR applies to them. If it does, they will then need to implement certain changes in their IT processes to comply. Here is a checklist of the steps you need to take to ensure better GDPR compliance:

shutterstock_770638702
  • Data identification and classification tools

  • Data encryption solutions

  • Identity and access management

  • Network security and preventing data breach

  • Email security

  • Security monitoring and incident response

  • Audit trails and reporting


Quick look: GFI Software products which aid GDPR compliance

GDPR is a comprehensive legislation which covers various aspects of data protection. Using a combination of technologies and solutions will help your company better comply with GDPR and avoid unneccessary fines.

Malicious email

Next Generation Unified Threat Management (UTM)

Kerio Control
USB threats

Network security scanner with vulnerability and patch management

GFI LanGuard
Cyber attacks from the web

Server archiving for emails, files, folders and calendar entries

GFI Archiver
Cryptolocker

Active network monitoring and log data analysis

GFI EventsManager

Data breach prevention - Hardware

Kerio Control provides a secure network perimeter with comprehensive protection securing data in multiple ways (secure connections for data transfer (VPN), intrusion protection, application filtering and control, gateway antivirus, and more). Kerio Control also provides detailed and custom reporting for compliance and alerts of suspicious behavior on the network.

Ransomware damage costs
Ransomware damage costs

Data breach prevention - Hardware

Kerio Control provides a secure network perimeter with comprehensive protection securing data in multiple ways (secure connections for data transfer (VPN), intrusion protection, application filtering and control, gateway antivirus, and more). Kerio Control also provides detailed and custom reporting for compliance and alerts of suspicious behavior on the network.

Data breach prevention - Software

With GFI LanGuard you can protect data within the network by identifying vulnerabilities and ensuring all assets within the network have all security patches in place. GFI LanGuard also provides centralized analysis and auditing with detailed reporting to evaluate the level of protection on the network.

Ransomware incidents graph
Ransomware incidents graph

Data breach prevention - Software

With GFI LanGuard you can protect data within the network by identifying vulnerabilities and ensuring all assets within the network have all security patches in place. GFI LanGuard also provides centralized analysis and auditing with detailed reporting to evaluate the level of protection on the network.

Audit trails and reporting

GFI Archiver retains complete records stored in their original form in a secure, tamper-proof store for a predetermined period of time. Companies can create archiving rules and retention policies, determine access policies and use the advanced search features to quickly and easily find and retrieve data. GFI Archiver also includes audit-trail functionality that monitors database and user activity.

Ransomware damage costs
Ransomware damage costs

Audit trails and reporting

GFI Archiver retains complete records stored in their original form in a secure, tamper-proof store for a predetermined period of time. Companies can create archiving rules and retention policies, determine access policies and use the advanced search features to quickly and easily find and retrieve data. GFI Archiver also includes audit-trail functionality that monitors database and user activity.

Identity and access management

GFI EventsManager aggregates log data across the network for complete visibility of the infrastructure and compliance reporting. Additionally, GFI EventsManager can identify security and data breaches.

Ransomware incidents graph
Ransomware incidents graph

Identity and access management

GFI EventsManager aggregates log data across the network for complete visibility of the infrastructure and compliance reporting. Additionally, GFI EventsManager can identify security and data breaches.

What is the GDPR regulation?

The General Data Protection Regulation (GDPR) was passed into law by the European Union Parliament in April 2016 , with enforcement date beginning May 25, 2018. With the deadline quickly approaching, organizations are running out of time to determine whether and how the regulation applies to them and if so, how to implement changes in their IT processes that may be necessary to comply with the requirements.

The GDPR supersedes the Data Protection Directive (Directive 95/46/EC), which had been the basis of European privacy laws since 1995. Like most governmental regulations, the GDPR is a complex document and in some respects, is open to interpretation. The intent of the legislation is to protect the privacy of EU citizens and standardize the laws across all EU countries.

The good news is that organizations have many tools at their disposal to help them carry out and document the steps that must be taken to meet the GDPR requirements, from identifying the personal data that must be protected, to securing it properly, managing it effectively, and tracking its flow and where, when and by whom it is accessed. It is important to note that this regulation applies to all businesses be they small to medium sized businesses or at an enterprise level. 


GDPR impact on business

Because of the expansion of applicability mentioned above, many companies outside the EU that did not fall under the Data Protection Directive will have to comply with the GDPR. For example, “behavior monitoring” can include using cookies to profile EU citizens on websites.

Many organizations will be forced to change the way they collect, store, process and protect customers’ information. Companies who fall under the GDPR must assess their options and develop a compliance strategy. For example, you must decide whether to implement the same data protection measures for all personal data, or have separate data protection processes for EU citizens.

Some organizations will be required to appoint Data Protection Officers (DPOs). This applies to both controllers and processors when their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. It also applies to those who collect or process special categories of data or data relating to criminal convictions and offences. The DPO must be a qualified expert in data protection law and practices. The tasks of the DPO are laid out in Article 39.

The consequences of non-compliance with the GDPR can be severe; penalties vary depending on the nature of the infringement, but the maximum fine is the greater of 4% of annual global turnover or €20 million. To avoid this, companies worldwide are spending millions of dollars to meet the GDPR privacy regulations.


GDPR requirements

Before IT professionals working for controllers and processors can implement solutions that will help the organization meet GDPR requirements, it’s important to know what those requirements are. The GDPR requirements can be broken into a few broad categories, although these may also overlap. Here is our quick guide to GDPR requirements:

  • Identifying and classifying personal data

  • Implementing a governance plan for personal data

  • Establishing procedures for personal data management

    • Obtain consent prior to processing personal data (when consent is the basis for processing).

    • Provide data subjects with specific information at the time the personal data is collected.

    • Discontinue processing of personal data.

    • Restrict processing of personal data upon request.

    • Provide data subjects with a copy of their personal data upon request.

  • Protecting personal data through security measures

    • Take general and specific security measures to protect personal data.

    • Conduct testing, assessment and evaluation.

  • Notification, Records maintenance, and reporting

    • Provide notification of personal data breach to a competent supervisory authority.

    • Maintain a record of processing activities.

    • Carry out Data Protection Impact Assessments (DPIA).

What is sensitive personal data?

The GDPR’s purpose is the protection of personal data, and unlike the previous Directive, it strictly defines the term instead of leaving it up to individual EU countries to do so. The GDPR’s definition is very broad; it defines personal data as :


“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”


This includes but isn’t limited to basic identity data (name, address, phone number, ID numbers), biometric data, health and genetic data, web data (IP addresses, location, cookie information, and RFID tag data). Racial or ethnic data, sexual orientation, trade union membership, political opinions and religious beliefs are classified as special categories, or “sensitive personal data,” and are subject to additional protections. Data rendered completely anonymous so that individuals cannot be identified, directly or indirectly, is
excluded from the scope of the GDPR.


Pseudonymisation


Pseudonymous data is different from anonymous data. Pseudonymisation may be a new word for many IT professionals; it means:


“The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”


Pseudonymous data is still considered personal data, but may require lower levels of protection.


Summary

Complying with the new data protection regulations that will go into effect in May 2018 under the GDPR is a huge and complicated task. However, for organizations that collect, control and process the personal data of EU citizens, compliance is not optional.

The timeline has been established, and time is running out for companies to create a roadmap for identifying, classifying, managing, securing, and documenting the protection of such data by implementing solutions that can accomplish each of the GDPR’s requirements. 

GDPR requirements may seem daunting but using a combination of standard protocols and technologies along with features and functionalities built into your operating systems and included by the cloud provider in your cloud services, as well as third-party solutions such as those offered by GFI and Kerio, you can more easily implement measures that will help you meet the swiftly-approaching deadline for GDPR compliance.

Download FREE whitepaper

gdpr whitepaper web

Our whitepaper “Understanding and Implementing GDPR Compliance Measures” will give you a good foundation at better complying with GDPR requirements. Please note that whilst we are confident that the information contained in this whitepaper is accurate, it should only be used as guidance and not as legal advice.

Thank you for downloading our "Understanding and Implementing GDPR Compliance Measures" whitepaper.