Tag Archives: gdpr

From 1980 to 2018: How We Got to the GDPR

In 1980, the Organization for Economic Cooperation and Development, or OECD, established frameworks to protect privacy and personal data. From then until now, we have experienced several profound changes in legislation, notably the EU Data Protection Directive. Now in 2018, the General Data Protection Regulation, or GDPR, will begin to take on its true value, as May of this year will be when the adaptation period will be over.

The first moves toward a data protection law

The development of the OECD Guidelines, stemming from the need to adapt the already obsolete OEEC, was the first step to committing the thirty-five participating countries to mutual respect and clarity in the transfer of information.

As the importance of the Internet and data grew and became global, the OECD guidelines established the first comprehensive personal data protection system in all its member states.

These guidelines were based on eight principles to ensure that the interested party was notified when their data were collected; that this data was used for the stated purpose and for nothing else; that, in addition, these purposes were defined at the time of collection; that your data would not be disclosed without your consent; that the data record be kept secure; that the interested party be informed of everything; that they could access their data and make corrections; and, finally, that the interested party had at their disposal a method to hold the data recorder accountable for not following said principles.

And then came the data protection framework

In 1995, it was time to update the regulation of personal data and its management. Directive 95/46/EC of the European Union, also known as DPD, or Data Protection Directive, was a step forward that included the eight OECD guidelines and extended the application in a context where privacy was much more important.

But the fundamental change was in the legal section. Specifically, the OECD guidelines consisted of the Council’s recommendations regarding the guidelines that govern the protection of privacy and the cross-border flow of personal data and, therefore, non-binding.

Directive 95/46/EC changed this aspect, providing more concise definitions and specific areas of application. Although the directive itself is not binding for citizens, the member states had to transpose the local directives before 1998. This modification was also intended to create an administrative homogeneity and an equal legal framework for all member states.

Adopting the GDPR

Despite the considerable efforts involved in the implementation of the Data Protection Directive, in just a decade the progress proved to be insufficient. One of the main criticisms of the previous directive was the limited control of the interested parties over their data, which includes their transfer outside the European area.

This directly involves multinationals and large companies that were able to take advantage of the deficient framework of the previous directive for their own interests. To resolve this, in 2016 the adoption of the General Data Protection Regulation, or GDPR, was approved.

Since then, and until May 2018, everyone has had time to adapt to the regulations. The most remarkable thing about the GDPR is that, unlike the previous directives, it does not require local legislation, homogenizing, once and for all, legislation regarding protection within the member states and companies that work with EU citizens’ information, inside and outside of this region.

Is your company ready?

The European Union foresees that the application of the GDPR will suppose sanctions of up to twenty million euros or 4% of turnover of the previous period for non-compliance. Now that we are in the final stretch, it is convenient to determine whether our company is prepared to meet the challenges.

All companies that collect and store the personal data of their employees, customers and suppliers residing in the EU are affected. This is important if we take into account that 80% of the data handled by the organizations is unstructured.

The increase of confidential data stored in an array of databases puts protection in the spotlight. Cyberattacks could lead to a serious sanction. Good practices in Data Security Governance are the key to mitigating these risks and ensuring compliance.

Luckily we have tools such as Panda Adaptive Defense and Panda Adaptive Defense 360, which have a Data Control module to help with such tasks. This tool is specialized in simplifying the management of this personal data since it discovers, audits and monitors in real time the complete life cycle of these files. And do not forget that keeping up with the GDPR is an active and meticulous process, but one which can be simplified and automated if with the right help. Don’t wait until May!

The post From 1980 to 2018: How We Got to the GDPR appeared first on Panda Security Mediacenter.

Read More

Debunking the Myths of the GDPR, Pt. 2

The date is approaching when the new GDPR (General Data Protection Regulation) will replace the 1995 data protection legislation and, as time passes, its application is taking relevance in the conversations of security experts and responsible for all the companies. Remember that the GDPR will help strengthen the protection of the user’s fundamental rights in the online environment and will give them back control of their personal information. Therefore, companies must be prepared to adopt mandatory measures.

We’ve already explained the fundamental changes to the legislation. We also went over some of the most widespread myths regarding the GDPR: its scope of application, the timeframe for reporting incidents, or requirements related to data encryption. Today we are going to analyze more myths that enshroud this new regulation.

Myth number 4: “The personal data already contained in our database is not subject to the GDPR”

One of the most overwhelming issues for companies is the massive amount of information they already have in their possession. Does the new legislation apply to these databases collected before its entry into force? The answer is, “Yes. Definitely.” All user data of a personal nature must comply with the regulation, regardless of the date of collection of said data. The only exception to this rule is in the case of deceased persons, since in this case the regulation would not apply to their personal data.

Myth number 5: “The data is stored by my cloud provider, so the GDPR is their problem, not mine”

Some have contended that since companies that use third party cloud storage are not technically responsible for directly storing data, we are not responsible for applying the measures imposed by the GDPR. However, whenever you deal with a user’s information, you will most likely fall into the controller or processor category. If you hire an external company to store the data, your company would become the controller, or controller and processor, while the cloud service would be solely in a processor role. But both are within the scope of the new regulation. So even if the controller uses a third-party service to store their data, it will still be responsible for complying with the GDPR.

Myth number 6: “The GDPR is restricted to personal identification information”

It is advisable to take extra precautions when approaching the changes indicated by the GDPR. That’s because, to date, the definition of what we consider to be personally identifiable data has fallen short. As the GDPR explains, the EU has substantially expanded this definition of personal data to efficiently reflect the types of data that is ordinarily collected. The new regulation expands the definition to include online identifiers or even IP addresses, since these are now considered to be personal data. Other data, such as economic, cultural, genetic or mental health information, are also considered to be personally identifiable information.

Panda Security can help you make the change

The GDPR will bring along with it a series of profound changes in the way a company operates. To help get things up and running, Panda Security has prepared this “Preparation Guide to the New European General Data Protection Regulation”. We respond to important issues related to the GDPR, such as: how does it affect my business? What obligations does this regulation require? What happens if I do not comply with these obligations?

We also work on solutions, so that the data and systems remain completely safe and in full compliance with the GDPR. For example, Adaptive Defense, with its state-of-the-art protection tools (NG EPP) and detection and remediation technologies (EDR), serves as a critical means of ensuring compliance. The GDPR is not to be underestimated, and understanding its finer points will be a differentiating factor in every sector that handles personal data.

The post Debunking the Myths of the GDPR, Pt. 2 appeared first on Panda Security Mediacenter.

Read More

Debunking the Myths of the GDPR

The GDPR (General Data Protection Regulation) is a hot topic among experts in cybersecurity and privacy. For consumers, the GDPR will strengthen the protection of basic rights on the internet and give control of personal data back to the user. But what does this mean for companies?

As the date for its entry into force approaches, and having explained the most important changes the regulation will bring about, in this article we will have a look at some of the myths surrounding the GDPR.

Myth 1: “The GDPR only affects companies in the European Union”

This is far from being the truth. The GDPR rules will apply to all companies that offer goods or services to people from the EU, regardless of where their offices or servers are located. Therefore, the GDPR applies to all companies that process information from EU citizens, making this the first global data protection law. For example, if an EU citizen uses a US-based social network, makes an ecommerce transaction in Japan, or uses an Argentinian platform for vacation rentals, all those companies must comply with the GDPR.

Myth 2: “All security incidents must be reported within 72 hours”

This is one of the most widespread myths and has been accepted as a general rule, but there is some nuance to it. First, only personal data leaks need to be reported — it is not required in the case of security incidents or data breaches that do not involve personal data. This means that any breach that affects the confidentiality or integrity of personal information must be reported.

Moreover, the countdown for the 72 hour deadline does not start when the incident occurs, but rather when the company becomes aware that it has suffered a personal data breach. If for some reason it is not possible to report the breach to the authorities within this time period, the limit can be extended provided that the organization justifies the delay.

Myth 3: “All data must be encrypted in order to be in compliance with the GDPR”

This is false for several reasons. The GDPR requires that measures be implemented to provide an appropriate level of security, based on an assessment of the risk involved in any action that requires, for example, the processing or storage of personal data.

Although encryption is a recommended measure, it is not a must. Everything depends on the risks associated with not encrypting said personal data. Thus, in the case of sensitive data, such as patient medical information, the GDPR recommends encryption and other robust security measures, such as secure algorithms.

Panda Security Can Help Ease the Transition

These are just three of the myths shrouding a regulation that will mark a before and after in the protection of personal data. To help all types of companies adapt and comply with the GDPR, at Panda we have prepared the “Preparation Guide to the New European General Data Protection Regulation”. In this guide, we respond to major issues related to the GDPR: How does it affect my business? What obligations does this regulation bring about? What happens if I do not comply with these obligations?

With this whitepaper, and using tools included in our Adaptive Defense solution, Panda can help meet the requirements imposed by the new regulation. Although the law will not come into effect until 2018, it is vital to understand the implications of the GDPR and to implement a plan of action.

The post Debunking the Myths of the GDPR appeared first on Panda Security Mediacenter.

Read More

GDPR offers new protections for young adults


From May 2018, a new data protection law – the General Data Protection Regulation (GDPR) – will come into force, designed to better protect the privacy of European citizens. GDPR gives consumers a number of rights over the personal data that companies collect, and forces those businesses to better protect the information too.

If a company does breach the GDPR, penalties can be quite severe. For the most serious incidents, fines could reach €20m, or 4% of their global revenue. For a company the size of Google or Apple, that may be billions of Euros.

Here’s what GDPR will mean for young people.

A right to be forgotten

Modern companies collect a lot of personal data that is used to help them design new products and services, and to create marketing messages tailored to your preferences. Under existing laws, this data can be held almost indefinitely so long as it is used properly.

The new law gives back control of personal data to the individual. Under GDPR you will have the right to contact any company and ask them to delete any of your personal data that they hold. The company then has 30 days to remove all trace of you from their systems.

Say you decide to leave Facebook. Currently you can “delete” your account, but all the posts and photographs you’ve ever uploaded are kept (and used) by Facebook – it’s just not publicly available. Once GDPR comes into force, you can ask Facebook to delete this “invisible” data too, leaving no trace you were ever a member.

Marketing opt-out

Typically, websites do offer an opt-out for marketing telephone calls and emails when you register. Hidden away at the bottom of the sign-up form will be some checkboxes that need to be ticked or unticked to indicate you don’t want to receive advertising.

Sometimes simply accepting the Terms of Service (the long, legally complex page that most people don’t read) is accepted as confirmation that you do want to receive sales calls. Your consent is implied by the company.

GDPR demands that consumers give explicit consent to having their personal data used for marketing. If you don’t click the relevant permissions box, the company cannot contact you for sales purposes.

Deleting childhood social media posts

Although GDPR is being implemented by every EU member, each state is permitted to make additions to the regulation. In the UK, young people will gain an additional right. From May next year they will be permitted to ask social networks like Facebook, Twitter and Instagram to delete any updates posted before their 18th birthday.

Because many young people share inappropriate content without fully thinking through the implications, they may be making it harder to find a job. This is certainly the case where employers routinely check the social media history of applicants.

With the right to request these embarrassing/rude/stupid be removed, young adults may be spared their blushes – at least when it comes to what they do outside the office in the evenings.

Obviously teenagers and young adults should still be trained to use social media properly, but GDPR offers one final chance to remove their most embarrassing and immature thoughts from the public arena.

The post GDPR offers new protections for young adults appeared first on Panda Security Mediacenter.

Read More

The Three Primary Regulatory Changes of the GDPR

The recent increase in number and impact in cyberattacks to steal information has made it necessary to change the legislation on data protection in Europe. The GDPR (General Data Protection Regulation), which will be implemented in May 2018, aims to protect the data of European citizens and monitor how organizations process, store and use this data. Broadly speaking, with this new regulation, the European Commission has sought to give Europeans control over their data, removing the ambiguities of the previous legislation (dating back to 1995), as well as to unify the specific legislation of each country.

What changes with this new regulation?

The GDPR contains almost 100 articles which, in short, guarantee access to data for individuals and detail in clearer terms the responsibility companies will bear. Here are the main changes from previous regulation that the GDPR will bring about:

  • Scope of the regulation: The GDPR affects all organizations that store EU citizen data, even if they do not have a physical presence in Europe.
  • Obtaining explicit consent: Organizations have an obligation to obtain explicit and active consent from the individual following a fully transparent explanation of how the data will be treated (processing, storage or use of data). It is no longer enough to inform the user, but the person must actively express their agreement.
  • Right of access: all citizens will have the right to obtain confirmation of whether or not a company is using their personal data. If so, they have the right to access this data and the organization will be required to provide a copy, as well as explain the purposes of the data processing, the criteria used, and the time frame of its storage. The GDPR also includes the right to rectify the data.
  • Right to be forgotten: this is probably the most salient of the rights included in the new regulation. This article allows the user to request the erasure of their personal data for various reasons: if the data is no longer necessary for the purpose for which it was collected, if the consent has been withdrawn, if the data was obtained in an illegal way, etc.
  • Right of portability: the user will have the right to request that the organization that stores their personal data provide a copy or transfer this data to another organization.
  • Company responsibility: in general terms, the responsibilities of companies and institutions have been compounded with the GDPR. Organizations will be required to implement monitoring systems, document the procedures for collecting, storing and using personal data (in companies of more than 250 employees), reporting any breaches of security or attack to the authorities within 72 hours, and even hire a data protection officer (DPO) in companies that handle large amounts of sensitive information.

What can companies do to be prepared?

  • Protect the data. It may seem obvious, but this is the basis of any adaptation plan to the GDPR: it is necessary to actively reinforce information security throughout the life cycle of the data you store. To help companies in this process, Panda Security offers Adaptive Defense, which includes the tools necessary to implement these prevention measures.
  • Implement an explicit consent program for clients. With the new regulations, all companies will have to offer their customers the option to actively express their consent for the treatment and use of their data.
  • Develop an action plan. To avoid being overwhelmed by the application of the GDPR, the first thing is to have a plan, starting with an analysis of the current situation of the company in terms of obtaining, processing, storing and using personal data. In our “Preparation Guide to the New European General Data Protection Regulation”, we offer some useful guidelines for making the transition to GDPR compliance.

The post The Three Primary Regulatory Changes of the GDPR appeared first on Panda Security Mediacenter.

Read More