GDPR – McAfee Blogs (https://securingtomorrow.mcafee.com), feed retrieved Wed, 13 Mar 2019 00:23:37 +0000

Privacy and Security by Design: Thoughts for Data Privacy Day
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/privacy-and-security-by-design-thoughts-for-data-privacy-day/
Mon, 28 Jan 2019 14:00:56 +0000

Data Privacy Day has particular relevance this year, as 2018 brought privacy into focus in ways other years have not. Ironically, in the same year that the European Union’s (EU) General Data Protection Regulation (GDPR) came into effect, the public also learned of glaring misuses of personal information and a continued stream of personal data breaches. Policymakers in the United States know they cannot ignore data privacy, and multiple efforts are underway: bills were introduced in Congress, draft legislation was floated, privacy principles were announced, and a National Institute of Standards and Technology (NIST) Privacy Framework and a National Telecommunications and Information Administration (NTIA) effort to develop the administration’s approach to consumer privacy are in process.

These are all positive steps forward, as revelations about widespread misuse of personal data are causing people to mistrust technology—a situation that must be remedied.

Effective consumer privacy policies and regulations are critical to the continued growth of the U.S. economy, the internet, and the many innovative technologies that rely on consumers’ personal data. Companies need clear privacy and security expectations to not only comply with the diversity of existing laws, but also to grow businesses, improve efficiencies, remain competitive, and most importantly, to encourage consumers to trust organizations and their technology.

If an organization puts the customer at the core of everything it does, as we do at McAfee, then protecting customers’ data is an essential component of doing business. Robust privacy and security solutions are fundamental to McAfee’s strategic vision, products, services, and technology solutions. Likewise, our data protection and security solutions enable our enterprise and government customers to more efficiently and effectively comply with regulatory requirements.

Our approach derives from seeing privacy and security as two sides of the same coin. You can’t have privacy without security. While you can have security without privacy, we strongly believe the two should go hand in hand.

In comments we submitted to NIST on “Developing a Privacy Framework,” we made the case for Privacy and Security by Design. This approach requires companies to consider privacy and security on the drawing board and throughout the development process for products and services going to market. It also means protecting data through a technology design that considers privacy engineering principles. This proactive approach is the most effective way to enable data protection because the data protection strategies are integrated into the technology as the product or service is created. Privacy and Security by Design encourages accountability in the development of technologies, making certain that privacy and security are foundational components of the product and service development processes.

The concept of Privacy and Security by Design is aspirational but is absolutely the best way to achieve privacy and security without end users having to think much about them. We have some recommendations for organizations to consider in designing and enforcing privacy practices.

There are several layers that should be included in the creation of privacy and data security programs:

  • Internal policies should clearly articulate what is permissible and impermissible.
  • Specific departments should specify further granularity regarding policy requirements and best practices (e.g., HR, IT, legal, and marketing will have different requirements and restrictions for the collection, use, and protection of personal data).
  • Privacy (legal and non-legal) and security professionals in the organization must have detailed documentation and process tools that streamline the implementation of the risk-based framework.
  • Ongoing organizational training regarding the importance of protecting personal data and best practices is essential to the continued success of these programs.
  • The policy requirements should be tied to the organization’s code of conduct and enforced as required when polices are violated.

Finally, an organization must have easy-to-understand external privacy and data security policies to educate the user/consumer and to drive toward informed consent to collect and share data wherever possible. The aim must be to make security and privacy ubiquitous, simple, and understood by all.

As we acknowledge Data Privacy Day this year, we hope that privacy will not only be a talking point for policymakers but that it will also result in action. Constructing and agreeing upon U.S. privacy principles through legislation or a framework will be a complicated process. We better start now because we’re already behind many other countries around the globe.

The post Privacy and Security by Design: Thoughts for Data Privacy Day appeared first on McAfee Blogs.

Creating Ripples: The Impact and Repercussions of GDPR, So Far
https://securingtomorrow.mcafee.com/business/data-security/creating-ripples-the-impact-and-repercussions-of-gdpr-so-far/
Tue, 28 Aug 2018 14:00:35 +0000

“GDPR is coming, GDPR is coming!” For months this was all we heard – everyone was discussing GDPR’s impending arrival on May 25th, 2018, and what they needed to do to prepare for the new privacy regulation. GDPR – the General Data Protection Regulation – first came to fruition on April 14th, 2016, as a replacement for the EU’s former legislation, Data Protection Directive. At its core, GDPR is designed to give EU citizens more control over their personal data. But in order for that control to be placed back in consumers’ hands, organizations have to change the way they do business. In fact, just five months after the implementation date, we’ve already seen GDPR leave an impact on companies. Let’s take a look at the ramifications that have already come to light because of GDPR, and how the effects of the legislation may continue to unfold in the future.

Even though the EU gave companies two years to ensure compliance, many waited until the last minute to act. Currently, no one has been slapped with the massive fines, but complaints are already underway. In fact, complaints have been filed against Google, Facebook, and its subsidiaries, Instagram and WhatsApp. Plus, Max Schrems’ None of Your Business (NOYB) and the French association La Quadrature du Net have been busy filing complaints all around Europe. “Data Protection officials have warned us that they will be aggressively enforcing the GDPR, and they watch the news reports. European Economic Area (EEA) residents are keenly aware of the Regulation and its requirements, and are actively filing complaints,” said Flora Garcia, McAfee’s lead privacy and security attorney, who managed our GDPR Readiness project.

However, the ramifications are not just monetary, as the regulation has already affected some organizations’ user bases, as well as customer trust. Take Facebook for example – the social network actually attributes the loss of 1 million monthly active users to GDPR, as reported in its second quarter’s earnings. Then there’s British Airways, which claims that in order to provide online customer service and remain GDPR compliant, its customers must post personal information on social media. Even newspapers’ readership has been cut down due to the legislation, as publications such as the Los Angeles Times and Chicago Tribune stopped allowing European readers access to their sites in order to avoid risk. “This is the new normal, and all companies need to be aware of their GDPR obligations. Companies outside of the EEA who handle EEA data need to know their obligations just as well as the European companies,” Garcia says.

GDPR has had tactical repercussions too; for instance, it has changed how the IT sector stores customer data and how it communicates that handling. A consumer’s ‘right to be forgotten’ means organizations have to clearly explain how a customer’s data has been removed from internal systems when they select this option, but also ensure a secure backup copy remains. GDPR also completely changes the way people view encrypting and/or anonymizing personal data.

What’s more, according to Don Elledge, guest author for Forbes, GDPR is just the tip of the iceberg when it comes to regulatory change. He states, “In 2017, at least 42 U.S. states introduced 240 bills and resolutions related to cybersecurity, more than double the number the year before.” This is largely due to the visibility of big data breaches (Equifax, Uber, etc.), which has made data protection front-page news, awakening regulators as a result. And with all the Facebook news, the Exactis breach, and the plethora of data leaks we’ve seen so far this year, 2018 is trending in the same direction. In fact, the California Consumer Privacy Act of 2018, which will go into effect January 1st, 2020, is already being called the next GDPR. Additionally, Brazil signed a Data Protection Bill in mid-August, which is inspired by GDPR, and is expected to take effect in early 2020. The principles are similar, and potential fines could near 12.9 million USD. And both China and India are currently working on data protection legislation of their own as well.

So, with GDPR already creating ripples of change and new, similar legislation coming down the pipeline, it’s important now more than ever that companies and consumers alike understand how a piece of data privacy legislation affects them. Beyond that, companies must plan accordingly so that their business can thrive while remaining compliant.

To learn more about GDPR and data protection, be sure to follow us at @McAfee and @McAfee_Business, and check out some of our helpful resources on GDPR.


The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.


The post Creating Ripples: The Impact and Repercussions of GDPR, So Far appeared first on McAfee Blogs.

Reaching GDPR: A Partner Approach
https://securingtomorrow.mcafee.com/other-blogs/mcafee-partners/reaching-gdpr-a-partner-approach/
Mon, 11 Jun 2018 16:35:58 +0000

As Raj Samani, Chief Scientist and Fellow at McAfee says, “It’s critical that businesses do everything they can to protect one of the world’s most valuable assets: data.” Whether your organization achieved compliance with General Data Protection Regulation (GDPR) by the enforcement date on May 25, or still has a way to go, data will continue to play a large and evolving role in every sector and at every company. Samani explains, “The good news is that businesses are finding that stricter data protection regulations benefit both consumers and their bottom line. However, many have short-term barriers to overcome to become compliant, for example, to reduce the time it takes to report a breach.”

With the high cost to achieve compliance standards and even steeper fines if the rules are not met, complying with GDPR can seem daunting. If your organization is still working on meeting the base level regulation, McAfee and our partners have a wide range of materials to assist, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and a site with all you need to prepare for GDPR requirements. Additionally, McAfee Skyhigh has a detailed action guide to help organizations interpret the legislation and provide guidance on actions that need to be taken regarding data in the cloud.

McAfee doesn’t work alone in our commitment to GDPR and data security. Thanks to McAfee’s Security Innovation Alliance (SIA), we can quickly and effectively help more customers protect their data. These 125+ SIA vendors are committed to working together with our integrated ecosystem to help businesses reach and maintain GDPR standards.

While reaching compliance is the important first step, going beyond the data security fundamentals will quickly become critical to every organization, from commercial to healthcare. It is important to keep in mind that complying with GDPR does not mean you will not be breached. A genuine culture of privacy needs to be created as a core value within each organization. Consumers are increasingly aware of how companies are keeping their data secure, and businesses cannot afford to lose customer confidence in relation to data security. Securing consumers’ personal data in a transparent manner can serve as a differentiating factor for any company.

As cybersecurity professionals, it is up to us at McAfee and our Partners to provide the most pertinent GDPR information to each of our customers and help instill the culture of data privacy. The advent of GDPR is the best opportunity in a generation to bring data security up to every customer’s C-Suite and introduce meaningful and lasting change in data security. Together, we can support our customers to achieve GDPR compliance and beyond!

The post Reaching GDPR: A Partner Approach appeared first on McAfee Blogs.

GDPR Planning and the Cloud
https://securingtomorrow.mcafee.com/business/cloud-security/gdpr-planning-cloud/
Mon, 16 Apr 2018 03:50:05 +0000

Data protection is on a lot of people’s minds this week. The Facebook testimony in Congress has focused attention on data privacy. Against this backdrop, IT security professionals are focused on two on-going developments: the roll-out next month of new European regulations on data (the General Data Protection Regulation, or GDPR) as well as the continued migrations of data to the public cloud.

GDPR is mostly about giving people back control over their data. Among other rights and duties, it concerns the safe handling of data, the “right to be forgotten” (one of several data subject rights), and breach reporting. But apparently it will not slow migration to the cloud.

According to a McAfee report being released today, Navigating a Cloudy Sky, nearly half of companies responding plan to increase or keep stable their investment in the public, private or hybrid cloud, and the GDPR does not appear to be a showstopper for them. Fewer than 10 percent of companies anticipate decreasing their cloud investment because of the GDPR.

Getting Help for GDPR Compliance

What is the practical impact of all this? Say your CISO is in the early stages of setting up a GDPR compliance program. In any enterprise it’s important to understand the areas of risk. The first step in managing risk is taking a deep look at where the risk areas exist.

McAfee will feature a GDPR Demo1 at the RSA conference in San Francisco this week that will help IT pros understand where to start. The demo walks conference attendees through five different GDPR compliance scenarios, at different levels of a fictional company and for different GDPR Articles, so that they can start to get a feel for GDPR procedure and see the tools which will help identify risk areas and demonstrate the capabilities for each.

Remember, with GDPR end-users are now empowered to request data that they are the subject of, and can request it be wiped away. With the latest data loss prevention software, compliance teams will be able to service these requests by exporting reports for given users, and the ability to wipe data on those users. But a lot of companies need to learn the specific procedures on compliance with GDPR rules.

GDPR could be looked at as another regulation to be complied with – but savvy companies can also look at it as a competitive advantage. Customers are increasingly asking for privacy and control. Will your business be there waiting for them?

The cloud, GDPR and customer calls for privacy are three developments that are not going away – the best stance is preparation.

1 McAfee will be in the North Hall, booth #N3801 (the “Data Protection and GDPR” booth) and also in the South Hall at the McAfee Skyhigh booth, # S1301.


The post GDPR Planning and the Cloud appeared first on McAfee Blogs.

Financial Services and GDPR: What 200 Professionals Told Us About Their Data Protection
https://securingtomorrow.mcafee.com/business/financial-services-gdpr-200-professionals-told-us-data-protection/
Thu, 12 Apr 2018 15:00:14 +0000

When the European Union’s (EU) General Data Protection Regulation (GDPR) comes into full force May 25, European citizens will receive greater privacy protection and regulators will have a strengthened authority to take action against businesses that breach the new laws. Fines of up to 4% of annual global revenue or €20 million, whichever is greater, can be levied against any organization that processes personal data of EU residents, regardless of where they are based. Stories with doomsday predictions and generous helpings of fear can be found in many publications.

McAfee recently published an executive summary of our report, Beyond GDPR: Data Residency Insights from Around the World, that focuses on responses from the 200 professionals surveyed in the financial services sector. While there remains work to be done, it’s not all doom and gloom for the financial services industry. More than one quarter (27%) of financial services firms surveyed are already set up to comply with the GDPR requirement for controllers to report a breach to the appropriate authorities within 72 hours of becoming aware of a breach, compared to just 20% of other industries. This is most likely the result of greater preparation, as the financial sector has a higher proportion of firms (28%) that have been working on compliance for three to four years, compared to the global average of just two years.

We believe that the looming threat of GDPR fines is an opportunity to communicate the seriousness of these regulations to your board and executives, and to position the firm as one that cares about personal privacy. And that could help boost the bottom line according to survey respondents – some 80% of financial services respondents believe that organizations that properly apply data protection laws will attract new customers.

Knowing what data is stored where is one of the most important steps of this data protection activity, but here are a few more that we recommend.

Step 1. Know Your Data.

Not only where it is, but what it is, why you are collecting it, and what levels of security and encryption are used to protect it. If you are collecting personal data that is not essential to your service offering, you may want to reconsider what you collect to better manage your risk of exposure, and comply with data-minimization principles.

Step 2. Enforce Encryption.

Effective encryption protects data by making it useless to hackers in the event of a data breach. Use proven encryption technologies, such as Triple Data Encryption Standard (3DES), RSA, or Advanced Encryption Standard (AES), to ensure the safe storage of both your employees’ data and your customers’ data.

Step 3. Pseudonymize personally identifiable information (PII).

Modifying data prior to processing so that it cannot be tracked back to a specific individual provides another layer of data protection. Pseudonymizing your data allows you to take advantage of Big Data and do larger scale data analysis, and is viewed as an appropriate technical and organizational measure under article 32 of the GDPR.
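As an added illustration of the pseudonymization Step 3 describes (example code written for this page, not McAfee’s own; the sample records, field names and key handling are constructed assumptions), the block replaces a direct identifier with a keyed HMAC token so that records can still be grouped for analysis while re-linking a token to a person requires a key held separately from the dataset. It also shows why an unkeyed hash is not a pseudonym: with a small guessable input space it can simply be reversed by trial.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records standing in for a customer table (no real people).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "country": "DE", "amount": 120.0},
    {"email": "bob@example.com", "country": "FR", "amount": 75.5},
    {"email": "alice@example.com", "country": "DE", "amount": 30.0},
    {"email": "carol@example.com", "country": "DE", "amount": 210.0},
]

# Fields that directly identify a person and must not reach the analysis dataset.
DIRECT_IDENTIFIERS = ("email",)


def new_pseudonymization_key() -> bytes:
    """Secret key that must live apart from the pseudonymized data (assumed to be
    held in a KMS/HSM in production). Holders of the key can re-link tokens to
    subjects; everyone else sees only opaque tokens."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed, deterministic token: same key + same identifier -> same token, so
    one subject's records can still be grouped. Input is normalized so that
    'Alice@Example.com ' and 'alice@example.com' map to the same token."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Return copies of the records with every direct identifier replaced by its
    token; analytic fields (country, amount) are kept as they are."""
    out = []
    for rec in records:
        new_rec = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in new_rec:
                new_rec[field] = pseudonym(key, new_rec[field])
        out.append(new_rec)
    return out


def spend_per_subject(pseudonymized_records):
    """Aggregate analysis that never needs the raw identifier: totals per token."""
    totals = Counter()
    for rec in pseudonymized_records:
        totals[rec["email"]] += rec["amount"]
    return dict(totals)


def bare_sha256(identifier: str) -> str:
    """An unkeyed hash of the identifier, the 'pseudonym' many systems wrongly use."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def recover_from_unkeyed_hash(candidates, target_hash: str):
    """Why a bare hash is not pseudonymization: anyone with a list of plausible
    identifiers can hash each guess and compare. Returns the matching value or None.
    The same loop fails against HMAC tokens without the key."""
    for cand in candidates:
        if bare_sha256(cand) == target_hash:
            return cand
    return None


if __name__ == "__main__":
    key = new_pseudonymization_key()
    tokens = pseudonymize(SAMPLE_RECORDS, key)
    for rec in tokens:
        print(rec)
    print(spend_per_subject(tokens))
```

The key, not the hash function, is what separates "pseudonymized" from merely "obfuscated": losing control of the key (or never using one) collapses the protection.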

Step 4. Get Executive Management Involved.

The necessary changes to your data storage, monitoring, management, and security systems can require more human and financial resources than are currently budgeted. The potential of significant fines is an excellent opportunity to get the required support from the highest levels of your organization.

Step 5. Appoint a Project Owner.

Staying compliant with various data protection laws is not something that can be done by an IT staffer in their spare time. Consider appointing a data protection officer or equivalent, to take ownership of both implementation and ongoing management of this project. A data protection officer may be required in any event, depending on the nature of the processing carried out.

Step 6. Review Data Security with Cloud Vendors.

With cloud computing and storage touching most business processes in some fashion, consider conducting an audit of all your vendors’ systems, procedures, and contracts, and the data that they are handling and storing on your behalf. After all, each organization will be held responsible for meeting the GDPR requirements.

Step 7. Foster a Security-Aware Culture.

Human errors are often responsible for data and security breaches. It doesn’t matter that your business follows the strictest security protocols; one error made by one uninformed person could lead to irreparable damages. Consider making sure that all your employees and contractors receive proper and regular training on data security and the handling of customer information.

Step 8. Have a Response Plan.

No system is 100% bulletproof. You need an incident response plan in place to make sure that you can recover as quickly as possible in the event of a data breach. Under GDPR law, you are required as a controller to alert the appropriate authorities within 72 hours of becoming aware of a data breach, and you also need to notify any individuals whose personal data has been compromised.

Step 9. Go with a Privacy by Design Approach.

The GDPR places a requirement on organizations to take into account data privacy during the design stages of all projects. Companies will want to consider data-protection technologies such as data loss prevention (DLP) and cloud data protection (CASB) from the very beginning of development. Implement data-protection policies that help prevent both accidental and malicious data theft by insiders and cybercriminals, regardless of where the data resides.

While no one can guarantee that you will not suffer a data loss, following these steps will help you understand where you stand, identify any gaps, and improve your organization’s responsiveness. Loss of customer confidence was the most common concern of financial services organizations (64%), and rapid containment and response is one of the best ways to protect your firm’s valuable reputation. So keep calm, and prepare for GDPR.

Read the full report, Beyond GDPR: Data Residency Insights from Around the World, and learn more about the top data-protection concerns and strategies of more than 800 senior business professionals from eight countries and a range of industries.


The post Financial Services and GDPR: What 200 Professionals Told Us About Their Data Protection appeared first on McAfee Blogs.

The Tortoise and The Hare Part II: May 25th is a Friday, or Great Data Protection Rocks even after Memorial Day
https://securingtomorrow.mcafee.com/business/tortoise-hare-part-ii-may-25th-friday-great-data-protection-rocks-even-memorial-day/
Thu, 29 Mar 2018 17:00:31 +0000

At one point in my career, I was responsible for launching massive websites. We’d talk about when and how we flip the switch to launch the new website. At least once during every project someone would ask me who got to flip the switch, as though we would have a dignitary (or them?) do it. But depending on the year, the flipping on of a website was handled through technology and not very dramatic and not with the fanfare the non-technologists hoped for. (Dimming lights? Fireworks? It was New York and it was publishing, so there was often beer and wine and maybe T-shirts after, but everyone went home and slept.)

And now we have May 25th coming around the corner. The other day, I got a picture in a text from a colleague of a can of sardines.  It took me a minute to realize the expiration was May 25.  So, other than the sardines, what happens?  Are we done?

First the bad news:  We won’t ever be done.  GDPR requires constant diligence for its principles, recurring reviews of the processes we’ve built; ongoing use of Data Processing Impact Assessments; vigilance on how we process, store, transfer, use personal data; communications with our customers; new contractual language and new things to negotiate; ongoing discussions around security and what is appropriate.  And of course, the biggest question: What will the data regulators do?  Will there be an immediate fine? (My bet is no.)

But now the good news: If you’ve been doing this right and have managed to focus on the concepts of Great Data Protection Rocks and a culture of security, the following things may have happened:

  • You have a much better idea of what data you have, where it is stored, who can get to it, and how it gets used. Hopefully you have deleted some data and have additional automated processes to delete data when it ceases to be needed.
  • You have processes in place to replace things that were being done on the fly. Maybe there’s some documentation and someone officially designated to help with the processes.
  • You know who your vendors are, and more about your high-risk and cloud vendors.
  • You have determined what needs securing and made sure you are securing it “appropriately.”
  • You’ve got a team of people who understand data protection and GDPR – maybe some new friends and some new project partners. A few of them may not have bought in completely (the people who were “voluntold” to help), but just wait. Something often seems to happen in the doubter’s personal life that makes them get it – and big time. Real examples: a mortgage application reveals massive identity theft that needs to be fixed or they lose the house; a soccer coach sends a kid’s medical condition info to the whole team’s parents; an intern (not at McAfee!) sends a spreadsheet of fraternity members’ contact info that also contained everyone’s grade-point average.

Perhaps most importantly, your company now has momentum around doing the right thing regarding data protection.  And May 25th will come – too soon, not soon enough, or both! – and the lights won’t dim but there might be T-shirts.

It would be easy to forget GDPR’s lessons. In the United States, Monday, May 28th, is Memorial Day, and we pull out summer clothes, take off to mark the start of summer, and remember our heroes.  But on that Monday and Tuesday and every day after, Great Data Protection will still Rock, and we will still need to look at data, how it’s used, and how our culture can protect it. Just maybe throw out the sardines if they don’t get eaten beforehand (or leave them on the doubter’s desk as a joke).

The Tortoise and the Hare of GDPR, Part I: Don’t Panic (Thu, 15 Mar 2018) https://securingtomorrow.mcafee.com/business/data-security/tortoise-hare-gdpr-part-dont-panic/

In preparation for May 25, data-driven companies (and really, that’s most of us) have started doing business differently, bracing for the enforcement date of the General Data Protection Regulation (GDPR). And all companies with customers and employees who are residents of the European Union should be handling personal data carefully after that: Violations can result in fines of up to 4% of annual global revenues or €20 million (whichever is greater).

When we reached the milestone of 100 days until May 25, one of our McAfee legal interns put up a countdown clock on an internal website. Lots of words have been spent on hair-on-fire, panic mode fretting about the fines – and anyone who tells you that they know exactly what to do to avoid getting fined is selling you a false promise.

As we get to this homestretch, I think it’s important to pause a minute and make sure we are looking at the forest as well as the trees. GDPR doesn’t tell us to encrypt this but not that, but it does tell us we need a cultural change around data protection. An attitude of Great Data Protection Rocks (GDPR – get it?) works together with McAfee’s concept of a culture of security to introduce better and constantly improving practices.

But the 100 days are flying by, and things aren’t perfect – what to do? First, take a deep breath; you can’t get anything done if you’ve fainted. Second, remind yourself of the strategic principles and the core intent of the GDPR: honoring the fundamental rights of the data subject to have control over their information and to have it properly cared for when it is outside their control. Questions to ask your organization include:

  • Is there a current data-loss prevention project in place or planned for this year? Data-loss prevention too often gets thought of as a security project, but the best implementations have security folks partnering with privacy and legal team members as well as business stakeholders.
  • Does your cloud service provider have a privacy policy? Do you know who your cloud providers are, even?  The cloud-hosting providers like AWS and Azure are obviously to be considered, and don’t forget Box and Google Drive and other file storage, but you also need to consider the human resources applications, the recruiting vendors, and the other companies that help support your businesses from the cloud.
  • What key security and business processes should be reviewed for applicability and current state of capability? Mo Cashman reminds us to stop and define “key.” This is the sort of soul-searching that every company needs to do for itself, making hard decisions (that you should check back on) as to what is most important.

There are a lot of things I like about Mo’s series, including the calm tone, but what I like most is that it basically says if you aren’t sure what to do, start somewhere, and here are some ideas that will help you with the larger picture.  Some folks with lots of resources (and yes, the Data Protection authorities) might be horrified that some places haven’t started on GDPR compliance, but this is a journey and we all have different starting points.  I bump into a lot of people who are still finding their way in the GDPR fog when I get outside McAfee.

And even for those of us who have been working on GDPR readiness for a long time (and it feels like a really long time to me right now – I’m much more of a hare), we must think about the long haul. Changing culture takes time, and it’s a big shift to a culture of security and data protection for many organizations. We need champions, new language, new processes, new policies, and procedures. If we keep breathing and keep thinking about the big picture, and keep working together on the hard questions, we’ll get there.

You can find much more free GDPR educational material on our website.

The GDPR Basics: What Consumers Need to Know (Fri, 02 Feb 2018) https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/gdpr-basics/

To ensure all companies are being held responsible for the way they handle consumer data, the European Union took action and created something called the General Data Protection Regulation (GDPR). Passed in April of 2016, GDPR was created to protect the personal data handled by companies – but what exactly does GDPR entail for consumers? Let’s take a look.

What companies do with consumer data has always been a hot topic – and becomes hotter after every security breach, when consumers learn more about what can go wrong with their data and worry about the implications of their personal information being in the wrong people’s hands. In the United States, most states and several cities now have laws about data breaches, and many have laws regarding some form of consumer data protection. Europe has had a data protection law covering its residents for more than twenty years.

But the past twenty years have seen lots of changes in technology and in the way data can help consumers, so the European Union has refreshed the former law – the Data Protection Directive – with a more robust law, the General Data Protection Regulation (GDPR). But what exactly does GDPR entail for consumers? Let’s take a look. 

What is GDPR?

The General Data Protection Regulation (GDPR) updates EU law to account for the internet, e-commerce, online advertising, and the increase in data-driven marketing. Many of the provisions of the prior law are restated in the GDPR, but now companies face tougher fines for non-compliance. The new Regulation also requires companies to report breaches to their regulators and often to consumers, and allows people to ask the companies they work for, or do business with, what they do with their data. Replacing the Data Protection Directive, GDPR is more of an evolution of existing rules than a revolution, but it brings in important changes and reduces the number of country-specific laws that will be allowed. These changes have been introduced because of the changing nature of the world we live in, the volume and prevalence of data, and the value of personal data in an increasingly connected world.

Who Does It Affect?

With enforcement of the Regulation starting on May 25th, 2018, it’s important to know what this legislation specifically impacts. The scope of “personal data” is broad, ranging from online identifiers such as IP addresses to social identities, in addition to the usual names and contact information (both personal and work, in the EU); basically, GDPR will cover anything that can be traced back to you as a specific individual, aiming to better enforce the protection of personal data as a basic human right. It protects the data of EU residents – in fact, it is irrelevant where in the world a company collecting data is based, as long as it has EU customers. GDPR places a requirement on companies to “implement appropriate technical and organizational” measures to ensure the security of the personal data.

The Regulation requires companies to look at how they collect and store consumer data, keep records of certain kinds of consent, and be transparent about how they use personal data.  The Regulation allows EU residents to ask companies questions about how their data was obtained, to opt out of marketing, and – in some cases – to ask that their data be deleted.

How to Prepare for It

With GDPR enforcement fast approaching, the most important thing both companies and European Union consumers can do is be educated and prepared. Companies have to review their practices and make sure they are complying with the Regulation. Consumers need to know their rights and how GDPR will enable them to ask questions about what happens to their personal data. They’ll likely see more “consent” requests attached to any data collection – and notices about data breaches. But like any new law, the true meaning of the GDPR regarding consumer data may take years of court cases to truly unravel.

Stay on top of the latest consumer and security news by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

GDPR: Great Data Protection Rocks – Especially on Data Privacy Day (Thu, 25 Jan 2018) https://securingtomorrow.mcafee.com/business/gdpr-great-data-protection-rocks-especially-data-privacy-day/

International Data Privacy Day might seem like an odd holiday, especially for businesses to observe. That’s what we thought about Earth Day, launched in 1970, and today companies around the world announce their public support every year. International Data Privacy Day marks the day – back in 1981 — that the Council of Europe recognized the importance of the right to privacy with a treaty. *

This Data Privacy Day, Jan. 28, finds Europe looking ahead to major new privacy rules in the form of the General Data Protection Regulation (GDPR), to be enforced starting on May 25. And this has given us an opportunity to address privacy the way we have come to respect environmentalism. It’s everywhere, it’s everyone’s business, and it’s good business.

As I have worked to ready McAfee for GDPR, one thing I have learned is that it truly takes everyone to focus on the protection of data. I’ve been privileged to meet and work with hundreds of my McAfee colleagues to sort out what being GDPR-prepared means to us, from security architects, lab folks, and the product teams to great messaging people. It takes a city, not just a village, to get ready for GDPR.

This year, most data protection professionals will celebrate Data Privacy Day on Thursday, January 25th, just four months before the official enforcement date for GDPR.  One of my favorite things to come out of the many conversations about GDPR is a new slogan: Great Data Protection Rocks.  The slogan, compliments of our senior writer Jeff Elder, captures my thoughts perfectly — Great Data Protection is not just good digital hygiene and good technological maintenance. It’s an admirable, even cool, ideal, and it’s part of McAfee’s Culture of Security, described by chief executive Chris Young in December in New York. “Ten years ago, if I were to ask a CEO about cybersecurity, he might say, ‘Yeah, I’ve got some guy in IT that’s working on this.’ Now everybody cares and I think that’s going to make a big difference,” Chris told CNBC’s Jim Cramer.

He’s right: Security in general and data protection are not big, monolithic initiatives achieved with one initiative, but rather require the whole city to have a Culture of Security – and you don’t get that by writing checks, or by formulating one list of best practices. We won’t be washing our hands of data protection and putting a bow on top on Data Privacy Day, on May 25 when GDPR goes into effect, or ever. If that sounds ominous, you may be looking at it the wrong way.

My colleague Mo Cashman, Director of Sales Engineering and Principal Engineer, lays out the journey to real culture change: “First think of security strategy in terms of governance, people, processes and technology. Then consider the security outcomes you need to be GDPR-ready, and the relevant solutions.”

Great Data Protection means all of us being advocates for good practices. It means making sure you know where you are putting your data, and knowing what protections exist when you use cloud applications… It means saying no to an organization that wants to bypass privacy, security, or vendor practices and do a quick-and-dirty connection to your database or even your brand’s social media accounts. That’s not cool. It’s the equivalent of your company disposing of waste in environmentally harmful ways.

It’s also bad business because winging it every time you handle data is a waste of time and energy. Nailing down good practices that everyone can adhere to every time is economical in many ways. Making that effort a real and admirable value of your company is a beautiful thing.

I confess to being a bit of an International Privacy Day geek (my mother has it written on her calendar and calls and wishes me a happy day).  I generally get a cake and try to touch base with far-flung data protection colleagues.  But the early companies that embraced Earth Day look good now. If Great Data Protection Rocks seemed a little dorky in 2017, I’m good with that. We’ll keep your data safe until you come around.

For additional information about GDPR please visit our Solutions Page, or join in on the conversation by following @McAfee or @McAfee_Business on Twitter.

* The treaty, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, anticipated the cross-border transfers of data that we take for granted now.
