In this blog post we will provide you with an overview of the different aspects of the General Data Protection Regulation, as well as how Sweepatic can help your organization to comply before the enforcement day and stay compliant afterwards. Let's get started!
On the by now historic day of 14 April 2016, the EU Parliament approved the GDPR. Its enforcement date is 25 May 2018, so companies in non-compliance should brace themselves: heavy fines (up to €20M or 4% of total worldwide annual turnover) are coming.
The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business on an EU level. That’s all nice and good - but the question really is:
What does your company need to do?
By consulting the official website of the European Commission, we summarized the major aspects in the section below. Additionally, we added how Sweepatic managed solutions can help you comply going forward.
GDPR Key Aspects
Communication: "Use plain language. Tell them [the users] who you are when you request the data. Say why you are processing their data, how long it will be stored and who receives it."
Consent: "Get their clear consent to process the data. Collecting from children for social media? Check age limit for parental consent."
Access and portability:
"Let people access their data in order to use it with another company."
"Inform people of data breaches if there is a serious risk to them."
"Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research."
"If you use profiling to process applications for legally-binding agreements like loans you must:
- Inform your customers.
- Make sure you have a person, not a machine, checking the process if the application ends in a refusal.
- Offer the applicant the right to contest the decision."
"Give people the right to opt out of direct marketing that uses their data."
Safeguarding sensitive data:
"Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs."
Data transfer outside the EU:
"Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities."
GDPR compliance covers many different puzzle pieces. Companies usually need support from several third parties to be sure they have covered every aspect. Find out more on the official EU Commission website or check out our short overview of the aspects Sweepatic can cover for you.
Where Sweepatic can help
The company must take appropriate measures to minimise the risk of disclosure of personal data. (Article 32, GDPR)
In this context, metadata represents a major risk, considering the large volume of unauthorised, potentially sensitive information that leaks through the metadata of files. Breaches can be fueled by such publicly available metadata, as cyber attackers use it to build context around their spear phishing targets. This increases the underlying risk and forces companies to assess their security exposure at appropriate times.
In order to dig deeper, you could read our blog post on the dangers of Metadata, or you can check out our Sweepatic solutions.
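To make the metadata risk concrete, here is an added example (not Sweepatic's code) of a pre-publication check over a PDF's /Info dictionary: it flags the kinds of fields listed later in this post (user names, e-mail addresses, local file paths, software versions) and blanks the offending values. The sample document is a constructed minimal PDF; the regex-based parser assumes metadata is stored as literal strings in /Info, which is the simplest case.

```python
import re
from typing import Dict, List

# Constructed sample: a minimal PDF skeleton whose /Info dictionary carries typical leaks.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Title (Q3 budget) /Author (jdoe) /Creator (Microsoft Word 2016)
/Producer (Acrobat Distiller 9.0) /Subject (C:\Users\jdoe\Documents\budget.docx)
/Keywords (jdoe@example.com) >> endobj
trailer << /Info 3 0 R >>
%%EOF"""

INFO_REF_RE = re.compile(rb"/Info\s+(\d+)\s+0\s+R")          # trailer reference to the Info object
ENTRY_RE = re.compile(rb"/(\w+)\s*\(([^)]*)\)")              # /Key (literal string) pairs
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/home/|/Users/|\\\\)")  # drive letter, *nix home dirs, UNC share
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")
USER_KEYS = {"Author", "LastModifiedBy"}    # fields that normally carry an account or user name
SOFTWARE_KEYS = {"Creator", "Producer"}     # fields that normally carry the producing software

def parse_info_dict(pdf: bytes) -> Dict[str, str]:
    """Return the literal-string entries of the document's /Info dictionary (empty if none)."""
    ref = INFO_REF_RE.search(pdf)
    if not ref:
        return {}
    obj_re = re.compile(rb"\b" + ref.group(1) + rb"\s+0\s+obj\s*<<(.*?)>>\s*endobj", re.S)
    obj = obj_re.search(pdf)
    if not obj:
        return {}
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in ENTRY_RE.findall(obj.group(1))}

def find_leaks(info: Dict[str, str]) -> List[str]:
    """Flag metadata fields whose content would expose PII, paths or software versions."""
    findings = []
    for key, value in info.items():
        if EMAIL_RE.search(value):
            findings.append(f"{key}: e-mail address")
        if PATH_RE.search(value):
            findings.append(f"{key}: file path")
        if key in USER_KEYS and value.strip():
            findings.append(f"{key}: user name")
        if key in SOFTWARE_KEYS and VERSION_RE.search(value):
            findings.append(f"{key}: software version")
    return findings

def scrub_info(pdf: bytes, keys: List[str]) -> bytes:
    """Blank the literal-string value of each named /Info key before the file is published."""
    for key in keys:
        pdf = re.sub(rb"/" + key.encode() + rb"\s*\([^)]*\)", b"/" + key.encode() + b" ()", pdf)
    return pdf
```

Real-world files also keep metadata in XMP streams and may hex-encode strings, so for production use a dedicated tool such as exiftool rather than this regex parser.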
Data Protection Impact Assessment:
In certain cases one must proceed to a Data Protection Impact Assessment for which, by means of technical controls, risks must be assessed and corrective measures must be proposed. (Article 35, GDPR)
With our managed reconnaissance solutions, we are able to map out your external data and the associated risks connected to the digital footprint of your organization, including (of course) your metadata exposure presented in a sectoral context (i.e. the Sweepatic benchmark report).
The company must prove it is not liable for an inflicted breach. To refute that liability it must prove, with evidence, that there is no presumption of liability. If users can prove their personal data leaked online (e.g. through metadata), they will have a strong case to recover damages from that company. (Article 82, GDPR)
So you had better start to understand your dynamic digital footprint and how exposed and revealing it is, right?
By activating the managed Sweepatic reconnaissance solutions for your organization’s digital footprint, you will be enabled with a simple way to identify and neutralise risky data and thus protect your company from lawyers knocking at your door.
In an automated way, our solutions discover your organization's internet-exposed assets that collect and host personally identifiable information (PII), including but not limited to names, e-mail addresses, pictures, geolocation data and IP addresses.
Additionally, Sweepatic creates and maintains a file inventory of all your publicly accessible files and maps out the risks of unauthorised available information. Actions are then defined to reduce the exposure of your sensitive data to an acceptable level.
The intake to get started on our side is simple: we need your name, your company email and the internet domain(s) to be checked. Through activation in the Sweepatic managed reconnaissance solution, we will then get back to you and provide:
- A footprint inventory, i.e. all the exposed web applications residing in your digital footprint.
- A file inventory, i.e. a full list of all publicly accessible files residing in your digital footprint.
- An indication of the files leaking sensitive data (e.g. PII, usernames, file path information, host information, e-mail addresses, software version information).
- The option to help you stay compliant by continually monitoring your digital footprint from the outside. Sweepatic will alert you if your security posture changes. After all, your digital footprint is dynamic by nature and you need to be aware of its evolution!
- Instead of hiring expensive consultants every now and then to conduct high level whiteboard exercises with half of your organization, you'll have access to a highly automated solution feeding you with pragmatic reports and real time alerts if something is wrong. This approach will save you money.
- After everything is set up, we manage the solution and inform you when required so you can focus on your business activities. A convenient solution that will save you time.
We wish you a good continuation in preparing for the GDPR regulations and even beyond the deadline. Remain vigilant by spending your money on the right set of solutions ;-)
Don't hesitate to contact us - we are always eager to listen to your needs and help out!
You can contact us via the following channels: