- Security TWENTY
- Women in Security
Friday, May 25 marks the biggest change to UK data protection law in a generation, says the Information Commissioner’s Office (ICO), the UK data protection regulator. The European Union-wide General Data Protection Regulation (GDPR) comes into effect replacing the UK’s Data Protection Act 1998.
According to the ICO, the new law gives people more control about how their data is used, shared and stored and requires organisations to be more accountable and transparent about how they use it. The ICO reports that it’s launching a long term campaign to help people understand why their data matters and how they can take back control. The public information campaign ‘Your Data Matters’ aims to increase the public’s trust and confidence in how their data is used and made available.
Information Commissioner Elizabeth Denham said: “Almost everything we do – keeping in touch with friends on social media, shopping online, exercising, driving, and even watching television – leaves a digital trail of personal data. We know that sharing our data safely and efficiently can make our lives easier, but that digital trail is valuable. It’s important that it stays safe and is only used in ways that people would expect and can control.”
For various advice and guidance documents visit the ICO website: https://ico.org.uk/for-organisations/making-data-protection-your-business/.
Like anything in the news the GDPR has been used by scammers sending phishing emails. Javvad Malik, security advocate at cyber threat detection product company AlienVault, said: “It is common for phishing scams to increase in the wake of any change, event or natural disaster. Therefore, unfortunately, it is not uncommon for scammers to take advantage of an event like the implementation of GDPR to come out in force to try and swindle unsuspecting users. Despite GDPR, the usual rules apply whereby users should remain vigilant of all emails and what is being requested. Most organisations like a bank will not communicate via email anything related to the account and will not ask for personal information or passwords in an email. If in doubt, users should contact their bank through their usual channels to validate.”
A report co-sponsored by cyber security product firms suggests only seven percent of companies were on track to achieve GDPR compliance by the deadline. A majority were citing lack of expert staff for their failure; the second and third most cited reasons for non-compliance were budgetary constraints and a limited understanding of the GDPR requirements, respectively.
The report comes from a survey of 531 information technology, cybersecurity, and compliance people. About one third of companies reported they will need to make substantial changes to data security practices and systems to comply with the GDPR. Identifying and mapping user data to protected GDPR categories was the top ranked initiative for meeting GDPR compliance—cited by almost three quarters of report respondents. This was followed by evaluating, developing, and integrating solutions that enable GDPR compliance.
Bob Lyons, CEO, Alert Logic said: “We are seeing a substantial increase in organisations with strained resources, especially cyber-security staffing, who need to comply with regulations like GPDR along with PCI DSS, HIPAA and HITECH, and SOX.”