Webinar Recording

Best Practices and Essential Tools for GDPR Compliance

Log in and watch the full video!

Join this KuppingerCole webinar to get practical, straightforward advice on how to prepare for GDPR, including:

  • Devising and maintaining a plan to detect a data breach,
  • Properly documenting evidence of compliance for auditors,
  • Evaluating the effectiveness of your security practices,
  • Minimizing costs by reducing the number of tools and processes needed,
  • Selecting the right technology platform or managed service

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Okay, good morning, good afternoon, or good evening, wherever you are. And welcome to this company, Cole webinar supported by alien vault and today the subject is best practices and essential tools for GDPR compliance. And this is being given by me, Mike Small, and I'm a senior Analyst at KuppingerCole and also by Javad Malick, who is a security advocate at alien vault. So, first of all, a, a few words about KuppingerCole. We are an independent Analyst that was founded in 2004, and we focus on areas related to security identity and access management, governance, risk management, and compliance and everything to do with digital transformation.
And what we offer is research, which is vendor neutral and kept up to date. And he provides independent advice to people. We run a series of events and we also offer advisory services. And here are some of the upcoming events. In fact, we've just had a very successful digital finance world in Frankfurt. In may, we have the European identity and cloud conference, which is the 12th of this, this series, and that will be held in Munich. And we have the consumer identity world world world tour, which goes from the us to Europe, to Asia Pacific and new this year is the cybersecurity leadership summit in November, held in Berlin. So make a note note of those dates for yourself. So I'm just going to have a cough, excuse me.
So in terms of the controls of the webinar, everyone is muted centrally. The webinar is being recorded and there is a questions and answer session, which will be run afterwards. And if you have a question to ask, then you can ask that question, using the questions panel that should be part of the control panel that you can see for the webinar. And I will then make sure that these questions are talked about and answered. So the webinar will be divided into two basic halves. I will start off by talking about what GDPR is in its broad scope together with a set of six imperatives that we believe every organization should be following in order to prepare for this. And in part two, Javad Malik will focus specifically on the challenges of mid-sized organizations with regard to compliance and in particular to do with GDPR.
So to begin with the challenges that although GDPR has been some years in the making, it is over two years since it was finally signed off by the European parliament. Nevertheless, there are still organizations when you mentioned GDPR will say, what is that? So the challenge is being prepared for this new regulation. And this is a data protection regulation that was adopted in May, 2016. It applies to all EU members and unlike the previous system, which was based on directives that were translated by individual countries into their own laws, this being a regulation means it is the same for all of the EU states. It also applies to anyone who holds data, which relates to anyone who is resident within the EU.
And it has a very, very wide definition of personal data. Whereas previously it was not absolutely clear and consistent what comprised personal data. There is no doubt. This ranges from biometrics, IP addresses as well as anything which can be used to identify a natural living person who is resident in the EU. So it doesn't just apply to EU residents, but it applies EU citizens. It applies to anyone who is resident and it provides a clear and concise definition of what personal data means. It also defines quite clearly what processing is and processing is very widely defined. And it ranges from the collection of data, the storage of data, the processing of that data, the analysis, the retrieval, the dissemination, the transmission. And so basically anything that you are doing with data, which is defined as being personal data falls within the scope of this. And although I have used PII PII, isn't really the, the right way personal data is the, is, is the key definition.
It provides a set of principles for the processing of this data and these principles around fairness and transparency that the data should be processed fairly, and that it should be transparent to the data subject, what processing is taking place. And a lot of the definition of this surrounds what is lawful processing. And this varies from being able to say, it's lawful, if you need to do that processing in order to perform a contract. So for example, if you buy something, then it's quite clear that in order to deliver that thing that you have bought, there may be a need to store your name and address for that purpose. It also allows for processing given the consent of the, the person that we talk minute about consent. It also allows processing to be law lawful under legitimate interest. And it may well be that there's going to be a lot of discussion amongst lawyers and other people as to what comprises legitimate interest.
But all of this is defined within the regulation. Now in this regulation, there are a number of data, subject rights, which include quite specific control through consent. So if someone wants to use your data, and this is not simply for the processing of a contract or the other reasons, then you are required to give explicit consent for that processing. And that is explicit consent per purpose. And this has to be not hidden in a 15,000 word, check the box at the end of this, which allows you to give away all your rights. Hidden flight must be for a very clear and concise statement of what you're going to use it for. And if you're going to use it for more than one thing, then you have to give consent for each of those things. In addition, the data subject rights include the transparency. They can ask to know what data you hold about them, and they can also ask for their data to be removed.
And both of those things may well cause some organizations, some kinds of problems. And finally, for the large organization that takes the view of, well, we can afford the lawyers, but you can't. Then the burden of proof for compliance lies with the organization that collects or processes the data that is the data controller or the data processor. So it is not up to you as the data subject to prove that they have processed it in a way that is not fair and transparent or lawful. It is up to them, the data controller or the data processor to prove to either the regulator or the data subject that their processing does comply. And that is a big change.
So in terms of penalties, and everybody's talked about these penalties, there are potentially eye watering penalties that are intended to get organizations to take notice in terms of what those penalties really will be. The answer clearly depends upon a view taken by the courts. And we won't really know until the first cases arise. However, in the late part of 2017, the article 29 working party provided a set of criteria against which a penalty should be judged. And this is shown by a link which you can see at the bottom. And this depends upon the nature, the gravity and the duration of the breach. So clearly a more severe breach is going to be one that will attract a more significant penalty. Whether in fact, the breach was purely intentional that they, the organization had decided they were not going to comply, or whether it was simply negligent that they made a mistake, what action they took to mitigate the damage and what the responsibility is based on the organization and technical measures that they had put in place and whether or not they are a repeat offender.
In addition, there are things like whether or not there was cooperation with the regulators, what kinds of data were affected, whether it was more sensitive or less sensitive and whether or not there'd been compliance with previous orders. So it is not clear that anyone committing any kind of offense under this is going to be fined the same. There is going to be a proportionality in the penalties. However, nevertheless, this is both an opportunity as well as a risk. And one of the opportunities is that it starts to level the playing theme. Many organizations have been able to rely upon living in another jurisdiction, which was more liberal to be able to benefit from the use of personal data that was not possible. It allows organizations to get a grip on their customer data. And interestingly, some of the organizations we talk to have seen as a really massive opportunity to make their security and control over person data, more consistent.
It becomes much clearer as to whether or not people have consented on whether or not data is being processed under consent. And hopefully that will allow people and organizations to build a more trusted and sustainable relationship with their customers. So in order to do that, you need some kind of an action plan. And this action plan is the key thing. Now, many organizations have not done anything, but some have already been employing consultants to look at their processing. Some have gone to vendors here is what we believe are the six critical steps that need to be taken. And the first thing is simply that you cannot control what you don't know you have. And the first and most important step every organization needs to take is one of discovery. You need to discover what data you have. And it may be that you have what you think you have all your data in some kind of CRM system.
But if you have multiple applications in multiple geographies, many organizations have for reasons related to the way in which the regulations and laws were different in different countries have repeated copies of data in different places in order to ensure compliance with that. There is also the major problem of unstructured personal data held in spreadsheets that were bought by marketing departments and are passed around willy-nilly. You need to know where it is, why it's held and why, where the copies of it are. And if you, this is data that you have bought, then you also need to make sure that you have proof of consent. It's a good idea also to check that is accurate and up to date. And there are a number of tools that can help you in discovering this many of which come under the guise of data leak prevention, but also there are specialized tools for privacy people.
When you know where it is, you need to bring, bring it under control. And in effect, what that really comes down to is reviewing your policy and existing systems for their access governance. Have you got, and have you got a good system which controls access to data that you can prove relates back to its legitimate processing? And does this work for both structured and unstructured data? Does it work and is it connected with the system for giving consent and how do you manage control over date data aggregation, which is one of the major things that unless you've consented to your data being put together then with other data, then perhaps it isn't lawful to process it. And you need to have all of this documented and audited in a way which allows you to prove that you are complained.
Now this informed consent per purpose is one of the interesting things, because for many cases, what this means is that your control systems, which shall we say traditionally have been put together in a way, which says that control of access is assigned by managers, to people who have a business need for it. You now potentially have a situation where control of access to data is being controlled by data subjects, almost on a field by field data field, by field system. And that this is made further complex by the need to deal with family consent and also to take in account age so that you may be able to withdraw consent for your children if they have lied about their age and given it. And then of course there is the issue of subject access requests and return of data. And unless you have a good process, that's already existing to be able to satisfy these, then you will not be compliant.
And many organizations struggle with that. And there could well be a raft of requirements from data subjects. Once the law and the regulation comes into force, if you are using the cloud, then you need to make sure that the way that the, the data is being held in the cloud is compliant. And this means making sure that you understand that you have a policy for cloud usage related to personal data, and can, you know, what is held in the cloud? Have your employees moved stuff without your knowledge into Dropbox or personal accounts, how do you bring control over what is uploaded to the cloud so that it meets your policy? Can you be sure that you know where that data is being held and over where it's being processed and what do all these cloud certifications mean? And it's noticeable that there's been that there are three different, shall we say, codes of conduct that have arisen.
There's a C I S P code of conduct from one group of cloud providers. There's another one which has come from another group and there is a CSA one. Now, if you are going to use the cloud, you need to be able to prove if required that your use of that cloud is compliant in terms of data protection. For many organizations, you will need to appoint a data protection officer. And you also need to think about where you would need data protection, impact assessments. If you have sensitive data, then you need to be able to show that you have considered what the risks to the data subject of your processing of that data is. And that's the important thing, not the risks to you, it's the risks to the data subject. So for example, if you hold medical information or financial information and it's leakage could harm the data subject by the money being stolen or their medical records being published, then that is clearly a serious thing and tracing where that data goes in order to be able to make that assessment is in fact, one of the big challenges, you know, you may think it's just gone into your CRM system, but it may have from there being transferred out into other kinds of systems to do with servicing and, and to do with things like guarantees and so forth.
And you should be looking to future systems to certainly implementing privacy by dult and design and working out where you're going to implement this. Now, everybody, a lot of people, a lot of organizations have been out talking about detecting and notifying data breaches. Well, any organization that is holding sensitive and personal data should already have some kind of a process for detecting and notifying pro data breaches. Unfortunately, the evidence that we have is that many organizations are ill prepared. They don't actually test the systems. And often the first first thing that happens is that they discover that they have a data breach when the TV vans are set outside the HQ, as the people come into work and inquiring from the CEO, what they're doing about it. So unless you have a good plan that has been tested, then you you're, you're already on the back foot and you need to make sure that that plan is updated to implement the changes that you need to ensure compliance in, in particular to do with notification of regulators and notification of data subjects.
And this means using the right tools and also being able to show that you can prove compliance. So in summary about GDPR, proper planning will prevent pain and penalties. And so planning and preparation is essential. And you need to take action now to discover control, protect, and ensure compliance. And remember the burden of proof is on you to show that you have taken the appropriate measures, not upon the regulator to prove that you haven't. And so with that, I'm now going to hand over to J bannock from alien vault. Who's going to give his part of the presentation.
Okay. Thank you so much for that, Mike. I was struggling with the mute button there for a second. So hopefully we haven't lost too many people in, in that gap who only came for you, but to all the attendees, thank you so much for, for attending. I hope you found Mike's part of the presentation, thoroughly educational as, as I just found it. And hopefully I can sort of like keep up to, to that standard. So I'm ARD Melik I work at volt and let's jump straight into it. Yeah. Let's be honest. There's a lot of FUD, like fear, uncertainty and doubt around GDPR. The actual legislation itself regulation is, is fine, but you know, around it these days, everything is being marketed as helping new GDPR. There's a lot of fear like, oh, there's penalties, there's fines and everything. So, you know, it's, it's on this chart, it's very high ground.
So you could make the, the, the case that it might even be extreme or critical, but I think we can all agree that there's a lot of fight out there. So let, let's try and like get rid of some of that. There's a few steps we can take. I think the first step is absolutely don't panic. It it's been, it's, it's an important regulation, but I think if you are familiar with previous data privacy laws or, or you, you know, the data protection act or, or wherever you are, your local one is, you know, there's not, it's more of, of an evolution. It's not a massive revolution. It's not something that's completely brand new. So if you've been following a lot of those principles, you can keep on following a lot of them and they will, they will still apply.
You know, there's, there's a lot of talk about GDPR and perhaps there's a bit there's some of the understanding is lacking there. The good thing is that GDPR is very accessible. You know, you can just go to the, the, the privacy regulations, privacy have and regulations.eu website. And it's got all the articles and recitals and everything really clearly laid out. And it, it's not that difficult, even if you're not a legal person, you can kind of like go through it and figure out what the intent is. And, and that's what is it's, it's not a, it's not a prescriptive sort of, it's not like PCI saying, Hey, you must have files or you must protect cardholder data. It's like, Hey, put in place things that are appropriate and, you know, interpret it and then convince us if something went wrong that you'd done it to the best of your ability.
I think this is kind of like what might might touch on as well. But I, I think it's really important that we repeat here is have a data inventory. You know, what data do you collect? Where do you store it? And where do you process that data? And, and I'd say, especially for midsize organizations, just keep it very simple. You might not even need a, a, a fancy tool for this part. Just get a spreadsheet and, and just capture, here are some examples of some of the bare minimum kind of data you should try to capture, like what department is capturing the data, the system they're capturing is who the administrators, what's it about the type, you know, where's it located? Who provided, why did you collect the data? And then that gives you a really good picture of what to do. And I, I mean, we, I say here, keep it simple that the process is simple, but as many of you would, would've probably found out once you actually start going through and start discovering this, it becomes quite complex quite quickly.
I, I, I, I usually look at my personal life as an example. And I think if on my phone, I take a photograph of, of selfie. If I take a selfie, how many places does that photo end up? Well, it it's, it's locally on the, on the phone. It gets synchronized to a cloud backup somewhere. If I send it on WhatsApp to my wife saying, Hey, look at me, I'm, I'm on holiday. You know, she's got a copy on her phone. It gets replicated to her cloud backup. If I post it, you know, you get, you get the idea. So, so you, it finds out very quickly, which is why, although it's not a necessarily a difficult process, it can be a, a time consuming process. So it's better to start sooner rather than later. And then once you have that inventory, you can make decisions or, or go to an outside council for some advice and guidance. If you're not sure yourself, once you've got your data, it's important to identify the risks that with it. And this is where risk register comes in, in really handy.
It doesn't, again, it doesn't need to be a fancy tool or, you know, SAS application or anything. You can just use a spreadsheet for this, but just identify the data that is high risk and critical risk. You know, what, what is the real data that, that is so, so this is high and critical risk. And in, in the context of GDPR, not necessarily that to your business, so your customer data might not be critical for your business, but if that gets breached, that might be critical for GDPR. So, so keep it in, in with that risk in mind. Again, if you know, here are some examples of some of the data you want to capture in a spreadsheet, you know, what the data set is, any vulnerabilities associated with that data, maybe using, you know, some, some on, on on-prem types in-house solution to, to, to capture that all in, maybe, maybe this it's vulnerable, it's web facing, what have you, you know, threat like lead impact and recommended controls that, you know, pretty box standard risk assessment stuff.
You can also go to legal counsel to give you some guidance. So based on, and the reason that it it's quite useful is because it, there is a lot of, well, there is an aspect of legal sort of legal requirements within the regulation and which, you know, you're not always familiar with, but there is a lot of free and great guidance on the internet. One of my favorites is this Taylor wedding website. And it's got some really useful guides all listed on this URL on your screen. Now, third party consultants can be really helpful that, so once you understand your data and you have the risks done, and I'd recommend you do that part yourself, if you have even like one person to spare, rather than getting an expensive consultant and letting them spend all their time or majority of their time doing all that data discovery and inventory for you, but what, what they should come in that your consultants are best doing is like, well, here's, my data is all the risk associated with it.
Here are my controls. Can you tell me where there might be some gaps and you know, what, what should I do? So, so as an example, and you know, I'm not affiliated with Coalfire or anything, I I've just seen their work in the past. So, so it's an example. They, they, they have a methodology of like, you know, how, how to get ready for GDPR, similarly, and, and nine, see, that's the problem. A lot of these companies, you read them all the time, but you never say em out loud. So you dunno how to pronounce anonymity. They've got a, a download of a accountability roadmap for GDPR compliance, which is also really useful.
So other areas of concern or other commonly questions that we, we hear asked by companies, especially like mid-size companies, like, you know, I don't have a data protection officer, do I need to assign one? Do I need to conduct a data protection impact assessment? So the DPO it it's, and I'm gonna sound like a consultant here when I'm gonna say, well, it depends. And it really does, because it just depends on the, the, the nature of your company, you know, what, what, what you need and not. So this is a decision tree, the IPP have it on their resources one, and it can help you figure out what, whether you need one or whether you don't need one. If, if you are like a, on the smaller side where, you know, you have like a handful of people managing all your it and security and everything, I'd say probably not. You could probably absorb that within, within your function. But if you're like, sort of like security compliance technology teams are, are significant, then maybe you could assign one of those or get in a separate role for that. But, you know, it will, there's no easy way, unfortunately, of, of saying it, whether you do or don't data protection, impact assessment, it's kind of like a risk assessment, but it's like tailored for data protection of individual.
So the key thing is like, you, you only need to do the data protection impact assessment on the high or critical risk data. So hopefully that should be a much smaller subset of your total organization data. So, you know, where do you need to perform the, the impact assessment, you know, ask why you collecting and storing the data and then make sure you understand the environment. So it, it, it's kind like simple. It's like the first part is more of a business process question. And then the second side is like, you know, technology wise, how you protecting it, continually reduce your risk. And this is like one of those I should put in one of those plan, do check, act diagrams in here. It's a never ended circle of, of like money that's getting thrown into it. But ultimately what, what the regulators are looking for is for yourselves like the controllers, or are to, to put in place appropriate controls to the risk and appropriate. Again, it's one of those really wishy, wishy consultative type of terms, but, but just think of it like this, like, you know, if, if, you know, if your data was breached, could you say with a straight face that you've done everything you could to reasonable measures to prevent it from, from happening?
So the risk register is, again, comes really important with this. It's like, you know, it helps you keep track of all your risk over time and all the controls you're implementing and what, what are you doing with it? And then you've got the likelihood and impact after you've implemented recommended or, or the residual risk. So you start off with your original rescue, implement a control, and then what's the residual risk after that, that, that can also help you work out whether that control's actually needed or not, or, or whether you should be looking for, for a better control altogether phase three, detect and prevent. So really paraphrasing GDPR, just find and stop bad stuff, affecting your personal data. That that's the kind like the, the summary of, of article four.
Now the, the kind like fundamental thing in, in insecurity, at least around detection and, and prevention is defense in depth. And this kind of like diagram just shows like all the different layers that, you know, we often talk about, but if you've ever gone out, try and look for a technology or security solution, this is kind of like a good representation of what the landscape looks like. And the problem is, I think, I least off these vendors will say, yeah, we can get you GDPR compliant in totality. And you know, that's probably not entirely true.
So the defender's dilemma when it comes to detecting and responding to threats is that there are too many security products or GE sharing technologies out there and not enough like Analyst or, or just staff available. There's this threat monitoring and perception, response report done by the LinkedIn information security group. And as you can see on here, there's a variety of different concerns. So it could be lack of budget, lack of staff, lack of awareness, inadequate tools, all those things that really impact their ability to, to be confident in their security ability. Similarly, the, the threats that they're most concerned about are, are, are, you know, they, they vary, so no one tool or, or one product set can really help you protect against fishing and data exfil and run somewhere and malware. And it's like, you know, it's, it's just not gonna happen.
So actually let's just go back there for a sec. So, so the thing is like, this is where your risk assessment that you'd conducted earlier becomes even more important that you look at where your critical assets are and what are the threats to them, what are the likelihood to it and what best, what controls are best placed to help you mitigate the most number of them. If, if you started looking at individual threat vectors outside of the context of GDPR or, or the overall business, you could end up with, you know, a big map of like, you know, a whole plethora of technologies that are, are great on their own, but, you know, does it help you achieve your objective? So I'd say, look at the outcomes as opposed to the, the, the features, excuse me. So be prepared for breach notification and breach notification is, is another big thing in GDPR.
It's like, you know, once you become aware of a breach, you need to notify the authorities within 72 hours, or if it's critical data and it impacts individuals, you should notify the, the data subjects as well. And, and this is a really challenging one. And I, I, I think this will be really interesting to see how it goes forward, because when, when we look at a lot of breaches, they don't go detected for a long time. You know, sometimes the news has to appear in well, or the breach has to appear in the news before the company even knows that they were affected. But, you know, the, you, you need to have some form of like processes in place to say, okay, what we gonna do when an instant occurs, how are we gonna investigate it, how we're gonna respond to it, and do we have all the templates in place that we need? Do we know even I do, you know, if, if you were breached today, who your regulator is and how do you report it to them, or do you have a standard email template later to communicate to your customers? Do you maybe have a PR agency that can help you communicate the, the messaging app externally, these are all like really important things to, to consider.
So with alien vault, USM, anywhere we, we believe we can help you accelerate compliance in, in, in at least the security and the threat detection and incidents response aspect, excuse me, one second. I forgot to bring a glass of water with me to the webinar today. So there, there are some core capabilities built into the product, so it has asset discovery. So, you know, what is connected to, you know, your, or who is connected both in the cloud or on prep environments, there's a vulnerability assessment capability built into it, intrusion detection, behavioral monitorings, and there's also a SIM with collaboration and log management. And, and this, this goes across both your OnPrem and cloud environments. So we like to think it's, it's, it's that it's a very comprehensive all in one solution for, for, for that purposes. And, and in that regard, it can really help with answering those security aspects of GDPR and instant response and breach notification.
Here are some examples of some of the articles, which mentioned security and how involved USM anywhere actually helps address those. So, so these are the specific articles that it does anything outside of it. You know, clearly we can't help with that because a lot of that's not security it's records management or legal and so on. And once you do that, I mean, if, if you, once you are compliant, you know, the challenge is how do you continually stay compliant? And it's not really feasible to every quarter go through. We like, okay, let's do the whole exercise again. Let's discover our data. Let's do a risk assessment. So the, the, the best idea is to just stay on top of it, define your controls, admin controls, technical controls, and set up the policies so that, you know, you can monitor things a as they change. So if you have new services added on, just add it on, document it there and, and, and, you know, add it to your response plan and, and move it on. Okay. So thank you very much for your time, and we'll now be open for questions over to you, Mike.
Okay. Thank you very much, Jenna. And now we have the questions and answers session, so, oh, no, really should leave it like that. So let me have a look now and see if there are any questions. So there's no questions at the moment on the question board. So if any of the participants have any questions, then please will you type them into the question panel and we will answer them as soon as we can in the meanwhile, I think perhaps I've got some questions that I'd like to ask you, Kevin. So first of all, you talking about small to medium sized businesses. Do you, from your experience, how well prepared do you think small to medium sized businesses are?
So I think there's, there's two, two aspects to, to, to SMEs. On one hand, they are not as prepared because they haven't spent the time or they don't have the time or the resources or the focus to put into something like GDPR. On the other hand, they are infinitely better prepared than larger enterprises, because a lot of the times they quite, you know, the, the overall business flows and systems are relatively smaller in scale. So everything's, Hey, we just put this app on AWS and we use this on, on on-prem solution for our customer records. And it's a very simple diagram that although they might not have everything in place, I think within the organization, you find a lot of individuals who have intimate knowledge of how everything works and what the risks are. So the challenge mainly for a lot of these companies is like just, just spending a bit of time to discover that the data extract that knowledge from, from the experts and document it so that if something does happen, they at least have proof that they were aware of these and they made an informed decision to accept risks or, or to mitigate them with some controls.
Yeah, that's interesting. So it's the simplicity of the business model. That is the savior. So they, they don't have the multiple departments with multiple complex ways of processing data. That's interesting. I don't know. What about local government? Have you any, any experience in local government of this
In, in which regard like, or how, how well those departments are? Well,
I, I was thinking that local government is in a way sort of, kind of a lot of little small to medium sized enterprises that, that really have quite complicated things to do and hold a lot of very sensitive data. And I wondered whether this was part of your market and whether you were doing anything good there.
Yeah. So, so at least I can, I can speak to the UK market cause that's where I'm based. And I, I'm very familiar with the local government here and you're, you're absolutely right. It is run like a, a lot of small businesses in, unfortunately it is also run like a series of very small, very underfunded, small businesses in most cases. And so I think for a lot of the presentation that was taken from companies just like local government, whereby you, you say, okay, you don't have money to buy lots of tools or, or even if you did, you got outdated infrastructure that won't, you won't be able to run it on. So just collect the data in spreadsheets or, you know, manually go through it and, and record your risk data. And then if you do have budget two to spend on a tool, spend it on those controls that will give the most return on, on that investment. So there's no point in, in buying something that solves a very niche sort of like problem. It might do it very, very well, but it, it won't necessarily cover the, the breadth. So for small businesses, I'd say, look for breadth of coverage before you go for depth to, to a high degree.
That's, that's interesting because certainly the substitution of spreadsheets and quick fixes for thought out and architected applications is one of the things that was discovered when SARS Oxley came in, that whilst a lot of people were busy looking at their major systems, what in fact, most auditors found was the proliferation of uncontrolled spreadsheets, which could lead to all kinds of problems, for example, right. To be forgotten data, subject access request, and so forth. Is that, is that your experience as well?
Yeah, I, I, I mean like you, you, you bring back some memories. I spent a couple of contracts many years ago actually reviewing some U and, and user developed applications for a couple of banks. And, and you're absolutely right. I mean, there's this one trading department and, and their basically their entire trades were all built around a spreadsheet for lack of a better term. It started off as, as a small thing. And then they sort of like developed it and new guy came on, they added some more functionality to it. And until it was the heart of the operation and it had a hardly any controls around it. So yeah, you, you, you want to avoid all, all of those scenarios. So I'm not advocating putting sensitive into spreadsheets. It's, it's really about trying to understand the process and where things go. I mean, I mean, I say spreadsheets and, you know, but there are lots of online or, or like synchronized or secure share sharing, sort of like alternatives, so that it's a lot easier to collaborate and share the information.
So you only have one record of it that the whole team or department uses. So rather than having different versions floating around everywhere, you, you can use something that's a collaborative online tool to, to help ease some of those requirements. And as long as it's not, you're, you're, you know, you're just recording, like your system data in it, like, you know, that your data flows and what have you, you're not actually, you know, storing any sensitive information as far as GDPR is concerned. It, it won't necessarily be, you know, fall foul of any regulation from that regard.
Okay. Thank you. Thank you. That's that's good. So I've got a, an interesting question here, which I think it it's specific, but it actually is, is a question that I think many non EU companies must be asking. There is a temptation to say, well, Hey, you know, I'm not in the EU. So if I hold anything about EU people, however, are they going to find out and find me, in fact, the question actually says that that this is a company Indonesia. And it's saying, how can the EU check whether Indonesian companies comply with GDPR? Do we need to wait for a breach? Or what, what, what, what, what would happen? What would lead to this? Do you, do you have a, an answer for that J
Oh, that's a very, very good, good question. And, you know, thank you for your honesty in asking the question. I suppose, whoever asked that question. So I, I suppose I don't have a definitive answer for that, but let, let's try and work through it. If, if, if, if we may as an exercise, so our companies outside of the EU, how would they acquire European resident data? And, you know, primarily they would either directly be dealing with the company with, with the public. So they'll have a website maybe, and they'll be collecting the data there, which is a visible place, or there'll be a processor for a controller based in the EU. And that will be visible in the sense that the, the controller should be documenting that. And, you know, having visibility and pushing the, and, and pushing the processor to say, Hey, you, you are collect.
I'm giving you my, my, my citizen data demonstrate to me that you are, you know, abiding by the, the, the security requirements or, or whatever the regulations requirements. Now, the, the reality is though, and, and, and this is where it's a really good question in the reality is though this, a lot of this is relying on the Goodwill or the, or the proactiveness of companies to do the right thing. Even if they're not in Indonesia. I mean, you could think about it. An EU company could be holding citizen data, and, you know, there's lots of ways to slip under the radar. You know, it's not always gonna be publicly declared, which is why it's interesting in the sense that GDPR is a, is it doesn't give anything prescriptive, but rather in the event offer breach, it will go and say, Hey, demonstrate to us approved to us that you, you, you were doing everything in, in, in accordance to how you should have.
And I think that's where those penalties and that's where those, those fines really come into their own in that, Hey, if you were willfully willingly hiding the fact that you were processing data and you were processing it in an insecure manner, and you had a breach, and maybe you didn't even wanna report the breach, but then somehow it got linked back to you. Then you're really looking at that like high end of, of, of penalties and, and fines there. But, but yeah, I mean, but that's a, it's, it's not something that's a very clear cut and I think it is not something you can either completely eradicate either.
No, I, I think it's a very good question. And I don't think there is a simple answer to it. And, and you've Jared, you've kind of explained the, the, the nuances here that if you are a large global company with a presence in the EU and money, large amounts of money flowing out of the EU, then regulators in the EU can take direct action against subsidiaries in that, that are within the EU. And there is no, no doubt about that, but if you are an organization that does not have a presence in the EU, but in fact, it is processing a lot of data. So say for example, you are in some odd country where you sell things to EU citizens, and you, you, you hold their data in a very Dary way. Then the process that would have to be undertaken in order to make a penalty stick on that company, if it didn't have a, a presence in the EU would be through whatever legal interchange agreements you have, and it would be down to perhaps citizens within the EU to complain about what they were doing for an EU regulator to then try and implement some kind of controls and fines through that.
And that, that, that may be more difficult. So once again, often the problem with these regulations is that it is the most honest and the weakest that, that, that get caught unnecessarily, certainly within the UK, which you you've spoken about. And one of the reasons why I mentioned local government is that there is a disproportionate number of local government, local authorities that seem to get caught by the information commissioner, because a, they do hold a lot of data. And B there, honest, they say, they're holding that data. And they're also honest about what happens. So hopefully it will not prove to be as difficult as we've found, but the, you know, Indonesia is not the only place. And, and perhaps one of the areas that is seen as particularly a problem by the regulators is us companies. And so what Joey do you think is the situation with us companies and, and GDPR, especially with the subsidiaries and so forth.
So I, I, I think the, with GDPR, the, the biggest change for us companies to get around is, or to get their heads around, sorry, not them get around it is, is, is the whole accountability on the processor. So previously, like data protection act and everything, it will still be the controller that, that was responsible. They were based in, in, in the EU by if they were processing it in the us. Then, you know, there wasn't the accountability there that, that, that there is now. And so I, I think it's still, it, it's, it's kind more like a cultural difference because in the us privacy probably doesn't have the same sort of like hasn't, hasn't the same history or the same requirements as it has in the, in the EU. So I think when, when you have tech tech companies, or just any companies that have been set up in, in that environment for, for so many years, and then all of a sudden they're told by a whole big section of their customers or, or, or partners that, Hey, now we need to do things differently because privacy is, is a really important thing that cultural shift takes time to, to actually filter through.
We, we are seeing a lot of companies jump, you know, go, go through the process and adopt it. Some of them have sort of like, say, like move data centers into the, you know, chosen for EU based data centers. Others have like, you know, implemented stricter controls around it. But I think again, because of the non-prescriptive nature of, of the GDPR, we, we are gonna probably wait, sorry, excuse me. My apologies for that. We're, we're, we're probably wait until some breaches occur and some action is taken before. There's true clarity around, you know, how far the regulators will go and how, how, how seriously us companies take it.
Okay. Thank you. I've got one more question. We are running out of time. So in fact, if there are any questions that you feel haven't been answered, we will certainly pass them on to alien vault who will try to respond directly. And this question, is it a legal requirement to document the initial start state and the process undertaken to get an SME compliant? Would the risk register cover this? So in, in summary, you have to be able to prove to the regulator that you have taken appropriate steps, but would you like to add a quick comment onto that JT?
I, I think it, yeah, it just comes down to, again, like appropriate steps. If, if it's something you believe is appropriate and you, you, you believe it's a defensible position, then yes. If you think that you could do better or, or, or like, you know, some your consultants say you should be doing some other way, you could, you know, it's not really the most fantasy solution or the most technical thing that that will work. It's really like what the intent was. You know, what was, is the intent just to tick the box and move on, or is the intent really to, to fix something. And I think that's what the regulators will be looking a lot at if you know, they, they come investigating.
Okay. Well, thank you. So another question came up, which was to do with, will the slide to be available. Well, the slides themselves will not be available, but the, a recording of the webinar will be available from tomorrow. So if anybody wants to rerun through it, you will be able to see it posted on the Kuppinger called website from tomorrow. But with that, I'm, I'm going to say, thank you very much to Javad for this. Thank you very much to all of the attendees for attending and asking the questions, and please keep, keep an eye on our website and come and come and join our future webinars and think about our future events as well. So with that, I'll say thank you very much to everyone and close the webinar down.
Thank you.
Thank you.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

You Can Only Protect and Govern the Data You Know About

Data is widely recognized as the lifeblood of the modern enterprise. However, the exponential rate at which it is being generated means that it is crucial that organizations have the capability to manage it effectively to ensure its confidentiality, integrity, and availability. These…

Webinar Recording

What Does the Future Hold for Passwordless Authentication and Zero Trust?

Enterprises of all types face a growing number of cyber threats today. Studies show that most data breaches begin with compromised passwords. Moreover, password management is expensive and not user-friendly. Enterprise workforce users are driving the consumerization of IT. They want the…

Webinar Recording

Complying With PSD2: Everything You Need to Know

With the Revised Payment Service Directive (PSD2) coming into full effect this fall, banks and online retailers need to adapt to changes that carry with them many regulatory and technical challenges. Acknowledging these extensive changes, Germany’s Federal Financial Supervisory…

Webinar Recording

Leverage Enterprise Architecture to Achieve GDPR Compliance

Several measures have been undertaken by Organizations at various levels to comply with GDPR, most of which remain reactive, fragmented and largely ad-hoc. These controls are also not continuous in nature and therefore fail to satisfy ongoing compliance requirements. Organizational leaders…

Webinar Recording

The Foundation for GDPR Compliance and PI/PII Protection: Understand Where Data Resides and Who Processes It

The EU GDPR requires covered organizations to be able to account for and document how personal data is collected, processed and shared.  What many companies often fail to realize is that this data is not only stored in specialized and appropriately secured silos such as…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00