How To Protect Your Data and Stay GDPR Compliant
What do a search engine, an affordable clothing retailer, an airline, a huge hotel chain and a social networking giant all have in common?
They all were fined for violations of GDPR.
What is GDPR?
What is GDPR? Some tax law? An accounting practice? Why do we need to worry about it?
GDPR stands for the General Data Protection Regulation. It is a set of regulations that went into effect in the European Union (EU) on May 25, 2018 to protect the personal data of citizens and residents of EU member countries. Today, it affects businesses worldwide by setting new standards for protecting personal data. Data such as phone numbers, passport numbers, and health records are considered personal data. Personal data is highly valuable because it can be used to identify a person, which is why its loss or exposure is treated as a data breach incident.
Data Breaches and GDPR Fines in 2020/2021
Companies hold personal data about employees, contractors, clients, suppliers, and other individuals for a variety of business purposes.
Any damage to personal data (for example, it is lost or stolen, changed without the individual’s knowledge, or destroyed) is treated as a data breach. Breaches take place all the time and, once detected, are severely penalized. GDPR non-compliance fines range up to $23 million or 4% of annual revenue (whichever is higher), and this is per incident! For US companies doing business in the EU or UK or with European partners, GDPR compliance is vitally important.
Since GDPR went into effect, EU-based businesses have paid $329 million in penalties for non-compliance.
Why Should US Companies Care About GDPR?
US companies doing business in the EU or with EU-based partners must pay close attention to compliance, since non-compliance can result in substantial financial and reputational damage. GDPR compliance is already advertised as a competitive advantage in some industries, a trend which is expected to grow in 2021 and beyond.
GDPR compliance requirements impact multiple aspects of a business. Finance, Sales, Marketing, HR, and Customer Support departments, along with any departments working with EU-based partners should all assume they need to comply with the regulation’s requirements.
To minimize risk, organizations need to establish policies, rules, and standards for how personal data is processed, how long data needs to be retained, and how to report potential data breaches to supervisory authorities when they do occur.
The path to GDPR compliance follows the steps outlined below:

| Question To Ask | Action To Take |
| --- | --- |
| What data do we have? | Map your business process flow. |
| What data do we need? | Identify and categorize personal data. |
| What data must be kept and what can be deleted? | Data processors act on the data controller’s instructions. |
| How long does data need to be retained? | Define policies for processing, retaining, and discarding data. |
| Who else has access to the data? | Review 3rd-party processors’ compliance. |
| With whom is data shared? | Define subject access procedures and audit partners for compliance. |
| How is data stored and secured? | Review security practices, staff awareness, and training materials to identify potential gaps. |
| Is data security tested? | Conduct Data Protection Impact Assessments. |
| Does the organization need to appoint a Data Protection Officer? | A DPO can coordinate and disseminate privacy policies and notices both internally and externally. |
Olenick, A Qualitest Company: Our Chapter
Olenick Global Ltd, a company registered in Northern Ireland, has been leveraging its UK expertise on US-based projects when it comes to data privacy and confidentiality. Based on the same data categorization and objectives, Olenick has established internal training, procedures, and practices to ensure that the GDPR rules and regulations are always followed on client sites and that the company remains 100% compliant. Practices are continuously reviewed and updated, adjusting to major changes in the industry such as the recent separation of the UK from the EU (Brexit).
At Olenick, data auditing and categorization have been conducted, and policies such as “Data Subject Access Request Procedure,” “Data Subject Disclosure,” and “Data Protection Policy” have been established to ensure that all personnel understand the rules governing their use of the personal data to which they have access in the course of their work. Auditing of service providers is conducted routinely and includes reviews of the agreements with 3rd-party service providers who collect and process employees’ personal data, contracts, or data storage.
All personnel residing in Europe or engaged in projects where the client requires compliance are required to take the “GDPR EU: ESSENTIALS” training and pass a certification exam. This course explains the characteristics of a data processor and a data controller and their obligations under GDPR for US companies. Given the nature of its business, Olenick operates as both a data controller and a data processor, working with customer and employee data. Data protection is the main focus of our company’s attention.
What must be done to protect the data and avoid penalties and fines? There are several ways to approach data protection and security.
We will talk about two of them: Vulnerability Assessment and Multi-Factor Authentication.
Multi-Factor Authentication (MFA)
There is no privacy without security. Personal data (also referred to as PII, Personally Identifiable Information) is the most critical data requiring protection. One way to protect data is Multi-Factor Authentication (MFA). It is also sometimes referred to as Two-Factor Authentication (2FA). The two terms are synonymous.
In a nutshell, MFA combines who you are (e.g. fingerprints), what you know (e.g. a password), and what you have (e.g. a cellphone).
MFA ensures that if your login credentials are stolen, there will be no breach of your account as long as your mobile device (phone) is with you. The rate of compromise of accounts using MFA is less than 0.1%.
Some types of multi-factor authentication are stronger than others, and all authenticators are vulnerable to attacks involving takeover of the communication channel or interception of authentication messages.
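The two factors described above (what you know, what you have) can be seen working together in code. The following is an added example written for this page; it is not Olenick’s code or any vendor’s product. It implements a password check plus an RFC 6238 time-based one-time code (the kind an authenticator app generates), and it treats every code as single-use, so a code intercepted from the channel cannot be replayed after the legitimate user has already used it. The user store, the password, and the salt are constructed demo values; the TOTP secret is the RFC 6238 reference key so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct

# Constructed demo user store (illustrative only, not a real deployment).
# Passwords are stored as PBKDF2 hashes; the TOTP secret is the shared key the
# authenticator app holds. The secret below is the RFC 6238 reference key
# (ASCII "12345678901234567890") so generated codes match the RFC test vectors.
RFC_SECRET = b"12345678901234567890"
_DEMO_SALT = b"demo-salt-not-for-production"


def hash_password(password: str, salt: bytes = _DEMO_SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_secret": RFC_SECRET,
    },
}

STEP_SECONDS = 30  # TOTP time step (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the 'what you have' factor."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Last accepted time step per user. A code is single-use: once a step has been
# consumed, that step and anything older are rejected, so a code captured from
# the channel cannot simply be replayed.
_last_accepted_step = {}


def verify_login(username: str, password: str, code: str, unix_time: int, window: int = 1):
    """Both factors must pass. Returns (accepted, reason)."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    # Factor 1: what you know. Constant-time comparison of the password hash.
    if not hmac.compare_digest(hash_password(password), user["pw_hash"]):
        return False, "bad password"
    # Factor 2: what you have. Adjacent steps are accepted to tolerate clock drift.
    current_step = unix_time // STEP_SECONDS
    submitted = code.strip().encode("utf-8")
    for candidate in range(current_step - window, current_step + window + 1):
        if candidate <= _last_accepted_step.get(username, -1):
            continue  # this step (or an older one) was already used: treat as replay
        expected = totp(user["totp_secret"], candidate * STEP_SECONDS).encode("utf-8")
        if hmac.compare_digest(expected, submitted):
            _last_accepted_step[username] = candidate
            return True, "ok"
    return False, "bad or reused code"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the expected 6-digit code is 287082
    print(totp(RFC_SECRET, t))
    print(verify_login("alice", "stolen-guess", "287082", t))                      # password wrong
    print(verify_login("alice", "correct horse battery staple", "287082", t))      # accepted
    print(verify_login("alice", "correct horse battery staple", "287082", t + 5))  # replay rejected
```

The third call in the usage section shows the property the page's caveat is about: even with the correct password and a code that was valid seconds earlier, the login is refused once that code has been consumed. A real deployment would also rate-limit attempts and store the last-accepted step server-side rather than in process memory.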
Samples of MFA types are:
Referenced as the gold standard in two-factor authentication, an RSA token secures internal and remote network access and offers easy-to-use, “zero footprint” options. It is available in multiple form factors including hardware and software tokens, as well as on-demand authenticators.
Google 2-Step Security
Step 1: Sign in to a Google account by typing a password
Step 2: Enter a verification code, which is sent to a phone, a mobile app, or a voice call
MS Azure Multi-Factor Authentication
Azure MFA uses an application called Microsoft Authenticator, which is registered on a device, like a cell phone or tablet. The registration process is secure and requires a public key. This mechanism is channel independent, has great usability and is free to deploy.
“Olenick has implemented Microsoft solutions for multi-factor authentication (MFA) for its employees and clients in order to enhance security and reduce risk. MFA enablement is part of a portfolio of services offered to Olenick’s customers.” – Scott Christensen, Vice President
Vulnerability Assessment (VA)
A vulnerability assessment (VA) is a systematic review of security weaknesses: a testing process designed to identify vulnerabilities and risks in all parts of the IT systems, such as networks, applications, and hardware. It is a critical component of IT risk management, helping to protect data from unauthorized access and breaches.
Examples of vulnerability assessments include penetration testing, system monitoring, external and internal scans, database assessments, and host-based scanning.
Olenick has successfully implemented and is leveraging the Microsoft SQL Vulnerability Assessment within the Azure cloud across all categories such as:
- Authentication and Authorization
- Auditing and Logging
- Data Protection
- Installation Updates and Patches
- Surface Area Reduction
The vulnerability assessments run both outside and inside the firewall, focusing on port scans, fingerprinting the underlying operating systems, identifying running services, and testing for SQL injection vulnerabilities. The tests are careful not to affect the target system.
“The SQL servers and their databases are being routinely tested to identify security vulnerabilities and any best practice discrepancies. The assessment monitors misconfigurations, improper permissions, and the protection of sensitive information. Rule violations or any alteration of approved baseline values results in a failing risk summary report. The vulnerability assessment ensures existing and future threats are monitored. These steps decrease remediation time while also being proactive to reduce future issues.” – West Peterson, Senior Managing Quality Engineer
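To make the assessment categories listed above and the baseline-deviation behaviour in the quote concrete, here is an added example written for this page; it is not Microsoft’s SQL Vulnerability Assessment and not Olenick’s tooling. It evaluates a set of rules, one or more per category, against a constructed snapshot of an instance’s configuration and an approved baseline, and any failed rule turns the risk summary into a FAIL. The snapshot, the baseline values, the rule identifiers, and the patch-level strings are all constructed for illustration; the sp_configure option names used (xp_cmdshell, Ole Automation Procedures, clr enabled, remote access) are real SQL Server options, but the values shown are invented.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed snapshot of one SQL Server instance, shaped loosely like what an
# assessment would collect (sp_configure options, login policy flags, role
# membership, database encryption, audit state, patch level). Illustrative only.
SNAPSHOT = {
    "sp_configure": {
        "xp_cmdshell": 1,
        "Ole Automation Procedures": 0,
        "clr enabled": 0,
        "remote access": 0,
    },
    "logins": [
        {"name": "sa", "disabled": True, "policy_checked": True},
        {"name": "app_user", "disabled": False, "policy_checked": False},
    ],
    "sysadmin_members": {"sa", "app_user"},
    "databases": [
        {"name": "hr", "encrypted": False, "contains_pii": True},
        {"name": "logs", "encrypted": True, "contains_pii": False},
    ],
    "server_audit_enabled": True,
    "patch_level": "CU10",
}

# Approved baseline values (constructed); any deviation is a rule violation.
BASELINE = {"patch_level": "CU12", "sysadmin_members": {"sa"}}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    category: str
    description: str
    severity: str
    passes: Callable[[dict, dict], bool]  # (snapshot, baseline) -> True when compliant


def _option_off(name: str) -> Callable[[dict, dict], bool]:
    return lambda s, b: s["sp_configure"].get(name, 0) == 0


RULES: List[Rule] = [
    Rule("AA01", "Authentication and Authorization", "sa login is disabled", "High",
         lambda s, b: all(lg["disabled"] for lg in s["logins"] if lg["name"] == "sa")),
    Rule("AA02", "Authentication and Authorization", "password policy enforced on every enabled login", "Medium",
         lambda s, b: all(lg["policy_checked"] for lg in s["logins"] if not lg["disabled"])),
    Rule("AA03", "Authentication and Authorization", "sysadmin membership matches approved baseline", "High",
         lambda s, b: s["sysadmin_members"] == b["sysadmin_members"]),
    Rule("AL01", "Auditing and Logging", "server audit is enabled", "Medium",
         lambda s, b: s["server_audit_enabled"]),
    Rule("DP01", "Data Protection", "databases holding personal data are encrypted at rest", "High",
         lambda s, b: all(d["encrypted"] for d in s["databases"] if d["contains_pii"])),
    Rule("IU01", "Installation Updates and Patches", "instance is at the approved patch level", "High",
         lambda s, b: s["patch_level"] == b["patch_level"]),
    Rule("SA01", "Surface Area Reduction", "xp_cmdshell is disabled", "High", _option_off("xp_cmdshell")),
    Rule("SA02", "Surface Area Reduction", "Ole Automation Procedures are disabled", "Medium",
         _option_off("Ole Automation Procedures")),
    Rule("SA03", "Surface Area Reduction", "CLR integration is disabled", "Low", _option_off("clr enabled")),
    Rule("SA04", "Surface Area Reduction", "remote access is disabled", "Low", _option_off("remote access")),
]


def assess(snapshot: dict, baseline: dict) -> List[dict]:
    """Evaluate every rule; each finding records its category, severity and pass/fail."""
    return [
        {"rule_id": r.rule_id, "category": r.category, "severity": r.severity,
         "description": r.description, "passed": bool(r.passes(snapshot, baseline))}
        for r in RULES
    ]


def risk_summary(findings: List[dict]) -> dict:
    """A single failed rule or baseline deviation makes the overall summary FAIL."""
    failed = [f for f in findings if not f["passed"]]
    by_category: Dict[str, int] = {}
    for f in failed:
        by_category[f["category"]] = by_category.get(f["category"], 0) + 1
    return {
        "result": "FAIL" if failed else "PASS",
        "failed_rule_ids": [f["rule_id"] for f in failed],
        "failed_by_category": by_category,
        "high_severity_failures": sum(1 for f in failed if f["severity"] == "High"),
    }


if __name__ == "__main__":
    report = risk_summary(assess(SNAPSHOT, BASELINE))
    print(report["result"], report["failed_rule_ids"], report["failed_by_category"])
```

Keeping the baseline separate from the rules is what makes "alteration of approved baseline values" detectable: the rules stay fixed while the baseline records what was approved, so a new sysadmin member or a lapsed patch level shows up as a failure on the next run rather than silently becoming the new normal.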
It is imperative to minimize the attack vectors that put your company at risk. Implementing cyber security best practices will ensure you will not be the next company to receive a fine because of violating GDPR regulations.