On 28th May 2018, the European Union (EU) General Data Protection Regulation (GDPR) will come into force with harsh fines and onerous implications. The primary goal of GDPR is to harmonize the protection of personal data across all EU member states. It will have an impact in the EU and around the world, affecting any organization that handles the personal data of EU residents. Don’t let that seemingly distant date delay you from starting to prepare.
Archive for ‘Compliance’
As a Brit who thinks our country is great, but also a European who spends a large part of his time travelling around the continent, I was shocked to find that the UK electorate voted to leave the European Union! If I’m honest with myself, I didn’t see it coming. My general impression of the British public is that, on the whole, we are conservative with a small “c” and typically vote to maintain the status quo – the grass is very rarely greener…
I think that I communicate with my colleagues almost as much via email as through verbal communications – even those I share an office with. In fact, probably about a third of the verbal communications are social interaction rather than direct business discussion. In email, however, most of the communication with my colleagues contains business information, sometimes including large attachments containing sensitive strategic plans. And unlike a verbal conversation which is lost to the ether, email endures. So, while talking about business plans outside the office where someone might overhear has some risk to the company, sending an email to the wrong recipient can be significantly more damaging. Yet, organizations are still not protecting themselves from these accidental breaches.
As a case in point I offer you this example from the National Football League (NFL). It is reported that on July 1st, the New Orleans Saints intended to send an email to the NFL head office regarding their plans to pick up a player who was just put on waivers (released) by the Cleveland Browns. The email, however, was accidentally addressed to the entire league. In other words, they broadcast their plan to all of their competition.
I was speaking at an event in Stockholm recently, and was preceded by an eminent lawyer in the field of data protection. He was telling the audience how, after years of discussion, the European Union’s new data protection framework, the EU General Data Protection Regulation, has finally been agreed upon. He gave lots of detail on the specific obligations organisations will now have to comply with to ensure the protection of personal data, but in essence his message boiled down to three things:
• You are accountable and need to be able to demonstrate compliance coherently across your processes, employees and systems
• If you get it wrong, it’s really going to hurt
• You need to start thinking about how to become compliant before it’s too late
Data privacy in the cloud continues to be a hot topic for regulators. This week, I’d like to cover two important data privacy developments that have a tie-in to concerns about US surveillance programs and cloud data. The first is the US Email Privacy Act, and the second is the revocation of the US-EU Safe Harbor agreement.
Email Privacy Act
The Email Privacy Act is a proposed US Federal law that would require the government to obtain a warrant before accessing email, text messages, and other private content stored in the cloud by Internet Service Providers.
If your organization is a bulk power system owner or operator in North America, then you probably already know that you need to be compliant with NERC CIP v5 by April 1, 2016.
For readers who are not familiar with the topic, North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system in North America. NERC develops and enforces Reliability Standards, including Critical Infrastructure Protection (CIP) standards to secure cyber assets essential to the reliable operation of the electric grid.
It’s time to start getting serious about Controlled Unclassified Information (CUI) and the implementation of a solution that ensures compliance. It is expected that 32 Code of Federal Regulations (CFR) 2002, the rule governing CUI, will be completed in the November-December 2015 time frame. With the rules and markings in place, the National Archives and Records Administration (NARA) will release the official Marking Handbook to kick off the phased implementation process.
TITUS Classification software can help any department easily comply with these regulations. By using the TITUS classification and marking solution, organizations can enhance their overall security program and realize the following benefits: