CEOs unaware of GDPR non-compliance

A new investigation by Delphix has uncovered some worrying information about GDPR non-compliance in the UK, with many businesses unaware that they are failing to meet their obligations under GDPR.

Despite the fines and penalties involved in GDPR non-compliance – as can be seen from the recent British Airways fine – many organisations seem unaware of the need to be careful with personal data.

Employees revealed that they are often unaware of whether they are GDPR compliant or not, with some showing little concern about the matter. One chief information security officer (CISO) even admitted to lying to their CEO about the company’s compliance levels.

As reported by DataCentreNews:

“These confessions should come as a wake-up call to the C-suite,” says Delphix CTO Eric Shrock.

“It is clear that the vast majority of top-level execs are blissfully unaware of how easily accessible their highly sensitive data is,” he adds.

“Pair that with growing frustration amongst developers looking to acquire data quickly and we have the perfect recipe for disaster.”

You can read the full article from DataCentreNews here: https://datacentrenews.eu/story/ceos-falsely-led-to-believe-company-is-gdpr-compliant-delphix

That data protection awareness is not better at the very highest levels of business should be a major concern. It’s often at these levels that people have the most access to personal data.

Data protection and awareness of GDPR should always be incorporated into business processes by design and default. By implementing this philosophy, the kinds of lapses that Delphix uncovered are much less likely to occur.

It’s also important that data protection training be carried out across the entire organisation, from both the lowest level employee to the highest. Anybody within an organisation can be responsible for a data breach; improving awareness of a company’s GDPR non-compliance starts by educating the workforce.

Here at Activa Consulting, we offer a range of staff training options, both in-person and online, to help minimise the risk of data breaches and the resulting fines. If you’re concerned about your compliance levels, get in touch with us today!

Facebook “Like” button could be GDPR risk

It’s common to see the Facebook Like button on websites these days, but it may be a danger to those sites as a result of a new ruling from the European Court of Justice.

The court has decided that the website owners themselves are responsible for the data collected through the button. They are therefore also liable in cases where this data could be breached.

Given the social media giant’s infamous history regarding data protection issues, there’s good reason to be worried about the Facebook Like button. As reported by The Drum:

In their ruling the judges say the use of such widgets by any organisation amounts to being a joint data controller, meaning that websites “must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the [data] processing.”

The darker side of Facebook’s Like button has come to prominence in recent months on the back of a series of privacy scandals to rock Facebook, with analysts pointing out that its primary function isn’t as a digital show of support but a tool to track individuals and permit data collection beyond Facebook’s products.

This was brought to light in a case involving German retailer Fashion ID, which was sued by consumer rights group Verbraucherzentrale NRW over its use of the Facebook widget. The case escalated to the ECJ, which has now determined that Fashion ID must be considered a data controller in terms of both the collection and transmission of data.

You can read the full article here: https://www.thedrum.com/news/2019/07/30/facebook-s-button-poses-gdpr-risks-host-websites

Becoming complicit in Facebook’s data protection failings is an extremely dangerous thing to do – and considering its track record, could potentially bring certain companies to their knees. Many websites would therefore do well to completely remove the Facebook Like button.

This demonstrates how important it is to be aware of not only your own data protection processes, but also those of third-party developers and services.

You may believe your organisation to be GDPR compliant, but if you are using the services of one which isn’t, you will still be liable for any data breaches that occur as a result of their failings.

If you think this is a concern at your company, we can help. Contact us today – our GDPR consultancy services can help improve your compliance levels and reduce the data protection risks businesses face.

UK websites failing to comply with GDPR

A new report has found that the majority of the UK’s most popular websites are failing to comply with GDPR.

The study from ImmuniWeb found that 86 of the top 100 sites visited in the UK did not meet their obligations, with all of them handling user data via insecure cookies.

Furthermore, 17% either had no privacy policy or one that was difficult to find. These are basic requirements that should have been met.

As IT Pro reports:

The stats reveal that sites operating across the rest of Europe are more likely to be compliant with GDPR. A study of popular sites in France found 83 of its top 100 were non-compliant, while in Germany this fell to 50. The reasons for this are noticeably different, however, as sites in France and Germany are far more likely (50% and 40% respectively) to have missing or hard to reach privacy policies.

“We can see laudable efforts aimed to improve web application security and adhere to GDPR requirements amid European companies,” said Ilia Kolochenko, CEO and founder of ImmuniWeb. “However, there is a long road before the majority of organisations value actual security above paper-based compliance, thereby providing their users with the privacy and security they truly deserve.”

You can read the full article from IT Pro here: https://www.itpro.co.uk/policy-legislation/33726/most-of-the-uks-top-websites-fail-gdpr-claims-immuniweb

With GDPR now over a year old, these are worrying statistics. Compliance should have been met before it even came into force; failing to comply with GDPR now is inexcusable.

That the UK is lagging behind other countries (although only just behind some of them) would seem to indicate that GDPR is less of a concern for British organisations than it is for the rest of the EU.

Yet even with uncertainties over Brexit, GDPR will remain as the framework for Britain’s data protection laws. Failing to comply with GDPR is unacceptable no matter what happens when the UK leaves the EU.

If you’re yet to ensure GDPR compliance at your organisation, Activa Consulting is here to help. Our Gap Analysis service will identify the potential risks to your business and recommend what changes you need to make. Click here to contact us now!

GDPR and emergency services

The initial launch of GDPR may have caused difficulty for emergency services, but there are indications that it might end up being a force for good. GDPR and emergency services need not be at odds with one another.

As recently reported by The Next Web, the use of personal data is crucial in ensuring that emergency services perform to the best of their abilities. As a result, GDPR had quite an impact on the way they operate.

For example, uncertainties around GDPR complicated the launch of heart-attack detecting AI for emergency calls, developed by Corti – but none of its features were actually problematic in the end.

According to the article:

Andreas Cleve, CEO of Corti, agreed that GDPR brought about a lot of confusion and hindered the implementation of the heart attack-detecting AI. But in the end, none of the features or data gathering that Corti had planned was banned by GDPR.

The new law is far from perfect, but it’s made emergency services and their partners actually understand how we should handle data to ensure everyone benefits.

“The more they understand the data they have, the more likely they are to use it to improve,” Cleve explains. “They’ll be more likely to get tools to actually correlate that data, which is a big thing for machine learning projects. Data by itself is seldom very interesting, but as soon as you can correlate it, it makes all the difference.”

You can read the full article here: https://thenextweb.com/tech/2019/05/20/emergency-services-gdpr-data-benefit-ai/

Although much of the focus has been on the potential fines and penalties associated with GDPR, this demonstrates that it can also have a positive effect.

Having a strong understanding of data processes, and implementing data protection by design and default, can improve efficiency and lead to better business practices.

GDPR and emergency services seem to be on the right track; private organisations now need to realise the same benefits of GDPR compliance.

Here at Activa Consulting, we’re experts in data protection and can help your data protection programme at your organisation. Contact us now to find out how!

Verizon head of global security warns of data breaches

A stark warning has been issued by Bryan Sartin, Verizon’s head of global security services, about how data breaches are a “time bomb”.

The BBC has reported Mr Sartin as saying that he was surprised that more data breaches had not become public, following the release of the Verizon Data Breach Investigations Report, which analysed thousands of attacks.

Since GDPR, however, relatively few of these attacks have resulted in any public ramifications.

BBC News reported of Mr Sartin:

“There’s probably some big situations queuing up right now,” he said.

“Compromises happen in minutes and then extend out to hours, days, weeks and sometimes months,” said Mr Sartin. “Yet we are still looking at months for them to be discovered.”

“When it comes to account takeover, senior executives are getting hit hard right now,” Mr Sartin said. “Humans are the weakest link in the chain especially when they are on their mobile device.”

On a more positive note, said Mr Sartin, the report showed only 3% of those targeted fell victim to booby-trapped emails. In the 2018 report, the click rate was about 12%.

You can read the full article here: https://www.bbc.co.uk/news/technology-48215075

Under GDPR, the penalties for data breaches can be severe – up to 4% of a company’s global turnover per breach. Given the findings in Verizon’s report, it’s likely only a matter of time before an organisation incurs a major fine.

Mr Sartin’s warning should therefore be taken extremely seriously. It’s impossible to say what the “big situations” he predicts will be, but it seems that they’re inevitable.

Data breaches can occur at any organisation. If you’d like to minimise the risk of such breaches at your company, our consultancy services can help; get in touch with us today.