As businesses are being impacted by the European Union’s (EU) enactment of the General Data Protection Regulation (GDPR), many are asking themselves questions around the ownership of their privacy program. Do I need a Data Protection Officer (DPO)? Can I get by assigning this to my CISO, Director of Compliance, or my General Council?

The GDPR requirements for a DPO, their duties and reporting structure, are spelled out in Section 4 of the regulation, which encompasses Articles 37-39.

According to Article 37, you must assign a DPO if:

• You are a public authority processor
• You regularly and systematically monitor data subjects on a large scale
• You are processing on a large scale any special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10

This article goes on to state that public authorities are able to designate a single resource that can aggregate the responsibility across multiple organizations. This decision needs to take into account the bandwidth of the DPO and how scalable the policies and processes are across the organizations.

It is also important to note that the DPO can be an employee of the organization or a contracted resource. In either case, the controller must publish the contact details of the DPO and ensure the EU supervisory authorities have this information.

While there are parts of the GDPR that are considered unclear or grey, the requirements for a DPO are very clear. The DPO role is new for many U.S. based companies, but it should bring a strong sense of certainty around privacy to any company where EU citizen/resident data needs to be managed.

If you have questions about whether or not you need a DPO, please contact us at: https://www.americancsm.com/services/privacy-by-design/

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.

 

 

As the deadline for GDPR, May 25, 2018, nears, many companies are still struggling with their implementation and some are complete. This MeetUp brings together privacy practitioners, GRC leads, and others interested in and leading their GDPR transformations. The goal of this group is to discuss and share learnings, emerging best practices, technical solutions, and keep up to date on regulation changes.

You are welcome to join this group via MeetUp.com at https://www.meetup.com/meetup-group-coxjsIUF/ . Our next meeting will be focused on an overview of GDPR, allowing the group to determine future topics and the level of detail desired. Carlin Dornbusch from American Cyber Security Management will present the GDPR Overview and lead the group through Q&A.

This informative meeting will be held on Tuesday, February 27th, 2018, at the Trimble office in Westminster: 10368 Westmoor Dr, Westminster, CO 80021.

Details on GDPR specifics can be found on the EU’s official website: http://www.eugdpr.org/

As the deadline for GDPR, May 25, 2018, nears, many companies are still struggling with their implementation and some are complete. American Cyber Security Management would like to bring together privacy practitioners, GRC leads, and others interested in and leading their GDPR transformations. The goal of this group is to discuss and share learnings, emerging best practices, technical solutions, and keep up to date on regulation changes.

You are welcome to join this group via MeetUp.com at https://www.meetup.com/meetup-group-coxjsIUF/ . Our first meeting will be a collaboration of the attendees to define our future meetups and put a framework for the meetings in place that will be designed to aid in information sharing.

Our first meeting will be held on Wednesday, January 17th, 2018, at the Trimble office in Westminster: 10368 Westmoor Dr, Westminster, CO 80021.

Details on GDPR specifics can be found on the EU’s official website: http://www.eugdpr.org/

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts.

Who was breached today? This is the common question. Days are gone where we wonder if a business was breached or if our data was stolen from a public system. But what happens after May 25th, 2018 when GDPR is in full effect?

With the European Union’s (EU) enactment of the General Data Protection Regulation (GDPR), if breached systems contain European citizen information then specific steps and the timing of those steps are now mandated.

How many cases have we seen where U.S. companies are taking weeks, months, to even a year to disclose to their customers that their data has been inappropriately accessed, lost or stolen? In the recent case of Uber’s announcement, it took them more than one year to notify their customers of a massive data breach. Uber announced that over 57 million people were affected by their data breach and that 2.7 million were located in the UK.

How would this look under GDPR and the EU’s new watchful eye and powerful penalties? The EU wants to ensure communications of data breaches are accurate and timely. According to GDPR Article 33, any business who is suffering a breach of EU citizen information must notify the EU authorities within 72 hours. And the notice must contain, at a minimum; Nature of the breach, Name and contact details of the company’s Data Protection Officer (DPO), Description of the likely consequences, and a description of the corrective steps being taken. Secondarily, the business must also notify the EU citizens under Article 34 definitions. This article requires that notice is given “without undue delay” and the content of the breach notice to be a subset of the information sent to the EU authorities.

These few rules will change how many global U.S. companies handle breach notification and it will undoubtedly impact their processes for incident management. The good news is that we are seeing many companies implement GDPR in a holistic way whereby they are including all customer data, regardless of citizenship, in their data classification strategy when approaching GDPR. This means that these companies will treat all customer data the same way as they need to under GDPR, and not silo EU citizen information, which would require a duplication of many business processes. GDPR is also helping these larger multinational businesses understand the value and role of the DPO, the one responsible for the assurance of the new privacy controls.

The GDPR may be one of the largest privacy regulations the world has ever seen, but it may be just in time. In a world of constant data breaches, we all need to be more diligent and concerned of how companies collect and use our data, share that information with their third party suppliers, and keep us notified of the access to our information.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Security offerings reduce your risk at the Infrastructure, Network, and Application levels.

Where is the best website for breach data history? This has been a common question and one that everyone seems to have a personal answer to. In the spirit of Cyber Security Awareness Month, here are some good resources to consider.

As breaches to our privacy continue on a daily basis, they can be hard to keep up with. These resources can help you justify and improve your preventative, detection, and responsive investments.

https://www.privacyrights.org/data-breaches – This site allows you to search on the data based on 8 Type categories (i.e. Payment card), 7 Organizational categories (Education, Military) and Year (back to 2005).

http://breachlevelindex.com/ – This site has good visuals and shows summarized data over time. It also allows for data compilation over Type, Industry, and Source.

http://www.idtheftcenter.org/Data-Breaches/data-breaches – The Identity Theft Resource Center has compiled breach data since 2005, and allows access to their summarized graphs and charts.

http://www.verizonenterprise.com/verizon-insights-lab/dbir/ – If you want a thorough and well-written report, then I suggest the Verizon at the Data Breach Investigations Report.

https://dashboard.healthit.gov/quickstats/quickstats.php – For good summarized information on healthcare, the Office of the National Coordinator for Health Information Technology provides up to date dashboards and data sets.

The recent Equifax breach shows what a massive and destructive force not learning from our mistakes can be. If you need any help in understanding how to put these lessons into practice, contact us at American Cyber Security Management.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Security offerings reduce your risk at the Infrastructure, Network, and Application levels