GDPR: Which changes will affect the IT world?
May is coming, and with it the entry into force of EU Regulation 2016/679, better known as the GDPR (General Data Protection Regulation).
To sum up the content of this Regulation, which enters into force on 25 May:
- New, clearer rules regarding reports and approvals;
- Limits are set on the automated processing of personal data;
- New foundations are laid for exercising new rights;
- Rigorous standards are established for transferring data outside the EU;
- Strict new rules are set up regarding data breaches.
The new EU Regulation will foster the creation and development of new, more efficient intrusion monitoring systems, helped by the ever-expanding spread of AI. As a consequence, the flow of information about data breaches will grow in intensity, which is good news for the cyber security field.
During the past year (thanks to some well-known cases, such as the doubts raised about Russian involvement in the US election of Donald Trump, or the exposure of the personal data of hundreds of Unicredit customers, apparently due to a breach of a commercial partner's systems), the cybersecurity theme slowly crawled out of the woodwork of the specialists' environment into the light of a daily public debate, for both companies and individual citizens.
We asked Luca Guidi, IambOO's Business Manager, for the company's opinion on the entry into force of this EU Regulation:
"It's a particularly sharp regulatory intervention, because it's a Regulation that every Nation will need to be compliant with, with no possibility of amendments. Nowadays it's easy to say that society produces more services than products, and the importance of data needs to be taken into consideration. IambOO, through its products, has always stressed this subject, data security, and GDPR will make companies aware of their almost complete lack of knowledge on this subject. We will reach what Niccolò Cusano used to define as 'una dotta ignoranza' (a learned ignorance)... GDPR isn't the arrival point, but a starting point towards greater attention to data and a greater need for services," said Guidi.
What are the main changes GDPR brings to the cyber security world?
The faster technological evolution we have seen in the last few years, and the advent of the new Industry 4.0 concept, have led many companies to think about cyber security in terms of protecting their own operational processes, not only in terms of compliance with new regulations.
We will never get tired of saying that the question is not whether our data is in danger of a cyber attack, but when it will be attacked.
This trend has certainly received a renewed push from GDPR, especially regarding companies' attention to their data management and security, for two main reasons.
1. Data breach notification
The main aim of the new EU Regulation, besides limiting sanctions, is to create within companies the need to measure data breaches and notify them to the supervisory authority (in Italy, the Garante) through efficient systems for monitoring the vulnerabilities that could potentially put data at risk (more info on IambOO Vulnerability Assessment). This ability to monitor will lead small and medium companies, too, to become ever more aware of the need to secure their own systems and infrastructures.
The data controller will need to notify the people whose data were exposed by the breach and explain the measures it will take to repair the damage and remove the possibility that a similar situation could happen again. A company may decide not to inform those whose data were exposed if the violation is not a high risk to their rights, or if it demonstrates that it has already taken all the necessary security measures. A further exception may apply when informing those affected by the data breach would require an effort disproportionate to the risk.
A public announcement of what has happened is mandatory no matter which path the data controller chooses.
Either way, the supervisory authority will assess all the risks connected to the breach and may also order the controller to inform those affected by it.
2. Greater availability of information on security incidents
The second change GDPR brings to the cybersecurity field is greater availability of information on security incidents, since the sanctions provided for by EU Regulation 2016/679 for failing to notify data breaches are a risk companies aren't willing to take. This also explains why companies are going to be incentivised to invest in cybersecurity.
The mobile payment field will also be a focus of companies' attention. If 2017 was the year of Bitcoin's official acceptance, putting subjects such as blockchain under the spotlight, 2018 will surely be the year in which new needs arise for original and secure means of online payment, building greater awareness among their end users.
Finally, a genuinely new element that comes with GDPR is the right to be forgotten (right to erasure), found in Article 17: an erasure request made to a controller that has made data public obliges it to forward the request to those who process that data too.
However much the law may be misunderstood, it does not refer to browsers, nor to freedom of the press or of speech in general. The theme doesn't involve cybersecurity either, but it's interesting from the point of view of the effort companies need to make in terms of monitoring and infrastructure: companies must know how to retrieve and delete data when required, and they will also have to worry about removing data that, over time, was passed on to third parties.
In conclusion, the reach of GDPR, even just in relation to cybersecurity, is remarkable, but it concerns only the regulatory side of the subject, because the world is already moving in this direction, even if companies aren't aware of it yet.