6 Months To GDPR

By ISBuzz Team, November 27, 2017

Following the news about GDPR, IT security experts commented below.

Jes Breslaw, Director of Strategy, EMEA at Delphix:

“In a digital age, data privacy is a basic human right. With the clock counting down to the deadline for compliance with the EU’s General Data Protection Regulation (GDPR), businesses should be putting the final processes in place to provide the best, most efficient way of protecting customers’ most valuable assets – their data and identity.

Regulators have given businesses enough time to get their house in order. They will now be itching to make an example of companies that have failed to show due diligence. And what’s worse is that the regulator now has teeth.

If we look at the CEX data breach where the details of two million customers were compromised, the company could have faced fines in excess of more than £5.5 million under the GDPR regime.

In order to move fast and survive, global businesses need rapid and secure access to data. However, it can’t be at the expense of consumer privacy. What’s needed is a new approach that brings together those data operators responsible for managing, securing and distributing the data with those data consumers that are using it to run the business.

The DataOps movement offers such an approach, attempting to make data operators and consumers work together to ensure sensitive data is secured and the right data is made available to the right people. At the heart of DataOps is the ability to intelligently mask personal data at scale. With 90% of data held as copies in test, reporting and analytics systems, dynamic data platforms will protect individuals and accelerate project delivery. It will also remove the compliance requirements for these systems as the data will no longer be personally identifiable.

With the right approach and tools in place, it will be much easier for organisations to keep track of all sensitive information, mask it where necessary, and control who has access to data and for how long. However, businesses must act fast to ensure these processes are in place within the next six months. In a data-driven world, how companies handle security and privacy issues will define the winners and losers.”

Chris Olson, CEO at The Media Trust:

“As delineated in GDPR there is a difference between website analytics and unnecessary collection of consumer data. Among other things, the valid use of session replay scripts helps website operators understand how users navigate the websites with the aim of streamlining or improving the user experience. As with any third-party code, these analytics scripts can be compromised without the website operator’s knowledge and can cause security and data privacy problems, which happened to Hotjar in December 2015. These reasons should compel companies to continuously monitor not only their own website code, but that of third parties to ensure that best practices are adhered to and that data privacy of customers is ensured.”

Lee Munson, Security Researcher at Comparitech.com:

“The days of private car parks fleecing motorists for maximum gain, even for a very short overstay, may be of huge concern to Christmas shoppers, but there is light at the end of the tunnel.

“While the DVLA is perfectly within its rights to sell personal data to private firms at this point in time, the incoming General Data Protection Regulation (GDPR) has the potential to close that lucrative side-line overnight, if motorists are aware of their rights.

“From 25 May next year, companies will have to show compliance with the new regulation, one of the requirements of which is the need for informed and unambiguous consent to be in place before data can be shared with third parties.

“As a government agency, I would expect DVLA to be completely transparent about requesting that consent anew from all motorists. Failing that, drivers will of course have the right to withdraw any pre-supposed consent at any time. In either case, the agency will not be able to pass data on in the manner in which it is currently doing so.”

Paul Edon, Director at Tripwire:  

“The first area of concern here is the legality of recording people’s keystrokes without first informing them of the fact. Second is whether the data is protected in line with PCI standard requirements.

There are many valid use-cases for keystroke logging; training aids, presentations, auditing, and even security. However, keylogging is also a tool associated with nefarious activities such as hacking. The non-nefarious use-cases will almost always include an onscreen notice informing the user that their keystrokes are being recorded, the nefarious will definitely not. If these websites do not alert the user to the fact that they are recording keystrokes, then I would class this under “nefarious activity” as it is being less than honest, and the information is being collected without the user’s knowledge.

Many web forms collect personal and financial data from potential customers. Critical information such as: name, address, D.O.B., credit/debit card details, including 3-digit CVV. If this information is being collected regardless of whether the potential customer submits the form or not, then this raises another question beyond the legality of the practice: is the information stored, secured and protected in line with the requirements of the DPA, PCI DSS etc.?

The collection and storage of information not submitted by a potential customer will definitely be a breach of the EU GDPR, as permission to collect, store and process the data has not been given.”

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.