Following the news about GDPR, IT security experts commented below.
Jes Breslaw, Director of Strategy, EMEA at Delphix:
Regulators have given businesses enough time to get their house in order. They will now be itching to make an example of companies that have failed to show due diligence. And what’s worse is that the regulator now has teeth.
If we look at the CEX data breach where the details of two million customers were compromised, the company could have faced fines in excess of more than £5.5 million under the GDPR regime.
In order to move fast and survive, global businesses need rapid and secure access to data. However, it can’t be at the expense of consumer privacy. What’s needed is a new approach that brings together those data operators responsible for managing, securing and distributing the data with those data consumers that are using it to run the business.
The DataOps movement offers such an approach attempting to make data operators and consumers work together to ensure sensitive data is secured and the right data is made available to the right people. At the heart of DataOps, is the ability to intelligently mask personal data at scale. With 90% of data held as copies in test, reporting and analytics systems, dynamic data platforms will protect individuals and accelerate project delivery. It will also remove the compliance requirements for these systems as the data will no longer be personally identifiable.
With the right approach and tools in place, it will be much easier for organisations to keep track of all sensitive information, mask it where necessary, and control who has access to data and for how long. However, businesses must act fast to ensure these processes are in place within the next six months. In a data driven world, how companies handle security and privacy issues will define the winners and losers.”
Chris Olson, CEO at The Media Trust:
Lee Munson, Security Researcher at Comparitech.com:
“While the DVLA is perfectly within its rights to sell personal data to private firms at this point in time, the incoming General Data Protection Regulation (GDPR) has the potential to close that lucrative side-line overnight, if motorists are aware of their rights.
“From 25 May next year, companies will have to show compliance with the new regulation, one of the requirements of which is the need for informed and unambiguous consent to be in place before data can be shared with third parties.
“As a government agency, I would expect DVLA to be completely transparent about requesting that consent anew from all motorists. Failing that, drivers will of course have the right to withdraw any pre-supposed consent at any time. In either case, the agency will not be able to pass data on in the manner in which it is currently doing so.”
Paul Edon, Director at Tripwire:
There are many valid use-cases for keystroke logging; training aids, presentations, auditing, and even security. However, keylogging is also a tool associated with nefarious activities such as hacking. The non-nefarious use-cases will almost always include an onscreen notice informing the user that their keystrokes are being recorded, the nefarious will definitely not. If these websites do not alert the user to the fact that they are recording keystrokes, then I would class this under “nefarious activity” as it is being less than honest, and the information is being collected without the user’s knowledge.
Many web forms collect personal and financial data from potential customers. Critical Information such as: Name, Address, D.O.B., Credit/Debit card details, including 3 digit CVV. If this information is being collected regardless of whether the potential customer submits the form or not, then this raises another question beyond the legality of the practice; is the information stored, secured and protected in line with the requirements of the DPA, PCI DSS etc.
The collection and storage of information not submitted by a potential customer will definitely be a breach of the EU GDPR, as permission to collect, store and process the data has not been given.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.