
VersaTrust Blog

VersaTrust has been serving the Texas area since 1997, providing IT support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses.

The GDPR brings a new set of data regulations: Here’s what to know and whether you need to do anything.


Over the past several months, conversations have arisen concerning the new GDPR, or General Data Protection Regulation created by the EU. It’s quickly moving from a casual bit of IT news to an important issue for companies creating long-term data strategies: In other words, it’s time to make some decisions about this new regulation. To help out, here’s what you need to know about the GDPR and why you should consider a response.

1. The GDPR Is More Far-Reaching Than You May Expect

Yes, the GDPR is an official EU standard, and it does not apply outside of the EU. However, it has a lot more reach than that suggests. Yes, it’s a European “regulation” (which is somewhat behind a “directive” but still very important), but it’s one that applies to the data of all EU citizens – including pre-Brexit Britain. That means if you have any customers, partners, or supply chain links in the EU (or want some in the future), you need to be aware of what the GDPR requires and whom it covers.

That’s part of the intent of the legislation: It’s designed to encourage data privacy and security practices among businesses across the world that want to deal with EU customers. And unless your company is highly separated into divisions, it’s also a good opportunity to update your data systems for all customers. On the downside, this may mean that it is no longer feasible to use data in the same ways that you did in the past. On the upside, the GDPR is broadly considered a win for customer privacy.

2. Controllers and Processors Are Targeted

The language of the GDPR makes it clear that “controllers” and “processors” are required to follow the new regulation. So what does that mean? Well, a controller is any entity that makes decisions about what data is collected and how that data is used. A processor is any organization directly involved in collecting, storing, and transferring that data. Sometimes the controller and processor are the same organization, and sometimes one is just using the services of the other. Both must follow the GDPR.

3. “Personal Data” Is a Key Phrase

Most of the GDPR is focused on protecting what it calls personal data – so naturally, everyone is curious about exactly what personal data means. The definition can change over time, and in fact one purpose of the GDPR was to expand that definition so that more types of data are protected. Under this regulation, personal data includes basic identification and contact information, but also IP addresses, economic data, health data, and cultural data – basically, anything that’s been collected about a specific person.

There are different ways of making personal data more or less anonymous by collecting it in aggregate or limiting how it is collected. The GDPR has more specific regulations for these cases, but basically, if the data can be traced back to an individual, there’s a good chance that the rules will apply.

4. The Heart of the GDPR Is Lawful Use and Consent

All right, so now we have covered personal data: What are companies supposed to do with it to meet the GDPR? There are several restrictions that businesses must follow:

  • Data collected must be for a specific purpose.
  • Data must be processed with consent, which is an affirmative action by the subject regarding specific data. That means limited autofill and no auto-acceptance for web forms. If consent isn’t really possible for the subject (for a variety of reasons), then the data processing must comply with any legal obligations or meet other standards (preventing fraud, etc.).
  • Individuals can ask to see what data a controller holds on them.
  • Individuals must be able to withdraw consent and have their data deleted at any time. They can also demand that their data be moved somewhere else, which means holding data in a compatible format.
  • Once the specific purpose of the data processing is finished, the held data must be deleted. It cannot be held onto or passed onto any other organization not connected with the original purpose.

5. The Regulation Also Pertains to Data Attacks

If a data breach occurs, the organization must inform the proper authority (the body that governs data protection in the countries of the individuals whose data is held) within 72 hours, or face steep fines (the GDPR greatly increases these fines). This poses a bit of a challenge: As noted above, data must be kept in formats that are relatively easy to transfer to other organizations, but that data must also be protected against data threats.

6. IT Professionals Aren’t Prepared

A study by Imperva indicates that, for example, less than half of cyber security workers in the UK are even evaluating the requirements of the GDPR thus far. The number no doubt drops much further for the United States and other countries outside of the EU, which means organizations may be caught off guard. It’s important to find out if you need to conform to any part of the GDPR and what changes may need to be made in your systems to make sure that they are compliant.

Fortunately, not everyone is taken by surprise. Companies like Microsoft are working to make sure that their systems are GDPR compliant: It’s important to know if your vendor or software provider is doing the same.

7. The Deadline Is Currently in 2018

Specifically, the GDPR requires that companies be ready for the new regulations by May 25th, 2018. This isn’t much time, but remember that the EU has been working on their regulations for several years, so it seems reasonable to them.

It’s also important to note that when it comes to compliance, dates are rarely entirely in stone: They tend to get pushed back or allow organizations to file for more time. However, that doesn’t mean you should get lazy!


Help protect yourself from identity theft online by asking yourself these six questions.


I feel safe in assuming that if you met a stranger on the street who wanted you to disclose your personal banking information, you would tell him to go take a long walk off a short pier, or at least keep your mouth shut. Then why do so many otherwise intelligent business owners fall for scams online?

When I speak to my clients about phishing scams and protecting their identity online, they nod their heads and assure me they would never fall for a Nigerian banking scam or open an attachment from an unknown person. Yet, every month, successful business owners contact me to ask for help reclaiming their lives after cyber criminals steal their identities.

The hard truth is recovering from identity theft is a long, painful process. It is much easier and way less expensive to prevent identity crimes from occurring in the first place by protecting yourself from an identity scam.

Protecting Your Identity Online

Help keep your identity more secure online by asking yourself these six questions before you become another victim of identity scammers.

Are you expecting to hear from the person or business contacting you? Unless you have an ongoing relationship with the sender of an email or message, any inquiry for personal information you receive is most likely an attempt to defraud you. Even if you have business with the company supposedly contacting you, is there a legitimate reason for the business to communicate with you now?

It is now common for a fraudster to use the name of a large company that most people deal with, like PayPal, Amazon or a local utility company. So just because you are a customer of a company doesn’t mean the email is real. If you are ever in doubt about whether a request from a company is legitimate, open a new web browser and visit the company’s website by typing the full domain name directly into the address bar. Never click on any links in the email, which may take you to a copy of the company’s site.

Does the email look professional? Carefully examine any email you receive which asks for sensitive information. Compare the questionable email to other emails which you have received in the past from the same company and know are legitimate. Look at details like the logo, the salutation, and the way the email is written. The majority of phishing scams originate outside the United States in countries where English is not the official language. Many scam emails contain multiple spelling and grammar mistakes.

When an email contains language that encourages a quick response to prevent being locked out of your account or losing your benefits, it is most often a red flag.

Do I really know who sent you that? Online scammers are great at making their emails and social messages appear to be coming from a friend or associate you know. Manipulating the apparent source of a message, or its header, is ‘spoofing.’ Spoofing causes US businesses to lose billions of dollars in fraud.

Before you respond to an unexpected request by sending any form of personal information, always double check that the sender’s email address matches the person or company you think sent the message. If the sender is using a different email address, don’t respond. The safest approach is calling and speaking with the sender by telephone to verify the legitimacy of the request.

Why is the person asking for that particular information from me? Many scammers use a spoof email to ask users to confirm personal information relating to the individual’s account. Most of the time, the information these scammers ask for is something which a real business would not need to confirm a user’s identity.

Banks and financial institutions never request users to confirm passwords or user names through email. A legitimate business won’t ask for you to send sensitive information over an unsecured server.

Is the payment page secure? The majority of purchases in the US are made online. But before you input your credit card information, you need to make sure you are not about to send your credit card information to a scammer. Help keep your bank account safe by always checking that the payment page is secure and authentic.

Never access a payment page directly from an off-site link. It is common for a cyber criminal to send a spoof email which contains an embedded link to a special offer. But when you click on the link, it redirects you to a copy of the site designed by the scammer to steal your credit card information. Never pay on a page whose address doesn’t begin with “https://”, and look for a padlock icon in the address bar. If you are unsure about the security of a site’s payment page, don’t make a purchase.

Am I revealing too much personal information on social media? A profile on a social media service like Facebook, Instagram, LinkedIn, and Twitter is a treasure trove for identity thieves. Many users of these social media services do not understand just how much of the information they publicly share can help scammers to gain access to their accounts. Avoid sharing sensitive information such as birth dates, anniversary dates, names of children, pets, friends, and spouses. Don’t post pictures scammers can use to create fake accounts. Never reveal your home or work address.

Always use the highest level of privacy available from a social media service and never accept strangers as friends.

Regrettably, it is impossible to guarantee you will never be a victim of online identity theft, but when you remember to ask yourself these questions, you will lower the chances that you will.
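The sender, link and urgency checks from the questions above, written up as an added Python example that is not part of the original post. The messages, domain names and addresses below are constructed for illustration; the checks assume you already know which company (expected_domain) the message claims to come from.

```python
import email
import re
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Phrases the post calls red flags: pressure to act fast or lose access.
URGENCY_PATTERNS = [
    r"\bwithin 24 hours\b",
    r"\baccount will be (suspended|locked|closed)\b",
    r"\bverify your (account|password|identity)\b",
    r"\bimmediately\b",
]

# Matches <a href="URL">visible text</a>. Enough for the simple HTML bodies
# used in these samples; it is not a general HTML parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, or '' when it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def host_of_text(text: str) -> str:
    """Host named in visible link text such as 'www.bank.example/login'."""
    text = re.sub(r"<[^>]+>", "", text).strip()
    if not re.match(r"^(https?://)?[\w.-]+\.\w+(/|$)", text):
        return ""
    if "://" not in text:
        text = "http://" + text
    return host_of(text)


def same_org(host: str, expected_domain: str) -> bool:
    """True when host is expected_domain itself or one of its subdomains.

    A lookalike such as 'expected.com.evil.example' does NOT pass, because the
    comparison is on the suffix, not the prefix.
    """
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def check_message(raw: str, expected_domain: str) -> List[str]:
    """Apply the post's checks to a raw email; return a list of findings."""
    findings = []
    msg = email.message_from_string(raw)

    # "Do I really know who sent you that?": the From address, not just the
    # display name, must belong to the company you expect.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not same_org(sender_host, expected_domain):
        findings.append(f"sender domain '{sender_host}' is not '{expected_domain}' "
                        f"(display name: '{display_name}')")
    # A Reply-To that points somewhere else is another header-level mismatch.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To '{reply_to}' differs from From '{addr}'")

    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else str(payload)

    # "Is the payment page secure?": links must be https and lead to the
    # company's own site, and the visible text must not disguise the target.
    for href, text in ANCHOR_RE.findall(body):
        link_host = host_of(href)
        scheme = urlparse(href.strip()).scheme.lower()
        if scheme != "https":
            findings.append(f"link scheme is '{scheme or 'none'}', not https: {href}")
        if not same_org(link_host, expected_domain):
            findings.append(f"link host '{link_host}' is not under '{expected_domain}'")
        shown = host_of_text(text)
        if shown and shown != link_host:
            findings.append(f"link text shows '{shown}' but points to '{link_host}'")

    # "Does the email look professional?": pressure language is a red flag.
    lowered = body.lower()
    findings.extend(f"urgency language matched /{p}/" for p in URGENCY_PATTERNS
                    if re.search(p, lowered))
    return findings


# Constructed sample: lookalike sender, mismatched Reply-To, http link whose
# host merely starts with the real domain, and urgency wording.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@example-bank-verify.net>
Reply-To: support@mailer-zz.example
To: victim@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, unusual activity was detected. Your account will be locked
unless you verify your account within 24 hours.</p>
<p><a href="http://example-bank.com.secure-login.example/verify">www.example-bank.com/secure</a></p>
</body></html>
"""

# Constructed sample of a message that passes every check.
SAMPLE_LEGIT = """\
From: "Example Bank" <notices@example-bank.com>
To: victim@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is available in online banking.</p>
<p><a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, check_message(sample, "example-bank.com"))
```

Each finding corresponds to one of the questions in the post; a message with no findings still deserves the phone call the post recommends before sending anything sensitive.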

Short on resources but still need to improve data security? Here are the steps you should consider.


A very typical attitude exists among growing companies that are upgrading their data security systems. It goes something like, “We would love to improve our IT security – but we don’t have room in our budget for anything big.” Given how sensitive data security currently is to business survival, we’re not sure that’s the right attitude to have, but the fact is that many companies just don’t have many resources available to invest in new security licenses or services. That’s fine: Here are key steps you can take without making significant budget changes.

1. Use Available Biometrics and Manage User Identities

Biometrics may sound like a high-tech field, but biometric devices have fallen in price and become commonplace, removing budgetary concerns about upgrades. In fact, if you have a device made within the last couple years, it probably comes with a fingerprint scanner or similar device without any extra charge (how long has it been since we’ve been logging into our phones with fingerprints?). Even if you are using older desktops or laptops, biometric devices are a quick, affordable purchase that will allow your company far more efficient login tracking and device protection. Passwords have problems – especially when they are poorly chosen or never changed. Biometric logins don’t have these problems and are generally more employee-friendly to use.

2. Maintain a Dedicated Security Administrator

Services like Microsoft’s Office 365 Threat Intelligence use automatic threat detection services to sift through data and watch for any signs of malware or hacking. Threat Intelligence can alert companies about suspicious behavior or logins, as well as keep businesses updated on the latest threats and necessary precautionary steps to take. The good news is that Threat Intelligence is typically offered as a free security perk. However, it requires an experienced security administrator who can receive regular alerts and who knows what to do about them. Creating an entirely new position is unlikely with budget constraints, but consider shuffling responsibilities if necessary so that a trusted IT hire or manager can hold this responsibility for the long term.

3. Practice Consistent Access Management

All data systems come with ways to manage access: Unfortunately, not all companies use access control to the proper extent. Some sensitive data simply cannot be available to everyone without inviting serious security risks. Even data held behind authorization walls can be compromised if that authorization is handed out too quickly, or at the wrong time during workflow. For a low-cost way of shoring up your data security, take a look at access management practices and how easy it is for people to improperly access sensitive data. This isn’t just a systems question, either – it’s also an environmental and practices issue. No business should leave computers open in lobbies or common areas with access to sensitive data enabled.

4. Fix Compatibility Issues and Implement Security Updates ASAP

Security updates and patches are designed to counter malware or close vulnerabilities that could later be exploited. It may seem like Security 101 to apply these patches, but many companies struggle with this simple step. It’s best tackled in two stages:

  • Go through operations and check to see if updates will cause any compatibility problems. This is an IT specialty, and IT experts should have no problem finding any potential problems. If any software or systems run into issues when you try to update, then fix them first or find alternatives that are up to date. Do this regularly with security patches, and you will end up with flexible, fast systems that can be updated in a day or two. Don’t do it, and you’ll be stuck with compatibility issues that will keep getting worse.
  • Set your update schedule, and make updates on work devices automatic so that no one has the choice to just ignore the patch. Remember, time is of the essence, so even if you need to wait on vendor updates or switch to a different app, think in terms of days or weeks instead of months.

5. Change to Mobile-Capable File Servers

This is probably the most cash-heavy option on the list, but if you already have the right server hardware or flexibility in switching hosting services, it doesn’t cost much to make a server upgrade, especially if you are already paying for a license/service. Today’s mobile-friendly business world benefits far more from adaptable, streamlined, and mobile-capable systems that eschew external hard drives (another cost-saver) for cloud sharing and virtualization. Cut back on hardware, revamp your data services, and the company may come out the other end with fewer long-term costs.

6. Enable All Two-Step Verification

Everything from Gmail to O365 offers multi-factor authentication. All businesses should enable this type of verification: It makes data theft far more complicated and doesn’t come with any associated costs (other than a bit of your time).

7. Make Employee Education Part of Your Daily Meetings

Educating employees isn’t always easy, but it’s very cost effective! The problem is that a single education or training session has minimal impact. Over time, without reinforcement, employees tend to get lazy about security, so you can’t just tell them once.

A better idea is to devote a portion of your daily or weekly meetings to talking about general data security. You can give tips about how to treat mobile devices before a business trip, updates on new security initiatives, and reminders about logging off computers in public areas. As long as you make it part of the continued conversation, it will stay in employees’ minds and become a part of the workplace. However, always try to explain the impact on the company itself, and why security rules exist, so that employees understand what’s at stake. A short news brief about data attacks in your industry can make a compelling point if there are any good recent examples. There are also online resources available to help out.


Large, sophisticated corporations and government agencies have been mercilessly attacked by ransomware. Here is a look at some that have been hit around the world.

Ransomware attacks have become increasingly prevalent throughout the world. At one time, small companies were the only ones at risk. This may be because they were not savvy about the real dangers, and didn’t put cyber security in place. Now, even large, sophisticated corporations and government agencies have been mercilessly attacked. Here is a look at some of the firms and agencies that have been hit around the world.

Russia’s Largest Oil Company

In 2016, Russia’s largest oil company, majority-owned by the Russian state, was named the 51st largest corporation in the world. Sales are estimated at over $64 billion annually.

On June 27, 2017, this company disclosed that it had been hit by the most recent ransomware attack, said to closely resemble the devastating “WannaCry” attack carried out just weeks earlier, in May 2017. With that much in sales in jeopardy, the Russian oil company probably does wanna cry. A Russian-based cyber security firm estimated that roughly eighty companies in Russia and Ukraine were affected. However, the damage wasn’t limited to Eastern Europe, as seen by the following other companies that were affected.

Corporate Snack Brand

A corporate giant and traded stock company that owns famous snack brands was forced to take its systems offline in response to a “serious global cyber incident.” It’s likely that the perpetrators of this were not just having a “snack attack,” but are in hot pursuit of something far darker than the darkest chocolate.

Global Pharmaceutical Firm

One of the world-renowned pharmaceutical firms, worth untold billions, was also hit by a ransomware attack. Corporate executives announced Tuesday that their firm, too, had been somehow breached by this latest attack. Unlike a pharmacy break-in, a lot more than prescription drugs are at stake.

Global Shipping Company

One of the subsidiaries of a global shipping company was another victim of the latest ransomware attack on June 27, 2017. The subsidiary’s deliveries were disrupted, leaving over 200 countries affected by undelivered packages.

What is Ransomware?

Ransomware is malicious code that holds company files and data hostage until a certain sum of money is paid to the perpetrator. Just like in a real world ransom scenario, the “goods” won’t be handed back until the ransom is given over. Also as in real world ransom scenarios, there’s a risk that the “goods,” or the data in the case of ransomware, will be harmed while in possession of the “kidnappers.”

When the extorted party gets the files back, there is no way of telling what other kinds of breaches have occurred. Since there are usually billions or more lines of code, it would be nearly impossible to tell if the files were infected with spyware, or some other kind of future ransomware virus, set to activate at a later date.

Another risk with the ransomware scenario is that the files won’t actually be returned, even after the money is paid. In the case of the recent attack, logic would suggest that the perpetrators would return the files. If one company paid and didn’t get their data back, word would quickly spread and other companies wouldn’t pay the ransom. For that reason, in many ways, it behooves the hackers to return the files in the same condition in which they stole them; however, the “operating code” of hackers is obviously not ethically bound. One thing is sure: If any of these companies do end up paying the ransom, it won’t be widely reported in the press, if at all. It’s unlikely that a giant corporation would want to admit that it a) hadn’t backed up its systems, b) went against all professional advice not to pay, and c) paid out millions to criminals.

Will Major Firms Pay the Ransom?

Whenever something is taken for ransom – be it a person, property or, as in this case, digital data – authorities strongly advise against paying the ransom. Paying ransom does perpetuate the problem. When hackers see that they can steal data and profit by it, they are thus encouraged to rinse and repeat. The prevailing advice is that corporations back up their data, plug holes and monitor for suspicious activity. But this is like telling someone who just had their wallet stolen that to get their wallet back they should put extra money someplace else, hide their wallet and look out for suspicious characters lurking in alleyways. That advice doesn’t actually help get the wallet back. Basically, if a large corporation hadn’t taken those precautionary steps before the ransomware attack, and the lost data would put them out of business, they are going to pay the ransom. Hackers know this, and that’s why ransomware works.

The Only Answer is in Prevention

The only solution to a ransomware attack is to live and learn and spread the word. The more willing these corporations are to admit that they got hit, the better prepared other companies are likely to be. While it’s embarrassing for a giant pharmaceutical firm to admit that they were fooled, it’s ultimately better for the rest of us to learn that even the big guys are not infallible to cyber threats.

Prevention measures must include redundancy as the number one priority. That one step would 1) prevent the loss of critical operating data, and 2) enable overwriting of any malicious code that might have been introduced into the data while it was in the hands of the hackers. Backing up files so there is a minimum of one extra copy is good. Two backups are even better.

The next prevention measure involves making sure antivirus software and its plug-ins are up to date. Literally, the company’s IT department should be checking daily, if not hourly, to install available updates that are designed to plug security holes.

Finally, monitoring activity must be done continually. These ransomware attacks leave prints, and they are detectable by watchful IT experts. If vigilance is practiced, future attacks could be kept to a minimum, or even prevented.


GDPR regulations for Europe go into effect very soon, but is your organization ready for the rigor required by these standards?


Recent cyber attacks have technology leaders throughout the world reviewing their security requirements, but the European Union is already a step ahead. Its upcoming GDPR, or General Data Protection Regulation, defines data security and risk requirements for organizations doing business in the EU. Businesses with customer interactions in the EU are scrambling to ensure that they meet or exceed the stringent data protection requirements before the Spring 2018 deadline for compliance, especially since non-compliance brings stiff fines and penalties to your business. The GDPR seeks to hand control of their data back to individuals, requiring organizations to be more proactive in proving that they have total control over the consumer data in their safekeeping. Understanding the key GDPR compliance requirements for your business is a critical step to continuing to do business in Europe, but business owners may be confused about which regulations apply in their specific instance.

More About GDPR

In April 2016, the European Parliament made a landmark decision that will have a far-reaching impact on how organizations store and manage customer data throughout the world. The GDPR (General Data Protection Regulation) regulates how companies protect the personal data of European citizens. Lack of compliance by Spring 2018 can have a serious impact on your bottom line, with stiff fines and penalties imposed by the EU. The regulation aims to provide a more uniform and consistent approach to the storage and security of data across nations in the European Union through required consent, data breach notifications, anonymization of data, safe data transfers and additional regulatory agencies. The regulation targets all organizations that do business in the European Union and includes a variety of requirements, including the appointment of a specific data protection officer who is expected to be fully independent of both upper management and IT.

Steep Non-Compliance Penalties

While organizations in the U.S. are used to the possibility of opting out of specific legal requirements, the GDPR guidelines are mandatory, and a business that ignores them faces the consequences. The fines are significant — up to 4 percent of a company’s global annual turnover or up to 20 million Euros. The recent malware attacks on large organizations have left whole industries feeling vulnerable to attack, making it even more important that the GDPR requirements be followed precisely. According to a recent cybersecurity report from Cisco, average organizations today are facing tens of thousands of security events each week, with large and vicious attacks potentially reaching around the world in only a few hours. There are a variety of activities that could be considered non-compliant, including breaches of the data protection principles, customer or employee rights, conditions for consent and even international data transfers.

Compliance Oversight

Penalties can be imposed by data protection authorities, who have the power to physically obtain access to your company’s premises to carry out audits. Organizations of all sizes will be required to provide information upon request. Part of what the audits are looking for is a clear trail of freely-given consent, such as a written statement from an individual stating their agreement to the processing of their personal information. Individuals are able to easily withdraw their consent, and the burden of proof rests with the organization to prove that consent has been provided. This more aggressive approach to customer data is likely to cause challenges for businesses in the U.S. that are used to relatively freewheeling marketing practices.

Data Breach Response

There are expanded rules around the reporting of data breaches, requiring that all incursions be reported within a maximum of 72 hours. Employees must be trained in responding to a serious data breach, with the designation of specific responsibilities and roles within the organization. Fortunately, GDPR allows encryption as an appropriate way to achieve the goal of compliance. This relatively inexpensive option is very powerful and widely available and may allow your organization to skip notification to data subjects if it is determined that the personal data is unintelligible. Having clear policies and tested procedures in place is critical to ensuring that your organization can quickly react in the event of a data breach.

Required Documentation

Part of ensuring that you have valid consent from every individual whose data your organization gathers is to tightly document approvals. Personal information that is shared across international lines is subject to additional audits. With the updated ruleset, organizations carry the entire burden of proving how personal data is processed and stored, and that it is documented as being fully compliant with GDPR requirements. Since consent can be quickly and easily withdrawn, organizations are looking for ways to ensure a clear path to legitimizing processing activity. One portion of these regulations that organizations will not be pleased with is the absolute right to object to direct marketing. Businesses have long relied on direct marketing to communicate directly with individuals who have only a passing familiarity with the business, but these more stringent rules require that individuals who have opted out of marketing be promptly added to an in-house suppression list, or the business risks non-compliance fines.

Mixed Reactions

While the stringent new regulations may seem overwhelming to a business, there are some definite benefits to this direction. The EU has effectively consolidated the processing rules of each member-nation to form one set of standards, reducing variation. Additionally, having only one organization in charge of audits and compliance with the NDPA is considered to be a positive move. On the negative side, businesses are picking up more responsibility and may need to invest in organizational and technical measures that may require the redesign of systems and processes — and will almost certainly require additional staff to assure full compliance with requirements.
