WTF is GDPR?

https://techcrunch.com/2018/01/20/wtf-is-gdpr/
GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out.
A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection. Also under GDPR, financial penalties for data protection violations step up massively.
GDPR aims to have every link in the processing chain be a robust one. Companies need to maintain up-to-date records that demonstrate their compliance, and must appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers.
Through its running emphasis on data protection via data security, GDPR implicitly encourages the use of encryption as more than a risk reduction technique. Another major change arriving with GDPR is that ‘privacy by design’ is no longer just a nice idea: privacy by design and privacy by default become firm legal requirements.
GDPR also encourages the use of pseudonymization — such as, for example, encrypting personal data and storing the encryption key separately and securely — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Data has to be rendered truly anonymous to be outside the scope of the regulation.
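As an added illustration of the pseudonymisation pattern just described (example code, not from the TechCrunch article or this page), the Go program below replaces a record's direct identifiers with a keyed token plus AES-GCM ciphertext, while the key is held by a separate KeyVault component. KeyVault is a hypothetical stand-in for an HSM or secrets manager; the Record and Pseudonymised types and the sample customer are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
)

// Record is a constructed customer record: Name and Email identify the person directly.
type Record struct {
	Name, Email, Country string
	Orders               int
}

// Pseudonymised is what the processing system stores instead: Token links rows of the
// same person without naming them; Identifier is ciphertext only the key holder can open.
type Pseudonymised struct {
	Token      string // hex(HMAC-SHA256(key, email)): stable per person, one-way
	Identifier []byte // nonce || AES-GCM(key, name + "\x00" + email)
	Country    string
	Orders     int
}

// KeyVault models the separately secured component holding the key (hypothetical
// stand-in for an HSM or secrets manager). Pseudonymised records never live here.
type KeyVault struct {
	key []byte
	gcm cipher.AEAD
}

// NewKeyVault draws a fresh 256-bit key and prepares the AES-GCM cipher for it.
func NewKeyVault() (*KeyVault, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyVault{key: key, gcm: gcm}, nil
}

// Pseudonymise strips the direct identifiers from r. Token is deterministic so
// analytics can still group rows by person; Identifier gets a random nonce so two
// rows for the same person do not carry identical ciphertext.
func (v *KeyVault) Pseudonymise(r Record) (Pseudonymised, error) {
	nonce := make([]byte, v.gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Pseudonymised{}, err
	}
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(r.Email))
	plain := []byte(r.Name + "\x00" + r.Email)
	return Pseudonymised{
		Token:      hex.EncodeToString(mac.Sum(nil)),
		Identifier: v.gcm.Seal(nonce, nonce, plain, nil), // nonce prepended
		Country:    r.Country,
		Orders:     r.Orders,
	}, nil
}

// Reidentify restores the full record. Under a different key GCM authentication
// fails, which is exactly the separation the technique relies on.
func (v *KeyVault) Reidentify(p Pseudonymised) (Record, error) {
	ns := v.gcm.NonceSize()
	if len(p.Identifier) < ns {
		return Record{}, errors.New("identifier too short")
	}
	plain, err := v.gcm.Open(nil, p.Identifier[:ns], p.Identifier[ns:], nil)
	if err != nil {
		return Record{}, err
	}
	parts := bytes.SplitN(plain, []byte{0}, 2)
	if len(parts) != 2 {
		return Record{}, errors.New("malformed identifier plaintext")
	}
	return Record{Name: string(parts[0]), Email: string(parts[1]), Country: p.Country, Orders: p.Orders}, nil
}

// OrdersByCountry shows the pseudonymised rows stay usable for processing that
// has no need to know who anyone is.
func OrdersByCountry(rows []Pseudonymised) map[string]int {
	out := map[string]int{}
	for _, r := range rows {
		out[r.Country] += r.Orders
	}
	return out
}
```

A system that only needs the aggregate can be handed the Pseudonymised rows without the vault; re-identification requires both the rows and the separately held key.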

373 Comments

  1. Tomi Engdahl says:

    1.5 BEEELLION sensitive files found exposed online dwarf Panama Papers leak
    Borked FTP, SMB, rsync, and S3 buckets fingered
    https://www.theregister.co.uk/2018/04/05/billions_files_exposed_aws_ftp_wide_open/

    Security researchers have uncovered 1.5 billion business and consumer files exposed online – just a month before Europe’s General Data Protection Regulation comes into force.

    During the first three months of 2018, threat intel firm Digital Shadows detected 1,550,447,111 publicly available files across open Amazon Simple Storage Service (S3) buckets, rsync, Server Message Block (SMB), File Transfer Protocol (FTP) servers, misconfigured websites, and Network Attached Storage (NAS) drives.

    Reply
  2. Tomi Engdahl says:

    How a password manager can help in your GDPR journey
    https://www.zoho.com/vault/blog/how-a-password-manager-can-help-in-your-gdpr-journey.html

    What is the GDPR?

    The General Data Protection Regulation (GDPR) is the comprehensive overhaul of the data protection regulations that have already existed in the European Union (EU) for the last twenty years. The ultimate aim of this new regulation is to give EU residents more control over their personal data — what, how, why, where, and when their personal data is used, processed, or disposed of.

    When will it come into force?

    The European Commission brings the GDPR into force on May 25, 2018. That’s barely one month away from now. Any company that handles EU residents’ personal data, irrespective of the location of their headquarters, should become GDPR-compliant on or before the announced date, or face significant fines of up to €20M or 4% of their global annual revenue, whichever is higher, for GDPR violations.

    What is personal data according to the GDPR?

    Per the GDPR, personal data means any data that relates to “an identifiable natural person.” It covers a wide range of information including name, address and ID numbers, web data such as location, IP address, cookie data and RFID tags, health and genetic data, biometric data, racial or ethnic data, political opinions, sexual orientation, etc.

    How can I comply?

    Identify personal data scattered across your company
    Control how personal data is used and accessed
    Prevent, detect and respond to data breaches
    Maintain comprehensive records of access to personal data

    The role of a password manager in GDPR

    The fundamental goal of the GDPR is to identify, control, and secure the personal data of EU residents. Here are a few areas where a password manager can help:

    Store passwords and other confidential data (including personal data) in a centralized encrypted vault
    Enforce the use of strong, unique passwords for each account and ensure periodic password rotation
    Restrict access to organization accounts that give access to personal data based on job roles and responsibilities
    Include an additional layer of security with two-factor authentication and password request-release workflow for sensitive accounts
    Audit who accessed what data and when
    Revoke access to confidential data whenever needed
    Grant access to sensitive accounts without revealing the password in plain text
    Offer an option to securely share passwords with contractors and temporary workers
    Safeguard confidential data from the hands of hackers and malicious insiders

    Reply
  3. Tomi Engdahl says:

    Facebook urged to make GDPR its “baseline standard” globally
    https://techcrunch.com/2018/04/09/facebook-urged-to-make-gdpr-its-baseline-standard-globally/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Facebook is facing calls from consumer groups to make the European Union’s incoming GDPR data protection framework the “baseline standard for all Facebook services”.

    In an open letter addressed to founder Mark Zuckerberg, a coalition of US and EU consumer and privacy rights groups urges the company to “confirm your company’s commitment to global compliance with the GDPR and provide specific details on how the company plans to implement these changes in your testimony before the US Congress this week”.

    Reply
  4. Tomi Engdahl says:

    The EU’s GDPR regulations are well-meaning, but do not go very far. It will not deliver much privacy, because its rules are too lax. They permit collecting any data if it is somehow useful to the system, and it is easy to come up with a way to make any particular data useful for something.

    The GDPR makes much of requiring users (in some cases) to give consent for the collection of their data, but that doesn’t do much good. System designers have become expert at manufacturing consent

    Source: https://www.theguardian.com/commentisfree/2018/apr/03/facebook-abusing-data-law-privacy-big-tech-surveillance

    Reply
  5. Tomi Engdahl says:

    EU’s general data protection regulation will affect your web services
    https://relevant.fi/en/blog/eus-general-data-protection-regulation-will-affect-your-web-services/

    2018/04/10

    ‘Much has been said about the GDPR. In a nutshell, it is a regulation from the European Commission that replaces the old data protection regulation and will, in equal measure, expand the existing policies. The many privacy rights provided by the GDPR mean that any person becomes the owner of any data collected about him or her. Should the individual choose to exercise those rights, the data collector or processor must be able to comply.’ Comment by Anna-Riitta Vuorenmaa, partner at Privago and Allan Sørensen, Chair of IAB Europe’s Policy Committee.

    Whether you’re a big or small company you must get consent from your visitors to collect any information or data from them.

    Even if you have only installed Google Analytics or social media sharing buttons like Facebook or LinkedIn ‘like’ buttons on your site, you still have to ask consent from all who are visiting your site. When the consent is collected, our solution remembers your visitors’ consent and doesn’t ask for it again. Be aware that a company or a site owner still has the responsibility when applications or systems collect data. Many plug-ins and free tools usually collect user data, and with this service you have control over what information will be passed through.

    Online Data collection governed by GDPR and the E-privacy directive:
    – E-Privacy Directive sets the ’consent’ requirements
    – GDPR requires ‘unambiguous’ consent through clear, affirmative action

    If relying on implied consent, consider timing of cookie drop

    But don’t worry, we have easy plug and play solution ready for you and your site.
    If your site collects any personal information you just need to fill out one form and order a script to your site. After it has been installed, your site will be GDPR compliant.

    Relevant Consent helps you to easily comply with the GDPR and other data privacy regulations, assess privacy risk and stop unauthorized website trackers from following your visitors.

    Definition:
    Cookies are mentioned only once in the EU General Data Protection Regulation (GDPR), but the repercussions are significant for any organisation that uses them to track users’ browsing activity.

    Recital 30 of the GDPR states:

    Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

    In short: when cookies can identify an individual via their device, it is considered personal data.
    This supports Recital 26, which states that any data that can be used to identify an individual either directly or indirectly (whether on its own or in conjunction with other information) is personal data.

    What it means
    Not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR. This includes cookies for analytics, advertising, social media and personalisation or functional services, such as surveys, recommendations and chat tools.

    To become compliant, organisations will need to either stop collecting the offending cookies or find a lawful ground to collect and process that data. Most organisations rely on consent (either implied or opt-out), but the GDPR’s strengthened requirements mean it will be much harder to obtain legal consent.

    The consequences of this were discussed during the 2016 Data Protection Compliance Conference and its findings described by Cookie Law:

    – Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.
    – ‘By using this site, you accept cookies’ messages are not sufficient for the same reasons. If there is no genuine and free choice, it is not a valid consent. You must make it possible to both accept or reject cookies.

    This means:
    – It must be as easy to withdraw consent as it is to give it. If organisations enable visitors who don’t want to give their consent to block cookies, they first have to enable the visitor to accept cookies.
    – Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind.

    Reply
  6. Tomi Engdahl says:

    Facebook:
    Ahead of GDPR, Facebook debuts enhanced privacy controls for all users globally, starting in EU, with more choices about ads, allowing face recognition, more

    Complying With New Privacy Laws and Offering New Privacy Protections to Everyone, No Matter Where You Live
    https://newsroom.fb.com/news/2018/04/new-privacy-protections/

    Reply
  7. Tomi Engdahl says:

    Facebook:
    Ahead of GDPR, Facebook debuts enhanced privacy controls for all users globally, starting in EU, with more choices about ads, allowing face recognition, more — In recent weeks we’ve announced several steps to give people more control over their privacy and explain how we use data.

    Complying With New Privacy Laws and Offering New Privacy Protections to Everyone, No Matter Where You Live
    https://newsroom.fb.com/news/2018/04/new-privacy-protections/

    Reply
  8. Tomi Engdahl says:

    Josh Constine / TechCrunch:
    With an interface designed to push users to consent, Facebook’s privacy changes comply with the letter of GDPR law but with questionable spirit — Facebook is about to start pushing European users to speed through giving consent for its new GDPR privacy law compliance changes.

    A flaw-by-flaw guide to Facebook’s new GDPR privacy changes
    “Just click accept, ignore those settings”
    https://techcrunch.com/2018/04/17/facebook-gdpr-changes/

    Facebook is about to start pushing European users to speed through giving consent for its new GDPR privacy law compliance changes. It will ask people to review how Facebook applies data from web to target them with ads, and surface the sensitive profile info they share. Facebook will also allow European and Canadian users to turn on facial recognition after six years of the feature being blocked there. But with a design that encourages rapidly hitting the “Agree” button, a lack of granular controls, a laughably cheatable parental consent request for teens, and an aesthetic overhaul of Download Your Information that doesn’t make it any easier to switch social networks, Facebook shows it’s still hungry for your data.

    The new privacy change and terms of service consent flow will appear starting this week to European users, though they’ll be able to dismiss it for now, though the May 25th GDPR compliance deadline Facebook vowed to uphold in Europe is looming

    Reply
  9. Tomi Engdahl says:

    GDPR and cookies | What do I need to know? | Is my use of cookies compliant?
    https://www.cookiebot.com/en/gdpr-cookies/?utm_campaign=%7B%7Bminder+om+alle+besøgende%7D%7D&utm_source=%7B%7Bfacebook_cpc_FI%7D%7D

    The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how you as a website owner may use cookies and online tracking of visitors from the EU.

    Reply
  10. Tomi Engdahl says:

    David Ingram / Reuters:
    Facebook says it will change ToS in May for 1.5B users outside EU; US, Canada to be governed by US instead of Ireland ToS, limiting GDPR impact to 400M users — SAN FRANCISCO (Reuters) – If a new European law restricting what companies can do with people’s online data went into effect tomorrow …

    Exclusive: Facebook to put 1.5 billion users out of reach of new EU privacy law
    https://www.reuters.com/article/us-facebook-privacy-eu-exclusive/exclusive-facebook-to-change-user-terms-limiting-effect-of-eu-privacy-law-idUSKBN1HQ00P

    If a new European law restricting what companies can do with people’s online data went into effect tomorrow, almost 1.9 billion Facebook Inc users around the world would be protected by it. The online social network is making changes that ensure the number will be much smaller.

    Facebook members outside the United States and Canada, whether they know it or not, are currently governed by terms of service agreed with the company’s international headquarters in Ireland.

    Reply
  11. Tomi Engdahl says:

    Josh Constine / TechCrunch:
    With an interface designed to push users to consent, Facebook’s privacy changes comply with the letter of GDPR law but with questionable spirit
    https://techcrunch.com/2018/04/17/facebook-gdpr-changes/

    Reply
  12. Tomi Engdahl says:

    Nate Lanxon / Bloomberg:
    Companies are scaling back and simplifying their ToS to comply with GDPR because users’ consent would be legally invalid if they don’t understand the agreement

    The ‘Terms and Conditions’ Reckoning Is Coming
    https://www.bloomberg.com/news/articles/2018-04-20/uber-paypal-face-reckoning-over-opaque-terms-and-conditions

    Everyone from Uber to PayPal is facing a backlash against their impenetrable legalese.

    Reply
  13. Tomi Engdahl says:

    How will the GDPR impact open source communities?
    https://opensource.com/article/18/4/gdpr-impact?sc_cid=7016000000127ECAAY

    Many organizations are scrambling to understand how changes in privacy laws will impact their work.

    Reply
  14. Tomi Engdahl says:

    A flaw-by-flaw guide to Facebook’s new GDPR privacy changes
    “Just click accept, ignore
    https://techcrunch.com/2018/04/17/facebook-gdpr-changes/?utm_source=tcfbpage&sr_share=facebook

    A flaw-by-flaw guide to Facebook’s new GDPR privacy changes
    “Just click accept, ignore those settings”
    Josh Constine
    @JoshConstine / Apr 18, 2018

    Facebook is about to start pushing European users to speed through giving consent for its new GDPR privacy law compliance changes. It will ask people to review how Facebook applies data from the web to target them with ads, and surface the sensitive profile info they share. Facebook will also allow European and Canadian users to turn on facial recognition after six years of the feature being blocked there. But with a design that encourages rapidly hitting the “Agree” button, a lack of granular controls, a laughably cheatable parental consent request for teens and an aesthetic overhaul of Download Your Information that doesn’t make it any easier to switch social networks, Facebook shows it’s still hungry for your data.

    Reply
  15. Tomi Engdahl says:

    Clear Scope for Conflict Between Privacy Laws
    https://www.securityweek.com/clear-scope-conflict-between-privacy-laws

    The Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, was enacted into U.S. federal law on March 23, 2018. It had been attached, at page 2212 of 2232 pages, to the omnibus spending bill, and allows law enforcement to demand access to data of concern wherever in the world that data is stored.

    The General Data Protection Regulation, or GDPR, becomes European Law on May 25, 2018. It restricts companies that operate in Europe or process EU citizen data from transferring that data to third parties.

    On the surface, there is clear scope for conflict between these two laws; but as always, it is more complex than that. The two key elements are, for CLOUD, section 2713; and for GDPR, article 48.

    Section 2713 reads, “A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information relating to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside the United States.”

    Article 48 of GDPR states, “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”

    It gets complicated because CLOUD specifically allows for ‘international agreements’, but not mutual legal assistance treaties (MLATs), which it does not mention at all.

    Other opinions are more optimistic that CLOUD will operate without disturbance from GDPR.

    Dr Brian Bandey, a Doctor of Law specializing in international cyber laws, told SecurityWeek, “I believe it is generally accepted that the CLOUD Act… would meet the requirements of the GDPR’s Article 48. This addresses foreign (including U.S.) investigations and prohibits the transfer or disclosure of personal data unless pursuant to an MLAT or other international agreement. One possible resolution would be for the U.S. to enter into an agreement with the EU or for the EU to agree that the U.S. investigations and subsequent transfers or disclosures in compliance with the CLOUD Act procedures do not conflict with Article 48.”

    Alexander Hanff, a respected privacy expert and advocate, believes that CLOUD “completely undermines MLATs.”

    This is similar to the effect of CLOUD: European law enforcement will be able to demand access to data from U.S. companies operating in the EU.

    The implication is that U.S. companies have nothing to worry about over CLOUD and GDPR. Provided they adhere to the basic demands of GDPR, they will be able to turn EU data over to the FBI without concern over GDPR. But again, it’s not that simple. The greatest danger from CLOUD to trans-Atlantic privacy relations is only indirectly related to GDPR — it is the effect of CLOUD on the Privacy Shield.

    Privacy Shield is the agreement between the EU and the U.S. that allows U.S. companies to ‘export’ European PII — which is a fundamental aspect of doing business with the EU. Privacy Shield replaces an earlier agreement (Safe Harbor) that was struck down by the European Court as being unconstitutional. That court also specifically told the national regulators that they could not be bound by an EC ‘adequacy’ ruling. In effect, while they will be guided by the EC, they do not simply have to accept that the Privacy Shield is ‘adequate’ to comply with EU law and the constitution.

    Reply
  16. Tomi Engdahl says:

    Josh Constine / TechCrunch:
    Instagram begins rolling out a data download tool, similar to Facebook’s Download Your Information feature, ahead of new GDPR privacy law rollout next month — Two weeks ago TechCrunch called on Instagram to build an equivalent to Facebook’s “Download Your Information” feature so if you wanted …

    Instagram launches “Data Download” tool to let you leave
    https://techcrunch.com/2018/04/24/instagram-export/

    Two weeks ago TechCrunch called on Instagram to build an equivalent to Facebook’s “Download Your Information” feature so if you wanted to leave for another photo sharing network, you could. The next day it announced this tool would be coming and now TechCrunch has spotted it rolling out to users.

    Reply
  17. Tomi Engdahl says:

    What Developers Need to Know About Europe’s Data Privacy Rules
    https://spectrum.ieee.org/at-work/tech-careers/what-developers-need-to-know-about-europes-data-privacy-rules

    On 25 May, enforcement will begin of the European Union’s General Data Protection Regulation (GDPR): a law covering any organization anywhere in the world that handles the personal data of EU residents. Many individual developers and small-business owners will need to make sure that their applications, services, and websites comply with the GDPR, even if they do not live in EU countries.

    Reply
  18. Tomi Engdahl says:

    Barry Levine / MarTech Today:
    Trade groups representing 4,000 publishers criticize Google’s GDPR policies, say proposal to get consent from EU visitors if Google ads are served “falls short”

    Four publisher groups to Google: Your GDPR proposal ‘severely falls short’
    https://martechtoday.com/four-publisher-groups-to-google-your-gdpr-proposal-severely-falls-short-214870

    The organizations point to Google’s requirements that publishers collect consent and assume liability as some of the many issues.

    Reply
  19. Tomi Engdahl says:

    Measure against what? If you accept EU customers, GDPR rules apply. If you don’t accept them, you lose the market of 500M people.

    Block EU users from accessing your site
    https://gdpr-shield.io

    Don’t spend thousands on legal fees to make your site GDPR-compliant. If you aren’t targeting EU users, simply use GDPR Shield to block all traffic from the EU

    Reply
  20. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    Email management service Unroll.me will stop serving EU users and delete all EU user accounts by May 24 as it’s unable to comply with EU’s GDPR

    Unroll.me to close to EU users saying it can’t comply with GDPR
    https://techcrunch.com/2018/05/05/unroll-me-to-close-to-eu-users-saying-it-cant-comply-with-gdpr/

    Put on your best unsurprised face: Unroll.me, a company that has, for years, used the premise of ‘free’ but not very useful ‘email management’ services to gain access to people’s email inboxes in order to data-mine the contents for competitive intelligence — and controversially flog the gleaned commercial insights to the likes of Uber — is to stop serving users in Europe ahead of a new data protection enforcement regime incoming under GDPR, which applies from May 25.

    In a section on its website about the regional service shutdown, the company writes that “unfortunately we can no longer support users from the EU as of the 23rd of May”, before asking whether a visitor lives in the EU or not.

    Clicking ‘no’ doesn’t seem to do anything but clicking ‘yes’ brings up another info screen where Unroll.me writes that this is its “last month in the EU” — because it says it will be unable to comply with “all GDPR requirements” (although it does not specify which portions of the regulation it cannot comply with).

    While Unroll.me, which is owned by Slice Technologies, also claims on the very same website that its parent company “strips away personal information”

    And in fact if you go to the trouble of reading the small print of Unroll.me’s privacy policy it says it can share users’ personal information how it pleases — not just with its parent entity (and direct affiliates) but with any other ‘partners’ it chooses…

    Reply
  21. Tomi Engdahl says:

    Christopher Mims / Wall Street Journal:
    A central custodian of our personal data, which can be a government or a private firm like Apple, under regulations like GDPR, may solve today’s privacy woes

    Privacy Is Dead. Here’s What Comes Next
    ‘Group privacy’ is an idea whose time has come; what if Facebook and Google were the companies to manage it?
    https://www.wsj.com/articles/privacy-is-dead-heres-what-comes-next-1525608001

    Short of living in a remote hut while forsaking cellphones, the internet and credit cards, there is no longer any way that you, as an individual, can prevent marketers, governments or malicious actors from gathering and using comprehensive, personally identifying information about you.

    Reply
  22. Tomi Engdahl says:

    Facebook’s Growing Privacy Concern
    https://www.securityweek.com/facebooks-growing-privacy-concern

    Facebook’s Web Traffic Monitoring is Second Only to Google

    With GDPR imminent (25 May), Facebook’s problems in Europe are mounting. In April, CEO Mark Zuckerberg was questioned by Congress on the Cambridge Analytica affair. He declined to face British lawmakers, sending CTO Mike Schroepfer in his place. Now Damian Collins, head of the UK parliament’s Digital, Culture, Media and Sport Committee, has said, “We hope that [Zuckerberg] will respond positively to our request, but if not the Committee will resolve to issue a formal summons for him to appear when he is next in the UK.”

    It’s not just the Cambridge Analytica scandal. Austrian privacy activist Max Schrems has been pursuing Facebook for years. An earlier case against Facebook led to a European Court of Justice ruling on October 6, 2015 declaring the Safe Harbor agreement between the EU and U.S. to be unconstitutional and invalid. This is often described as the Schrems Ruling, and is now part of EU case law.

    Safe Harbor was replaced by Privacy Shield; and Max Schrems has pursued a largely similar course of action — claiming that his rights as an EU citizen are violated by Facebook transferring his PII to the U.S. where they are easily available to third parties. Once again the case was heard in Ireland (EU home to Facebook); and once again, it has been referred to the Court of Justice of the EU for a decision.

    The Schrems Ruling will undoubtedly figure in the court’s deliberations; as will the new U.S. CLOUD Act that makes it easier for U.S. government agencies to access any data held by U.S. companies anywhere in the world.

    Reply
  23. Tomi Engdahl says:

    WHOIS Behind Cyberattacks? Under GDPR, We May Not Know
    https://securityintelligence.com/whois-behind-cyberattacks-under-gdpr-we-may-not-know/

    The goal of the European Union’s General Data Protection Regulation (GDPR) is, among other things, to standardize data protection laws applicable to EU data subjects. Aimed at enhancing privacy protection, the enforcement of the regulation becomes effective on May 25.

    GDPR’s implementation on an issue relevant to the cybersecurity industry may well have negative consequences that, ironically, run contrary to its original intent.

    What’s at Stake?

    The central issue involves changes to accessing business contact information in the ICANN WHOIS database as a result of the current interpretation of the GDPR. WHOIS is a service that has readily provided basic information about a registered domain, such as domain owner contact information, domain availability status and the company with which the domain is registered. Registrants of new domains provide this information as part of the registration process.

    How We Stop Cybercrime Today

    IBM receives upward of 35 million malicious spam messages per day in our spam traps. Using high-speed machine-to-machine technology and with full access to WHOIS data, we can block these messages. But organizations like IBM X-Force can also block or at least delay activity coming from domains associated with the individuals (or phone numbers, email addresses or physical addresses) aligned with these spam messages.

    That’s how IBM X-Force identifies and blocks nearly 1.3 million malicious domains per month.

    Also, it is important to understand how attacks are often launched. Organized criminals — and that is exactly who is behind an estimated $600 billion annual cybercrime business — invest heavily in buying legal and illegal email lists. They also purchase spam and phishing kits on the Dark Web.

    Reply
  24. Tomi Engdahl says:

    The GDPR Opportunity
    https://www.securityweek.com/gdpr-opportunity

    New Regulations Present an Opportunity to Improve Overall Security and Optimize Business Processes

    Privacy has been top of mind recently, especially as we near May 25 when the General Data Protection Regulation (GDPR) goes into effect. Companies that do business in Europe will now be on the hook for damages caused by data breaches and are doing everything they can to remain in compliance.

    According to Gartner, European companies are expected to spend an average of $1.4 million on ensuring compliance while U.S.-based businesses are setting aside $1 million each. And with good reason: being in breach of GDPR’s requirements could cost organizations many times more than that as well as increased legal fees, additional insurance and damage to brand reputation.

    Given the cost and effort involved in trying to become compliant, not to mention the risks of penalties if they experience a breach, businesses are understandably apprehensive about preparing for their new reality.

    GDPR doesn’t have to be anxiety inducing. Instead, organizations should view the new regulations as an opportunity to enhance business processes and better protect themselves from damaging breaches and cyberattacks. It’s also an opportunity to put in place measures that strengthen the overall security and compliance posture of organizations, using GDPR’s requirements as the pivot point.

    Reply
  25. Tomi Engdahl says:

    Your Guide to the GDPR
    https://spectrum.ieee.org/telecom/internet/your-guide-to-the-gdpr

    Among the main concerns for companies in the business of gathering and selling people’s personal information is determining what exactly “personal data” is and how companies must change the way they handle it. Ordinary users (dubbed “data subjects” in the regulation) also have questions about their new or expanded rights. For instance, when a user clicks the “cookies notification” window, what does it mean? And how do users ensure that their data isn’t being collected and stored so it can be bought and sold repeatedly, ad infinitum?

    Reply
  26. Tomi Engdahl says:

    Doc Searls Weblog:
    There has been a bubble in adtech, a bloated industry that undermines brands’ value and remains at odds with consumer privacy and security, and GDPR will pop it

    GDPR will pop the adtech bubble
    http://blogs.harvard.edu/doc/2018/05/12/gdpr/

    Since tracking people took off in the late ’00s, adtech has grown to become a four-dimensional shell game played by hundreds (or, if you include martech, thousands) of companies, none of which can see the whole mess, or can control the fraud, malware and other forms of bad acting that thrive in the midst of it.

    And that’s on top of the main problem: tracking people without their knowledge, approval or a court order is just flat-out wrong. The fact that it can be done is no excuse. Nor is the monstrous sum of money made by it.

    Without adtech, the EU’s GDPR (General Data Protection Regulation) would never have happened. But the GDPR did happen, and as a result websites all over the world are suddenly posting notices about their changed privacy policies, use of cookies, and opt-in choices for “relevant” or “interest-based” (translation: tracking-based) advertising. Email lists are doing the same kinds of things.

    “Sunrise day” for the GDPR is 25 May. That’s when the EU can start smacking fines on violators.

    Reply
  27. Tomi Engdahl says:

    UK Regulator Issues Advice on ‘Consent’ Within GDPR
    https://www.securityweek.com/uk-regulator-issues-advice-consent-within-gdpr

    The UK’s Information Commissioner’s Office (ICO — the data protection regulator) has published detailed guidance (PDF) on ‘consent’ within the General Data Protection Regulation. Since the UK is still in the European Union, the document provides a reasonable analysis of what is one of the trickiest aspects of GDPR. Once the UK leaves the EU, GDPR within the UK will be replaced by the new Data Protection Bill, which is designed to ensure the UK’s data protection adequacy. It is not guaranteed to succeed in this.

    Consent is not the only legal basis for processing personal data under GDPR. Others are a contractual relationship; compliance with a separate legal obligation; a public task; vital interest (as in, to save a life); and legitimate interests. Some of these are nuanced and may require detailed legal advice before being relied upon — ‘legitimate interests’ does not mean that any commercial enterprise can ignore consent in the pursuit of profit.

    Nevertheless, user consent is likely to be the primary legal justification for processing user data. Under GDPR, it is not very different to the existing requirement for consent under the European Data Protection Directive (DPD), but adds a few significant aspects. In particular, it requires that consent must be ‘unambiguous’ and involve ‘a clear affirmative action’.

    The GDPR expansion of consent comes not in the definition but in the use and implications of consent. Three key areas are the need for keeping records of consent; the user’s right to withdraw consent; and the inability to make consent a condition of a contract. “In essence,” says the ICO, “there is a greater emphasis in the GDPR on individuals having clear distinct (‘granular’) choices upfront and ongoing control over their consent.”

    https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent-1-0.pdf

    Reply
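The three emphases the ICO guidance quoted above singles out (records of consent, the right to withdraw, and granular per-purpose choices, together with the ‘clear affirmative action’ requirement) map naturally onto a small append-only registry. The following is an added example written for this page, not code from the ICO, the comment author or any product; the purpose names, subject ids and the method labels that count as affirmative are assumptions chosen for illustration.

```python
"""Append-only consent registry: one event per (subject, purpose) decision.

Added example (not from the ICO guidance or any product). Method labels,
purpose names and subject ids are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Assumed labels for ways consent can be captured. Only the first set is a
# 'clear affirmative action'; the second set is what GDPR does not accept.
AFFIRMATIVE_METHODS = {"unticked_checkbox", "explicit_button", "signed_form"}
NON_AFFIRMATIVE_METHODS = {"pre_ticked_box", "silence", "inactivity", "bundled_terms"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str      # one granular purpose, e.g. "marketing_email"
    action: str       # "given" or "withdrawn"
    method: str       # how the choice was captured
    wording: str      # exact text shown to the subject, kept as evidence
    at: datetime


class ConsentRegistry:
    """Events are never edited or deleted; the latest one per purpose decides."""

    def __init__(self):
        self._events: List[ConsentEvent] = []

    def record_consent(self, subject_id, purpose, method, wording, at=None):
        # Reject anything that is not a clear affirmative action.
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action")
        ev = ConsentEvent(subject_id, purpose, "given", method, wording,
                          at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id, purpose, at=None):
        # Withdrawal needs no justification and is recorded like any other event.
        ev = ConsentEvent(subject_id, purpose, "withdrawn", "withdrawal", "",
                          at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def may_process(self, subject_id, purpose):
        """True only if the most recent event for this exact purpose is 'given'.
        Consent for one purpose never carries over to another (granularity)."""
        latest = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.action == "given"

    def history(self, subject_id):
        """The audit trail a regulator or the subject can be shown."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


def demo():
    """Walk through give / check / withdraw and return what a test can assert on."""
    reg = ConsentRegistry()
    reg.record_consent("subject-1", "marketing_email", "unticked_checkbox",
                       "Tick to receive offers by email")
    before = reg.may_process("subject-1", "marketing_email")
    other_purpose = reg.may_process("subject-1", "profiling")
    reg.withdraw("subject-1", "marketing_email")
    after = reg.may_process("subject-1", "marketing_email")
    try:
        reg.record_consent("subject-2", "marketing_email", "pre_ticked_box", "opted in")
        rejected = False
    except ValueError:
        rejected = True
    return {"before": before, "other_purpose": other_purpose,
            "after": after, "pre_ticked_rejected": rejected,
            "events_for_subject_1": len(reg.history("subject-1"))}


if __name__ == "__main__":
    print(demo())
```

Keeping the shown wording alongside each event is what turns the registry into a record of consent rather than a boolean flag: it lets you answer later what exactly the subject agreed to, on which date, and by what action.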
  28. Tomi Engdahl says:

    Consent Control and eDiscovery: Devils in GDPR Detail
    https://www.securityweek.com/consent-control-and-ediscovery-devils-gdpr-detail

    The European General Data Protection Regulation will be in force in just over 12 months: May 25, 2018. This is the date by which all EU nations must have enacted the regulation. Gartner predicts that “by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.”

    GDPR will affect all EU-based companies, and all US companies that have any trade with the EU. Despite the threat of hefty non-compliance fines, Gartner is not alone in finding a lack of preparatory urgency among organizations.

    “The Gartner data aligns with a survey Imperva recently conducted of IT security professionals at RSA,” Imperva’s chief product strategist Terry Ray told SecurityWeek. “Our data showed an overall lack of urgency among the IT professionals surveyed, with only 43 percent of respondents indicating that they are evaluating or implementing change in preparation for GDPR.”

    An April 2017 NetApp survey that queried 750 CIOs, IT Managers and C-suite executives in France, Germany and the UK, found that around 10% of companies have yet to begin preparations. Seventy-three percent of respondents have some concern over meeting the GDPR deadline.

    Reply
  29. Tomi Engdahl says:

    EU Data Protection May Trigger Global Ripple Effect
    https://www.securityweek.com/eu-data-protection-may-trigger-global-ripple-effect

    The EU’s new data protection rules that enter into force later this month are having an impact around the world as firms, including in the United States and China, move to comply.

    While all firms globally are required to comply with the provisions of the General Data Protection Regulation (GDPR) when it comes to the data of Europeans, the rules may have a wider impact if firms decide to extend the protections to all users.

    Major US platforms such as Facebook, Twitter, Instagram and Airbnb have begun to notify their users in Europe of modifications of their user terms in order to comply with the new EU rules.

    Under GDPR, users’ consent to firms’ use of their personal data must be freely “given, specific, informed and unambiguous”.

    Reply
  30. Tomi Engdahl says:

    Alex Hern / The Guardian:
    With GDPR imminent, investigation finds Facebook lacks privacy controls for information inferred about users, including sensitive details used in ad targeting — Social network categorises users based on inferred interests such as Islam or homosexuality — Facebook allows advertisers …

    Facebook lets advertisers target users based on sensitive interests
    https://www.theguardian.com/technology/2018/may/16/facebook-lets-advertisers-target-users-based-on-sensitive-interests

    Social network categorises users based on inferred interests such as Islam or homosexuality

    Reply
  31. Tomi Engdahl says:

    ‘My Data Request’ lists guides to get data about you
    https://techcrunch.com/2018/05/19/my-data-request-lists-guides-to-get-data-about-you/?utm_source=tcfbpage&sr_share=facebook

    GDPR is right around the corner, so it’s time to prepare your personal data requests. If you live in the European Union, tech companies have to comply with personal data requests after May 25th. And there’s a handy website that helps you do just that.

    My Data Request lists dozens of tech companies and tells you how you can contact them. The website also links to the privacy policy of each service and tells you what to do even if you don’t live in the EU.

    Some companies, such as Facebook, LinkedIn, Twitter, Google, Tinder and Snapchat have made that easy as they have created a page on their website to download a zip archive with all your personal data.

    But it’s worth noting that your archive doesn’t necessarily include all data about you.

    Reply
  32. Tomi Engdahl says:

    Most GDPR emails unnecessary and some illegal, say experts
    https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts?CMP=share_btn_fb

    Many firms have the required consent already; others don’t have consent to send a request

    Reply
  33. Tomi Engdahl says:

    Many companies, acting based on poor legal advice, a fear of fines of up to €20m (£17.5m) and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing.

    Why the GDPR email deluge, and can I ignore it?

    But Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said many of those requests would be needless paperwork, and some that were not would be illegal.

    https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts?CMP=share_btn_fb

    Reply
