
Exploring the science and magic of Identity and Access Management
Saturday, December 15, 2018

Personal Data: To Share or Not To Share?

Privacy
Author: Mark Dixon
Monday, June 18, 2018
7:22 am

We talk a lot about restricting what personal data we share on line, but is that sharing all bad? Tom Fishburne nails the issue with this week’s Marketoonist post.

We’re in a marketing catch-22. Consumers increasingly demand hyper-personalized experiences but are increasingly reluctant to hand over the data needed to make those experiences personalized.

[Marketoonist cartoon, 18 June 2018]


GDPR Enforcement – What Will Happen Now?

Information Security, Privacy
Author: Mark Dixon
Tuesday, May 29, 2018
10:54 am


Here we are, four days beyond May 25th – the date when enforcement of the Global Data Protection Regulation was to begin. So far, no planes have fallen from the sky (remember the dire Y2K warnings?) and no specific enforcement actions by the EU have been announced. Privacy activist Max Schrems’ organization noyb.eu immediately filed $8.8 billion in lawsuits against Facebook and Google. But what of the EU regulators? What are their plans?

Only time will tell.  I get the feeling that what will happen with GDPR enforcement is kind of like the Super Bowl.  There has been incessant conversation and speculation leading up to May 25th, and now the game has begun.  It will be played out on the field over the next months and years.  Then we will really know what will happen.

A Dark Reading article, “GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?”, includes some interesting speculation and advice from privacy experts. I particularly like a comment in the article by Dave Lewis, global security advocate at Akamai Technologies:

There has been an inordinate amount of focus on the potential fines. The reality is that GDPR is very much a push towards ensuring the accountability of the data for which [companies] are stewards.

If that accountability really improves, we should cheer GDPR, not live in fear of its dire consequences.

My two cents …


GDPR Regulators Not Ready?

Privacy
Author: Mark Dixon
Wednesday, May 9, 2018
7:22 am


I find it incredibly ironic that EU regulators may not be ready to enforce GDPR when scheduled on May 25th.

A Reuters Business News article, European regulators: We’re not ready for new privacy law, reported:

Many of the regulators who will police [GDPR] say they aren’t ready yet. …

Seventeen of 24 authorities who responded to a Reuters survey said they did not yet have the necessary funding, or would initially lack the powers, to fulfill their GDPR duties.

“We’ve realized that our resources were insufficient to cope with the new missions given by the GDPR,” Isabelle Falque-Pierrotin, president of France’s CNIL data privacy watchdog, said in an interview.

After working with customers about GDPR compliance preparation for over 18 months, it has been amazing to me how ill-prepared many companies are, but it was really surprising to learn that the EU may not be ready either!  It all goes to prove that it is much easier to talk about something than actually do it.


GDPR: A Cost vs. Benefit Analysis

Privacy
Author: Mark Dixon
Tuesday, April 24, 2018
8:34 pm


With the May 25th enforcement date for GDPR looming before us, it is easy to focus on the huge investment companies are making in efforts to comply.  

However, an Information Week article authored by Dimitri Sirota, CEO and Co-founder, BigID, offers a brighter picture:

The International Association of Privacy Professionals estimates that Fortune’s Global 500 companies will spend roughly $7.8 billion in order to ensure they are compliant with GDPR – no small sum. Yet, viewing GDPR through the lens of compliance cost alone doesn’t reflect the broader change afforded by the sweeping regulation. Yes, there will be substantial cost associated with operationalizing specific obligations inside the organization, but the benefits can be argued to far outweigh the investment.

Sirota proposes tangible business benefits arising from work towards GDPR compliance (selected excerpts are shown):

Understanding the customer

First and foremost, compliance efforts help companies better understand their customer by better understanding their data. If customers are the lifeblood of a modern digital business, then knowing customers’ data takes on commercial “life or death” urgency.

Cyber insurance and civil action savings

Companies mandated to comply [with GDPR], and those showing proof of compliance with these stringent regulations will likely see a significant reduction in annual cyber insurance costs. …

A hard rule on public disclosure is understandably daunting, but the role GDPR will play in helping companies better understand what data they have, its risk and how to protect it, will prove greatly beneficial to avoiding a breach all together.

Minimizing response costs

Through increased data visibility required for compliance, funds spent on determining who exactly was affected by a breach will be all but eliminated.

In conclusion, Sirota takes the optimistic view:

GDPR aims to provide better consumer accountability through better data accounting. Ultimately, this helps build trust between a company and its customers. However, in a very real financial way it also has economic benefit. The investments required to comply with GDPR equip companies to better protect themselves and better extract value from its customers. GDPR at first blush looks like a cost for businesses to incur. But dig deeper and you find it opens up new protections and value.

I am a fan of looking for business benefits of security and compliance beyond reducing risk.  I think the most important benefit that Sirota proposes is understanding the customer because of better understanding of their data.  I really like how he puts it:

Data is the new oil, and knowing exactly what kind of oil, how much and where it is running through the engine not only provides a vehicle to safeguarding data, but also a way to unlock value within that data and improve performance, in a private and secure way.

Thanks for the insight, Dimitri!


Keep your Personal Data Safe Online

Privacy
Author: Mark Dixon
Thursday, April 19, 2018
11:51 am


In the wake of the US Senate grilling Mark Zuckerberg about the Cambridge Analytica scandal, and as we move ever so quickly towards the May 25th date when the EU will begin enforcing the General Data Protection Regulation (GDPR), it is easy to focus on the responsibilities online companies have for implementing what GDPR calls “Data Protection by Design and by Default.”

All that focus is good, but we should not forget the responsibilities each person has for making sure their own personal data is safe. In her blog post today, Emma Firth of digi.me proposes “10 ways to keep your personal data safe online.”

Please take a few minutes to read Emma’s commentary, but here are the ten points she recommends:

  1. Be clear who can see what
  2. Have strong passwords – and don’t reuse them or write them down
  3. Take care not to post information that is often used as security questions
  4. Don’t fall for dodgy or so-called phishing emails
  5. Be careful where you log on – take care to disconnect from a session if using public computers
  6. Make sure your home wifi is password-protected
  7. Be wary about who you befriend online
  8. Beware what pictures and status updates on social media tell a potential criminal about you
  9. Be sensible and always have your wits about you

Thanks, Emma, for your insightful reminders.

And remember, in the words of Sergeant Phil Esterhaus (Michael Conrad) of Hill Street Blues fame …


Bermuda Personal Information Protection Act

Privacy
Author: Mark Dixon
Monday, April 16, 2018
9:07 am

When I give a presentation about the Global Data Protection Regulation (GDPR), someone usually asks how long it will be before the United States has a similar regulation. I really don’t know, but the Senate Facebook hearings last week show that the topic is certainly on the minds of our elected leaders.


Another strong indicator that a US regulation is forthcoming is the emergence of “GDPR-like” regulations in other countries.  For example, the article “A paradise for data privacy advocates – Bermuda’s privacy law now in full effect,” states:

With enactment of the Personal Information Protection Act (PIPA), Bermuda can now count itself among the ever-expanding list of jurisdictions with enhanced privacy protections. PIPA, passed on July 27, 2016, and entered into force in December 2017, shares many of the more stringent requirements and protections with Europe’s impending General Data Protection Regulation (GDPR), which indicates a growing, global trend towards stepped-up privacy regimes. 

Regulations such as this will put pressure on the US to act, in order to facilitate economic interaction with other countries:

Unless and until the United States passes an overarching privacy statute providing comparable levels of protection over the use of one’s personal information, including for non-US Persons, it is unlikely that the Privacy Commissioner will allow for the free flow of personal information between Bermuda and the United States.

A concluding statement:

Ultimately, the trend towards greater privacy protections—and the limitation on cross-border data transfers, especially to the United States—is only picking up steam, as this Bermuda law highlights. And more may still be to come.

How soon do you think the United States will act?


Identity – Critical for GDPR?

Identity, Privacy
Author: Mark Dixon
Friday, July 28, 2017
12:44 pm


How critical is Identity and Access Management to GDPR Compliance?

The somewhat radical, but underlying philosophy of GDPR is that enterprises must enable individual data subjects (EU citizens) to control their own Personally Identifiable Information (PII), and grant or withdraw permission to store and use such data. Certainly, appropriate processes and technology are essential to protect the data “by design and default,” but the question remains – how can enterprises keep track of all the data subjects and their PII data?

I propose that Identity is at the heart of the matter. Without it, how can an enterprise:

  1. Know who all data subjects are and what personal data is being maintained?
  2. Know what rights of data use each data subject has granted?
  3. Know which PII data elements are being maintained and processed for each data subject?
  4. Enable data subjects to edit (rectify) any of the data elements being maintained?
  5. Allow each data subject to grant or withdraw consent?
  6. Securely authenticate and authorize data subjects when they desire access to their PII?
  7. Guarantee that only people with a legitimate need-to-know can access PII?
  8. Enable data subjects to request erasure?
  9. Audit and certify processes for consent, use and erasure?
  10. Notify data subjects of any breaches?

There are probably more reasons, but this list is a start. In my opinion, Identity is at the heart of effective GDPR compliance.
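To make the list above concrete, here is a toy data-subject registry (an added example, not code from this post or any product) that ties items 3, 4, 5, 7, 8 and 9 together: a per-subject record of which PII elements are held, a consent flag per purpose, rectification and erasure operations, a need-to-know access check that also requires current consent, and an audit trail that survives erasure. The roles, purposes and subject identifiers are hypothetical.

```python
# Added example: a minimal GDPR-style data-subject registry (constructed, not from the post).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Subject:
    pii: Dict[str, str]                                     # item 3: which PII elements are held
    consents: Dict[str, bool] = field(default_factory=dict)  # item 5: purpose -> consent granted?
    erased: bool = False                                    # item 8: erasure carried out

class Registry:
    # Hypothetical mapping of processing purpose -> staff roles with a need-to-know (item 7).
    NEED_TO_KNOW = {"billing": {"billing-clerk"}, "marketing": {"marketing-analyst"}}

    def __init__(self) -> None:
        self.subjects: Dict[str, Subject] = {}
        # item 9: audit trail of (actor, action, subject_id, detail); never erased
        self.audit: List[Tuple[str, str, str, str]] = []

    def _log(self, actor: str, action: str, subject_id: str, detail: str = "") -> None:
        self.audit.append((actor, action, subject_id, detail))

    def register(self, subject_id: str, pii: Dict[str, str]) -> None:
        self.subjects[subject_id] = Subject(dict(pii))
        self._log(subject_id, "register", subject_id, ",".join(sorted(pii)))

    def set_consent(self, subject_id: str, purpose: str, granted: bool) -> None:
        self.subjects[subject_id].consents[purpose] = granted       # grant or withdraw (item 5)
        self._log(subject_id, "consent", subject_id, f"{purpose}={granted}")

    def rectify(self, subject_id: str, key: str, value: str) -> None:  # item 4
        self.subjects[subject_id].pii[key] = value
        self._log(subject_id, "rectify", subject_id, key)

    def erase(self, subject_id: str) -> None:  # item 8: drop PII and consents, keep the audit trail
        s = self.subjects[subject_id]
        s.pii.clear(); s.consents.clear(); s.erased = True
        self._log(subject_id, "erase", subject_id)

    def read_pii(self, actor: str, role: str, subject_id: str, purpose: str) -> Optional[Dict[str, str]]:
        """Item 7: a subject may always read their own record; anyone else needs a
        need-to-know role for the purpose AND current consent for that purpose."""
        s = self.subjects.get(subject_id)
        if s is None or s.erased:
            self._log(actor, "read-denied", subject_id, "unknown-or-erased"); return None
        if actor != subject_id:
            if role not in self.NEED_TO_KNOW.get(purpose, set()) or not s.consents.get(purpose, False):
                self._log(actor, "read-denied", subject_id, purpose); return None
        self._log(actor, "read", subject_id, purpose)
        return dict(s.pii)
```

Every read, including denied ones, lands in the audit list, which is what lets the consent and erasure processes be certified after the fact (item 9).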

By the way, as of today, there are only 300 days left.


Oracle White Paper: Helping Address GDPR Compliance

Information Security, Oracle, Privacy
Author: Mark Dixon
Thursday, July 27, 2017
12:00 pm


May 25, 2018 is bearing down on us like a proverbial freight train. That is the date when the European Union General Data Protection Regulation (GDPR) becomes binding law on all companies who store or use personal information related to EU citizens. (Check out the countdown clock on the GDPR website.)

Last week, Oracle published a new white paper, “Helping Address GDPR Compliance Using Oracle Security Solutions.”

Leveraging our experience built over the years and our technological capabilities, Oracle is committed to help customers implement a strategy designed to address GDPR security compliance. This whitepaper explains how Oracle Security solutions can be used to help implement a security framework that addresses GDPR.

GDPR is primarily focused on protecting fundamental privacy rights for individuals. By necessity, protection of personal information requires good data security. As stated in the white paper, 

The protection of the individuals whose personal data is being collected and processed is a fundamental right that necessarily incorporates IT security.

In modern society, IT systems are ubiquitous and GDPR requirements call for good IT security. In particular, to protect and secure personal data it is, among other things, necessary to:

  • Know where the data resides (data inventory)
  • Understand risk exposure (risk awareness)
  • Review and, where necessary, modify existing applications (application modification)
  • Integrate security into IT architecture (architecture integration)

Oracle proposes the following framework to 

… help address GDPR requirements that impact data inventory, risk awareness, application modification, and architecture integration. The following diagram provides a high-level representation of Oracle’s security solutions framework, which includes a wide range of products and cloud services.

[Figure: Oracle GDPR Security Solutions framework diagram, July 2017]

The paper primarily focuses on the “Enforcement” portion of this model, positing that:

… four security requirements are a part of many global regulatory requirements and well-known security best practices (i.e. ISO 27000 family of standards, NIST 800-53, PCI-DSS 3.2, OWASP and CIS Controls).

[Figure: the Enforcement portion of the framework]

In conclusion, the paper states:

The path towards GDPR compliance includes a coordinated strategy involving different organizational entities including legal, human resources, marketing, security, IT and others. Organizations should therefore have a clear strategy and action plan to address the GDPR requirements with an eye towards the 25 May, 2018 deadline.

Based on our experience and technological capabilities, Oracle is committed to help customers with a strategy designed to achieve GDPR security compliance.


May 25, 2018 is less than ten short months away.  We all have a lot of work to do.

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.