June 14, 2016, Jay Huff
The new EU General Data Protection Regulation (GDPR) has been published and will take effect on May 25, 2018, replacing the current Data Protection Directive. The new cybersecurity compliance requirements placed on organizations are considerable, and many are already hard at work preparing for them. Not only will the GDPR apply in all EU Member States without the need for country-level legislation, but it will also apply to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU, even if they have no physical presence there.
The changes from the current legislation are extensive. Data processors now have direct obligations and liabilities, and the maximum penalty for non-compliance rises to 4% of global annual turnover or €20 million, whichever is higher. The new regulation also requires a personal data breach to be reported to the supervisory authority within 72 hours of the organization becoming aware of it, where feasible, and the rules around consent will be tighter as well, adopting the explicit-consent practices already in place in some EU countries such as Germany.
Organizations will have to demonstrate compliance with regulators' data privacy requirements through the adoption and implementation of appropriate policies and procedures. RiskIQ helps them discover and monitor their public-facing Digital Footprint, including websites, mobile apps across 150+ app stores, and social media profiles. While the GDPR covers many data processing activities that occur "behind the firewall", there are key areas in which RiskIQ is well placed to help GDPR compliance teams.
Most data capture forms found on websites fall under the GDPR because they collect Personally Identifiable Information (PII). Under the regulation's fairness and transparency principles, organizations must clearly state at the point of capture how they will use an individual's data. "Opt out" language and pre-ticked consent boxes are no longer acceptable, and organizations must be able to prove that a person gave consent. Permission to use their data must therefore be explicit and demonstrated through an affirmative action, such as ticking an empty box.
The Regulation also requires appropriate technical and organizational measures to ensure that PII is securely captured and processed. In the UK, the Information Commissioner has taken the view that where data is lost and encryption was not used to protect it, regulatory action may be pursued.
RiskIQ's Enterprise Digital Footprint can also support the initial audit process by helping organizations identify all websites belonging to them, as well as every page on those websites that collects data. This provides an up-to-date inventory of pages that must be assessed to determine whether the GDPR applies and whether they comply. It also flags situations where data collection is not encrypted or where SSL/TLS is configured incorrectly. Knowing everywhere data is collected can in turn help identify the associated data processing systems that need review. Contact us today to find out more.
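The two checks described above, an inventory of pages whose forms collect PII, flagged when they submit over plaintext HTTP, and a check for pre-ticked consent boxes, can be scripted against crawled HTML. The following is an added example and is not RiskIQ's product code; the page URLs and HTML are constructed for illustration, and the keyword lists used to recognise PII fields and consent checkboxes are simple assumed heuristics.

```python
"""Inventory data-collecting forms on crawled pages and flag unencrypted
submission or pre-ticked consent boxes.

Added example, not RiskIQ's product code. The sample pages and the
PII/consent keyword heuristics are assumptions made for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: input names containing these fragments collect personal data.
PII_HINTS = ("email", "name", "phone", "address", "dob", "birth", "postcode", "zip")


class FormCollector(HTMLParser):
    """Collects every <form> on a page together with its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a boolean attribute such as `checked` maps to None
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "name": (a.get("name") or "").lower(),
                "type": (a.get("type") or "text").lower(),
                "checked": "checked" in a,
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return findings for one page: each PII-collecting form, the endpoint
    it submits to, and any transport or consent issues found."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        text_fields = [i for i in form["inputs"]
                       if i["type"] not in ("hidden", "submit", "checkbox")]
        if not any(h in i["name"] for i in text_fields for h in PII_HINTS):
            continue  # form collects nothing that looks like PII
        # An empty action submits back to the page itself.
        action_url = urljoin(page_url, form["action"] or page_url)
        issues = []
        if urlparse(page_url).scheme != "https":
            issues.append("page served over plaintext HTTP")
        if urlparse(action_url).scheme != "https":
            issues.append("form submits to plaintext HTTP endpoint")
        if form["method"] != "post":
            issues.append("PII submitted via GET (ends up in URLs and logs)")
        for i in form["inputs"]:
            # Assumption: a checkbox whose name mentions "consent" is the consent box.
            if i["type"] == "checkbox" and "consent" in i["name"] and i["checked"]:
                issues.append("consent checkbox is pre-ticked")
        findings.append({"page": page_url, "action": action_url, "issues": issues})
    return findings


def audit_site(pages):
    """Run audit_page over a {url: html} crawl result and flatten the findings."""
    out = []
    for url, html in pages.items():
        out.extend(audit_page(url, html))
    return out


# Constructed sample crawl: one compliant-looking newsletter page with a
# pre-ticked consent box, one legacy contact page on plaintext HTTP, one page
# with no forms at all.
SAMPLE_PAGES = {
    "https://www.example.com/newsletter": """
      <form action="/subscribe" method="post">
        <input name="email" type="email">
        <input name="consent_marketing" type="checkbox" checked>
        <input type="submit" value="Join">
      </form>""",
    "http://legacy.example.com/contact": """
      <form action="http://legacy.example.com/send" method="get">
        <input name="full_name"><input name="phone">
      </form>""",
    "https://www.example.com/about": "<p>No forms here.</p>",
}

if __name__ == "__main__":
    for f in audit_site(SAMPLE_PAGES):
        print(f["page"], "->", f["action"])
        for issue in f["issues"] or ["no issues found"]:
            print("   ", issue)
```

The newsletter page is reported only for its pre-ticked consent box; the legacy contact page is reported three times over (plaintext page, plaintext endpoint, GET submission); the about page produces no finding. In practice the inventory this produces is the list of pages a compliance team must assess, and the flagged issues are the ones to fix before the regulation applies.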