EU General Data Protection Regulation (GDPR) Compliance: How RiskIQ Can Help

June 14, 2016, Jay Huff

The new EU General Data Protection Regulation (GDPR) has been published and will take effect on May 15, 2018, replacing the current directive. The new cybersecurity compliance requirements on organizations are considerable, and many are already hard at work preparing for it. Not only will the GDPR apply to all EU Member States without the need for country-level legislation, but it will also apply to organizations that actively target EU citizens, even if they have no physical presence in the EU.

The changes from the current legislation are extensive. Data processors now have direct obligations and liabilities, with maximum penalties for non-compliance increasing to 4% of global turnover or €20 million (whichever is higher). The new regulation also makes it a requirement to report a data breach within 72 hours of detection, where feasible, and rules around consent will be tighter as well, adopting the practices of explicit consent currently in place in some EU countries such as Germany.

Organizations will have to demonstrate compliance with regulators’ data privacy requirements through the adoption and implementation of appropriate policies and procedures. RiskIQ helps them discover and monitor their public-facing Digital Footprint, including websites, mobile apps across 150+ app stores, and social media profiles. While the GDPR encompasses many data processing activities that occur “behind the firewall”, there are key areas in which RiskIQ is ideally placed to help GDPR compliance teams.

Most data capture forms found on websites fall under GDPR as they collect Personally Identifiable Information (PII). As part of the regulation’s fairness and transparency guidelines, organizations must clearly state at the point of capture how they’ll be using an individual’s data. “Opt out” language and pre-filled consent tick boxes are no longer allowed, and organizations must be able to prove that a person gave his or her consent. Therefore, permission to use their data must be explicit and demonstrated through an action such as ticking a box.

The Regulation emphasizes that provisions must be in place to ensure that PII is securely captured and processed. In the UK, the Information Commissioner has formed the view that in the case of data loss where encryption software has not been used to protect the data, regulatory action may be pursued.

RiskIQ’s Enterprise Digital Footprint can also support the initial audit process by helping organizations identify all websites belonging to them, as well as all the pages on those websites that collect data, which provides an up-to-date inventory of pages that must be assessed to identify applicability for and compliance with GDPR. It also flags situations where data collection is not encrypted or SSL is configured incorrectly. Knowing everywhere digital data is collected can also help identify the associated data processing systems that need review. Contact us today to find out more.