GDPR Edition 2020

GDPR: 2020
AND BEYOND
The things which are

GDPR IS STILL AN
at the forefront in 2020
and Beyond

FROM ‘PRIVACY UNTAMED ANIMAL

IS DEAD’ TO At first glance, this sounds
like the GDPR has become the

‘PRIVACY IS toothless animal some of

us had hoped for all along.

PARAMOUNT’
It is now abundantly
clear that privacy is
paramount.

RISMA SYSTEMS:
A Comprehensive Approach to
Governance, Risk & Compliance
Lars Nybro Munksgaard
CEO & Founder
 Cutting-edge device management solutions

We offer end-to-end device management solutions, consolidating all devices, processes and
stakeholders into one easy-to-use platform.

Our solutions enable users to increase instructional and administrative effectiveness, reduce
operational complexity, and save time and money, making device management smarter and
more focused.

Use cases:

MDM for Classroom Interactive

Education Management Touchscreen
Management

VR Command Single-Purpose MDM/EMM

Center & MDM Device
Management

June2020 2
Feb 2020 2
Radix Technologies Ltd. I 8 Haharoshet St., Or Yehuda, Israel 6037576
VISO benefits:

Modular and Supports many Serves all

flexible devices and OS stakeholders

Cloud-based Features Integrated by Tailored for

or on-premise designed for leading device single-purpose
solution education manufacturers devices

Our platform empowers:

IT Administrators Teachers Principals VR Coordinators Project Managers

Centrally manage, Easily manage the Analyze and Control and guide Make fact-based
monitor and secure learning on school optimize device immersive VR decisions based on
your entire fleet or BYOD devices usage experiences reports

Our solutions are trusted by leading global device manufacturers and vendors, and are implemented
in millions of devices worldwide, helping to increase performance and stability while minimizing
downtime, serving a wide range of clients: SMBs, enterprises, governmental organizations, security
services, financial institutions, universities, and training and education centers.

June
Feb 2020 3
+1-833-9606350 (US Toll Free) info@radix-int.com www.radix-int.com
 TABLE
OF CONTENTS

RISMA SYSTEMS:
A Comprehensive
Approach to
Governance, Risk
and Compliance

08

LARS NYBRO MUNKSGAARD

CEO & Founder
RISMA Systems
June 2020 4
Cover Story
 Alert Logic
12

Boldon James

16

Gemserv

Happiest Minds 22

Eccenca
26 FROM EDITOR’S DESK

Sytorus Ltd What are the Rights related to GDPR? 14

A Bottom-up Viewpoint to Privacy in GDPR 20

The Remarkable Effects of GDPR on the Cloud 24

34
The Do's and Don'ts to Endure GDPR Compliant 28

Resolving Data Governance with respect to GDPR 32

38 How Privacy and Compliance is Salient in the GDPR Era? 36

GDPR: What does it mean for Businesses and Consumers? 40

June 2020 5
 Editor’s N o t e

As the world is turning into a technology land, a huge number of high-profile data breaches had
been witnessed in the last few years. This has made consumers more aware of their data privacy
and is seeking to invest in businesses that not only meet higher standards of data privacy, but also
emphasizes on data privacy training for employees. Organizations have realized that a single role
is not enough to manage, supervise and implement data protection laws and policies.

Thus the GDPR, an 88-page law containing 11 chapters and 99 articles, was implemented by the
European government in 2018 to improve and unify data privacy practices of EU residents, marking
the beginning of the new era of data privacy. It has extended the existing duties of contractual
protections with data processors and sub-processors, advanced data protection, and evidence of
compliance. Moreover, with the application of GDPR, companies are required to be much more
transparent about what data they share with third-parties and how third parties use the data by
propagating data retention and data removal policies.

Enacted by more than 60 jurisdictions around the world, focusing on postmodern privacy and data
protection laws, GDPR has been a revolutionary act. It has enabled governments to have a better
control over regulations and laws regarding data privacy and create a cohesive national law on
governing privacy and security. GDPR also creates a framework where organizations can keep a
tab on how they process personal data.

In the coming years, companies will increase awareness about how to process, manage, store, and
secure their data, and modify more heavily regulated legislative procedures to build better data
quality and data governance industry standards. GDPR will disrupt the business landscape of not
only the European Union but also globally, helping organizations gain long term public trust.

Happy Reading!
Ben Johnson
Editor
June 2020 6
 CEO and Publisher
The CEO Views
GDPR Special June 2020

Editor Ben Johnson

Web Development & Maintenance Kevin Parker

Client Service Manager Shawn Johns

Project Manager Tracy Watson

Graphic Designer George Miller

Business Consultant Crystal Thomas

contact@theceoviews.com

Corporate Office
The CEO Views
39304, GENEVA DR
FARMINGTON HILLS
MI 48331

Follow us on: https://www.facebook.com/ceoviews/

https://twitter.com/TheCEOViews

June 2020 7
 Cover Story

RISMA Systems:
A Comprehensive Approach to
Governance, Risk and Compliance

“ RISMA Systems develops

groundbreaking solutions Lars Nybro Munksgaard
ensuring optimal resource CEO & Founder
”
use in organizations.
June 2020 8
 RISMA Systems:
RISMA Systems was founded in 2014 by Lars
Nybro Munksgaard, who initially developed a
system that helped accountants and lawyers with
the repetitive tasks of Risk Management.
Although RISMA Systems started as a Risk
Management solutions provider, now it is
dedicated to become a complete one-stop GRC
platform. RISMA Systems develops
groundbreaking solutions ensuring optimal
resource use in organizations. Through its
user-friendly online tools, RISMA helps to ensure
that all levels of an organization always have
access to updated and relevant information.
RISMA software has two guiding stars, and the
organization aims to become a full GRC-platform
so that the customers can rely on just one solution
for all the GRC-related tasks. “The organization is
heavily focused on usability and user-friendliness
to make the platform accessible for all, not just
the experts but also for every employee involved
in processes around governance, risk, and
compliance. The organization has a flexible
solution, where it is easy to add new compliance
areas as they emerge,” states Lars Nybro
Munksgaard, Founder and CEO of RISMA. Just
like the case when GDPR & CCPA was in the
brewing. RISMA added the new regulatory
framework to the solution, and then activate
widgets to support, i.e., mapping out business
processes, collecting information from the
business, GAP-analysis, risk assessment,
initiatives, and controls.
RISMA Systems is a fast-growing software
company that supplies compliance tools to
organizations and authorities, and not a
consultancy. So, when the legislation demands
specific legal or regulatory insights, RISMA
partners with leading industry experts. This was
also the case with GDPR, where the knowledge
partner is one of the largest law firms in the
Nordics. They flipped the regulation into simple
questions, so when ordinary users help the DPO
with crucial information for the GAP-analysis, they
update RISMA with the critical knowledge known to
them about their area of the business. Then RISMA
converts it into insights suitable for building a
complete GDPR compliant framework, both
initiating actions plan to close gaps, and an “off the
shelf” controls catalog to stay compliant in the
future.
RISMA recognizes the many GDPR-only solutions
out there, but as the legal tech and regtech market
“ RISMA Systems develops
groundbreaking solutions
ensuring optimal resource
use in organizations.”
mature, it believes in the suite approach for GRC. For
RISMA, GDPR is just another compliance area, which
needs intelligent software support. Combining the
RISMA engine with a strong knowledge partner, the
organization had a market-leading solution, and
with continuous updates as GDPR evolves, RISMA
makes sure to stay ahead.
When approaching businesses and organizations,
RISMA see many challenges within governance, risk,
and compliance. The biggest one is acknowledging
the importance of having a professional approach to
GRC or not understanding the consequences of
slacking. It is simply not on the top management radar
at the same level as growth, revenue, and profits even
though GRC, in many cases, represent a license to
operate and could pose either significant risks or
competitive advantages depending on the approach.
June 2020 9
GRC will only become increasingly important with the
continued demands for data security/integrity,
increasing legislation, and potential penalties.
The lack of top management involvement and
support usually means that GRC is underfunded;
Nicolai Ascanius, Lars Nybro Munksgaard,
Chief Information Officer CEO & Founder
governance and compliance teams operate as a
small independent silo, and the
GRC-professionals are perceived as someone
bothering the real business. In most companies,
the approach to GRC and GDPR is a manual,
handheld process with little or no platform
support. RISMA's biggest competitors are still the
word, excel, and share point combined with a lot
June 2020 10
of manual labor. It does work for some, but in the
long run, an organization can end up with static
information, undocumented processes, and little
or no ability to report to top management or
authorities, the long wasted hour being the most
worrisome disadvantage.
Risma Management Team
Gitte Barsøe Pedersen, Mikael Johannesen,
Customer Success Director Chief Commercial Officer
The biggest benefit of using RISMA and a GRC
platform is all the process and knowledge support
provided by the platform. It covers all the needs in
handling, controlling, and documenting the GRC
across the entire business, and an organization can
have all the functionality automatically
out-of-the-box- policy and process library,
information mapping tools, GAP-analysis, actions
and controls, dashboards and reporting.
Once the clients have system support of their GRC,
it can be seen that there is a speedy maturity curve
within the organizations. Now the GRC-teams
spend more time on actual value-adding
GRC-matters rather than wasting it on copying
information from emails to excel. Now top
management and boards get better and frequent
reporting, which eventually educates executives to
know the importance of GRC, and suddenly they
even know which questions to ask, which task to
give, and which targets to set and expect. At that
point, the GRC-platform becomes an enabler of
supporting strategic business goals and eliminates
a lot of risks itself, especially by much better
utilization of the GRC-professionals.
“ The biggest benefit of using
RISMA and a GRC platform is all
the process and knowledge
support provided by the platform.”
In terms of technological advancements, RISMA
System has 3 focus areas. Experimenting and
applying artificial intelligence and machine learning
when adding even more automation and predictive
modeling to the GRC work. A second focus is
continued flexibility, not only within RISMA and GRC
but opening the solution with smooth integrations to
other relevant systems, i.e., ERP, KYC-solutions,
project management. Just like GRC should not be a
silo for professionals, it should not be as a platform.
So, RISMA should be a part of a business software
ecosystem, and through integrations and APIs, the
organization leverage the natural synergies to and
from other systems with data, insights, triggers,
alerts, tasks, etc.
A company can have the most advanced tech
stack in their GRC-solution, but if it does not help
the GRC-professionals to engage the workforce
with key knowledge from HR, Sales, Marketing,
etc., then it is of no use. So thirdly, RISMA is also
spending a fair portion of the development of
continuously having the most user engaging front
end for both experts and novelty users.
In one instance, a global production company with
different takes on compliance and governance
was facing a challenge as they did not have a
structured framework to support all their
sustainability initiatives. Over the last years, they
have become increasingly devoted to
sustainability and are very committed to the UN
sustainability goal as a UN Global Compact. So,
RISMA has started a co-creation process, and it
does make sense to look at sustainability from a
compliance and governance perspective. RISMA
is geared to help them structure all their initiatives,
collect valuable information from all departments
involved, and document that they follow the track,
mentioned by the organization. So, now the CEO
and top management can communicate
confidently both internally and externally based
on actual progress in processes, initiatives, and
controls.
RISMA is a Nordic-based company with offices in
Denmark, Norway, and Sweden, and the
organization is planning for a European expansion,
expecting people on the ground in key countries
within the next 2-3 years. However, RISMA is a
SaaS-company, and it serves globally from its
current locations. RISMA also sees increasing
interest from both North and South America, mainly
due to the combination of being complete GRC and
the user-centric approach, which also means a
US-expansion perhaps, but it has not been decided
if it will be direct or through partners.
June 2020 11
 CXO Thoughts

Quick, Accurate
Threat Detection
is Best Defense Onkar Birk,
Against GDPR Chief Product
Officer,
Non-Compliance Alert Logic

he General Data Protection Regulation (GDPR)

went into effect two years ago. The European Union
established strong, common standards for data
protection, and ensured that individuals retain control of
their personal information. They also introduced serious
consequences to enforce those standards, and companies
that have failed to comply with GDPR have been hit with
significant fines and penalties. This far along, it may seem
like there wouldn’t be much to talk about when it comes to GDPR—and the need to protect data and privacy in
GDPR, but maintaining compliance is an ongoing challenge general—will be a central focus of cybersecurity efforts over
as technology evolves and the issues of data protection and the next few years, and a primary driver for security teams
personal privacy continue to be a primary concern. seeking out more robust cybersecurity solutions.
Maintaining compliance with GDPR and taking every
precaution to protect sensitive data builds customer
confidence and loyalty.

Challenges of GDPR

There are a number of cybersecurity tools and controls that

play pivotal roles in achieving and maintaining compliance
with GDPR. Encryption protects data from access or
compromise by unauthorized individuals. Identity and
GDPR
access management (IDAM) limits access to personal data.
Data loss prevention (DLP) tools and policies prevent the
exposure or theft of data. These cybersecurity tools
contribute to limiting access and avoiding exposure or
June 2020 12
compromise of data, but the real holy grail for organizations
is the ability to quickly detect when an attacker is able to get
past these defenses.
GDPR requires that organizations have an incident response
plan (IRP). According to GDPR requirements, “In the event of
a potential data breach that involves personal information,
an organization must notify the Data Protection Authority
without undue delay, within 72 hours if feasible, after
becoming aware of the breach; and Communicate high-risk
breaches to affected data subjects without undue delay.”
Constant Vigilance is Key
The ability to quickly detect attacks that slip through is one
of the most important elements of effective cybersecurity.
There is no amount of investment in cybersecurity that will
prevent 100% of attacks, so you need complete and
continuous visibility across your IT estate to catch the
“
attacks that preventive measures miss.
By 2024, 40% of midsize
enterprises will use MDR as their
only managed security service
That means around-the-clock monitoring, though, because
cyber attackers don’t maintain business hours. Most attacks
are conducted using automated scanning and exploits
anyway, and when it’s 3am in your area, it’s still 2pm
somewhere else. The problem is that very few organizations
are capable of monitoring their network environment 24/7.
The world is facing a shortage of skilled cybersecurity
talent, and it is cost-prohibitive for most businesses to hire
and retain the expert talent necessary to provide effective
monitoring and incident response.
Security is hard and complicated. Organizations typically
rely on other sources and providers to know when they are
being attacked and how they can respond. This ability—or
lack thereof—to respond is a natural compromise in the
presence of what they see as the impossible task of making
themselves 100% secure.
This is where MDR comes in. Managed detection and
response solutions identify active threats across an
organization and then respond to eliminate, investigate, or
contain them. Today, this can mean monitoring on-premises
and cloud deployments, endpoints, containers, mobile
devices, and other IOT (Internet of Things) and edge devices.
MDR has increased in visibility and importance as
organizations realize that the scale and complexity of the
security challenge becomes intractable for individual
organizations, regardless of size.
According to Gartner, “By 2024, 40% of midsize enterprises will
use MDR as their only managed security service.” 1 The MDR
provider provides the security tools, the threat intelligence, and
the security experts, enabling you to not only protect your data
and maintain GDPR compliance, but giving you more effective
cybersecurity and peace of mind in general.
Rapid Response Equals Minimal Impact
Much of the damage that organizations suffer from a data
breach is not a function of the initial attack. The average
dwell time—the amount of time between the initial attack
and discovering it—is often measured in months or weeks.
That delay in detection provides attackers with virtually
unlimited time to conduct further reconnaissance of the
network, infect other vulnerable systems, and identify
valuable or sensitive systems and data.
A good MDR provider will alert you to suspicious activity or
a potential breach within 15 minutes of detecting the activity.
A quick response enables you to investigate and mitigate
the incident to minimize—or possibly avoid—damage. It also
gives you plenty of time to determine exactly what
happened, and what—if any—data was affected or
compromised within the 72-hour reporting window for GDPR.
GDPR has been around a while, and every organization
subject to it should have already achieved compliance.
Technology evolves quickly, though, and organizations
have increasingly complex networks. The key to protecting
data and effectively maintaining compliance with GDPR over
the next few years is a focus on constant vigilance and
working with a trusted MDR provider.
1
Gartner, “Market Guide for Managed Detection and
Response Services,” Toby Bussa, et al., 15 July 2019.
June 2020 13
 From Editor’s Desk

What are the

Rights related
to

GDPR?
June 2020 14
The General Data Protection Regulations (GDPR) came
into force in 2018, following a grace period of two years. It
is a complex piece of legislation many employees would
have undergone comprehensive training for. Even if they
are specifically affected by the rules, very few people
would learn anything about GDPR and what it means to
them. This article aims to provide a brief overview of the
significant rights granted to people ("data subjects").
The rights under GDPR are right to be informed, right to
rectification, right of access, right to erasure/to be
forgotten, right to data portability, right to restrict
processing, and right to object and rights concerning
automated decision making and profiling.
The first right here is the right to be informed. This ensures
that whenever someone collects your personal data, you
have the right to know how to access the organizations
that collect and process your data (the controller and
processor respectively), the organizations' access details
of the Data Protection Officer (DPO), the basis for data
collection, data protection period and notification of
certain GDPR privileges (such as the ability to access the
data and the ability to lodge a lawsuit if you feel that the
data is misused). The right to be informed is a
fundamental right of the data user, as it guarantees that
they know how to use their data and what to do if they
want to alter it.
The right to be forgotten is another significant right that
many would have heard of. This ensures that they may
request that a controller or processor delete all their data
without any delay if a data subject wishes to. However,
one of several conditions needs to be met for this request
to be legitimate. For example, the data was no longer
required to complete the original task or to satisfy some
legal obligations, and the data must be erased. If the data
is made public somewhere, the controller or processor
will express the request to all the data recipients. If this is
in the public interest, data cannot be deleted.
There are two other rights related to this, the right to
object to data processing, and the right to limit data use.
If the processing of data relates to public interests or the
legitimate interests of others, you may object to the use of
your data for those purposes. More commonly, if the data
is used for targeted marketing, you have the right to
object to data processing. In the same way, you are
entitled to limit how your data is processed. Both of those
rights are circumstantially limited.
Of course, there are a variety of other privileges listed in
GDPR. For example, the right of access means you can
request access to any of your data that the controller
holds. The right to portability of data means you can
request that this data be made available to you in a
convenient way. The right to rectification means that if
the data is found to be incorrect, all data subjects may
request that improvements be made to their files.
June 2020 15
 CXO Thoughts
HOW ENTERPRISES CAN MITIGATE
THE GROWING THREATS OF DATA
MARTIN SUGDEN,
CEO,
Boldon James
s we fast approach the second
anniversary of the implementation of GDPR,
the impact it has had on businesses and driving
change has been substantial. Initially, many were
sceptical of the EU’s adoption of data protection
change. But, driven by the need to replace previous
data protection rules across Europe that were almost
two decades old – with some of them first being drafted
in the 1990s – the new regime has sparked a data
management revolution that was long overdue. In the
last twenty years we have led data-heavy lifestyles,
with people routinely sharing their personal information
freely online. GDPR has helped to harmonise data
privacy laws across the EU, as well as providing greater
June 2020 16
“
DATA
LOSS
OCCURS WHEN
DATA IS ACCIDENTALLY
DELETED, SHARED OR
SOMETHING CAUSES DATA
TO BECOME
CORRUPTED
protection and rights to individuals. The impact of these
laws has dramatically altered how businesses and
other organisations can handle the information of all
those that interact with them.
Global Impact
Last year, the ICO’s combined fines for British Airways
and Marriott International was an eyewatering
£275,787,290 (€314,990,200) grabbing many headlines
and highlighting to organisations changing their business
processes would be of the utmost importance. In 2020,
the impact of GDPR is not only being seen in Europe
where countries such as Germany, Bulgaria and Spain
have imposed more fines than the UK. Global impact has
seen the US follow suit with the California Consumer
Privacy Act (CCPA) kicking into action in January, as well
as countries such as Bahrain introducing its Personal
Data Protection Law last year and Singapore publishing a
factsheet to help businesses better understand the GDPR
when applied to the Singaporean context.
Importance of Data and its Role within your Organisation
With the increasing amount of data from new and
emerging technologies, ensuring that it is being
controlled and shared effectively becomes even more
paramount. Data loss is a serious problem for businesses
of all sizes— losing files means losing time and money to
restore or recover information that is essential to your
business, plus being exposed to the risk of legal
repercussions if the data loss infringes customers’ privacy
rights. Data loss occurs when data is accidentally
deleted, shared or something causes data to become
corrupted. From an enterprise point of view, we are still
seeing human error as a leading cause of data loss for
businesses, with 50% being attributed to inadequate or
poorly observed business processes.
Before any best practice solution or loss prevention
strategy can be rolled out, it is important for an
organisation to understand exactly what data they hold
and the potential risks to its security. This means
establishing the types of data that is being held,
collected, stored and where it is located. Alongside this, it
is important to understand why the business has it, how
sensitive it is, and who is accessing, using, or sharing it.
Privacy by Design
One of the best methodologies that an organisation can
use to fulfil its compliance obligations is a Privacy by
Design approach. The framework achieved international
acceptance when the International Assembly of Privacy
Commissioners and Data Protection Authorities
unanimously passed a resolution in 2010. This approach
takes privacy into account throughout the whole process,
ensuring that it is incorporated into an organisation’s
systems, policies and processes and technologies.
Privacy by Design needs to start with data classification.
The sheer volume of unstructured data within
organisations, combined with the ever-increasing
technical abilities of hackers and the fallibility of
employees, makes it impossible to rely on people and
processes alone to ensure that sensitive data is handled
appropriately. Data classification embeds a culture of
compliance by involving users to identify, manage and
control the regulated data they work with, while
automating parts of the protection process to enforce
rules and policies consistently.
Data Classification
The key with this approach is that data is classified at
source so the organisation’s rules can be applied at the
outset. As mentioned before, it is important to understand
what data you have, who is using it, how it is being stored,
used and shared, and whether it is company-sensitive;
this is key to any data protection strategy. Once you have
defined what data you have, you will be able to classify
and protect it.
Data classification is the categorisation of data according
to its level of sensitivity or value, using labels. These are
attached as visual markings and metadata within the file.
When classification is applied to the metadata, it ensures
that the data can only be accessed or used in
accordance with the rules that correspond with its label.
Clearly you need to define your classification policy first
and decide who should have access to each type of data.
Once this has been done, it is simply the case of selecting
an appropriate classification tool.
Best Practice in the Future
As cumulative fines across EU reach £ 410,772,087 (€
467,476,268), organisations need to ensure that by using
approaches such as Privacy by Design they can mitigate the
threat that unsecured data poses to the business. As we live
in an evolving world, businesses cannot take a ‘tick box’,
point-in-time approach. Legislation, threats, and the
business itself will constantly evolve, while demands from
regulators and the board for better governance will continue
to intensify. Ongoing measurement of the effectiveness of
security policy is the only way to check that the controls the
business has put in place remain fit for purpose. The
monitoring of classification activities is a powerful way of
doing this and improves the chances that a breach will be
quickly detected – helping the business to comply with
notification periods required by regulators, as well as to
minimise damage. If there is a breach, the detailed audit
information that robust classification provides will allow a
business to demonstrate that the appropriate steps to
protect data were taken. This is a critical aspect of
complying with increasingly weighty privacy regulation and
ensuring that data continues to be an asset that powers the
business, rather than a threat to its bottom line.
June 2020 17
June 2020 18
Align your
Cyber Security
with Threat Reality
Today’s sophisticated cyber
threats call for a more proactive
approach to cyber security.
EclecticIQ’s Threat Intelligence
Platform enables organizations to
align their security efforts with the
threats most relevant to them.

Take control of your threat

landscape today to build
tomorrow’s cyber defense.

For more information visit www.eclecticiq.com

or scan the QR-code

June 2020 19
 From Editor’s Desk
A
ata security has become an
intensified focus area for many
organizations with the
implementation of major, new
regulatory rules and requirements
of GDPR. The focus has always
been on activities related to
enforcement, one rule at a time. But
when it comes to privacy, companies
June 2020 20
Bottom-up
Viewpoint
to Privacy
in GDPR
still don't understand that compliance shouldn't be their
only priority-they should also tackle their underlying
protection and data issues.
Approaching privacy through a top-down, checklist
mentality simply to comply with regulations provides a
restricted, perfunctory privacy approach that offers little
real protection. Adapting to a bottom-up approach, i.e.,
changing emphasis to meet the underlying security
needs and use best practices in data protection — set up
organizations to achieve regulatory enforcement and a
clear privacy stance.
A Bottom-up Approach to Data Security
A data-focused, security-driven approach is a safer way
to meet privacy criteria, such as GDPR. A bottom-up
strategy is tailored to the unique needs of an
organization. It secures and handles data based on
particular specific needs and a regulatory body's
requirements: it should implement compliance while
prioritizing consumers and their data over checkboxes.
Part of the bottom-up approach to customizing a privacy
program is to consider thoroughly the threats and risks
associated with the protection and management of the
relevant consumer information. This allows the
detection of main cases of privacy misuse, necessary
changes to system design, and attempts to prioritize.
There are several elements to create an effective
privacy system, but when pursuing compliance, the
following aspects are often overlooked: privacy by
design, which encourages bottom-up data security and
process automation.
Privacy According to Design
Data security by design and its core concepts includes
incorporating privacy by default into fundamental
procedures, goals, operations, and technologies. In an
attempt to make privacy by design more feasible when
developing and implementing GDPR-compliant solutions,
a group of European privacy experts explored
privacy-by-design principles by events, techniques, and
implementation methods for privacy use. Their research
offers a structure that is easier to apply to data and
procedures and is more relevant from the software and
engineering perspective.
Efficient privacy by design should accurately represent
clients and their protection needs. It guides both data
protection efforts (such as software engineering,
including pseudonymization) and process automation
efforts (such as data topic access requests, including
"delete my data").
Data Security
Safeguarding customer data from the bottom up requires a
robust data management system as a base. This offers an
overarching framework and strategy for data protection,
which involves policies, protocols, and procedures that
comply with the tenets of privacy by design. To apply these
strategies, you need to consider all the locations and data
types, and you can't defend what you don't know is there. The
use of technology should be one component of data
protection; if possible, it is better to use technology as part of a
multi-faceted system rather than buying products and expect
them to provide single-handed compliance and security.
Automated Procedures
Effective privacy systems require repeatable, auditable,
and automated operationalized processes. As privacy
demands grow from both internal and external clients, the
introduction of additional staff resources only provides
limited scalability; increasingly important are automated
processes. Access requests for data subjects, in particular,
are a standard method for automating, but others benefit
from operationalization, such as classification and
mapping of data, data privacy impact assessment, data
management by third parties, and data response.
Even when processes related to privacy are automated,
they should be treated as operational: they should be
monitored and managed continuously, regularly, and not
regarded as a static, one-off collection of procedures.
Organizations will accept operationalized privacy as part
of their culture and perspective.
Privacy regulations like GDPR will continue to be
implemented in an attempt to pressure companies to
protect and manage consumer data appropriately. But
regulatory enforcement alone does not guarantee that an
organization's privacy policy is successful. Regulations
include top-down requirements for the meeting but limited
guidance on how to achieve an effective privacy program
that addresses a specific organization's unique needs.
Organizations need to dig deep into the root causes of
their individual privacy challenges and implement
approaches with a bottom-up mentality to really advance
privacy as well as compliance.
June 2020 21
 CXO Thoughts
GDPR:
s a professional services business operating in a world driven
by data and technology, Gemserv like many businesses,
finds itself changing its business operations dramatically due to
the impact of Covid-19 and adapting our business model to the
new normal. In this we are both custodians of datasets in the
industries we serve and adviser to others in how to protect and
secure data across business operations.
Like other major shocks, such as other epidemics or a major
war, we see existing trends speeding up once the crisis has
passed, and new societal norms coming into play. Beyond
basic data protection and privacy compliance, we have
identified many trends that have a direct impact on privacy and
data protection – topics in which Gemserv is actively engaged.
The digital services environment and the impact they have on
individual rights have become more complex as 2020 and
years beyond prove to be challenging with the ‘new normal’.
Forward looking technologies may also raise societal
concerns as they play an increasing role in the digital world in
which people will live in going forward. Privacy risks will
therefore become more prominent due to risks posed.
The Data Protection Authorities in Europe and UK have
revisited their strategies to address these complexities and
will focus on high impact areas which involve vulnerable
persons such as children, the elderly, patients, complex
processing of personal data and complex operations.
June 2020 22
In our opinion, the following are likely to be at the forefront
in 2020 and beyond:
Health Initiatives Related Privacy Issues
Right to privacy and data protection are again at the centre
of debates, with governments and businesses doing their
best to reboot the economy by investing in innovative and
‘out of ordinary’ ways to deal with the unprecedented
situation. We expect the focus to be on the transparency of
the processing of health-related information and protection
from unauthorised access, disproportionate data sharing
and the legal need for large-scale data collections.
We will see focus on health care information of employees,
especially where employers are rushing to adopt various
technologies (facial recognition camera devices, contact
tracing apps at work, health and distance tracking
technologies) to keep sick workers at home to ensure the
safety of those present in the office. Intensified workplace
surveillance could become the new normal.
We will also see challenges around the processing of
non-health data, such as location tracking data for health
monitoring purposes which are likely to increase the risks to
privacy and security of individuals.
Artificial Intelligence and Data Ethics
Big data, automated decision-making, profiling, online
behavioural tracking, surveillance and facial recognition – all
are extremely debated topic, even more so at the age of
Covid-19. All those technologies are already largely available
and in use. While the ICO and other data protection authorities
across the world are shaping their codes of conduct for the use
of AI with the aim to develop monitoring systems focused on
how AI systems use personal data and automated decision
making without human intervention, we feel that many
organisations will need support for assessing their AI solutions
and documenting a framework of obligations on how their AI
models are constructed and used. Algorithmic Impact
Assessment (the data ethics counterpart of a Data Protection
Impact Assessment) can also be used as an effective way to
measure and mitigate risks of bias and making sure that
meaningful human intervention is implemented.
Beyond basic data
protection and privacy
compliance, we have
identified many trends
that have a direct impact
on privacy and data
protection – topics in
which Gemserv is actively
engaged.
Also, advertising and direct marketing in the online environment
have become increasingly complex with the use of tracking
technologies where large ecosystems are involved in the resale
of personal data. Many Data Protection Authorities are focused
on educating the public about their privacy rights by developing
guidance materials, holding workshops and self-help tools. We
raise public awareness on online privacy concerns and privacy
by design through our webinars and blogs. We find that more
and more people are reluctant to accept generalised online
tracking to deliver targeted ads, when such tracking can also be
used as a weapon of political influence. Algorithms are now
able to infer a large volume of characteristics with a very little
amount of personal data.
Continuous scrutiny by data protection authorities,
especially on large tech companies is on the agenda and
increased suspicion by the public is leading large tech
companies to slowly abandon cookies. Children’s online
privacy is also a common theme among Data Protection
Authorities in relation to online advertising. For instance, the
ICO in the UK has recently published guidance on how the
GDPR applies in the context of children using digital services.
The main concern today is whether we would see an
increased concentration in the AdTech industry, by
destroying the real-time advertising ecosystem to the
benefit of Google and Facebook with more pervasive
tracking technologies, or if the whole online advertising
industry will take a different direction for contextual-based
advertising rather than interest-based. What is sure at the
moment is that the ePrivacy Directive (transposed into PECR
in the UK) does not reflect current situation of the internet –
and the new legal framework, the ePrivacy Regulation, is
stalling. The evolution in this area are going to be a highly
debated topic in the years to come.
Internet of Things
With the roll-out of 5G many new real-time connected
solutions will push connected devices further into the
market. Healthcare, wearables, autonomous vehicles… The
possibilities and their promises are fascinating. An ongoing
concern about connected devices the previous years has
been security and privacy of the data – and this is only going
to increase. What categories of data these devices are
actually collecting? What categories of data the
manufacturer or other third parties are able to access? Is the
device truly secured?
Security by design and Privacy by design are going to be
scrutinised by data protection authorities and we can expect
a strong enforcement in the years to come, proportionate to
the sensitivity of the data involved in some connected
devices.
The Future Relationship between the UK and the EU
The UK leaving the EU raises many uncertainties – and data
protection is not exempted. Will data flow freely between
the UK and the EU? Quid of the UK and the U.S.? Are we
going to assist to more fragmentation in Europe of the
interpretation of the GDPR, with an “EU GDPR” and a “UK
GDPR”?
All responses to those questions are pending, and like in
other industries, there is a risk of loss of momentum with the
current climate. Organisations could delay their privacy
programs while waiting for more clarity on the future position
of the UK in the global exchange of personal data.
In conclusion we see the impact of Covid-19 as speeding up
existing trends and creating new ones. Whilst there is
uncertainty what is certain is that GDPR is pivotal in
unlocking the huge societal benefits from data and
technology, whilst protecting the individual’s rights.
June 2020 23
 From Editor’s Desk

The Remarkable Effects

of GDPR on the Cloud
he General Data Protection Regulation
(GDPR) of the European Union was eventually
implemented, in 2018, after devoting four long years
in the making and two years in transformation. It will
replace astutely the national laws and regulations
focused on the revered 1995 EU Data Protection
Guideline and distributed through organizations focusing
on EU customers from outside the EU.

While the GDPR primarily carries forward the 1995

directive's ethics and locution, it also incorporates
several additional dictums with ambiguous after effects.
These could include a strict consent rule, a data
portability clause, and a 'right to be forgotten.' It also
promises optimism for large-scale conformity in Europe,
which international organizations should accept, as well
as relief from registration issues that have existed in
many countries.

While this is a significant move taken by the European

Council, after Brexit, of course, the regulatory terms are
already proving to be a huge challenge, inclusive of
twists and turns. Data Localization is one of the most
popular aspects of the law. Data Localization refers to a
regulation requiring a particular consumer data to
remain limited to a nation or region's borders. Though

June 2020 24
GDPR focuses heavily on data localization, this law isn't
entirely new for the world. Before 2018 a similar
declaration was passed by countries such as The
Netherlands, Germany, Switzerland, China, Russia,
Turkey, Uganda, Indonesia, Tanzania, Kenya, and many
others. But the imminent GDPR once again deprived them
of the limelight.
Explicitly, GDPR implies that only when a satisfactory
degree of security is guaranteed can personal data be
transmitted to nations outside the European Union. If an
organization has only a slight doubt about a particular
destination, the data does not travel there. With dissent
costs too high, many companies will opt not to take a
chance and will play it safe by ensuring that their data
stays contained within the EU, or even within the country
or area of origin. For example, Germany censors the
distribution of data across the national border, including
EU countries, without guaranteed walls of security.
Data localization will have a significant effect on
multinationals, including U.S. based businesses that use
the cloud and operate in European markets as well as
cloud service providers. This is because the
organizations fell into two big GDPR groups – ‘Data
Controllers’ and ‘Data Processors.’
Data Controllers are agencies, companies, or
corporations that operate individually or in partnership
and function on the purposes and means of personal
processing data. This group covers up to 80 percent of
establishments worldwide. Data processors are
agencies, companies, or organizations that process
personal data on a controller’s behalf. This section
covers Cloud service providers. The news does not come
as a surprise, though, that recently, significant providers
are expanding their networks across Europe to meet the
new requirements.
Data Localization refers to a
“
regulation requiring a particular
consumer data to remain limited
to a nation or region's borders.
While the public cloud provides numerous assets to
business users, it also impairs the pellucidity or the ability
to see and distinguish where data is stored, and
workloads are handled. From a GDPR viewpoint, this is
incredibly difficult. This is because organizations present
in various parts of the world would need to use the cloud
to ensure that the data remains in the assigned space
without moving to another location. If customer data
transfers to a non-vetted area outside the approved
perimeter, the company, as well as the service provider,
will be guilty of the breach.
Although consumers of enterprise cloud are aware of the
conformity risks, this does not prevent them from adopting
the cloud. Furthermore, for their advantage, they need to
ensure greater consistency and accountability in the data
storage and workload delivery framework of their service
providers, as well as a multi-cloud game plan that enables
them to migrate between various service providers when
required to guarantee compliance. Trust is vital, and
animosity towards single vendor lock-in will increase, as
companies seek greater flexibility to meet country-specific
consent requirements, as well as the opportunity to move
providers seamlessly if the trust is ever defied.
However, one thing is for sure that trustworthy data
localization capacities are another challenging
precedent in assessing and selecting providers for
enterprise users of the cloud. The data localization
hypothesis and the cloud are examples of GDPR
specifications requiring urgent and detailed
consideration.
June 2020 25
 CXO Thoughts
A “Privacy by Design”
approach is key to
creating GDPR compliant
businesses
Joseph Anantharaju,
President & CEO
Happiest Minds
We are currently living in
two different worlds – the
digital world and the
physical one. One day the
twain shall meet but for
now the common thread
between these worlds is
they are both driven by data. Everything you share online,
whether you are making an online purchase or simply
posting a picture on social media, is processed, and stored
for a very long time, if not eternity.
As Pete Cashmore, the Founder of Mashable once famously
said “Privacy is dead, and social media holds the smoking
gun”. While it is easy to buy into this dystopian view, it is
heartening to note that there have been landmark
international privacy laws like GDPR and CCPA that have
been passed to protect the information of consumers.
General Data Protection Regulation (GDPR) was passed by the
European Union (EU) and It went into effect on May 25, 2018.
Although, it was created to protect the personal data of EU
citizens, it affects businesses worldwide. If you have
customers in or collect data from users in the EU – GDPR
applies to you.
Companies that handle consumer data are entrusted with
the responsibility of keeping it safe and not exploiting
information they may be privy to unintentionally. This is
reflected in the view taken by leaders of major companies
GD
PR
like Facebook and Apple – Mark Zuckerberg has underlined
the importance of Facebook moving focus away from what
they would like to know about people to what people would
like to share about themselves.
Engineering GDPR compliant businesses
GDPR regulates how companies collect, handle, and protect
personal data and grant consumers more control over
personal information collected about them. However, most
businesses are still in the process of engineering their
systems to be able to meet the necessary GDPR guidelines
and have primarily relied on “User Consent” to achieve
compliance.
A more comprehensive approach to complying with GDPR
regulations in both the letter of the law as well as its spirit,
would require addressing these concerns –
• Data Lifecycle Management - Consumers have the
right to know what is being done with their information
and who receives it apart from demanding that their
data not be shared or stored. Businesses must have
mechanisms in place to provide consumers with visibility
of their data as well as the required interfaces to request
actions like erasure.
• Breach Notification - In the event of a breach, a
business must be able to understand the details and
nature of the data breach and promptly notify it users
about when the data was stolen, lost, destroyed, or
changed.
 • Increased Record Keeping - Businesses need to
create processes around handling personal information
and maintaining audit trails of processing requests for all
data subjects.
• Third Party Risk Management - While a business
should start with cleaning its own house, it would
also be imperative to renegotiate third-party
contracts to enable compliance and management of
contract inventory.
The importance of using a “Privacy by Design” approach
Given these regulations and the need to protect user data,
privacy should now be a critical design component while
creating a platform or a backend process flow. As a result,
all businesses should adopt the “Privacy by Design”
approach when creating products or building websites to
keep data collection to a minimum while baking in security
measures into all stages of a product’s design. The cardinal
principles of “Privacy by Design” are as follows:
• User-centric approach
A user centric approach demands that you place the needs
of your users foremost while designing a system. This
necessitates clear consent in collecting data, specifying
what the data is being collected for, minimizing the amount
of data collected and using it only for the purposes
specified.
The second aspect of a user centric approach must facilitate
transparency with users in the event of a data breach, so
that the potential damage emanating from it can be
mitigated.
Lastly, users should always be provided with complete
visibility and control over their data, so they have a view of
what information is stored about them and requesting for
edits or deletion as required.
• Incorporate privacy in the requirements and design
phase
As businesses launch new products and services, they need
to ensure that privacy has been addressed right from the
beginning instead of treating it as an after-thought. This
includes clear definitions of validating the need for data,
defining data workflows, parties accountable for the data,
and planning for data integrity and access controls.
• Proactive Safety Measures
The importance of having the right safety mechanisms
cannot be overstated. Businesses constantly need to be on
their toes by using algorithms to monitor and take corrective
action in the likelihood of a potential security incident that
could lead to a data breach.
• Leverage Technology
As the world becomes increasingly digital, there are various
emerging technologies that can play a crucial role in
enabling greater security. Apart from modernizing their
existing systems to enable greater data security, businesses
can focus on –
a) Automating security controls for new products and
applications to ensure the process of data collection and
storage confirms to the right standards.
b) Adopting Blockchain for secure transactions.
c) Using intelligent Bots to monitor platforms and
networks and detect breach attempts and
vulnerabilities.
General Data Protection
Regulation (GDPR) was
passed by the European
Union (EU) and It went into
effect on May 25, 2018.
Regulatory conformance requires expertise
As consumer privacy takes center stage and conforming to
regulations becomes increasingly important, businesses do not
have the luxury of hitting the pause button as they overhaul
their existing systems and processes. It would involve a steep
learning curve in addition to an exorbitant opportunity cost that
would adversely impact most companies.
A much better approach would be to work with a partner that
has deep technology expertise and a comprehensive
understanding of privacy regulations. As companies continue
to capture increasingly more data about their customers, it
squarely becomes their prerogative to safeguard this
information and utilize it appropriately. Like they say, with
great power comes great responsibility – allow experts like us
to shoulder some of it, so you can focus on what you do best!
From Editor’s Desk

The DO'S AND DON'TS

to Endure GDPR Compliant
 t's been nearly two years since the Global Data
Protection Regulations (GDPR) came into effect on May
25, 2018. As much as it has been in the news,
companies might be wondering: what can they do as a
system administrator to help it comply with GDPR? Before
going deep into that, let's do a quick review of what
exactly is GDPR.
Security First
The GDPR says the data subject gets to determine
whether companies can store their personal data. And
before making such a decision, the person should know
why the organization needs it, what they will do with it,
and should be sure it's stored correctly. Among other
things, storing personal data 'properly' means that you
can ensure that only those that need to see it will see it
and that they will only be able to access it when it is
required. Many assume that the GDPR merely codified
what others would find best practices in the sector, and
many of the regulations do also fall within the field of
program and database management.
There are five distinct ways administrators can help their
companies comply with GDPR.
Adequate Access
The access should be provided only to those who need
access to a specified data set. For instance, a doctor
should have access to the medical records of his patient,
but this does not mean that all doctors should have
access to the medical records of all patients. Of course,
someone without a legitimate justification should not
have the right to a patient's medical record.
System and database administrators can enable their
businesses to be more compliant by monitoring who is
accessing various types of data and making sure that
only those who need access have it.
Account Control
When you ensure that only the right people have access,
make sure that you have a process to deactivate
accounts when you no longer need to. HRs and those
dealing with contractors should have a method to notify
the appropriate team when access is to be revoked to
individuals or groups. Additionally, some kind of regular
analysis should be conducted to make sure that no one
has slipped between the cracks.
Separation of Powers
The more power a system or database administrator has,
the higher the 'blast radius' if something goes wrong with
them. This is why the use of role-based administration to
distinguish different powers is an excellent idea. For
instance, one administrator may have the ability to
configure and run new backups, but not the ability to
uninstall existing backup configurations or existing
backups. Perhaps restoration capability is restricted to
just a few people. The more resources you can isolate,
the more protected your data will be overall, and the
more protected your personal data will be.
Strongly Supported Encryption
Besides having a robust intrusion detection and
prevention system, in case the operation is ever
circumvented, one should consider using encryption for
data at rest. If a bad person ever gains access to the data
they are not supposed to get, it is a non-issue through
encryption. It should be taken into account for all the
personal data.
Backups should not be Optional
Backups must not be optional anywhere in the data
center but, where personal data and GDPR are
concerned, part of the regulation states that such data
should be covered against erasure. The only way to do
this properly is to ensure that you have a reliable program
for backup and recovery.
 olution P
S ro
P R

vid
Top 10 GD

ers 2020
GDPR
GDPR involves the implementation of appropriate technical and organizational
measures, ensuring a level of security appropriate for high value data. But
organizations need to take the responsibility of deciding what measures need to be
taken to reduce data risk. Companies who have not yet incorporated GDPR into
their system, are using temporary controls and manually processing their systems
to ensure compliance. But in case of non-compliance with general data
processing principles, companies can be fined with penalties up to 10
million euros or two percent of global annual revenue from the
previous year.

Moreover, the entire process of implementing the GDPR principles is

quite challenging, for the companies and the users. Following the guidelines
and adopting certain practices to ensure the elimination of any kind of a violation,
system audit and assessment, adapting to new implementations, team compliance
and training, and maintain transparency are the most difficult issues.

Thus the current edition of CEO Views brings to you "Top 10 GDPR Solution Providers
2020”. The list highlights some of the GDPR solution providers who offer the best in class
in the technology landscape. The proposed list aspires to assist individuals and organi-
zations to find the best companies that will help them accomplish their projects.

June 2020 30
 Company Management Description

Data Reporter Ing.Michael Data Reporter supports organizations in the process-oriented implementation of
datareporter.eu Traunau, the data protection management system with robust software solutions Privacy &
AUT CEO WebCare. The platform unites data protection officers and organizations.

dFakto is a consulting company that helps organizations make better use of the data
dFakto Thibaut de through innovative technological solutions. dFakto believes that ‘more data’ alone
dfakto.com Vylder, will not lead to better decisions. dFakto has developed a proven methodology that
Brussels, BE CEO facilitates data-driven processes on a state-of-the-art platform managed by a team of
experts.

MetaCompliance is a cybersecurity and compliance organization that helps transform

MetaCompliance Robert O’Brien, company culture and safeguard the data and values. MetaCompliance creates state-
metacompliance.com CEO of-the-art eLearning, GDPR, policy management, incident management and phishing
Piccadilly, LDN solutions that clients trust to help them create a better relationship with employees and
regulators.

MyData-Trust supports the Life Sciences Industry in leveraging compliance related to

MyData-Trust Data Protection. MyData-Trust is composed of a multi-disciplinary team including data
Xavier Gobert,
mydata-trust.com privacy lawyers, IT security specialists and life sciences experts. The organization merges
CEO
BE these skills and creates a unique combination of skills and knowledge to address the
client needs efficiently.

OMNINET Software Solutions has designed OMNIPRIVACY, a 360°AVG/GDPR

OMNIPRIVACY management tool to insure 100% control and oversight of AVG/GDPR Readiness by
Stany Hellin,
omniprivacy.be continuously monitoring 7 processes: the processing register, contract management,
CEO
Antwerp, DE data leaks, privacy requests, document management, risk management and
dashboards.

Papaya Global is reinventing global payroll, payments, and workforce management. The
Papaya Global
Eynat Guez, automated platform of the organization helps other companies hire, onboard, manage, and
papayaglobal.com
CEO pay people in more than 100 countries. The cloud-based solution is easy to use, and scale
NY
ensures full compliance and provides industry-leading BI and analytics.

RISMA Systems is a fast-growing software company that supplies compliance tools to

RISMA Systems Lars Nybro
organizations and authorities and develop groundbreaking solutions ensuring optimal
rismasystems.com Munksgaard,
resource use in organizations. The purpose of RISMA has always been to build a
Herlev, DK Founder & CEO
platform that helps customers to track, monitor and manage all GRC activities easily.

Sureway is a comprehensive digital privacy platform that safeguards all of the

Sureway Kjetil Odin company’s obligations and the rights of data subjects following privacy laws. The
sureway.no Johnsen, solution automates what must be done manually in other solutions and is self-service
AS CEO for the data subjects. Sureway acts as an ecosystem of privacy that ensures that
everything is connected together as a whole.

The Privacy Factory is the trade name of the PrivacyO group of companies. Together it
The Privacy Factory Karen-Marlies represents over 30 years of privacy expertise, information technology expertise and
theprivacyfactory.com Schenck, corporate experience. Based on the expertise and experience gained, they know that
Amsterdam, NL CEO implementing the General Data Protection Regulation (GDPR) is first and foremost a
knowledge and management challenge.

VigiTrust is an IRM (Integrated Risk Management) SaaS service provider - PCI, GDPR,
CCPA, HIPAA, and VRM. VigiOne encompasses VigiTrust’s fifteen years of experience
Vigitrust
Mathieu Gorge, in the Information Security Services Industry into one single SaaS solution enabling
vigitrust.com
CEO complex and disparate organizations to make the implementation and management
Dublin, Ireland
of adherence to Security and Privacy regulations more accessible and more
straightforward.

June 2020 31
 From Editor’s Desk
Resolving Data
Governance with
respect to GDPR
he General Data Protection Regulation
(GDPR) was implemented on 25 May 2018 as
a new regulation. The law seeks to unify and
strengthen data security for citizens living within
the EU. Regardless of where a company is situated in
the world, if it is doing business with members of the
European Union, the GDPR applies. Globally,
companies are working hard to comply with GDPR, as
the fines for non-compliance can be very high.
GDPR may have impacts such as the increased need
to review and improve organizational procedures,
applications, and systems; more stringent privacy and
protection requirements; possible fines of up to 4% of
annual turnover; addressing GDPR, to address GDPR
enforcement within an organization, various aspects
need to be addressed, including HR, legal, IT,
marketing, etc., adequate security measures need to
be enforced with the right technology to reduce risk,
address legal requirements, allow digital
transformation, improve competitive advantages;
GDPR contains critical criteria that directly influence
how a company implements IT protection; to
safeguard and protect personal data, it is essential to:
be aware of risks, know where data is stored, integrate
IT network security, review and modify existing
applications where appropriate.
It's not possible to just buy a GDPR compliant product
and leave it at that. GDPR is for risk control and
June 2020 32
security processes. This means that one specific
product cannot overcome the challenges. To be fully
GDPR compliant, a company needs to ensure that all
of its solutions work correctly together.
To ensure that a company is compliant with GDPR, it
should follow the four steps listed below.
Discovery
It is essential that the company can track, implement,
and report compliance with GDPR. The company
needs to know how data enters, what is done with it,
and how it exits the company to do so. To achieve this,
data governance is required, which provides
capabilities, including data lineage, asset inventory,
and data discovery. The more data is reused without
proper data governance, the higher the chance of data
processing malfunctions. Therefore, resources for
assisting data governance should be wisely selected.
Enrichment
Application may need to be updated to protect the
rights of data subjects (people whose data is handled).
Because personal information can reach the company
in many types of formats and can be stored at different
locations and held in various forms such as images,
text, and voice recordings, this can be a significant
challenge. Individuals can also request information on
their own. It must be possible to automate and manage
a potentially enormous number of requests efficiently.
Furthermore, data must be removed according to the
'right to be forgotten' of GDPR.
To do all of this, a company may need to merge its
customer data and provide a clear view of all data
subjects around the company. If an organization can't
distinguish the personal information of individuals from
its data sets, this may mean that there is no sufficient
control over personal information, which could raise
red flags for regulators.
Foundation
Another criterion is IT protection that focuses on the
efficiency and availability of services. The reason for
GDPR is for risk control and
“
security processes. This means
that one specific product cannot
overcome the challenges.
this is because it is difficult to predict when, and how
much at the same time, systems are expected to pull
data. When a technological or physical incident has
occurred, restoring access to personal data and
availability promptly would also be necessary.
Encryption is going to be stronger than ever. The
detailed application-to-storage mapping must ensure
that applications are connected to the physical
storage on which they reside.
Enforcement
There will also be a need for technologies that can
secure systems, software, and people. This includes
services and products that include security controls
that can predict, avoid, detect, and react through
management, identity, and protection systems for
database access. People erroneously believe GDPR
lists different technologies to be used. Instead, GDPR
keeps the data processor and controller responsible
and obliges them to take into account the risks
associated with the data handled and to implement
adequate security checks.
Opportunities for Organization
While there is plenty to do to become GDPR compliant,
it should be regarded as a once-in-a-lifetime
opportunity for companies to look at and improve data
management according to best practices. The
quantities of data have exploded, and big data have
become popular. This could be an opportunity to
incorporate the right resources and procedures, and
with GDPR a new fact of life, it could be easier to
receive executive support.
With big data systems like Hadoop, it is not always
possible to use current data governance frameworks,
causing severe problems. Sustainability requires
proper design and structure. Hadoop and other big
data platforms have an incredible amount of
knowledge about consumers and their behavior, which
can be leveraged to drive customer experience
improvements. However, this makes it challenging to
understand which data is stored, where it originates,
and who is using it for what. This poses significant
challenges as some of the details, such as names,
addresses, and account numbers, can be sensitive.
This information needs to be secured, especially with
the introduction of GDPR.
Data objects and information reside in various
locations of Big-data environments. However,
conventional data governance tools only look at data
after it has been organized, and this is not good
enough for GDPR, as big data systems enable users to
participate in experimentation before raw data is
modeled.
However, while still applying good data governance, it
is possible to maintain the exploration benefits of a big
data environment. To do this, an ecosystem-born
method explicitly designed to solve this problem
needs to be used. For example, this restricts genuinely
native Hadoop governance options for respective
distributions to the Cloudera Navigator and Apache
Atlas. There are other alternatives to look at in the
market.
June 2020 33
 CXO Thoughts

GDPR nn ,C
EO

a
ckm
Chris Bro
IS STILL AN
UNTAMED

ca
en
c
ec

ANIMAL

nterprises often restrict their
privacy management strategy to
customer data only. Though it is the personal data
of employees, spread across the entire company that may
be causing the real challenge. Chris Brockmann, CEO of
eccenca, explains how enterprises can master this
complexity problem.
When the General Data Protection Regulation (GDPR) came
into effect, adhering to its rules was probably one of the
most dreaded tasks for every company. Today, many initial
fears seem to have proven unnecessary. Initiatives that had
started with ambitious goals have lost steam. The general
public has not flocked to your inquiry
website. And you may not have heard much
from the call center you had deployed to handle
subject access requests. In fact, you already may have
re-purposed staff previously dedicated to managing GDPR
compliance.
At first glance, this sounds like the GDPR has become the
toothless animal some of us had hoped for all along. But not
so fast! During the past few months, the GDPR has surfaced
at a point, where most of us had not expected: Negotiations
about severance payments. Of course, many organizations
have employee agreements in place intended to take the

June 2020 34
sting out of data usage regulations. But laid off employees
come to court with their homework done and done well.
How about your Employee’s Data?
There is one aspect of employee data your agreements
could not fix and will never fix. It is the right to request
erasure of data after termination of employment.
As we can all imagine, terminated employees are not your
happy campers that are asking for their data out of curiosity.
Former employees might carry vengeance and frustration.
Often, they also have enough insight into your company’s
internal workings with data to make your GDPR fire squad
go ballistic. And the complexity to it does not stop here.
Personally identifiable data from customers and suppliers
might be spread over a handful of disparate applications.
But at least it can be clearly attributed to a specific subset of
processes. With employee data it is an altogether different
story. Personally identifiable employee information is
literally everywhere. Just remind yourself that a software
generally logs the names of the creator and the several
editors of a data set, process or document in its metadata.
There really is no escape.
Do you have scalable plans and processes in place to
deliver GDPR compliant deletion and documentation that is
sustainable in court? Or is it your plan to sit it out and pay
the price that might add up to 4 percent of revenue? Sure, so
far nobody has ever been fined that amount. But erasure
management could well turn out to be the “death by a
thousand needles” for any organization. After all, managing
deletion of data is a complex problem that is by no means
limited to employee data.
A Graph-based Solution can help cut through the
Complexity!
Let us assume you already attach broad and well-designed
legal stipulations to your employment contracts. But this
does not ease the pressure on being able to report on
where personally identifiable data is stored and processed
throughout your company. Apart from the legal strategy you
need a systematic, technology powered approach to data
governance that provides a solid footing when push comes
to shove.
In a nutshell your approach should at least include:
• a central catalog of all systems,
• a central catalog of all processes and its processing
purposes,
• a central catalog of the legal basis, legitimation and
your retention policy,
• an integrated index that allows you to identify
personally identifiable data on subject level as per each
of the above,
• automation of documentation and reporting on your
actions taken,
Enterprises often Restrict their Privacy
Management Strategy to Customer Data only.
Though it is the Personal Data of Employees,
Spread Across the Entire Company that may be
Causing the Real Challenge
• an active governance and observation system that
reports data once its legal retention period expires
(scarcity requirement)
What sounds like squaring the circle is far from being
impossible. As a software vendor that helps its customers
master complexity in a fully digitalized world, eccenca is
specializing in projects where data sources are abundant,
black boxed and heavily siloed. We found that using
knowledge graph technology provides the transparency
needed to evaluate, manage, visualize and link data across
a company’s disparate IT landscape. Our graph-based
approach also provides the web-scale versatility and
scalability to expand documentations as your challenges
grow and change.
In terms of the GDPR, the knowledge graph approach gives
your organization the means to establish sound
documentation of personally identifiable data and puts it
into context with applicable governance rules. Thus, the
eccenca solution enables you to fully document,
automatically validate and systematically trigger GDPR
compliance processes. After all, litigations will always cost
you more than the effort to employ an automated
compliance management solution.
June 2020 35
 n the era of GDPR and CCPA, there seems to be more
speculation about compliance and personal privacy
than there is about the environment. It's
From Editor’s Desk understandable because forecasting the weather
outside seems a lot simpler than devising and executing
an effective data security policy.

How Privacy and Despite news about data breaches being all too
frequent and significant fines for non-compliance

Compliance is becoming a growing fact, claiming naivety to the issues

and impacts for organizations of any size or form is
neither sympathetic nor necessary. The good news is
Salient in the that there are a variety of tools and solutions available,
which can automatically identify risks and secure

GDPR Era? personal data while mitigating exposure to legal and

financial risk.

Start With People, Not Technology

But before moving into any technology solutions, it's

crucial, to begin with, an understanding of how it will
affect all stakeholders in the organization. Begin by
circling the wagons and enlisting the business leaders'
support and expertise, as well as legal and enforcement
teams. Too often, the Chief Information Security Officers
(CISOs) face growing challenges of implementation due
to a lack of coordinated efforts across their organizations.
Employee resistance is a tough hurdle to clear,
particularly if they feel that compliance with new security
measures would complicate their work.

A buy-in at the C-level is a requirement for effective

policy implementation. Until these significant influencers
see and feel the risk factor, implementation of any kind of
system will be difficult. Consider a two-phase approach
as a technique to best practices. Begin by finding the
lowest-hanging fruit and execute something that is
relatively easy to exploit and get behind everyone in the
company.

Making improvements where leverage is easiest is a

smart way to gain trust and momentum. Even if this
decreases the risk by just 15 percent, you're on the
road — so remain focused on making steady, gradual
June 2020 36
progress. The method can often be overwhelming at
least at first but not sidetracked by stagnation of the
study. Instead, continue to hold discussions and push
forward with what will be done next.
Putting the Rules in Order
Rolling out workplace plans and policies requires a
foundation with clear laws to guide the process as a
whole. While a mandatory course of compliance is an
excellent start, it's crucial not to overwhelm employees
outside the gate. And it is short-sighted to conclude
that a 20-minute session offers ample training.
Alternatively, enforcing a policy that includes catching
and educating employees if improper or unsafe
behavior is detected is highly recommended.
It's important that everybody recognizes – and
accepts – the big picture. Compliance rules and
regulations and privacy policies are not meant to
limit personal productivity. Instead, they are
targeted at protecting staff, the company, and
clients. In short, driving home the credo the
“
There are a variety of tools and solutions
available, which can automatically
identify risks and secure personal data
while mitigating exposure to legal and
financial risk.
company cares for its staff and clients and doesn't
want to place anybody at unnecessary risk is
critical. The easiest and most successful way to
involve others is to learn the rules.
Think about this in the context that average office
employees send about 40 work-related emails and
receive around 90, according to TechJury.
Consequently, an organization with 1,000 staff
handles 40,000 to 90,000 emails per day, many of
which contain potentially private personal data. Put
the 80/20 rule into practice here: if 80% of possible
data threats are triggered by 20% of behavior, putting
in place policies to protect personal data as it is
generated in emails and files will provide immediate
and substantial reductions in risk.
Establish a System for Development Tools
Once everyone knows and understands the law, a
technology system and tools would be easier to
develop to help identify and reduce risks. Balance is
ideal, so avoid locking up too much data as the effect
would stifle the ability of both workers and consumers
to transact business. To reduce risk while enhancing
reward, selecting technologies and resources that
balance the need to protect information with the
potential to achieve widespread acceptance is critical.
Favor a crawl-walk-run method, because you don't need
to carry out the whole plan on day one. Instead, define
the most critical endpoints there and concentrate initial
efforts. Then don't worry about depending on the test
cases along the way. Tweak the mechanism to comply
with the workings of the company and its employees.
Going with solutions that have AI and machine learning
capabilities will help train the solution to offer the best
and most scalable match while automating other
processes to reduce employee burden.
Once up and running, the incremental rollout continues:
"Run" with a small group until you "run" with the entire
organization. Know that, and this is not a
set-it-and-forget-it situation; plan to review and change
policies and settings regularly. Think of an engine as
your data security solution. Once it is in place, it requires
periodic tuning to sustain exceptional performance. It is
also essential to choose an engine that allows
interoperability with other solutions that may be worth
adding and leveraging as business and market
conditions, as well as regulations, arise and evolve.
There's No End and No 'Enforcement' Button
A robust and compliant data protection policy is as crucial
as getting a website for companies today. Regulators
should not expect anything to be instantly flawless in
living up to regulations such as GDPR and CCPA, as well
as others, but be assured that they can judge situations
according to demonstrative and conclusive measures
taken. So get going and continue to move — there is no
end and no simple button. Privacy and confidentiality are
the responsibility of all, and the interest of all.
June 2020 37
 CXO Thoughts
Dr. John Ghent,
CEO,
Sytorus Ltd
Privacy and data protection have never been more
important, and it was not too long ago that the general
consensus was that privacy was dead. It is now abundantly
clear that privacy is paramount.
The COVID-19 Crisis has accelerated working from home
and digital adoption. This means that any privacy
programme will need a privacy management platform to
effectively do their job. As we hopefully emerge from the
COVID-19 crisis, digital adoption will continue to accelerate
and Artificial Intelligence (AI), Internet of Things (IoT) and
Machine Learning (ML) will become more ubiquitous.
Companies and governments are ramping up their own
June 2020 38
From ‘Privacy is
Dead’ to ‘Privacy
is Paramount’
GDPR
digital adoption to fight COVID-19 and help their employees
and citizens respectively get back to work in a new normal,
but the choice should not be between privacy and health, it
must be both.
There is no doubt that the COVID-19 Crisis has accelerated
digital adoption for governments and industry. In attempts
to tackle the virus, many governments have deployed very
invasive tools, China for example are monitoring smart
phones, utilising facial recognition technology and requiring
all citizens to report on their body temperature. China are
not alone, and many countries are rolling out their own app
for tracking citizens, with good reason, however, the risk is
where does it go from here? Transparency is key to trust, for privacy teams need access to the right tools to run effective
both governments and companies. DPIAs in order to determine the risks.

In the immediate term, most companies are not prepared for We are now in a global regulatory environment, 65% of the
the new norm of working from home, we see this across global population will be under ‘GDPR (General Data
every sector. The risks do increase when staff work Protection Regulation)’ like regulation by 2023, up from only
from home. Most of us at home 10% today* and more privacy laws came into effect
are relatively tech in 2018 than in the previous century. This has
savvy, with smart resulted in a massive increase in privacy
TVs, gaming teams. In 2018 there was an estimated
platforms, and 70k privacy teams in Europe, by 2019
w i r e l e s s that number was estimated to be
routers common 500k, and by the end of 2022, more
place. Some homes than 1 million organisations will
have many Internet have appointed a Data Protection
of Things (IoT) Officer (DPO).
devices installed
These privacy teams need a
which can add
privacy management platform to
complexity to
do their job, now more than ever. In
the challenge and
relation to the market, most analysts do expect a
vulnerabilities to the
deep recession at this point, most predicting an ‘L’
network. Unfortunately, it is not
shaped recovery, however, the demand for tools that
generally the case that enough protections
privacy teams need, i.e. privacy management platforms,
are in place to ensure that we are protected. Data Protection
will continue to increase over the next couple of years.
Officers (DPO’s) / Chief Privacy Officers (CPO’s) / Privacy
Before the COVID-19 crisis, the compound aggregated
Leads need at a minimum to retrain their staff that can work
growth was estimated to be 33% for the next 5 years. It is
from home, update and enforce their policies, and test how
likely that after we come out of this crisis the CAGR will be
susceptible staff are to clicking on the massive increase in
even greater.
phishing attacks.
As we move into a new norm of accelerated digital adoption,
In addition to this privacy teams need to have the ability to
this has two significant impacts for Data Protection Officers
assess vendors remotely and run Data Protection Impact
(DPO’s). The immediate challenge of how to manage privacy
Assessments (DPIA) remotely. It is clear that more and more
programmes when everyone is working from home, and
companies are deploying artificial Intelligence capabilities
secondly, how to manage increased complexity within
into their products and services. DPIAs are almost always
companies due to the deployment of more complex
required, but how should companies do them when it comes
systems. Companies need to ensure that they are building
to AI and remote working, and is the latest drafting of global
technologies that have Privacy-by-Design as a governing
data protection regulations even capable of capturing the
principle, and that also are for the good of individuals and
risks? The spirit of the GDPR is to protect the basic human
not to their detriment. Having access to the right tools to do
rights of living individuals, but do the principles of the GDPR
their jobs is more important than ever.
enforce safe guards that put the power in the hands of the
data subjects, rather than in the hands of the AI? We are Source: Gartner Predicts for Future of Privacy 2020, January
seeing many problems in the market relating to this and 20th, 2020

June 2020 39
 From Editor’s Desk
GDPR:
What does it mean for
Businesses and Consumers?
he General Data Protection Regulation (GDPR)
i s a regulation in the European Union (EU) and
European Economic Area (EEA) on data security
and privacy legislation. It also tackles personal
data transfer outside of EU and EEA zones. The primary
aim of the GDPR is to give individuals control over their
personal data and to simplify the regulatory environment
for international business by unifying the regulation
within the European Union.
The European Commission carried out proposals for
improving data security in the European Union in January
2012 to make Europe 'ready for the digital age.' Nearly
four years later, the consensus was reached on what it
entailed and how it would be applied. The
implementation of the GDPR is a critical component of the
reforms. This new EU system extends to organizations in
all member states and has implications across Europe
and beyond for companies and individuals.
The reforms are designed to represent the environment in
which we now live and bring laws and responsibilities
across Europe, including those relating to personal data,
privacy, and consent, up to speed for the internet-related
era. Basically, nearly every aspect of our lives revolves
around the data. From social media platforms to banks,
retailers, and governments-almost every service we use
includes our personal data collection and analysis. Your
name, address, credit card number, and more all that
organization's capture, evaluate, and, perhaps most
importantly, store.
What is GDPR Compliance?
Inevitably, data breaches occur. Information gets lost,
stolen, or otherwise released into the hands of people
who were never supposed to see it-and sometimes those
people have malicious intent. Under the terms of the
GDPR, not only do organizations have to ensure that
personal data is obtained lawfully and under strict
conditions, but those who collect and handle it have a
responsibility to protect it from misuse and abuse and to
respect data owners' rights - or face penalties for failing
to do so.
Who is eligible for GDPR?
GDPR applies to any organization that operates within
the EU and to any organization outside the EU that offers
goods or services to EU customers or businesses. In the
end, this means that nearly every major corporation in
the world needs a compliance strategy with GDPR.
The law refers to two separate types of
data-handlers: 'processors' and 'controllers.' A
controller is an "individual, public authority,
agency or other body that decides the
purposes and means of personal
processing data, alone or in
combination with others." At the same time, the processor
is a "person, public authority, agency or other body that
processes personal data on behalf of the controller'. In
the end, GDPR imposes legal requirements on a provider
to maintain personal data records and how they are
handled, offering a much higher degree of legal
responsibility in the case that the company is violated.
Controllers are also required to ensure that all processor
contracts adhere to GDPR.
Under the GDPR, what are personal data?
Under existing legislation, the forms of data considered
personal include name, address, and photos. GDPR
expands the concept of personal data, such that
personal data can be anything like an IP address. It also
involves confidential personal data, such as genetic data,
and biometric data that could be analyzed to identify an
individual in a specific manner.
When did the GDPR come into effect?
After four years of preparation and debate, the European
Parliament approved the GDPR in April 2016, and the official
texts and regulations of the Directive were published in all
of the EU's official languages in May 2016. On 25 May 2018,
the law came into effect in the European Union.
What does GDPR mean for businesses?
GDPR defines one continent-wide legislation and a
standard set of rules for companies in the EU Member
States. This means that the law extends beyond the
boundaries of Europe itself, as foreign organizations
located outside the country will still need to comply with
'European soil' activity. One of the hopes is that it will
offer benefits to companies by slim-lining data
regulations with GDPR. The European Commission says
that it would make operating within the country easier
and cheaper for companies by providing a single
supervisory authority for the whole of the EU.
The regulation ensures that data security protections are
developed from the earliest stage of growth into products
and services, offering 'data security by design' in emerging
goods and technologies. Organizations are also
encouraged to adopt techniques such as
'pseudonymization' to benefit from the collection and
analysis of personal data, while at the same time protecting
the privacy of their customers.
What does GDPR mean for consumers/citizens?
Because of the sheer number of data breaches and
“
attacks that occur, the unfortunate truth for many is that
some of their data-whether it's an email address,
password, social security number, or sensitive health
The primary aim of the GDPR is to give
individuals control over their personal
data and to simplify the regulatory
environment for international business
by unifying the regulation within the
European Union.
information-has been leaked on the internet.
One of the significant improvements that GDPR brings is
allowing users the right to learn when their data was
compromised. Organizations are expected to inform the
relevant national bodies as soon as possible to ensure
that EU people can take adequate steps to avoid misuse
of their data. Consumers are often given better access to
their own personal data in terms of how it is handled, with
organizations expected to explain how they explicitly and
reasonably use consumer information.
Some companies have already worked to ensure that it is
the case, even if it is as simple as sending emails to
consumers with information on how their data is used and
providing them with an opt-out if they do not want to be
part of it. Many companies have asked clients, such as
those in the retail and marketing industries, to ask if
they're going to be part of their database.
In these cases, the consumer should have a simple way
to opt-out of being on a mailing list from their details.
Meanwhile, some other sectors have been warned they
have much more to do to ensure compliance with
GDPR-especially when consent is involved. GDPR also
provides a clarified 'right to be forgotten' process,
which offers exclusive rights and freedoms to
individuals who no longer wish to have their personal
data processed to have it erased so that there is no
reason to keep them. Organizations must be mindful of
these consumer rights.
June 2020 41
June 2020 42
June 2020 43
 preserving data ecosystems

June 2020 44