GDPR

Every day is Data Protection Day

Tuesday, February 5th, 2019

In South Africa, we’re a bit late to the Data Privacy Day party. In Europe, it’s been around since 2007, while the United States joined in 2009.

“What day?” we hear you ask. According to Wikipedia “Data Privacy Day (known in Europe as Data Protection Day) is an international holiday that occurs every 28 January. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. It is currently observed in the United States, Canada, Israel and 47 European countries.”

Even though Data Privacy Day has been around for more than ten years, awareness of data protection has become more critical over the past year or two. The reason is two-fold. Firstly, there has been a surge in data breach incidents across the world, whether it’s Facebook or, more recently, Google, which was fined £44 million in France for alleged GDPR breaches. That brings us to the second reason: the implementation of GDPR last year. Until then, there was little to force companies to protect users’ data. GDPR and POPIA changed this. Now companies are held accountable and can be heavily fined for compromising their clients’ personal information.

Why is data so important, though? According to Mark Barrenechea, CEO at OpenText, “[e]very day we are building, brick by brick and bit by bit, a digital copy of ourselves, whether we are aware of it or not.” A bigger digital footprint makes it easier to find information about you, whether it’s personal information such as usernames and passwords, your physical location or your interests or hobbies. Algorithms can track your actions and anticipate your behaviour. Every little piece of information adds up to a bigger picture and can be used to your disadvantage. 

Sharing data is progressively becoming easier, which makes it critical that you take responsibility for protecting your own data. We can no longer depend on companies or social networks to keep our digital identity safe. This we’ve clearly seen over the past year with multiple data breaches – many including large companies such as Facebook and Google. 

Data Privacy Day is just one day in the year to make data owners (that’s anyone using a digital platform) aware of the importance of protecting our data. However, we should be aware of the risks every day. How can you protect your data? You already know; you just need to start or continue doing it. www.digitalguardian has an extensive guide for protecting your data, but here are 10 basic tips:

  1. Use encrypted networks when you’re accessing important information. Even though open and free Wi-Fi is tempting, it comes at a risk: anyone on the same network can read traffic that isn’t encrypted. If you’re browsing websites that are not served over HTTPS, know that whatever you send and receive can be seen, and even altered, by someone else on that network.
  2. Choose strong passwords. Don’t know how? Here are some tips. The general trend is to add two-factor authentication on top of the password. More tech experts are recommending a password manager, as it lets you use a long, unique password for every site without having to remember any of them.
  3. Protect your passwords. Don’t write them down. Don’t share them. Don’t reuse the same password across your social networks or websites: one breached site then exposes all the others.
  4. Update your software when it prompts you to. Don’t ignore it because you don’t have time; it might be an important security update.
  5. Update your anti-virus software regularly. New variants of viruses, malware, etc. are released on a daily basis. If you don’t update, you’ll be an easy target. Also consider anti-virus for your mobile devices; they hold just as much sensitive data and are more easily lost or stolen.
  6. Check and configure the privacy settings on your phone. Consider carefully which apps you allow to use certain services on your phone, such as your location, contacts, camera and microphone.
  7. Lock your smartphone and tablet when you are not using them. Mobile devices are used to access social media, banking services and various other apps, all of which can be abused if someone gains access to the device.
  8. Enable remote location and device wiping. If your mobile device is stolen, you can at least locate it or wipe it so that whoever has it cannot access your information. Note that a remote wipe only takes effect once the device comes online, so keep device encryption and a screen lock enabled as well.
  9. Delete your data from old devices, for example smartphones, before you sell, discard or pass them on to someone else.
  10. And lastly, back up your data on a regular basis. At least you’ll still have access to it even if you lose your device.

Data means power and unless you want to lose that power, you need to protect it.

[SOURCES: https://www.forbes.com, https://www.techradar.com]

GDPR: Protecting your data

Tuesday, July 31st, 2018

Data protection law has changed: the European Union’s General Data Protection Regulation (GDPR) came into effect on 25 May 2018, and it also applies to organisations outside the EU that process the personal data of people in the EU. There is a great deal of information on GDPR. Unfortunately, a lot of it is legal jargon, which can be overwhelming if you are not a legal expert.

The South African equivalent of GDPR is the Protection of Personal Information Act (POPIA), which has been passed but is not yet fully in force. This article will explain GDPR, its compliance requirements and the key benefits and challenges involved in implementing it.

Quick overview

GDPR is a law that governs data usage, user privacy rights, data risk management and data security systems within private and public organisations. It has two main aims:

  1. to give individuals control over how their personal data is collected and managed; and
  2. to place new obligations on organisations to be more accountable for data protection.

Complying with GDPR is not a simple task, and neither will be complying with South Africa’s own Protection of Personal Information Act (POPIA). However, it is unavoidable and cannot be ignored. Managing data privacy is a serious issue. Until the South African Regulations are finalised and enforced, local companies are encouraged to look to the GDPR for guidance. Whilst there are some differences between POPIA and GDPR in requirements, the principles are similar.

How does an organisation comply?

  • Raise awareness

Decision makers and key people in the organisation need to be aware that the law has changed, and need to understand the impact GDPR has on how the organisation manages data.

  • Information held

An information audit, covering all personal data held by the organisation (including data held by individuals within it), has to be done. The audit will establish what information the organisation holds, where it came from and who it is shared with.

  • Communicating privacy information

Review your privacy notices and governance, identify gaps and prepare for the changes required when implementing GDPR.

  • Individual rights

Make sure procedures cover each individual’s rights, including deleting personal data on request and providing a copy of their data electronically in a commonly used, machine-readable format.

  • Subject access requests

Update data management procedures and prepare for handling access requests from individuals within the new time frame (one month under GDPR, extendable only for complex requests), and for providing the additional information the regulation requires with the response.

  • Legalities when processing personal data

Understand the different types of processing the organisation carries out, identify the lawful basis for each one and document it appropriately.

  • Consent

The way the organisation seeks, obtains and determines consent may need to be reviewed and changed.

  • Protecting children’s data

Systems that verify age and can seek parental or guardian consent for data processing activities should be designed and developed.

  • Data breaches

Procedures need to be in place to detect, investigate and report a personal data breach, both to the regulator (within 72 hours of becoming aware of the breach under GDPR) and, where the breach poses a high risk to them, to the affected individuals.

  • Data protection by design

Data protection impact assessments and control frameworks have to be developed with guidance from the regulator. Processes need to be developed, with governance covering how they are used.

  • Data Protection Officers

Data Protection Officers or a similar role should be appointed to take responsibility for data protection compliance. The organisation has to decide who fits this role best.

  • International work

If the organisation works internationally, it is important to establish which data protection authority is most appropriate and where processors and controllers are located.

Some benefits of GDPR compliance

  • Greater consumer confidence

GDPR compliance will prove to customers that your organisation is a good custodian of their data.

  • Improved data security

GDPR compliance lays the groundwork for improved data security.

  • Reduced data maintenance costs

GDPR can help your organisation cut costs by prompting you to retire any data inventory software and legacy applications which are no longer relevant to your business.

  • Increased alignment with evolving technology

GDPR compliance requires that your organisation moves toward improving its network, endpoint, and application security.

  • Better decision-making 

Thanks to the GDPR, your organisation’s data will become more consolidated, ensuring it’s easier to use and you have a greater understanding of its underlying value.

Challenges of GDPR compliance

  • Endless consent prompts for every data process can be time-consuming.
  • High cost to reach GDPR compliance (e.g. in terms of upgrading security systems).
  • More work for developers in terms of upgrading security systems.
  • Massive fines for non-compliance: up to €20 million or 4% of the organisation’s annual worldwide turnover, whichever is higher.

GDPR integration in SU IT Department

In many ways, Stellenbosch University’s Information Technology Department has been applying the principles behind data protection and security laws such as GDPR and POPIA for years.

We are constantly reminding users on our blog and social media to keep their passwords protected and not to leave their PCs unlocked and unattended. We are the first to alert users via email about phishing attacks, and we send out warnings on a regular basis. We have also moved toward cloud storage and are happy to say that Microsoft is GDPR compliant. Users have been encouraged to use OneDrive for data storage, as it is more secure than keeping files only on a local PC or removable drive.

Information security is important, and we will therefore continue to convey its importance to our users. There is also an Information Security Awareness Training Course available on SUNLearn.

In conclusion, GDPR is beneficial to South African organisations in many ways. Since South African organisations handle large amounts of sensitive data, GDPR compliance is required and may greatly reduce security threats and data loss. Although this law appears to address and manage data management issues, there is still limited information on its long-term sustainability and on awareness of it among South African users.

More detailed information on EU GDPR guidelines for South African Universities can be found in this document compiled by Universities South Africa (USAf), an association of South Africa’s public universities.

[ARTICLE BY MILLY VAN WYHE]


© 2013-2019 Disclaimer: The views and opinions expressed in this page are strictly those of the page author(s) and content contributor(s). The contents of this page have not been reviewed or approved by Stellenbosch University.