What Terms You Need to Know to Get Your Business GDPR-Ready

 

What Is EU GDPR? 

The EU GDPR is a law designed to protect and empower residents of the EU by guiding business usage of personal data. In essence, it is reshaping the way corporations handle personal data by controlling its collection, use, and storage. It will replace the regulations and frameworks of the existing 20-year-old directive (95/46/EC).

 

Who Is the GDPR Protecting and Empowering? 

The data subject: This is any individual that can be directly or indirectly identified or uniquely singled out in a group of individuals, from any stored data.

 

What Is the GDPR Protecting? 

Personal data: This is any information relating to an individual, whether in reference to their private, professional, or public life. It includes things like names, photos, email addresses, location data, online identifiers, a person’s bank details, posts on social networking websites, medical information, work performance details, subscriptions, purchases, tax numbers, education or competencies, locations, usernames and passwords, hobbies, habits, lifestyles, or a person’s computer’s IP address.

 

Who Is the GDPR Regulating? 

The data controller: This is the person who, alone or jointly with others, determines the purposes for, and means of, processing personal data. A data controller is not responsible for the act of processing (this falls to the data processor); they can be defined as the entity that determines motivation, condition, and means of processing.

Generally, the role of the controller is derived from the organization’s functional relation with the individual. That is, a business is the controller for the customer data it processes in relation to its sales, and an employer is the controller for the employee data they process in connection with the employment relationship.

 

Who Else Is the GDPR Regulating? 

Data processors: This is the person who processes personal data on behalf of the controller. Typical processors are IT service providers (including hosting providers) and payroll administrators. The processor is required to process the personal data in accordance with the controller’s instructions and take adequate measures to protect the personal data. The GDPR does not allow data processors to use the personal data for other purposes beyond providing the services requested by the controller.

 

What Does the GDPR Consider “Processing?” 

Processing refers to any operation or set of operations performed upon personal data, whether or not by automatic means—such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. Processing must be fair and lawful, and the GDPR significantly strengthens the transparency requirements around it. The processor may not use the personal data for their own purposes.

 

What Rights Do the Data Subjects Have? 

Under the GDPR, data subjects can request the following:

  • To be informed about the data processing
  • To consent to the processing of their personal data (opt in) or object to the processing of their personal data (opt out)
  • To obtain their personal data in a structured and commonly used format in order to transfer that data, in certain circumstances, to another controller (data portability)
  • To not be subject to fully automated data processing or profiling
  • To know what data is processed (right of access)
  • To correct where any data is incorrect
  • To have data erased under certain circumstances, for example, where the retention period has lapsed or where consent for the processing has been withdrawn (referred to commonly as the “right to be forgotten”) and to register a complaint with the supervisory authority

 

Other Key Elements to Consider in Preparing for GDPR

We’re not done yet. There are four more important elements to consider with GDPR as you become ready.

 

1) Data Breach Notification

For controllers, GDPR requires that breach notice must be provided, where feasible, within 72 hours of becoming aware of a breach; processors need to provide notice to controllers without undue delay. Any data breaches must be documented.

2) Data Minimization

This requires the level and type of data being processed to be limited to the minimum amount of data necessary. You must ensure that the purpose for which the data subject agreed to processing and the purpose for which the data was actually collected are materially similar. Processors should ensure that individuals’ privacy is considered at the outset of each new processing activity, product, service, or application, and that only the minimum amount of data is processed for the specific purpose for which it was collected.

3) Data Pseudonymization

The GDPR defines pseudonymization as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” To pseudonymize data, the “additional information” must be “kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person.” In other words, it is a strategy designed to enhance protection and privacy for applicable identifying data.

Although similar, anonymization and pseudonymization are two distinct techniques that permit data controllers and processors to use de-identified data. The difference between the two techniques rests on whether the data can be re-identified.
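To make the distinction concrete, here is an added example (not from the original article) showing the two techniques on a constructed customer record: pseudonymization replaces the direct identifiers with a keyed token and keeps the key and the token-to-identity table as the “additional information” that must be stored separately, so re-identification is possible only for whoever holds that separate material; anonymization drops the identifiers and generalizes the postcode with no table kept, so the record cannot be re-identified. The key value and the sample records are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "postcode": "SW1A 1AA", "purchase": "printer"},
    {"name": "Bob Example", "email": "bob@example.com",
     "postcode": "EC1A 1BB", "purchase": "toner"},
]

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(records, key):
    """Replace direct identifiers with an HMAC-derived token.

    Returns (pseudonymized dataset, lookup table). The key and the lookup
    table are the GDPR's "additional information": store them separately
    from the dataset, under their own access controls. The same email
    always yields the same token under one key, so records can still be
    linked per subject, but without the key or table a token cannot be
    attributed to a person.
    """
    pseudo, lookup = [], {}
    for rec in records:
        ident = rec["email"].strip().lower()
        token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_token"] = token
        pseudo.append(out)
    return pseudo, lookup


def reidentify(pseudo_record, lookup):
    """Re-identification is only possible with the separately held table."""
    return lookup.get(pseudo_record["subject_token"])


def anonymize(records):
    """Drop direct identifiers and generalize the postcode to its area.

    No key and no table are retained, so there is no path back to the
    individual; this is the anonymized counterpart of the record above.
    """
    return [{"postcode_area": r["postcode"].split()[0],
             "purchase": r["purchase"]} for r in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate and store this separately
    pseudo, lookup = pseudonymize(RECORDS, key)
    print("pseudonymized:", pseudo)
    print("re-identified:", reidentify(pseudo[0], lookup))
    print("anonymized:", anonymize(RECORDS))
```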

4) Fair Processing of Personal Data

This requires the processing of personal data to be fair and lawful. Generally, the level and type of data collected should be limited to the minimum amount of data necessary (see data minimization above). There are a number of legal bases on which the data may be processed, including: express consent (which may be withdrawn at any time), legitimate interest (the legitimacy of which may be challenged by the data subject), honoring obligations under the agreement with the data subject, or any other legal basis that may apply.

 

What We Can Do to Help

We know this information can be overwhelming, but taking the proper steps now will save you headaches later. SolarWinds provides products that can help you with getting ready. Our Risk Intelligence software is one of them, providing you with hard data on:

  • A business’ quantified financial risk
  • Personally identifiable information (PII)
  • Protected health information
  • Payment information located in storage
  • Access permissions for sensitive data

Search your ‘data at rest’ for risk areas and start the data mapping you need to get ready for GDPR.

The 10 most important lessons IT learned in 2015

Every year brings with it new challenges, and new lessons, for IT in the enterprise. Here are 10 of the lessons IT learned this past year.

The end of a year is always a good time for reflection, especially so if you’re evaluating what your business did right and what you can improve upon. In an increasingly digital world, IT has quickly become one of, if not the most, important aspects of an organization. So, it should be with great care that executives and admins look back on their year and try to glean some wisdom about what can be done differently in the year to come.

Here are 10 of the most important lessons that IT learned in 2015.

1. BYOX is here to stay

As smartphone use grew to near ubiquity in the enterprise, it brought with it the trend of BYOD, or bring your own device. While that originally referred to mobile devices such as smartphones and tablets, it spawned a host of “bring your own” everything else.

“BYOX is the new mantra with consumers bringing their own applications, cloud sharing tools, social media into the enterprise; essentially bringing their own expectations of which technology they want to use and how and where they want to work in a corporate environment,” said Chuck Pol, president of Vodafone Americas.

2. DevOps is no longer just a buzzword

The term “DevOps” gained huge popularity in 2015 as a reference to an agile method that stresses the collaboration of development and operations. The goal is to connect the writers of the code with those who maintain the systems that run it. However, DevOps continues to evolve and, although it has its own set of challenges, it could be poised to become the method of choice for enterprise IT starting in 2016.

3. Data is currency

Data, especially as it relates to big data, has been steadily growing in value, but 2015 felt like a tipping point. Tools for both structured and unstructured data exploded in popularity and major data service providers went public, adding credibility to the field and likely creating a better inroad into the enterprise. Also, businesses got better at distinguishing between relevant and irrelevant data.

“It is no longer credible to look at data as big static objects in a deep lake, but rather be considered a set of fast moving assets in a raging river,” said Neil Jarvis, CIO of Fujitsu America. “In 2016 and beyond, companies need to look at the data that creates business-relevant information for today and tomorrow.”

4. Finding talent is problematic

Talent shortages don’t just affect startups on the West Coast. CompTIA CIO Randy Gross said that current estimates suggest there are more than one million IT job openings across the US alone, ranging across skill levels from support specialists to network admins. Enterprises are going to have to work harder to attract and retain talent.

“Wise employers with IT jobs to fill have engaged in a self-examination of the tactics and strategies they’re using to attract new talent—and adjusting accordingly,” Gross said. “For some companies, new telecommuting and remote work options have helped them fill their talent gaps.”

5. SMAC is still relevant

The SMAC stack, which stands for social, mobile, analytics, and cloud, is also known by some as the “third platform.” As all of these individual components continue to grow and thrive in the workplace, their interdependencies will grow along with them.

“Senior management must become well versed about these technologies and their possibilities to create new value and new competitive advantages in their own business and markets,” Pol said.

6. Cloud lost its fear factor

Cloud acceptance was a mixed bag for a long time, but 2015 brought a more widespread embrace of cloud technologies and services in the enterprise. In fact, some trends are making it almost a necessity.

“The complete adoption of virtualization, as well as investigation into cloud and other strategies, is far more advanced than expected—particularly amongst SMBs,” said Patrick Hubbard, technical product marketing director at SolarWinds. “Making operating systems and applications truly mobile is redefining how companies think about their IT infrastructure.”

7. The security mindset is changing

Anthem BlueCross BlueShield and Harvard University were among the major organizations that dealt with a public security breach in 2015. With today’s social media, you can almost guarantee any data breach that occurs in the enterprise won’t stay a secret. And, with the risk of a breach high, Intel Security CTO Steve Grobman said that teams must adopt a new way of thinking.

“IT must embrace the mindset that they have already been breached, now how do you protect your environment with this new default outlook?” Grobman said.

8. Shadow IT is a line item

Shadow IT carries nowhere near the same amount of scorn it once did in the enterprise. Some organizations are even openly embracing it, and making it a foundational part of their IT strategy. And, as shadow IT continues to grow, Pol said, it needs to be properly accounted for in the budget.

“As technology continues to transform business, IT infrastructure will become more complex and more difficult to have a complete view of technology across the business,” Pol said. “The role of IT will need to become more strategic and set clear lines of accountability between IT and line of business budget holders.”

9. Employees are the biggest security risk

When most people think about security risks to their organization, the image that comes to mind is the hooded hacker furiously typing away in a dark room. However, employees themselves pose a real threat to the security of an organization as well. Issues such as poor password practices and using unsecured networks with company devices are a real problem. Kelly Ricker, senior vice president of events and education at CompTIA, said mobile, while helping with agility and productivity, is a cybersecurity nightmare.

“Every device that employees use to conduct business—smartphones and smartwatches, tablets and laptops—is a potential security vulnerability,” Ricker said. “Companies that fail to acknowledge and address this fact face the very real risk of becoming a victim of cyber criminals and hackers.”

10. Commoditization is a threat

With the plethora of tools available to build and replicate popular tech, it is increasingly important for organizations to guard against the threat of commoditization.

“As development cycles become shorter and the potential for intellectual property to be recreated and copied increases, it is becoming more difficult to create a sustainable competitive advantage for your products and services,” Pol said.

Have questions?

Get help from IT Experts/Microsoft’s Cloud Solutions Partner
Call us at: 856-745-9990 or visit: https://techies.net/

South Jersey Techies, LLC is a full Managed Web and Technology Services Company providing IT Services, Website Design Services, Server Support, Network Consulting, Internet Phones, Cloud Solutions Provider and much more. Contact for More Information.

BYOD and the danger of litigation

BYOD means you must make a few extra preparations to protect your organization in cases of litigation and eDiscovery.

BYOD devices

It’s a fact that we live in a litigious world. Bring Your Own Device (BYOD) and even corporate-owned mobile devices are often caught up in legal cases. Chris Gallagher, national director for Adecco eQ, a nationwide eDiscovery firm, gives an overview of how businesses can navigate eDiscovery when a business has BYOD devices seized as part of a court case.

eDiscovery and mobile devices

BYOD and corporate-owned devices can be put on a litigation hold (sometimes called a “preservation order”) when an organization must preserve all forms of relevant information in anticipation of litigation.

Gallagher’s firm helps legal counsel with forensic data collection and acquisition on mobile devices and PCs. His company processes the data on these devices and uses advanced analytics to locate information pertinent to the litigation.

eDiscovery and BYOD: The blurred line

BYOD is still, from a legal perspective, in its infancy, Gallagher said. He said every time his firm does a customer survey, they still hear about strong BYOD activity in the market.

He said, “Of course, from a discovery perspective, from a litigation hold perspective, it makes both the general counsel’s life that much more difficult as well as the law firm’s life more difficult because number one, there’s that blurred line, what is corporate data versus what is personal and individual data, where does that line cease?”

Gallagher points out that anytime you have devices entering and leaving a network there’s a control factor. Companies who master that control have a better (but still not perfect) time when they get called into discovery.

“When you have a device that is not a corporate-owned device that is accessing corporate information, the ownership of that information always comes into question,” Gallagher said.

“When dealing with eDiscovery, part of discovery requests are information that is under your direction and control,” he said. “It’s on a personal device, it’s not owned by the corporation, but it’s corporate-owned data, so is that under your control? Absolutely.”

Litigation holds on BYOD devices can be an added nuance and one more gray area that corporations have to deal with when it comes to BYOD in their enterprise.

Gallagher said you need to ask, “How do you get that data back? How do you ensure that you’re not losing, not only from a litigation perspective, but the other major issue is corporate information, trademark secrets, corporate secrets, confidential information that you wouldn’t want to enhance?”

He further explained that a litigation hold over a BYOD device means going beyond the normal things like a desk drawer, files, email, and shared devices. It means you have to ask, “Okay, what else have you used to access the corporate network in the last year?”

Wearables and eDiscovery

Wearable tech would have minimal impact on eDiscovery. Gallagher said, “Now, if you’re a corporate attorney, if you’re a defense counsel, one of the things you’re going to argue is ‘Well, the watch, everything that’s available on the watch, it’s just email, weather, that’s available on the server anyway, so you have another place to get it.’”

The wearable is a highly discoverable type of device because most of that information is just replicating from somewhere else, Gallagher said. Usually, you are replicating wearable data from your phone, so if you have the phone then everything’s replicated.

“For smaller cases, for cases at a location, for criminal cases, or matrimonial cases, where location is important, wearables could come into play,” he said.

Onboarding BYOD devices and eDiscovery

Much of what Gallagher said around BYOD policies is standard fare. I asked Gallagher how a company could protect itself in the case of salespeople (the “original BYOD” users), their contracts, and non-compete agreements. Competitors in highly competitive industries sue each other over this kind of stuff all the time.

Career salespeople have their contacts (built from years of selling in an industry) that they keep on their phones. They may have sold to these customers over the years.

From a legal perspective in this scenario, Gallagher recommends that corporations have an addendum added to their standard employment agreement. The addendum should state, “I certify that I am not bringing anything from my former employer. We are hiring you for your knowledge of the industry in general and not any specific contacts that you may or may not have from former employers.”

Gallagher said this sort of contract boilerplate puts the responsibility on their shoulders and makes clear that you aren’t hiring them for a particular contact.

He also advised that you want to make sure that they abide by their previous non-compete, and you don’t want them downloading or taking anything with them from their previous employer. Gallagher cautioned that you should not place any data from their previous employer on your corporate-owned systems. Take, for example, syncing a personally owned smartphone to a corporate-owned laptop: along with that sync can come corporate data from your competitor, and eDiscovery can detect that data.

He further recommends that you have that new sales rep come to you with a clean slate of a cell phone.

Bringing contacts along on a personal device has become much easier, legally speaking, according to Gallagher. He said, “One of the recent things that’s come out of court cases is if you look at LinkedIn profiles, if you look at customer information but the sales rep proved that most of the information that he had from his ‘client’ was available publicly on their LinkedIn profiles.”

According to Gallagher, you don’t want them backing up their tablet to their new computer: that could result in a breach of their non-compete, and now the data is backed up on your servers.

Conclusion

Above and beyond the usual BYOD challenges that enterprises face each day, you may also be navigating a blurred legal line, so prepare yourself accordingly with BYOD policies and advice from your counsel to ensure that you are ready if and when BYOD devices get put on a litigation hold.
