If you have customers anywhere in the world, you can have customers everywhere in the world. It doesn’t matter whether you are running your own small business in your garage or working for a multi-national corporation. There is always room to expand somewhere around the globe, provided that you can comply with local rules and regulations. But given the complexity of all the rules, as well as the penalties for breaking them, it can be an overwhelming problem to contemplate. After all, for your business to be successful, your attention should be focused on your business, not on the ever-changing world of international trade policies.
If you are already operating in the European Union (EU), or if you want to move into that market, you need to understand the EU’s General Data Protection Regulation (GDPR). It will offer great benefits to your organization and your customers, but the tasks involved may seem overwhelming initially. But stick with me, and together we will sort out what it means, and what Kensington offers to make it easier for you to comply.
First, let’s break it down to the basics.
What is GDPR?
To put it simply, the GDPR requires organizations to apply sound security practices to electronic and paper-based data, and in the case of a data breach, to notify affected or potentially affected individuals.
When do I need to worry about this?
The regulations take effect in May 2018, so you need to start thinking about this now.
Does It Matter Where I Am Located?
The rules apply to every organization anywhere in the world that controls or processes personally identifiable data about people in Europe, no matter where the organization is physically located, and regardless of whether the person the data relates to is an EU citizen.
Why Should I Review My Physical Security Policies?
The physical security of IT hardware is a key factor in protecting data from hacking and malware because 39% of data breaches are caused by a lost or stolen device.
How Can Kensington Help Me?
Kensington is the trusted industry leader in security solutions, offering a complete range of security products to ensure that you comply with GDPR, protect the sensitive data that you control, and avoid EU-mandated fines.
The GDPR is part of the European Commission’s plan to modernize and standardize data protection rules. It includes extension and clarification of the rights under the Data Protection Act (DPA).
The focus of the DPA and GDPR is on preventing and combating security breaches, hacking, and other unlawful practices. They seek to guarantee individuals’ privacy rights, including, but not limited to:
- Transparency—the right to be provided with clear information about how your organization processes personal information.
- Consent—the right to control how your organization uses personal information.
- Security—the right to have information about how your organization adequately protects personal information.
- Collection and purpose limitation—the right to expect that your organization minimize the collection and use of information.
- Breach notification—the right to be informed in the case of a data breach.
GDPR expands existing rights under the DPA and enforces new ones. Some notable changes include:
- Data portability and the right to be forgotten
  - Individuals have the right to transport their personal data from one organization to another.
  - Personal data must be provided to an individual in a structured and machine-readable format.
  - An individual can request the deletion or removal of personal data.
- An organization does not need to inform local authorities that personal data is being processed.
- Your organization must maintain a record of processing activities under its responsibility.
- Data protection impact assessments (DPIAs) and security
  - DPIAs are a way to identify high risks to the privacy rights of individuals.
  - Security requirements and recommendations should be based on a risk assessment.
- Data breach notification
  - Any data breach should be reported to the supervisory authority.
  - Individuals affected by the breach should also be informed.
- Data governance and accountability
  - Your organization must be able to demonstrate compliance with GDPR.
How Could GDPR Cause Problems for Me?
If you do not comply with GDPR, your organization can be fined up to 20 million euros or 4% of your global revenue, whichever is greater.
In addition, any data subject has the right to sue you in a court of law.
There will also be damage to your organization’s reputation in the marketplace and professional standing if you do not protect personal data, or are perceived not to be protecting data appropriately.
Why is the Physical Security of Devices So Important?
Physical loss of portable devices is one of the biggest sources of data breaches.
Every day, on average over 5 million data records are lost or stolen, with more than a third of businesses not having a physical security policy in place to protect laptops, mobile devices and other electronic assets.
Of 697 data security incidents recorded between April and June 2017 by the UK’s data protection regulator, the Information Commissioner’s Office (ICO), 6% were due to the theft of an unencrypted device, with data being left in an insecure location or the theft of the only copy of encrypted data accounting for an additional 3.5%.
In the financial sector, lost or stolen devices account for 25% of breaches and are the most frequent cause of data leakage; these devices are especially tempting targets because of the volume of sensitive data stored and used on them.
Within healthcare, physical theft or loss is the biggest cause of security incidents, accounting for 32% of over 100,000 incidents surveyed in 82 countries.
Overall, 39% of data breaches are caused by a lost or stolen device, and well-implemented security policies are shown to reduce laptop theft by 85%.
Portable devices are at risk even when you or your employees are working in a secure office location. 58% of laptops are stolen from the office and 85% of IT managers suspect internal theft. Data is at risk as soon as the laptop has been taken, especially as only 3% are ever recovered.
What Should I Do To Protect My Organization?
GDPR applies to personal data and a sub-category of personal data called sensitive personal data that is handled in both electronic and physical formats. Your organization needs to devise and adhere to security policies that protect personal data and be able to demonstrate your compliance with all aspects of the regulations.
Your policies need to address who in your organization is authorized to access information about your customers, how it is accessed, and the hardware and software technology used to access and protect it.
The physical security of the devices used by your organization is a key component of any comprehensive data protection plan.
Solutions Kensington Offers to Prevent and Solve Physical Security Problems
Kensington is the trusted leader in physical security for IT hardware around the globe. We offer an integrated suite of products that protect computers and portable devices from theft and other physical breaches that could compromise personal data.
Locks and Cables for Portable Devices
Laptop locks protect portable devices in your organization from theft and save you the time and cost associated with tracking the offender and replacing the laptop. Laptop locks are primarily designed to protect against opportunistic theft, but they are also very effective at preventing theft more generally. IDC reported that, of IT managers who have suffered laptop theft, 52% state that the thefts would have been prevented by a lock.
Kensington offers a full range of solutions for devices with standard laptop security slots, as well as for slim tablets and other peripherals without a security slot. To back up the security of our locks, Kensington cables are cut resistant.
We are the world’s top seller of laptop locks with over 25 million locks sold around the globe. The locking cables are unobtrusive and easy to attach and use, to ensure that users in your organization can easily lock their device every time they need to. For convenience and to fit the security needs of all organizations, Kensington offers keyless combination locks as well as keyed solutions with individual and master key options.
USB Port Blockers
The ports on your device are physical gateways that someone with opportunity and malicious intent—for instance in your office after hours or in a crowded tradeshow clustered around the charging station—could use to access your computer directly to copy secure data or upload malware. The Kensington USB Port Lock with Blockers is simple to use, and prevents anyone from connecting to the USB port on your device.
VeriMark FingerPrint Key
The VeriMark FingerPrint Key is a portable pocket-sized device that uses your unique individual fingerprint to authenticate your identity and to store your passwords.
The VeriMark Fingerprint Security Key is the world’s first fingerprint security key that supports Windows Hello and Fast Identity Online (FIDO) Universal 2nd Factor (U2F) authentication, protecting against unauthorized access on compromised devices. It also offers unprecedented cyber-security for today’s trusted cloud-based service and software providers, including Google, Dropbox, GitHub, and Facebook.
The Password Management feature of the VeriMark Fingerprint Security Key lets you use your fingerprint to authenticate and automatically fill in usernames and passwords for websites using popular industry-leading tools like Dashlane, LastPass (Premium), Keeper (Premium), and Roboform.
Without your fingerprint, a thief cannot access your device or the secure systems to which you have access.
Privacy Screens
Any time a piece of personal data is visible on a screen, even for an instant, it is vulnerable. A person sitting next to you on a plane or across from you in a data center should never be able to glance over and see secure personal data. To protect against this threat, Kensington offers Privacy Screens custom designed for a variety of devices. The screens are easy to install and limit the field of vision on the screen so that only an authorized viewer looking straight at the screen will be able to see the information being displayed. Anyone else glancing from the side will just see a black screen.
Locking Cabinets
Every portable device in your organization is at risk, even if it never leaves your office. With a Kensington locking cabinet, you can control who has access to which devices and when they have access. As part of your security policies, you can have an easy way to make sure every device—and the information on it—is safe when it is not being used.
How Should I Get Started Complying with GDPR?
You need to review your current policies and procedures used to protect secure data, and where necessary, come up with new ones that comply with GDPR before May 2018. It is up to your organization to ensure that any of your existing systems that do not fully support the regulations are either improved or replaced. A key component of any complete security solution is making sure that devices and the secure data on them are protected from physical attack and loss.
- Kensington Security Survey, August 2016 & Ponemon Institute Cost of Data Breach Study, 2016
- 2016 Data Breaches, Privacy Rights Clearinghouse
- Breach Level Index, September 2017
- Kensington IT Security & Laptop Theft Survey, August 2016
- Information Commissioner’s Office, https://ico.org.uk/action-weve-taken/data-security-incident-trends
- Financial Services Breach Report, Bitglass, 2016
- Verizon Data Breach Investigations Report 2016
- IDC Executive Brief 2010, Laptop Theft: The Internal and External Threat
- IDC White Paper 2007, The Threat of Theft and Loss of Laptops for the SME