[MUSIC PLAYING] Hello and welcome to CBR TV. My name is Jon Bernstein. I'm joined today by Colin Truran. Colin is principal technology strategist at Quest. Colin, we're going to talk about GDPR today, the General Data Protection Regulation coming to us very soon, some of the myths and the confusion surrounding it. So let's start with what might be a deceptively simple question for the viewers out there. How do they know whether they need to comply to GDPR?
Well, it's easy for the data controller. They know that they own the data. The responsibility lies with them for that. However, it's the question of are you a data processor that is more of a quandary for organizations. So are they actually participating in the life cycle of the data, do they have any responsibility during the journey of that data? If they do then they're a data processor.
And when considering personal data, is GDPR the only piece of regulation that they need to consider?
Absolutely not. GDPR is the baseline. It's what everyone should adhere to as a minimum. But you've got to take into account all of the legislation for all of the countries that that data resides in and passes through, so no, it's not the only one.
And then considering potential solutions, what technologies should people consider?
I hear a lot of two typical technologies that I mentioned, which are encryption, and also personally identifiable data discovery. Two great technologies, really important you don't just rely on those as your only form of bolstering your position. You need to make sure that you have other technologies there and other processes in place. For example, if you rely only on encryption, this only works when the account isn't compromised. Since the account is compromised, you've lost the benefit of the encryption.
So useful technologies, but technologies with limitations.
OK. And then thinking about other tools, other primary tools that people can apply when addressing GDPR. What are those?
Well, it's really important to keep your finger on the pulse. Know what is going on within your organization with regards to the security. How they've gained security, how they're using security, what people are accessing. So you need to be able to respond quickly, so you need to understand what's going on and take appropriate measures.
And to return to some of the areas of confusion around GDPR, is it really the case that organizations only have 72 hours to report a breach?
Not at all. This is often a number quoted to scare organizations. You only have to notify the Data Protection Authority of a breach within 72 hours if it poses a significant risk to the rights and freedoms of a data subject, an individual.
OK, final and related question. You receive, as an organization, you receive personal data in error. Are you obliged to report that data breach?
This is quite an interesting conversation to have, because in essence, you didn't request that information, but suddenly you've become either a data processor or a data owner, a data controller, and therefore you have responsibilities for that data moving on. You can't just take action on that data to remove it. So you do need to notify the organization and the authority that you've received this information in error.
Colin Truran, thank you very much.