Functionality of The CEO Views | Best Online News Magazines
https://theceoviews.com/functions/
Feed last updated: Mon, 07 Nov 2022 09:31:41 +0000

RISMA Systems: A Comprehensive Approach to Governance, Risk and Compliance
https://theceoviews.com/risma-systems-a-comprehensive-approach-to-governance-risk-and-compliance/
Thu, 25 Jun 2020 21:21:17 +0000

The post RISMA Systems: A Comprehensive Approach to Governance, Risk and Compliance appeared first on The CEO Views.
RISMA Systems was founded in 2014 by Lars Nybro Munksgaard, who initially developed a system that helped accountants and lawyers with the repetitive tasks of risk management. Although RISMA Systems started as a risk management solutions provider, it is now dedicated to becoming a complete one-stop GRC platform. RISMA Systems develops groundbreaking solutions ensuring optimal resource use in organizations. Through its user-friendly online tools, RISMA helps to ensure that all levels of an organization always have access to updated and relevant information.

RISMA software has two guiding stars. The organization aims to become a full GRC platform so that customers can rely on just one solution for all GRC-related tasks. “The organization is heavily focused on usability and user-friendliness to make the platform accessible for all, not just the experts but also for every employee involved in processes around governance, risk, and compliance. The organization has a flexible solution, where it is easy to add new compliance areas as they emerge,” states Lars Nybro Munksgaard, Founder and CEO of RISMA. This was the case when GDPR and CCPA were brewing: RISMA added the new regulatory framework to the solution and then activated widgets to support it, i.e., mapping out business processes, collecting information from the business, GAP analysis, risk assessment, initiatives, and controls.

RISMA Systems is a fast-growing software company that supplies compliance tools to organizations and authorities; it is not a consultancy. So, when legislation demands specific legal or regulatory insight, RISMA partners with leading industry experts. This was also the case with GDPR, where the knowledge partner is one of the largest law firms in the Nordics. They translated the regulation into simple questions, so when ordinary users help the DPO with crucial information for the GAP analysis, they update RISMA with the critical knowledge they have about their area of the business. RISMA then converts it into insights suitable for building a complete GDPR-compliant framework, both initiating action plans to close gaps and providing an “off the shelf” controls catalog to stay compliant in the future.

RISMA recognizes the many GDPR-only solutions out there, but as the legal tech and regtech markets mature, it believes in the suite approach to GRC. For RISMA, GDPR is just another compliance area that needs intelligent software support. By combining the RISMA engine with a strong knowledge partner, the organization has a market-leading solution, and with continuous updates as GDPR evolves, RISMA makes sure to stay ahead.

When approaching businesses and organizations, RISMA sees many challenges within governance, risk, and compliance. The biggest one is not acknowledging the importance of having a professional approach to GRC, or not understanding the consequences of slacking. It is simply not on the top management radar at the same level as growth, revenue, and profits, even though GRC in many cases represents a license to operate and could pose either significant risks or competitive advantages depending on the approach.

GRC will only become increasingly important with the continued demands for data security/integrity, increasing legislation, and potential penalties.

The lack of top management involvement and support usually means that GRC is underfunded; governance and compliance teams operate as a small independent silo, and the GRC professionals are perceived as someone bothering the real business. In most companies, the approach to GRC and GDPR is a manual, hand-held process with little or no platform support. RISMA’s biggest competitors are still Word, Excel, and SharePoint combined with a lot of manual labor. It does work for some, but in the long run an organization can end up with static information, undocumented processes, and little or no ability to report to top management or authorities, with the long hours wasted being the most worrisome disadvantage.

The biggest benefit of using RISMA and a GRC platform is all the process and knowledge support provided by the platform. It covers all the needs in handling, controlling, and documenting GRC across the entire business, and an organization can have all the functionality automatically out of the box: policy and process library, information mapping tools, GAP analysis, actions and controls, dashboards and reporting.

RISMA Management Team

Once clients have system support for their GRC, there is a speedy maturity curve within the organizations. The GRC teams now spend more time on actual value-adding GRC matters rather than wasting it on copying information from emails to Excel. Top management and boards get better and more frequent reporting, which eventually educates executives on the importance of GRC, and suddenly they even know which questions to ask, which tasks to give, and which targets to set and expect. At that point, the GRC platform becomes an enabler supporting strategic business goals and eliminates a lot of risks itself, especially through much better utilization of the GRC professionals.

In terms of technological advancements, RISMA Systems has three focus areas. The first is experimenting with and applying artificial intelligence and machine learning to add even more automation and predictive modeling to GRC work. A second focus is continued flexibility, not only within RISMA and GRC but also opening the solution with smooth integrations to other relevant systems, i.e., ERP, KYC solutions, and project management. Just as GRC should not be a silo for professionals, it should not be one as a platform. So, RISMA should be part of a business software ecosystem, and through integrations and APIs the organization leverages the natural synergies to and from other systems with data, insights, triggers, alerts, tasks, etc.

A company can have the most advanced tech stack in its GRC solution, but if it does not help the GRC professionals engage the workforce with key knowledge from HR, Sales, Marketing, etc., then it is of no use. So, thirdly, RISMA is also spending a fair portion of its development effort on continuously having the most engaging front end for both expert and novice users.

In one instance, a global production company with different takes on compliance and governance was facing a challenge, as it did not have a structured framework to support all its sustainability initiatives. Over the last years, the company has become increasingly devoted to sustainability and is very committed to the UN sustainability goals as a UN Global Compact participant. So, RISMA has started a co-creation process, and it does make sense to look at sustainability from a compliance and governance perspective. RISMA is geared to help them structure all their initiatives, collect valuable information from all departments involved, and document that they stay on the track set out by the organization. Now the CEO and top management can communicate confidently both internally and externally based on actual progress in processes, initiatives, and controls.

RISMA is a Nordic-based company with offices in Denmark, Norway, and Sweden, and the organization is planning a European expansion, expecting people on the ground in key countries within the next 2-3 years. However, RISMA is a SaaS company and serves globally from its current locations. RISMA also sees increasing interest from both North and South America, mainly due to the combination of being a complete GRC platform and the user-centric approach, which may also mean a US expansion, although it has not been decided whether it will be direct or through partners.

Happiest Minds: A “Privacy by Design” approach is key to creating GDPR compliant businesses
https://theceoviews.com/happiest-minds-a-privacy-by-design-approach-is-key-to-creating-gdpr-compliant-businesses/
Thu, 25 Jun 2020 20:57:35 +0000

The post Happiest Minds: A “Privacy by Design” approach is key to creating GDPR compliant businesses appeared first on The CEO Views.
We are currently living in two different worlds – the digital world and the physical one. One day the twain shall meet but for now, the common thread between these worlds is they are both driven by data. Everything you share online, whether you are making an online purchase or simply posting a picture on social media, is processed and stored for a very long time, if not eternity.

As Pete Cashmore, the Founder of Mashable once famously said “Privacy is dead, and social media holds the smoking gun”. While it is easy to buy into this dystopian view, it is heartening to note that there have been landmark international privacy laws like GDPR and CCPA that have been passed to protect the information of consumers.

General Data Protection Regulation (GDPR) was passed by the European Union (EU) and it went into effect on May 25, 2018.

Although it was created to protect the personal data of EU citizens, it affects businesses worldwide. If you have customers in the EU or collect data from users in the EU, GDPR applies to you.

Companies that handle consumer data are entrusted with the responsibility of keeping it safe and not exploiting information they may be privy to unintentionally. This is reflected in the view taken by leaders of major companies like Facebook and Apple – Mark Zuckerberg has underlined the importance of Facebook moving focus away from what they would like to know about people to what people would like to share about themselves.

Engineering GDPR compliant businesses

GDPR regulates how companies collect, handle, and protect personal data and grants consumers more control over the personal information collected about them. However, most businesses are still in the process of engineering their systems to meet the necessary GDPR guidelines and have primarily relied on “User Consent” to achieve compliance.

A more comprehensive approach to complying with GDPR regulations in both the letter of the law as well as its spirit, would require addressing these concerns –

  • Data Lifecycle Management – Consumers have the right to know what is being done with their information and who receives it, apart from demanding that their data not be shared. Businesses must have mechanisms in place to provide consumers with visibility of their data as well as the required interfaces to request actions like erasure.
  • Breach Notification – In the event of a breach, a business must be able to understand the details and nature of the data breach and promptly notify its users about when the data was stolen, lost, destroyed, or changed.
  • Increased Record Keeping – Businesses need to create processes around handling personal information and maintaining audit trails of processing requests for all data.
  • Third Party Risk Management – While a business should start with cleaning its own house, it would also be imperative to renegotiate third-party contracts to enable compliance and management of contract

The importance of using a “Privacy by Design” approach

Given these regulations and the need to protect user data, privacy should now be a critical design component while creating a platform or a backend process flow. As a result, all businesses should adopt the “Privacy by Design” approach when creating products or building websites to keep data collection to a minimum while baking in security measures into all stages of a product’s design. The cardinal principles of “Privacy by Design” are as follows:

User-centric approach

A user-centric approach demands that you place the needs of your users foremost while designing a system. This necessitates clear consent in collecting data, specifying what the data is being collected for, minimizing the amount of data collected, and using it only for the purposes specified.

The second aspect of a user-centric approach is facilitating transparency with users in the event of a data breach, so that the potential damage emanating from it can be mitigated.

Lastly, users should always be provided with complete visibility and control over their data, so they have a view of what information is stored about them and can request edits or deletion as required.

Incorporate privacy in the requirements and design phase

As businesses launch new products and services, they need to ensure that privacy has been addressed right from the beginning instead of treating it as an after-thought. This includes clear definitions of validating the need for data, defining data workflows, parties accountable for the data, and planning for data integrity and access controls.

Proactive Safety Measures

The importance of having the right safety mechanisms cannot be overstated. Businesses constantly need to be on their toes, using algorithms to monitor and take corrective action in the event of a potential security incident that could lead to a data breach.

Leverage Technology

As the world becomes increasingly digital, there are various emerging technologies that can play a crucial role in enabling greater security. Apart from modernizing their existing systems to enable greater data security, businesses can focus on –

  1. Automating security controls for new products and applications to ensure the process of data collection and storage conforms to the right
  2. Adopting Blockchain for secure
  3. Using intelligent Bots to monitor platforms and networks and detect breach attempts and vulnerabilities.

Regulatory conformance requires expertise

As consumer privacy takes center stage and conforming to regulations becomes increasingly important, businesses do not have the luxury of hitting the pause button as they overhaul their existing systems and processes. It would involve a steep learning curve in addition to an exorbitant opportunity cost that would adversely impact most companies.

A much better approach would be to work with a partner that has deep technology expertise and a comprehensive understanding of privacy regulations. As companies continue to capture increasingly more data about their customers, it squarely becomes their prerogative to safeguard this information and utilize it appropriately. Like they say, with great power comes great responsibility – allow experts like us to shoulder some of it, so you can focus on what you do best!

Gemserv: GDPR 2020 and Beyond
https://theceoviews.com/gdpr-2020-and-beyond/
Thu, 25 Jun 2020 19:55:24 +0000

The post Gemserv: GDPR 2020 and Beyond appeared first on The CEO Views.
As a professional services business operating in a world driven by data and technology, Gemserv, like many businesses, finds itself changing its business operations dramatically due to the impact of Covid-19 and adapting its business model to the new normal. In this, we are both custodians of datasets in the industries we serve and adviser to others on how to protect and secure data across business operations.

Like other major shocks, such as other epidemics or a major war, we see existing trends speeding up once the crisis has passed, and new societal norms coming into play. Beyond basic data protection and privacy compliance, we have identified many trends that have a direct impact on privacy and data protection – topics in which Gemserv is actively engaged.

Digital services and the impact they have on individual rights have become more complex as 2020 and the years beyond prove challenging with the ‘new normal’. Forward-looking technologies may also raise societal concerns as they play an increasing role in the digital world in which people will live going forward. Privacy risks will therefore become more prominent due to the risks these technologies pose.

The Data Protection Authorities in Europe and the UK have revisited their strategies to address these complexities and will focus on high-impact areas which involve vulnerable persons such as children, the elderly and patients, complex processing of personal data, and complex operations.

In our opinion, the following are likely to be at the forefront in 2020 and beyond:

Health Initiatives Related Privacy Issues

Right to privacy and data protection are again at the centre of debates, with governments and businesses doing their best to reboot the economy by investing in innovative and ‘out of ordinary’ ways to deal with the unprecedented situation. We expect the focus to be on the transparency of the processing of health-related information and protection from unauthorised access, disproportionate data sharing, and the legal need for large-scale data collections.

We will see focus on health care information of employees, especially where employers are rushing to adopt various technologies (facial recognition camera devices, contact tracing apps at work, health and distance tracking technologies) to keep sick workers at home to ensure the safety of those present in the office. Intensified workplace surveillance could become the new normal.

We will also see challenges around the processing of non-health data, such as location tracking data for health monitoring purposes which are likely to increase the risks to privacy and security of individuals.

Artificial Intelligence and Data Ethics

Big data, automated decision-making, profiling, online behavioural tracking, surveillance and facial recognition are all hotly debated topics, even more so in the age of Covid-19. All those technologies are already largely available and in use. While the ICO and other data protection authorities across the world are shaping their codes of conduct for the use of AI, with the aim of developing monitoring systems focused on how AI systems use personal data and automated decision-making without human intervention, we feel that many organisations will need support in assessing their AI solutions and documenting a framework of obligations on how their AI models are constructed and used. An Algorithmic Impact Assessment (the data ethics counterpart of a Data Protection Impact Assessment) can also be used as an effective way to measure and mitigate risks of bias and to make sure that meaningful human intervention is implemented.

Also, advertising and direct marketing in the online environment have become increasingly complex with the use of tracking technologies where large ecosystems are involved in the resale of personal data. Many Data Protection Authorities are focused on educating the public about their privacy rights by developing guidance materials, holding workshops, and self-help tools. We raise public awareness of online privacy concerns and privacy by design through our webinars and blogs. We find that more and more people are reluctant to accept generalised online tracking to deliver targeted ads when such tracking can also be used as a weapon of political influence. Algorithms are now able to infer a large volume of characteristics with a very little amount of personal data.

Continuous scrutiny by data protection authorities, especially on large tech companies is on the agenda, and increased suspicion by the public is leading large tech companies to slowly abandon cookies. Children’s online privacy is also a common theme among Data Protection Authorities in relation to online advertising. For instance, the ICO in the UK has recently published guidance on how the GDPR applies in the context of children using digital services.

The main concern today is whether we would see an increased concentration in the AdTech industry, by destroying the real-time advertising ecosystem to the benefit of Google and Facebook with more pervasive tracking technologies, or if the whole online advertising industry will take a different direction for contextual-based advertising rather than interest-based. What is sure at the moment is that the ePrivacy Directive (transposed into PECR in the UK) does not reflect the current situation of the internet – and the new legal framework, the ePrivacy Regulation, is stalling. The evolution in this area is going to be a highly debated topic in the years to come.

Internet of Things

With the roll-out of 5G, many new real-time connected solutions will push connected devices further into the market. Healthcare, wearables, autonomous vehicles… The possibilities and their promises are fascinating. An ongoing concern about connected devices in previous years has been the security and privacy of the data, and this is only going to increase. What categories of data are these devices actually collecting? What categories of data can the manufacturer or other third parties access? Is the device truly secured?

Security by design and privacy by design are going to be scrutinised by data protection authorities, and we can expect strong enforcement in the years to come, proportionate to the sensitivity of the data involved in some connected devices.

The Future Relationship between the UK and the EU

The UK leaving the EU raises many uncertainties, and data protection is not exempt. Will data flow freely between the UK and the EU? What about the UK and the U.S.? Are we going to see more fragmentation in Europe in the interpretation of the GDPR, with an “EU GDPR” and a “UK GDPR”?

All answers to those questions are pending, and as in other industries, there is a risk of loss of momentum in the current climate. Organisations could delay their privacy programmes while waiting for more clarity on the future position of the UK in the global exchange of personal data.

In conclusion, we see the impact of Covid-19 as speeding up existing trends and creating new ones. Whilst there is uncertainty, what is certain is that GDPR is pivotal in unlocking the huge societal benefits from data and technology whilst protecting the individual’s rights.

ECCENCA: GDPR IS STILL AN UNTAMED ANIMAL
https://theceoviews.com/gdpr-is-still-an-untamed-animal/
Thu, 25 Jun 2020 19:30:47 +0000

The post ECCENCA: GDPR IS STILL AN UNTAMED ANIMAL appeared first on The CEO Views.
Enterprises often restrict their privacy management strategy to customer data only. Though it is the personal data of employees, spread across the entire company, that may be causing the real challenge. Chris Brockmann, CEO of eccenca, explains how enterprises can master this complexity problem.

When the General Data Protection Regulation (GDPR) came into effect, adhering to its rules was probably one of the most dreaded tasks for every company. Today, many initial fears seem to have proven unnecessary. Initiatives that had started with ambitious goals have lost steam. The general public has not flocked to your inquiry website. And you may not have heard much from the call center you had deployed to handle subject access requests. In fact, you already may have re-purposed staff previously dedicated to managing GDPR compliance.

At first glance, this sounds like the GDPR has become the toothless animal some of us had hoped for all along. But not so fast! During the past few months, the GDPR has surfaced at a point where most of us had not expected it: negotiations about severance payments. Of course, many organizations have employee agreements in place intended to take the sting out of data usage regulations. But laid-off employees come to court with their homework done, and done well.

How about your Employees’ Data?

There is one aspect of employee data your agreements could not fix and will never fix. It is the right to request erasure of data after termination of employment.

As we can all imagine, terminated employees are not your happy campers who are asking for their data out of curiosity. Former employees might carry vengeance and frustration. Often, they also have enough insight into your company’s internal workings with data to make your GDPR fire squad go ballistic. And the complexity of it does not stop here.

Personally identifiable data from customers and suppliers might be spread over a handful of disparate applications. But at least it can be clearly attributed to a specific subset of processes. With employee data, it is an altogether different story. Personally identifiable employee information is literally everywhere. Just remind yourself that software generally logs the names of the creator and the several editors of a data set, process or document in its metadata. There really is no escape.

Do you have scalable plans and processes in place to deliver GDPR compliant deletion and documentation that is sustainable in court? Or is it your plan to sit it out and pay the price that might add up to 4 percent of revenue? Sure, so far nobody has ever been fined that amount. But erasure management could well turn out to be the “death by a thousand needles” for any organization. After all, managing the deletion of data is a complex problem that is by no means limited to employee data.

A Graph-based Solution can help cut through the Complexity!

Let us assume you already attach broad and well-designed legal stipulations to your employment contracts. But this does not ease the pressure of being able to report on where personally identifiable data is stored and processed throughout your company. Apart from the legal strategy, you need a systematic, technology-powered approach to data governance that provides a solid footing when push comes to shove.

In a nutshell, your approach should at least include:

  • a central catalog of all systems,
  • a central catalog of all processes and their processing purposes,
  • a central catalog of the legal basis, legitimation and your retention policy,
  • an integrated index that allows you to identify personally identifiable data on the subject level as per each of the above,
  • automation of documentation and reporting on the actions you have taken,
  • an active governance and observation system that reports data once its legal retention period expires (scarcity requirement).

What sounds like squaring the circle is far from being impossible. As a software vendor that helps its customers master complexity in a fully digitalized world, eccenca is specializing in projects where data sources are abundant, black boxed and heavily siloed. We found that using knowledge graph technology provides the transparency needed to evaluate, manage, visualize and link data across a company’s disparate IT landscape. Our graph-based approach also provides the web-scale versatility and scalability to expand documentation as your challenges grow and change.

In terms of the GDPR, the knowledge graph approach gives your organization the means to establish sound documentation of personally identifiable data and puts it into context with applicable governance rules. Thus, the eccenca solution enables you to fully document, automatically validate and systematically trigger GDPR compliance processes. After all, litigations will always cost you more than the effort to employ an automated compliance management solution.

Boldon James: HOW ENTERPRISES CAN MITIGATE THE GROWING THREATS OF DATA https://theceoviews.com/how-enterprises-can-mitigate-the-growing-threats-of-data-2/?utm_source=rss&utm_medium=rss&utm_campaign=how-enterprises-can-mitigate-the-growing-threats-of-data-2 https://theceoviews.com/how-enterprises-can-mitigate-the-growing-threats-of-data-2/#respond Thu, 25 Jun 2020 19:11:14 +0000 https://theceoviews.com/?p=6542 As we fast approach the second anniversary of the implementation of GDPR, the impact it has had on businesses and driving change has been substantial. Initially, many were sceptical of the EU’s adoption of data protection change. But, driven by the need to replace previous data protection rules across Europe that were almost two decades […]

As we fast approach the second anniversary of the implementation of GDPR, the impact it has had on businesses and driving change has been substantial. Initially, many were sceptical of the EU’s adoption of data protection change. But, driven by the need to replace previous data protection rules across Europe that were almost two decades old – with some of them first being drafted in the 1990s – the new regime has sparked a data management revolution that was long overdue. In the last twenty years, we have led data-heavy lifestyles, with people routinely sharing their personal information freely online. GDPR has helped to harmonise data privacy laws across the EU, as well as providing greater protection and rights to individuals. The impact of these laws has dramatically altered how businesses and other organisations can handle the information of all those that interact with them.

DATA LOSS OCCURS WHEN DATA IS ACCIDENTALLY DELETED, SHARED OR SOMETHING CAUSES DATA TO BECOME CORRUPTED

Global Impact

Last year, the ICO’s combined fines for British Airways and Marriott International were an eye-watering £275,787,290 (€314,990,200), grabbing many headlines and highlighting to organisations that changing their business processes would be of the utmost importance. In 2020, the impact of GDPR is not only being seen in Europe, where countries such as Germany, Bulgaria, and Spain have imposed more fines than the UK. The global impact has seen the US follow suit with the California Consumer Privacy Act (CCPA) kicking into action in January, as well as countries such as Bahrain introducing its Personal Data Protection Law last year and Singapore publishing a factsheet to help businesses better understand the GDPR when applied to the Singaporean context.

Importance of Data and its Role within your Organisation

With the increasing amount of data from new and emerging technologies, ensuring that it is being controlled and shared effectively becomes even more paramount. Data loss is a serious problem for businesses of all sizes— losing files means losing time and money to restore or recover information that is essential to your business, plus being exposed to the risk of legal repercussions if the data loss infringes customers’ privacy rights. Data loss occurs when data is accidentally deleted, shared or something causes data to become corrupted. From an enterprise point of view, we are still seeing human error as a leading cause of data loss for businesses, with 50% being attributed to inadequate or poorly observed business processes.

Before any best practice solution or loss prevention strategy can be rolled out, it is important for an organisation to understand exactly what data they hold and the potential risks to its security. This means establishing the types of data that are being held, collected, stored, and where it is located. Alongside this, it is important to understand why the business has it, how sensitive it is, and who is accessing, using, or sharing it.

Privacy by Design

One of the best methodologies that an organisation can use to fulfil its compliance obligations is the Privacy by Design approach. The framework achieved international acceptance when the International Assembly of Privacy Commissioners and Data Protection Authorities unanimously passed a resolution in 2010. This approach takes privacy into account throughout the whole process, ensuring that it is incorporated into an organisation’s systems, policies, processes, and technologies. Privacy by Design needs to start with data classification. The sheer volume of unstructured data within organisations, combined with the ever-increasing technical abilities of hackers and the fallibility of employees, makes it impossible to rely on people and processes alone to ensure that sensitive data is handled appropriately. Data classification embeds a culture of compliance by involving users in identifying, managing, and controlling the regulated data they work with, while automating parts of the protection process to enforce rules and policies consistently.

Data Classification

The key with this approach is that data is classified at the source so the organisation’s rules can be applied at the outset. As mentioned before, it is important to understand what data you have, who is using it, how it is being stored, used and shared, and whether it is company-sensitive; this is key to any data protection strategy. Once you have defined what data you have, you will be able to classify and protect it.

Data classification is the categorisation of data according to its level of sensitivity or value, using labels. These are attached as visual markings and as metadata within the file. When classification is applied to the metadata, it ensures that the data can only be accessed or used in accordance with the rules that correspond to its label. Clearly you need to define your classification policy first and decide who should have access to each type of data. Once this has been done, it is simply a case of selecting an appropriate classification tool.

Best Practice in the Future

As cumulative fines across the EU reach £410,772,087 (€467,476,268), organisations need to ensure that, by using approaches such as Privacy by Design, they can mitigate the threat that unsecured data poses to the business. As we live in an evolving world, businesses cannot take a ‘tick box’, point-in-time approach. Legislation, threats, and the business itself will constantly evolve, while demands from regulators and the board for better governance will continue to intensify. Ongoing measurement of the effectiveness of security policy is the only way to check that the controls the business has put in place remain fit for purpose. The monitoring of classification activities is a powerful way of doing this and improves the chances that a breach will be quickly detected – helping the business to comply with the notification periods required by regulators, as well as to minimise damage. If there is a breach, the detailed audit information that robust classification provides will allow a business to demonstrate that the appropriate steps to protect data were taken. This is a critical aspect of complying with increasingly weighty privacy regulation and of ensuring that data continues to be an asset that powers the business, rather than a threat to its bottom line.

Alert Logic: Quick, Accurate Threat Detection is Best Defense Against GDPR Non-Compliance
https://theceoviews.com/alert-logic-quick-accurate-threat-detection-is-best-defense-against-gdpr-non-compliance/
Thu, 25 Jun 2020 18:44:35 +0000

The General Data Protection Regulation (GDPR) went into effect two years ago. The European Union established strong, common standards for data protection, and ensured that individuals retain control of their personal information. They also introduced serious consequences to enforce those standards, and companies that have failed to comply with GDPR have been hit with significant fines and penalties. This far along, it may seem like there wouldn’t be much to talk about when it comes to GDPR, but maintaining compliance is an ongoing challenge as technology evolves and the issues of data protection and personal privacy continue to be a primary concern.

GDPR—and the need to protect data and privacy in general—will be a central focus of cybersecurity efforts over the next few years, and a primary driver for security teams seeking out more robust cybersecurity solutions. Maintaining compliance with GDPR and taking every precaution to protect sensitive data builds customer confidence and loyalty.

Challenges of GDPR

There are a number of cybersecurity tools and controls that play pivotal roles in achieving and maintaining compliance with GDPR. Encryption protects data from access or compromise by unauthorized individuals. Identity and access management (IDAM) limits access to personal data. Data loss prevention (DLP) tools and policies prevent the exposure or theft of data. These cybersecurity tools contribute to limiting access and avoiding exposure or compromise of data, but the real holy grail for organizations is the ability to quickly detect when an attacker is able to get past these defenses.

GDPR requires that organizations have an incident response plan (IRP). According to GDPR requirements, “In the event of a potential data breach that involves personal information, an organization must notify the Data Protection Authority without undue delay, within 72 hours if feasible, after becoming aware of the breach; and Communicate high-risk breaches to affected data subjects without undue delay.”

Constant Vigilance is Key

The ability to quickly detect attacks that slip through is one of the most important elements of effective cybersecurity. There is no amount of investment in cybersecurity that will prevent 100% of attacks, so you need complete and continuous visibility across your IT estate to catch the attacks that preventive measures miss.

By 2024, 40% of midsize enterprises will use MDR as their only managed security service

That means around-the-clock monitoring, though, because cyber attackers don’t maintain business hours. Most attacks are conducted using automated scanning and exploits anyway, and when it’s 3 am in your area, it’s still 2 pm somewhere else. The problem is that very few organizations are capable of monitoring their network environment 24/7. The world is facing a shortage of skilled cybersecurity talent, and it is cost-prohibitive for most businesses to hire and retain the expert talent necessary to provide effective monitoring and incident response.

Security is hard and complicated. Organizations typically rely on other sources and providers to know when they are being attacked and how they can respond. This ability—or lack thereof—to respond is a natural compromise in the presence of what they see as the impossible task of making themselves 100% secure.

This is where MDR comes in. Managed detection and response solutions identify active threats across an organization and then respond to eliminate, investigate, or contain them. Today, this can mean monitoring on-premises and cloud deployments, endpoints, containers, mobile devices, and other IoT (Internet of Things) and edge devices. MDR has increased in visibility and importance as organizations realize that the scale and complexity of the security challenge become intractable for individual organizations, regardless of size.

According to Gartner, “By 2024, 40% of midsize enterprises will use MDR as their only managed security service.”1 The MDR provider supplies the security tools, the threat intelligence, and the security experts, enabling you not only to protect your data and maintain GDPR compliance but also to gain more effective cybersecurity and peace of mind in general.

Rapid Response Equals Minimal Impact

Much of the damage that organizations suffer from a data breach is not a function of the initial attack. The average dwell time—the amount of time between the initial attack and discovering it—is often measured in months or weeks. That delay in detection provides attackers with virtually unlimited time to conduct further reconnaissance of the network, infect other vulnerable systems, and identify valuable or sensitive systems and data.

A good MDR provider will alert you to suspicious activity or a potential breach within 15 minutes of detecting the activity. A quick response enables you to investigate and mitigate the incident to minimize—or possibly avoid—damage. It also gives you plenty of time to determine exactly what happened, and what—if any—data was affected or compromised within the 72-hour reporting window for GDPR.

GDPR has been around a while, and every organization subject to it should have already achieved compliance. Technology evolves quickly, though, and organizations have increasingly complex networks. The key to protecting data and effectively maintaining compliance with GDPR over the next few years is a focus on constant vigilance and working with a trusted MDR provider.

1 Gartner, “Market Guide for Managed Detection and Response Services,” Toby Bussa, et al., 15 July 2019.

Tyromer Inc.: Pioneer Largescale Devulcanization Technology Gives New Life to Old Tires
https://theceoviews.com/tyromer-inc-pioneer-largescale-devulcanization-technology-gives-new-life-to-old-tires/
Fri, 25 Jan 2019 10:54:59 +0000

It is not common to name a young company a “Top 10 Most Valuable Company”. CEO Views chose Tyromer for the following reasons:

  • Great technology for a global problem
  • Collaboration to drive the circular economy
  • Licensing and JV to service global markets
  • Strong R&D
  • Diverse and dedicated team

Great technology for a global problem

Globally we will generate over one billion scrap tires this year, and every year thereafter for the foreseeable future. Scrap tire rubber cannot be reused easily, so for reasons of expediency, nearly 50% of them are burned for their energy value. The scrap tire recycling philosophy continues to be driven by a disposal mindset even though scrap tires are a valuable, renewable resource. Some scrap tires are ground into crumb rubber for use in playgrounds, sport surfaces and low-value molded products. Very small amounts of crumb rubber find their way back into tires.

Tyromer Inc. was established by the University of Waterloo in Canada to commercialize an invention by Professor Costas Tzoganakis whereby he used carbon dioxide as a “catalyst” to devulcanize crumb rubber in an extruder. Unlike other attempts, his process does not require the use of chemical solvents and devulcanization chemicals. For his invention, he was named the winner of the prestigious 2018 James L. White Innovation Award by the Polymer Processing Society. In a nutshell, Tyromer technology allows scrap tire rubber to be reused in meaningful amounts in new and retreaded tires, something that was previously unattainable.

Tyromer systematically scaled up the lab invention and now produces TDP (Tire-Derived Polymer) from scrap tire crumb rubber for reuse in rubber goods. Because the tire industry consumes more than 50% of global rubber, and to make the most meaningful impact, Tyromer focused on returning scrap tire rubber to tires.

Tire rubber is a high-tech material with very stringent performance requirements whereas scrap tire rubber is old and degraded, and crumb rubber is a mixture made from different types of scrap tires. Against these odds, Tyromer optimized and validated TDP for reuse in retread tire rubber at up to 20%. Due to excellent industry feedback, use of TDP will expand to new tires in 2019. For the first time, scrap tire rubber can be reused in new tires in tangible amounts. There is now a socially responsible and environmentally sustainable option to recycle scrap tires where the mindset can shift from disposal to reuse. As a small company, Tyromer has made a transformational impact in both the scrap tire recycling and the tire industries.

Collaboration to drive the circular economy

The tire industry is sophisticated with deep knowledge of materials. It is virtually impossible for a small company to develop a new material and push it into the industry. Tyromer chose an open-innovation collaboration business model where it learns from the deep knowledge of the industry to optimize a material that can be pulled into the industry once proven. Through collaborations with AirBoss Rubber Solutions, a major custom rubber compounder, and KAL Tire, a global leader in tire sales and service to the mining, transportation and consumer sectors, Tyromer validated its TDP for use in OTR (Off-The-Road) tire retreading at the 20% level. In terms of use of recycled material, this is well beyond what has been achieved in the industry. Collaboration with other global tire industry leaders will see TDP in new OTR tires, truck and passenger tires in 2019. This is the beginning of a true circular economy in which scrap tire rubber is reused in new tire production. Tyromer also has collaborations for non-tire applications: automotive parts, waterproofing, coating and building components. For a small company, Tyromer has established itself as an equal partner with industry leaders.

Licensing and JV to service global markets

Because scrap tire recycling and tire manufacturing are global, Tyromer chose a licensing and joint venture business model to implement its scrap tire recycling solution and its TDP production globally to service the tire industry. There is urgency to deal with the tire recycling problem and Tyromer does not have the luxury of serving one customer at a time. Currently Tyromer has one TDP production operation in Canada with a 4,000-ton capacity and a similar one in a licensed operation in China. Under the Tyromer licensing program, a larger facility with 10,000-ton capacity is nearing completion in Canada to supply a global brand with TDP for use in truck and passenger tires; another 10,000-ton facility is set to begin construction to supply a global brand in OTR tires, and licensed operations are pending in the US, New Zealand, China, India, Italy, Croatia and Estonia. As a small company, Tyromer has created a platform to efficiently roll out its business to the world.

Strong R&D

Professor Tzoganakis continues to maintain his active academic research program at the University of Waterloo while serving as Tyromer Chief Technology Officer. His diverse research group serves as a talent pipeline to Tyromer. Tyromer provides scholarship and financial support to select graduate students and post-docs. Tyromer bridges academia and industry to give impact to university research.

Diverse and dedicated team

The Tyromer team, not having traditional experience in the scrap tire recycling sector and the tire and rubber industry, was able to see challenges and opportunities from a new perspective not burdened by historic bias. Tyromer leadership took a simple lab invention, positioned it to serve and bridge two major industries, overcoming barriers to bring a circular economy to support sustainability in one of the largest industry sectors. The small Tyromer team is driven by the belief that collectively they are making a positive impact through their actions on a daily basis. Their focus and commitment are particularly commendable.

As explained by Sam Visaisouk, Tyromer CEO, using TDP as a new tire rubber compound replacement material provides a 90%+ savings on the energy otherwise needed to produce the new compound. This is becoming significant as we move towards a low carbon economy.

With sustainability more and more on our mind nowadays, we applaud Tyromer for its vision and effort to enable a circular economy for the tire industry where tires can go round and round. Tyromer’s collaborative approach removes blinders and breaks down silos of thought. Its licensing business approach will energize the stagnant crumb production sector to become a key contributor to solving the global scrap tire problem. Tyromer’s actions add up to much more than their parts.

GDPR: Challenges, Opportunities and the Road Ahead
https://theceoviews.com/gdpr-challenges-opportunities-and-the-road-ahead/
Fri, 25 Jan 2019 10:01:01 +0000

For a long time, technology has transformed our business environment in ways nobody could have imagined. GDPR, as a renovation of the privacy rules, was not only needed but “mandatory”. GDPR is a landmark in EU legal history, since among its objectives is modernizing the privacy legal system in order to protect personal data in a world that is always one step ahead.

Based on my knowledge of Spanish privacy legislation (we are lucky to live in an environment where privacy is strongly protected), GDPR implies a significant change in the industry, but neither a complete revolution nor an apocalypse. The main challenges GDPR faced after its development and approval were the modernization of the legal system, the enforcement of citizens’ individual rights and the harmonization of the data protection rules throughout the whole European Union. All these challenges are an evolution and an opportunity for organizations, whether established in EU territory or not, to improve their internal organization, their communication, their customer and provider relationships, and even their employees’ understanding of how to deal with personal data in their positions.

One of the most relevant changes of GDPR is the accountability principle, which means companies must not only comply with the rule, but also be able to prove it. In some way, this principle is reinforced by the withdrawal of the catalogue of security measures set out by the RLOPD and the possible need to develop the “Risk Assessment” process established in the RGPD, which requires that companies take a risk-based approach that contemplates the rights of all data subjects. This will make customers and/or consumers feel more comfortable sharing their data with organizations that can prove their commitment to privacy, giving customers all the information they need to understand the processing of their data and asking for their explicit consent, if necessary.

DMA research shows that the majority of consumers feel more comfortable sharing their personal data since GDPR came into force and, unexpectedly, they prefer to receive personalized marketing. In other words, they would give their consent to profiling actions if that means the avoidance of irrelevant communications.

In conclusion, GDPR could be a great opportunity for companies to create a better relationship and engagement with their clients, as the transparency and diligence of a company increases the loyalty and trust of their clients.

Furthermore, we cannot ignore that GDPR could be substantially modified, or even derogated, in the near future. A recent IBM survey about the transformational power of GDPR shows that a great number of companies are worried about that fact.

From my point of view, we should all be careful, taking into consideration that the effort to unify all the European privacy regulations has taken many years of negotiations, which means, in the words of José Luis Zimmermann, ADigital General Director, that “In that time many things have happened, new business models have emerged, new uses of the data, numerous innovations, and the citizens’ perception has changed. GDPR is therefore a law that, from the moment it came into force, seems, in part, obsolete.”

Increasing the complexity of this issue, other regulations, such as the E-Privacy Directive, will require an “update” to align their content with the new legal provisions established in the GDPR. So, if companies thought GDPR was a “strict law”, the E-Privacy Regulation project is even stricter, but necessary. Although some organizations, specifically the Developers Alliance, a trade group representing companies such as Facebook and Google among others, said it could cost European businesses more than 550 billion euros, and Digital Europe said the legislation’s prohibitive approach “seriously undermines the development of Europe’s digital economy”, the new Directive will try to settle the principles of a new digital scenario in which companies will obtain citizens’ explicit consent before placing tracking tools on their devices or collecting data through their communications. This means that in the short term the rules for all the players in this market will have changed, forcing the EU, Member State governments and companies to find a common strategy to confront the new privacy rules.

The information explained above shows that the GDPR and all the regulations that come after it involve a change in how organizations deal with the processing of personal data. As a result, all the players (governments, companies, consultants, and even users) should pay attention to how things evolve in terms of privacy, because both privacy and technology are constantly evolving. Further, as time passes, users will not only become conscious of their rights, but they will also be more demanding about who wants their data and how they are going to process it. Consequently, I honestly consider that all of us, as users, will choose the company that can prove its commitment and diligence.

GDPR Auto: GDPR’s Next Paradigm Shift
https://theceoviews.com/gdpr-auto-gdprs-next-paradigm-shift/
Fri, 25 Jan 2019 09:58:38 +0000

The enforcement of the General Data Protection Regulation (GDPR) on the 25th May 2018 threw more than a few companies into a state of panic and confusion, largely due to the breadth and reach of the legislation, not to mention the severity of its sanctions. While data protection legislation has been at the forefront of EU policy for nearly two decades, GDPR is the first time that such legislation will be enforced across the board, with no exceptions or variations across jurisdictions. Organizations such as Aqubix focus a lot on the operational aspect of compliance, especially the work that is done manually, and are now thinking about the manual intervention required for GDPR.

The larger the company is, the greater the hassle to ensure you have people to process requests, make sure everything is in place, and so on, so that’s where the idea for GDPR Auto stemmed from. It is both a technical and business solution that delivers the required automation, as well as the embedded legal advice that this regulation dictates. It provides a starting point in the form of a set of audits, so that companies can self-assess and identify where they stand. The responses to the legal audit provide a full GAP Analysis report highlighting all the aspects that the company needs to start working on in order to achieve GDPR compliance, with a detailed list of actions reflecting the answers to the audit provided by the company. At this stage, if it is determined that any internal policies relevant to the data types being handled are required, the system will make all legal documentation available in the form of text templates, allowing the company to bring their processes in line with regulation.

Another requirement that forms part of GDPR which an organisation may find particularly difficult to do manually is the mapping of data processes. Again, here GDPR Auto simplifies and streamlines what would otherwise be a taxing and long-winded process into a simple function.

While the standardisation of new data is challenging enough under the new legislation, making sure past data, collected long before GDPR compliance was a concern, is also compliant is another issue that has been a stumbling block for many firms. “When some companies realised that some of the data they held was not fully GDPR-compliant, they considered purging their collection of data entirely, some of which spanned several decades. This would have been a huge and valuable loss,” Mr Zammit Ciantar points out. GDPR Auto has a solution for this too – once subject data is mapped out, the programme allows for individual and bulk opt-in audited consent acquisition, as well as regular/scheduled re-consent processes across all aspects of the data being held. “This feature allows the user to instantly identify what data is authorised for specific use, and immediately excludes use that is not permitted under GDPR. At the same time, it manages the requirement for individual assent that the customer may not have even thought about or agreed to at the time, ensuring that the company is in full compliance with the legal provision.” Individuals whose data has been collected are provided with a means to update their data and ensure that whatever information is being kept is correct; namely a secure portal, bolstered by two-factor authentication, through which data can be managed and requests for updates sent. Once reviewed by the data protection officer, such change requests are communicated internally over the platform for execution, keeping a full audit trail of accountability with system owners and third-party processors.

GDPR Auto has garnered interest from a wide range of businesses within the EU, as well as non-European companies that do business with Europe, including firms from the US and Turkey. Its adaptability for companies of different kinds and sizes has also made it a versatile tool for businesses to have in their arsenal. “Even though it will still prove to be quite a challenge, small companies handling a few subjects can likely get away with bringing their processes up to scratch manually. Such an approach might work in the short term; however, it is not a sustainable model knowing that GDPR is here to stay. For larger companies, or companies with an ambition to grow, GDPR Auto will save a lot of time and effort, not just now, but in the coming years too.”

The post GDPR Auto: GDPR’s Next Paradigm Shift appeared first on The CEO Views.

Is the GDPR Industry a One-time Economy? https://theceoviews.com/is-the-gdpr-industry-a-one-time-economy/ Fri, 25 Jan 2019 09:52:03 +0000

The post Is the GDPR Industry a One-time Economy? appeared first on The CEO Views.

The media bubble surrounding the introduction of the GDPR in May 2018 included much hype and speculation about how the new data protection legislation would impact various industries. Few stopped to take stock of the fact that ‘getting ready for GDPR’ seemed to be creating a micro-industry in and of itself. On the other hand, some said it was just that: a hyped-up bubble that would, like Y2K, simply disappear once the deadline had passed.

The GDPR Industry

In the latter stages of 2017 and early 2018 some panic did start to set in, with companies scrambling to get on track for GDPR compliance. For large institutions this meant lawyering up to interpret the somewhat vague new data protection legislation, in order to review or even establish policies and procedures for the new compliance landscape. That is somewhat the point: such companies were unlikely to be starting from scratch, as they were already required to comply with the pre-GDPR 1995 EU Data Protection Directive (DPD) and other privacy regulations and data security standards. For instance, if handling card payments they would also be familiar with ensuring compliance with the PCI DSS standard.

However, what caused the hype around GDPR was not the fact that it brought a somewhat stricter framework for protecting personal data than had existed under previous EU regulations, or that it shifted the requirement to prove compliance onto the organization rather than requiring the regulator to prove the opposite. What got the attention of the market seems to be the fact that GDPR carried the potential for far stricter penalties – €20 million or 4% of annual turnover, whichever is the greater.

If the intention of the fines was to direct the attention of organizations to their responsibilities under Data Protection regulations, then it certainly worked. Many organizations chose to validate their existing Data Protection Policies and Procedures, and I suspect some found them wanting or non-existent even in relation to existing EU or local legislation. As these larger organizations set about getting their house in order, smaller businesses and even sole traders were also seeking guidance, looking mostly to local and national government, and searching for online support. Predictably, where there is demand, supply follows. GDPR consultants and dedicated firms began to emerge. So too did a host of ‘GDPR entrepreneurs’, creating GDPR products and service offerings for businesses at all levels, from sophisticated tech platforms for managing large organizational compliance to out-of-the-box template solutions.

The GDPR industry burst into life, and even post-deadline every business topic seems to have a GDPR dimension. But will this so-called GDPR industry survive and thrive? What exactly are its chances of thriving in the post-GDPR period? Personally, I would say that the emphasis on compliance with Data Protection and other privacy regulations will continue, but not as a hyped-up topic, spreading falsehoods and rumor to scare businesses into compliance, but as a sensible methodology for evaluating what is reasonable, practical and of course legal when it comes to utilizing personal and sensitive data. Proper, considered and compliant use of such data will become the norm, and there will be a genuine need for expertise, systems and tools to assist organizations to evaluate, implement and, most importantly, demonstrate their compliance with the regulations in a manner that is appropriate for their business, the nature of the processed data and the sensitivities of the data subjects.

GDPR must be ‘business as usual’

For any organization processing personal data, GDPR is not a one-off program that has now passed; it is a serious business need that requires ongoing attention throughout the organization.

According to research published by Markets and Markets, the GDPR market is predicted to grow from $907.4m in 2018 to $2.7bn in 2023. Be sure, this isn’t just latecomers to the GDPR party. It represents ongoing facilitation of GDPR policy as part of ‘business as usual’ operations. The protection of personal data will also be compelled by increasing concerns and awareness about privacy and security in these increasingly digital times. Ongoing investment is needed to ensure no data breaches take place, and to demonstrate compliance with the GDPR. How, then, is this money best spent to future-proof your organisation?

Ongoing investment in GDPR Compliance

For me, it comes down to the nuts and bolts of GDPR compliance: people, policies and technology. The weakest link in any information security chain is always the humans involved. Investing in regular GDPR awareness training for employees at all levels is therefore critical. A laudable Privacy or Data Protection Policy that is not understood and followed throughout the organization will not serve anyone well in the event of a breach, a fine or other sanction from the regulator. These policies and procedures, which provide the roadmap for collecting, controlling and processing personal data, need to be regularly assessed to ensure they remain fit for purpose as the business environment changes. If your people know and understand why and how they should comply, complying with the regulation is not difficult. While the digital world is at the heart of data protection and risk, it also supports compliance. A simple, intuitive GRC suite or integrated risk-management platform that everyone can access will be money well spent, once the right solution for your business has been found. These systems will need to expand and evolve as the organisation changes the way it uses personal information to succeed in its mission.

The Future

The EU’s GDPR legislation is here to stay, and it does seem that it may be the harbinger of similar changes across the Atlantic and elsewhere. It seems likely that the hype will die down, although a few high-profile breaches, fines or sanctions that impact company performance may kick-start it again. Ultimately, the cost and risk of a GDPR breach is too high for companies to ignore, so they must continue to invest in maintaining compliance. Thus, the GDPR economy will prevail.
