GDPR compliance

Information Security Regulatory Compliance & Services

What is Compliance

Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes an organization's goal of being aware of, and taking steps to comply with, the laws, policies, and regulations that apply to it.

Business and Compliance

In business and corporate management, compliance refers to a company obeying all of the laws and regulations that govern how it manages the business, its staff, and its treatment of consumers. The purpose of compliance is to make sure that corporations act responsibly.

The pressure to comply with constantly changing regulatory, third-party, and internal guidelines can be overwhelming. Being unprepared to manage risks while meeting mandates can lead to economic consequences and legal liabilities. Both can have a significant financial impact and damage your reputation, which could prove even more costly. You may be exposed to threats you're not yet familiar with that could be putting your company's reputation at risk, and even jeopardizing its future. Many major companies within the United States are subject to some type of security regulation.

Complying with security regulations

Regulations that contain information security requirements are intended to raise the information security level of organizations within that industry, and many organizations welcome such guidance. The difficulty comes in determining which regulations apply and in interpreting their requirements. Regulations are not written in a way that is easily understood by the average business person, so a security professional is often needed to understand the requirements and how best to implement them. Such professionals have experience implementing systems, policies, and procedures that satisfy the requirements of a regulation and enhance the security of your organization, and some hold credentials, such as the CyberSecOp Information Security Practitioner, that signify their understanding of the regulations. Often the requirements are given in general terms, leaving the company to determine how best to satisfy them.

For those organizations without a robust security department, we provide a Virtual CISO offering with expertise in the following:

  • ISO 27001/27002
  • NIST & NIST Cybersecurity
  • GDPR
  • CCPA
  • FedRAMP
  • NY DFS Requirements 23 NYCRR 500
  • FFIEC Handbook
  • FERPA
  • HIPAA/HITECH
  • HITRUST
  • PCI DSS

GDPR Questions Answered: Do We Need Consent to Hold Information in a Database?

Now just a few weeks remain before the deadline for the General Data Protection Regulation (GDPR), so data protection advisor Jon Baines is here to answer your questions.

Today, Jon was asked:

Q: “If our database holds names, email addresses, telephone numbers, addresses and job roles of people involved in the classical music industry, of which most of the information is available on their websites, do we have to have specific consent to hold this information, which we use to contact them in terms of business and to occasionally send out a newsletter (twice a year) from which they can unsubscribe? There are a few thousand names involved so it would be good to know whether we need to contact them or not!”

A: “I wish my answer could be a simple one, but, regrettably, the law here is rather complex. However, I will try to explain.

“Unfortunately, what we don’t have here are details on how the business gathered this personal data, and whether the marketing they wish to send is by email (I’ve assumed it is). The author says the information gathered appears publicly on websites, so it might be inferred that the business has ‘scraped’ the details from those sites. If that’s the case, then there may be some problems.

“As a general rule people should be aware (or be made aware) that their personal data is being gathered and collated, even if it’s publicly accessible. Furthermore, sending marketing in electronic form to individual recipients (which I think most of the musicians here would be) requires explicit consent from the recipient (or, in some circumstances, and subject to various qualifications, a prior customer relationship). Sending email marketing, therefore, without consent, would almost certainly be a breach of the law.
“If, contrary to what I’ve inferred, the business got the musicians’ details direct from the musicians themselves, then the question as to whether they can send them email marketing is a bit different. If the business has their prior explicit consent to receive marketing emails, then they can continue to do so. Or if they got the musicians’ details during the sale (or negotiations for sale) of a product or service, they can send them marketing emails, provided that at all stages they have offered, and continue to offer, the option to opt out of receiving them.

“The irony here is that the law in question is not the GDPR but the Privacy and Electronic Communications (EC Directive) Regulations 2003, which often get overlooked. Over recent years the Information Commissioner has issued plenty of fines for breaches of this 2003 law.

“Generally, the firms getting those fines have sent very high volumes of unlawful electronic marketing, and the Commissioner has not tended to target SMEs. Nonetheless, even if the risk to a small business of big fines may be relatively low, they do need to be aware of the other risks, particularly of legal claims by individuals, and reputational harm.”

Small Business Benefits from Cybersecurity Consulting Services

Cybersecurity news stories are becoming more and more prevalent, especially over the last few years. Whether the stories are about stolen emails or huge data breaches, it has been virtually impossible to ignore them.

While the major stories about compromised corporations and hacked email accounts make the news, cybersecurity is something that concerns everyone who uses a computer. Even small business owners can become victims of cybercrime. In fact, small business owners, in particular, need to be concerned with cybersecurity so they can protect their intellectual property. No matter whether the intellectual property is research or recipes, it is one of the greatest assets a small business has. Intellectual property is a prime target for hackers, whether they are stealing information for a competitor or running a ransomware scheme where a hacker demands something in return for the stolen information.

The trouble is that protecting that intellectual property, and keeping other sensitive information such as client and customer data secure, isn’t cheap. Many small business owners may not have the capital available to afford a cybersecurity system. Although this puts an owner in a tough spot, you can’t put a price on peace of mind, and neither can a small business owner afford the losses associated with becoming the victim of a cybercrime.

As with most things for small-business owners, cybersecurity comes down to a cost analysis. A cybersecurity system can be a big expense. On the other hand, a small business owner has to consider the cost of not having their systems protected from hackers. It’s hard enough for a large corporation to recover from a cyber attack, even with all the resources and infrastructure they have. According to the U.S. National Cyber Security Alliance, 60 percent of small businesses fold within six months of a cyber attack.

Ultimately, each business owner has to decide if and when a formal data security protection plan is necessary. A consultation with an expert may help you better weigh the pros and cons of taking on this type of business expense. Start with this list of Cybersecurity Consulting Providers as a jumping-off point for your research. After comparing the benefits of these companies’ plans, set up a few consultations to see if and how these providers can best help protect your business, and what it costs to do so. You may find that it’s worth the investment.


Are you ready for GDPR compliance?

GDPR Is Coming. Are You Ready?

What are the GDPR requirements?

EU Compliance - General Data Protection Regulation (GDPR)

For more details on GDPR, see “GDPR: a risk to your organization”.