Archive for the ‘privacy’ Category

Finding a Safe Place for Your Data and Software

Data Security


Your organization runs on data and software. But this whole IT environment needs to live somewhere. Preferably a safe place that no unwanted people can access.

What options do you have? How should you choose where to host your data and your software?

In this article, we’ll explore these topics in-depth, hopefully giving you that bit of additional information that you need to choose a safe place for your IT environment.


Where can you host your software/data?

The traditional way is to host it on your own servers, which is called on-premise hosting.

It’s private by nature because the whole infrastructure is dedicated only to your company. The software literally lives on your own machines, along with the data and all of your intellectual property. Servers don’t actually need to be located at your headquarters; they’ll probably be in a dedicated data center.

The “new” (it’s not that new and pretty much standard by now) way to manage your IT resources is cloud hosting.

It’s public by default because it’s provided by a company like Amazon or Microsoft, whose insane server power is shared by all of their customers. But it can be private because cloud providers offer the option to get a share of their servers dedicated only to your company.

Finally, you can also mix the different options, and then you get hybrid hosting. There are a lot of ways to organize a hybrid solution, with different combinations of hardware and software. Choosing one cloud provider doesn’t mean you can only use that one; you can also combine different services from multiple providers.

How much control do you need?

When it comes to hosting your software and data, available server options generally fall into these categories:

  • Control the hardware, control the software
  • Control the hardware, outsource the software
  • Outsource the hardware, control the software
  • Outsource the hardware, outsource the software

Control the hardware and software

If you need to control and customize the performance of your physical servers, as well as the software that runs them, the go-to choice is on-premise hosting.

Control the hardware, outsource the software

What if you need to control the hardware, but you want the same workload management experience that’s offered by big cloud providers? There are ways to run, for example, AWS services on your own on-premise servers. The offerings in this area vary based on the provider.

Outsource the hardware, control the software

Your server workloads are pretty typical and you don’t need custom hardware for your IT environment – but you want to use, for example, FileCloud to share and manage your organization’s data. You can easily run FileCloud on AWS, as well as other services that you might need.

Outsource the hardware and software

This is probably the most popular solution at the moment for non-enterprise companies. You just spin up a server instance at your favorite cloud provider and manage it using the software tools they provide. Use it to host your data, your ERP system, or your SaaS, without worrying about the server infrastructure.

Comparing hosting options – On-Prem vs Cloud vs Hybrid


So far we know that on-premise hosting is private (dedicated only to your company), with your IT environment living on your own physical servers.

But when should you use on-premise hosting? Modern tech companies usually start with the cloud, and move on to on-prem.

Take the case of Instagram: they migrated to Facebook’s infrastructure after FB bought them in 2012.

(But then they also branched out to different data centers around the world to ensure that all of their users have a good experience, so they’re definitely not on-prem only.)

Companies and enterprises that have been around for decades tend to go from on-prem to adding a bit of cloud, or migrating to the cloud completely.

Like when AdvancedMD moved to the cloud. AdvancedMD is a healthcare-related provider of digital services that’s been around since 1999, which makes this a great example. The most common argument for on-premise hosting is that it’s the most secure option for highly sensitive data. AdvancedMD runs on healthcare data, which is extremely sensitive, and yet nothing tragic happened when they migrated to the cloud.

As AdvancedMD proves, the issue of security is not that important anymore. Both on-premise and cloud hosting can safely store sensitive data.

So the choice between on-prem and cloud is more about control and/or customization.

For the highest amount of control, and the ability to literally customize every part of your infrastructure, on-prem is the right option. Long-term cost management is easier; however, it takes a large initial cost to build your on-prem hosting from the ground up.

On-prem is also a good option when you have high demands:

  • You’re constantly moving large amounts of data in and out of your servers (cloud providers can charge fees for moving data outside of your cloud),
  • You need the lowest latency possible.

One problem with on-prem is that it’s harder to scale, but you can use a cloud provider to mitigate this issue.


You’ve probably heard this before: there is no cloud, it’s always somebody’s server. It’s a popular saying, but it carries a hidden warning about your data being on somebody else’s server.

How big is the risk that cloud providers will mismanage your data, or give someone else access to it? Unless you’re handing out access credentials to your cloud to everyone you meet, the risk is actually very small.

There is no way the cloud would’ve become the new standard for hosting if it were risky. Providers know this, and they’ve put extreme amounts of money into making sure that your resources are safe with them.

Another popular issue that people bring up when talking about the cloud is compliance with standards. But it turns out that cloud providers are surprisingly compliant with cross-industry IT standards, so this issue depends on your unique case.

There is a different, much more real, risk associated with the cloud – cost management.

Sure, at the start you pay much less compared to an on-premise solution. As you keep going, it’s super easy to spin up new services from a cloud provider, especially if you have a huge IT budget.

This is a benefit because you can scale up extremely easily. It’s also a problem because you might end up paying for a lot of unnecessary services.

So if you don’t want to overspend, you need to be very careful about managing your cloud infrastructure.

Choosing the cloud isn’t a question of compliance or security, but rather of your unique workloads. As we learned above, on-premise can be better when you need to move huge amounts of data regularly, or you need minimal latency.

For example, if your servers are just supposed to do the standard job of serving a website to people online, the cloud is the logical solution. But if you’re building a complex web application that performs difficult computations on large amounts of data, you’ll probably be better off with an on-prem, or a hybrid solution.


And so we arrive at the most common option, hybrid hosting.

The complex demands of enterprise IT environments make it almost impossible to just pick one hosting option and roll with it for eternity.

There are too many considerations:

  • Integrating with legacy software,
  • Speed vs reliability,
  • Location of data,
  • Latency…

… and so on, and different parts of a typical IT environment require varying approaches. For example, a cloud provider might work for your in-house data store, but you still need on-prem servers to run particular applications or legacy software.

Hybrid hosting is a way to address all of this complexity because you can combine multiple options to create the infrastructure that meets your requirements to the letter.


All in all, there is no silver bullet when it comes to hosting your data and software. The safest place for your IT environment might be at a cloud provider, or on your own on-premise servers. Or both.

It depends on what you need, and it turns out that security and compliance are not the biggest issues when you’re thinking about migrating to the cloud. It’s more about the type of data workloads that you have, and the requirements that result from this.

Hope this article was helpful, thank you for reading!

EU-US Privacy Shield – Updates and the Repercussions

EU-US Privacy Shield Framework

The Privacy Shield program is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, to enable enterprises in the US to join the EU-US Privacy Shield framework. The program provides these organizations with a mechanism to comply with the requisite data protection requirements when transferring personal data for transatlantic commerce.
Primarily, the program lets US organizations register and publicly self-certify that they comply with the data protection requirements. This assures their customers that compliance measures are in place for the data being collected and transferred. The self-certification also becomes an enforceable commitment under US law.

There is also a Swiss-US Privacy Shield Framework being implemented similarly by the European Commission and Swiss Administration for the transfer of personal data from Switzerland. Both these frameworks were evaluated for adequacy on personal data transfers under the EU and Swiss law respectively and approved as valid. The European Commission approved it on July 12, 2016, and the Swiss Government approved it on January 12, 2017.

The Updates

The Privacy Shield Framework website lists the below updates on their website:

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. That decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.

On September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland’s Federal Act on Data Protection (FADP). As a result of that opinion, organizations wishing to rely on the Swiss-U.S. Privacy Shield to transfer personal data from Switzerland to the United States should seek guidance from the FDPIC or legal counsel. That opinion does not relieve participants in the Swiss-U.S. Privacy Shield of their obligations under the Swiss-U.S. Privacy Shield Framework.

On August 10, 2020, a Joint Press Statement from U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders, available in the public domain, stated that ‘The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the July 16 judgment of the Court of Justice of the European Union in the Schrems II case’. Further to this, on September 28, 2020, the U.S. government also published a white paper to help organizations assess their compliance concerning EU-US data transfers in light of the above ruling.

The Repercussions

There are serious repercussions for companies that deal with and transfer personal data from the EU and Switzerland. They are now bound to examine their data flows across the Atlantic and the laws that will be applicable, and would need to ensure compliance. In other words, these companies must now find alternate ways to ensure data protection measures, as the Swiss-US and EU-US Privacy Shield frameworks have been invalidated. Violations could be investigated and, if proven, fined.

The Actions

This is what requires organizations to evaluate their international data flows vis-à-vis the requirements under the GDPR and take corrective actions. The European Union has issued two sets of Standard Contractual Clauses (SCC) for data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA). There is also one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA.

Organizations would now have to use these SCCs to analyze whether they are providing an adequate level of protection for the data transfers they are undertaking. Every organization can do this evaluation, take measures to plug gaps, if any, and keep their customers and stakeholders informed. This may mean passing down new safeguards and measures, including implementing SCCs with all their stakeholders wherever data processing is involved, as per GDPR requirements.

Binding Corporate Rules (BCR) for transfers are still valid and are an option that organizations can explore. But even BCRs will have to be assessed and validated for adequacy and compliance before adopting this route. Organizations may also have to assess and amend all applicable contracts to reflect these changes. They would have to update all their communiqués concerning data privacy as well as Privacy Shield compliance or withdrawal.

Another option is to obtain the explicit, specific, and informed consent of the data subject before the transfer is undertaken. This falls under Article 49 of the GDPR, which also allows a transfer that is necessary for the performance of a contract between the data subject and the controller. The third clause in this article states that the transfer is allowed if it is necessary for important reasons of public interest. But, even in this case, it needs to be done with due legal consideration.

Importantly, organizations need to know that the CJEU ruling provides no grace period. This means that organizations cannot continue to do data transfers under the Privacy Shield program for a certain period in the hope that the matter gets resolved. They will be held liable for all such data transfers under the necessary compliance requirements with immediate effect and have to assess their legal basis for the transfers.

The U.S. Department of Commerce’s International Trade Administration (ITA) continues to administer the Privacy Shield program. As per the FAQs listed on the Privacy Shield website, US organizations’ continued participation in the program shows their commitment towards data protection. There are also provisions for organizations that wish to withdraw from the program. Withdrawal requests will be handled as per due process and would have to comply with all the conditions set forth to do so.

Organizations are also requested to contact the appropriate European national data protection authority or legal counsel for answers to their queries regarding the clarity and adequacy of the measures they are undertaking. This step can also help them decide on appropriate alternate data transfer mechanisms. The Privacy Shield website has also listed some key new requirements that organizations need to comply with for participating in the EU-US Privacy Shield program.

Apart from this, all organizations would need to monitor developments as the discussions continue, to see how things can be resolved and an adequate solution arrived at.

What is Geo-fencing? And How Does it Play a Role in Data Privacy?



Geo-fencing is a new term in the digital marketing space that puts device location to work for the delivery of services. The services could be push messages and notifications that a user gets when the device enters a virtual boundary, known as a geo-fence. These virtual fences are set up around certain stores, stadiums, event spaces, malls, and so on.

When a user enters this space with a GPS- or RFID-enabled device, it triggers an action that results in the user getting specific promotions about the particular event or store. Certain apps and software interact with the geo-fence that is set up in the area when the device is connected to GPS, cellular data, RFID, or Wi-Fi. This results in the user getting geo-fence-specific messages, which gives marketers a way to promote their products and services at the right moment. The user entering the space may not otherwise have known about a new product or promotion.


The applications of geofencing go much beyond the mere marketing push notifications. Its potential is huge and almost all industries are exploring the endless possibilities that it offers. For example, businesses with huge fleets use it to track the movement of their vehicles; the cattle industry also uses it for the same purpose. Field employees are also tracked in a similar way by certain organizations, for automatically logging time.

Similarly, pets and toddlers could also be tracked for their movement. There are instances of authorities using geofencing to track people’s movement when they are in COVID-19 quarantine or for lockdown violations. Geo-fences are set up around important spots like airports or important buildings as well. This helps monitor movement in the area, including that of drones. So, geofencing also plays a role in security by tracking unwanted movement within a geo-fence.

Social networking apps use geo-fencing for location-based filters, stickers, and more; prominently, Snapchat is a very good example of this. Also, in Flickr, you can limit your photo sharing with people in a certain locale only. In-store promotions and audience engagement at events are other good examples of its use. Many of the smart home appliances can also be programmed to send you reminders based on geo-fencing.

Geo-fences are used to track movement in parking spaces to understand the availability of spaces. Certain auto brands even allow you to set up geo-fences around your parked vehicle, so you get a notification if it moves out of them. Certain businesses are also using it to send messages to target customers entering their competitors’ spaces to try and lure them. Some marketers are also offering banner ads based on geo-fencing. Most importantly, a geo-fence that sends out alerts about a possible intruder on a network can be used as part of the multi-factor authentication system in an organization’s cybersecurity strategy.

Role in Data Privacy

However, there are concerns about data privacy in the use of geo-fencing. When you track users in a specific fence, you are collecting information about them which they may not otherwise want to share. In a world where social profiles are built using digital identities, this could be dangerous. For example, a user may not want people to know why he visited a certain clinic, a religious place, a club, or an event. These could be individual preferences that were meant to be kept private, but the geo-fence would have collected information about them.

The legal aspect of the use of geo-fences depends on the privacy laws of the land. In Europe, user consent is a must before this service can be activated. Once specific permission is obtained, the location-specific data being collected comes under the ambit of the GDPR, which is meant to protect the privacy of users. Unless the personally identifiable information being collected, including device IDs and IP addresses, is masked, it will be treated as a violation. This is because, under the GDPR, Personally Identifiable Information (PII) also covers IP targeting, email targeting, and phone number detection.

The CCPA, applicable in the state of California, follows the same principles in its privacy laws. Companies across the US are expected to be affected by the CCPA, which gives consumers new rights and protections almost equal to the GDPR, and that includes geofencing as well.

There is also the concern that geo-fencing may cause an overdose of unwanted notifications, which is a disturbance for an individual. An individual may walk into a coffee shop at the end of a morning walk every day and be bombarded with offers. Or, one may just be passing by a shop with a geo-fence and get messages as a result. This can prove to be quite annoying and may even, ultimately, put the customer off. There have been a few cases in the US wherein advertising firms have had to deal with legal cases as a result of their geofencing ads. Especially when the information collected concerns health care, children, religious preferences, etc., which come under sensitive personal information, the privacy concerns around geo-fencing take a serious turn.

Interestingly, even the banking industry is exploring options with geo-fencing to provide improved customer experiences and fraud detection. People walking into a branch are provided inputs on customized services and offers for them to be able to make better choices. Some banks have enabled their ATMs with geo-fencing, so customers are provided with information about the nearest ATM.

Personal Choices

However, apart from the local privacy laws, individuals can control the information collected by the geofencing apps. If GPS is turned off, then geofencing cannot function, and hence, an individual’s privacy is fully protected. Some of the geofencing marketing happens with the help of the specific apps of stores, dealers, etc.

If an individual chooses not to download these apps, or checks the settings in the app to opt out of the geofencing services, then the location-specific inputs and data collection can be avoided. VPNs can be used to mask IP addresses so that no Personally Identifiable Information can be collected by the geo-fences.
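The entry trigger described earlier (a device crossing a virtual boundary) and the controls discussed in this section (consent before activation, location switched off, no notification flood) can be put together in one evaluator. The following is an added illustration, not code from the original post or from any vendor; the fence coordinates, radii, cooldown window and location fixes are constructed sample values.

```python
import math
from dataclasses import dataclass, field

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float
    exit_margin_m: float = 25.0     # hysteresis band: a passer-by on the edge does not flap in/out
    cooldown_s: float = 6 * 3600    # at most one promotion per fence per window (assumed value)


@dataclass
class DeviceState:
    consent: bool = False           # explicit opt-in; without it no location is processed at all
    location_enabled: bool = True   # GPS/location off: no fixes are produced, nothing triggers
    inside: set = field(default_factory=set)
    last_notified: dict = field(default_factory=dict)   # fence name -> timestamp of last promo


def evaluate_fix(state, fences, lat, lon, accuracy_m, ts):
    """Process one location fix and return a list of (event, fence_name) tuples.

    Events: "enter" / "exit" are state transitions, "notify" means a promotion
    may fire. Consent and location availability gate everything else.
    """
    if not state.consent or not state.location_enabled:
        return []  # nothing collected, nothing triggered
    events = []
    for f in fences:
        d = haversine_m(lat, lon, f.lat, f.lon)
        if f.name not in state.inside:
            # count an entry only when the whole accuracy circle lies inside the fence
            if d + accuracy_m <= f.radius_m:
                state.inside.add(f.name)
                events.append(("enter", f.name))
                last = state.last_notified.get(f.name)
                if last is None or ts - last >= f.cooldown_s:
                    state.last_notified[f.name] = ts
                    events.append(("notify", f.name))
        elif d - accuracy_m > f.radius_m + f.exit_margin_m:
            # leave only once clearly beyond radius + margin (hysteresis)
            state.inside.discard(f.name)
            events.append(("exit", f.name))
    return events


def run_demo():
    """Constructed scenario: one coffee-shop fence, a consenting and a non-consenting device.

    Returns (events_with_consent, events_without_consent), one list per fix.
    """
    shop = Geofence("coffee_shop", 52.52000, 13.40500, radius_m=50.0)
    # (lat, lon, accuracy_m, timestamp_s); 0.001 deg of latitude is ~111 m
    path = [
        (52.52100, 13.40500, 10.0, 0),             # ~111 m away: outside
        (52.52010, 13.40500, 10.0, 60),            # ~11 m: enter + notify
        (52.52040, 13.40500, 10.0, 120),           # ~44 m: in the margin band, still inside
        (52.52100, 13.40500, 10.0, 180),           # ~111 m: exit
        (52.52010, 13.40500, 10.0, 240),           # back a minute later: enter, no notify (cooldown)
        (52.52100, 13.40500, 10.0, 300),           # exit again
        (52.52010, 13.40500, 10.0, 60 + 6 * 3600), # next visit after cooldown: enter + notify
    ]
    with_consent = DeviceState(consent=True)
    without_consent = DeviceState(consent=False)
    ev_yes = [evaluate_fix(with_consent, [shop], *fix) for fix in path]
    ev_no = [evaluate_fix(without_consent, [shop], *fix) for fix in path]
    return ev_yes, ev_no


if __name__ == "__main__":
    for fix_events in run_demo()[0]:
        print(fix_events)
```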

Data Leak Prevention Technology – Top DLP EFSS Solutions 2020



Data Leak Prevention Technology:

Data leak prevention technology keeps sensitive corporate data secure by identifying potential data breaches and helping to eliminate them. DLP software classifies and regulates confidential business data and identifies violations, typically driven by regulatory requirements such as federal laws, HIPAA, FINRA, and the EU GDPR. Once a violation or data breach is identified, DLP enforces immediate remedial measures such as alert messages, access restriction, and other measures that prevent end users from sharing data that could put the organization in jeopardy.

What Is Data Leak Prevention?

Data leak prevention (DLP) combines the power of security tools and strategic processes to ensure that a company’s confidential data is not lost, misused, or accessed by unauthorized users. Simply put, data leak prevention is a strategy that makes sure that end users are not able to intentionally or accidentally destroy or steal the company’s data. The enterprise must have a data leak prevention policy so that all access controls are predefined and linked to the data.

This prevention strategy should be covered by the EFSS solution which you use to store and share organization files. With the correct data protection policies and systems, you will be able to reduce or eliminate data leak incidents.

Top Data Leak Prevention Solutions 2020


FileCloud offers 360° protection with smart data leak prevention technology to prevent accidental data leakage. FileCloud’s real-time data leak prevention capabilities control user actions (login, download, share) based on IP range, team groups, user types, email domain, folder paths, metadata and many more rules. FileCloud also integrates with existing security information and event management (SIEM) tools to provide more stringent data leak prevention. FileCloud evaluates user actions in real time and logs rule violation reports for future auditing.

FileCloud helps enterprises comply with HIPAA, FINRA, ITAR, EU-GDPR, and other data privacy regulations. Smart DLP can be extended to the on-premise server as well as the cloud server, thereby offering flexibility to businesses in selecting the right fit for them.


Dropbox offers a data leak prevention technology solution in collaboration with Symantec. Security for the Dropbox cloud is provided by Symantec CloudSOC, which safeguards organizations against data loss and threats that target cloud accounts. The Cloud Access Security Broker (CASB) technology by Dropbox protects businesses against threats that may pose a danger. After-the-fact analysis of user activity helps in identifying the potential threat that an insider could pose to confidential data.


Box data leak prevention technology helps with data security and access control and mitigates security challenges. Box DLP helps in avoiding the deletion or exposure of confidential data stored on company networks and servers. Box offers granular access permissions and activity monitoring, and significantly reduces data security risks associated with malicious activity and unauthorized sharing.


Egnyte’s DLP solution helps in identifying, classifying, and protecting your business data. Egnyte takes a proactive approach to content governance and provides insights into detecting unusual file behavior. File access control in real time ensures that businesses can be strategic in their approach when deciding on security rules. The intuitive self-service experience that Egnyte offers helps protect your business data and keeps you compliant with the latest business regulations.


Citrix’s ShareFile data leak prevention technology is offered in partnership with Digital Guardian and Code Green Networks. This solution mitigates the risk of data leakage by leveraging ShareFile’s APIs to move or revoke access to files that contain sensitive information. You can classify and restrict data flow, thereby having more control over the security of storage and data transfer. This allows you to find a sweet spot between security and usability that best fits your organization.


Microsoft OneDrive’s DLP policy identifies sensitive information including financial data and personally identifiable information. The sensitive information is monitored and protected from accidental sharing. It helps in staying compliant with the global guidelines without interrupting the data workflows. Also, you can view the DLP reports that help you make better security decisions. With OneDrive’s DLP you can restrict the sharing of sensitive data, define actions that must be taken in case of a data breach, audit incident reports, and set priority for user accounts.

How FileCloud Data Leak Prevention Technology Safeguards Your Data

  • Detects threats in FileCloud accounts: Using advanced data science and machine learning technology we analyze the user activity and identify risks that pose a threat to your business data.
  • Protects data in FileCloud accounts with Smart DLP: Protect your business data in FileCloud with the same policy frameworks and workflows that your company uses across your organization.
  • Network control and flexibility in inter-operability: Empower organizations to limit the use of unauthorized personal accounts on networks while allowing access to company-managed accounts using access control settings.
  • Detects risky user activity: User activity Analytics identifies potentially risky user activity and enables automated policy controls to secure your business data and accounts.
  • Powerful encryption technology to protect user data: Protects your organization’s data with automated policies and encryption to prevent accidental or malicious sharing of data.
  • 360° analysis of user activity: Quickly assess activity that may impact your FileCloud accounts with detailed information and extensive log filtering capabilities.

Advantages of FileCloud’s Data Leak Prevention:

  • Data protection from external and internal threats: DLP can detect files that contain confidential data and prohibit them from leaving the network. The sensitive data transfers can be instantly blocked using Smart DLP in case of a data breach. Apart from this, DLP policies also provide for quarantine or encryption of data in real-time in response to events.
  • Auditing capabilities and compliance with regulations: Accountability for the collection and storage of sensitive data needs a compliance mechanism, and auditing capability fills that gap. Consequences of non-compliance can include fines or complete cessation of business operations. DLP provides control, policy templates, automated compliance, and the collection and reporting of metrics.
  • Forensic data and E-discovery: DLP technology allows for capturing and archiving of evidence for forensic data analysis. Monitoring via DLP can include email, instant messaging, keystrokes, documents accessed, and applications used. Also, in case of a lawsuit or investigation, the forensic data can be used as evidence when data is sought in electronic format.
  • Automate corporate governance: DLP capabilities help you in the enforcement and automation of corporate policies and processes. This can bring in technical and organizational efficiencies, promote compliance, and bring transparency to information governance. Automated corporate governance lets you select an appropriate policy template for your system, which helps bring in more accountability.
  • Complementary data controls: DLP comes with complementary data controls such as data classification and data tagging, encryption, security information and event management, and an incident response system. These features ensure that all of your data is safe on the cloud storage system. Complementary controls along with DLP ensure that no data is accidentally exposed. DLP can monitor data in transit and at rest and ensure that it is safeguarded and protected.

Use Case: Limiting the Web login to a Specific Group of Users

With FileCloud’s Smart DLP you can restrict certain external users to logging in only through the web interface, with no other means of accessing the account. You can create a Smart DLP rule that allows login to a FileCloud account through a web browser only. These rules are easy to implement and provide flexibility in securing the data. FileCloud’s Smart DLP is your go-to solution for making the cloud ecosystem more transparent, accountable, and protected.
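To make the rule model concrete, here is an added example of a small policy evaluator that expresses this use case (external users may log in only from the web client) alongside rules keyed on the other conditions listed above: IP range, user type, email domain and folder path. It is an illustration written for this article, not FileCloud’s Smart DLP engine or its rule syntax; the company domain, office CIDR ranges, user names and paths are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, List, Optional, Tuple

# Constructed values: the company's own e-mail domain and its office network ranges.
COMPANY_DOMAIN = "example.com"
OFFICE_RANGES = [ipaddress.ip_network(c) for c in ("10.20.0.0/16", "203.0.113.0/24")]


@dataclass(frozen=True)
class Request:
    """One user action as seen by the policy engine."""
    action: str                 # "login", "download" or "share"
    user: str
    user_type: str              # "full" (employee) or "external" (guest/partner)
    email: str
    client: str                 # "web", "desktop_sync", "mobile", "webdav"
    source_ip: str
    path: str = ""              # file or folder involved, for download/share
    share_to: str = ""          # recipient e-mail address, for share


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                 # "deny" or "allow"
    when: Callable[[Request], bool]


def in_ranges(ip: str, nets) -> bool:
    """True if the source address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


RULES: List[Rule] = [
    # The use case from the text: external users may log in only through the web UI.
    Rule("external_web_login_only", "deny",
         lambda r: r.action == "login" and r.user_type == "external" and r.client != "web"),
    # Folder path + IP range: finance files may only be downloaded from office networks.
    Rule("finance_download_office_only", "deny",
         lambda r: r.action == "download" and fnmatch(r.path, "/finance/*")
         and not in_ranges(r.source_ip, OFFICE_RANGES)),
    # Folder path + e-mail domain: HR documents are never shared outside the company.
    Rule("hr_no_external_share", "deny",
         lambda r: r.action == "share" and fnmatch(r.path, "/hr/*")
         and domain_of(r.share_to) != COMPANY_DOMAIN),
]

AUDIT_LOG: List[dict] = []   # violation reports kept for later review


def evaluate(req: Request, rules=RULES) -> Tuple[str, Optional[str]]:
    """First matching rule decides; an unmatched request is allowed.

    Returns (effect, rule_name) and records every denial in AUDIT_LOG.
    """
    for rule in rules:
        if rule.when(req):
            if rule.effect == "deny":
                AUDIT_LOG.append({"user": req.user, "action": req.action, "client": req.client,
                                  "ip": req.source_ip, "path": req.path, "rule": rule.name})
            return rule.effect, rule.name
    return "allow", None


def run_demo():
    """Constructed sample requests: each rule triggered once, plus the permitted counterpart."""
    samples = [
        Request("login", "guest1", "external", "guest1@partner.example", "desktop_sync", "198.51.100.7"),
        Request("login", "guest1", "external", "guest1@partner.example", "web", "198.51.100.7"),
        Request("download", "alice", "full", "alice@example.com", "web", "198.51.100.7", "/finance/q3.xlsx"),
        Request("download", "alice", "full", "alice@example.com", "web", "10.20.5.9", "/finance/q3.xlsx"),
        Request("share", "bob", "full", "bob@example.com", "web", "10.20.5.9", "/hr/salaries.csv",
                "someone@mail.example"),
        Request("share", "bob", "full", "bob@example.com", "web", "10.20.5.9", "/hr/policy.pdf",
                "carol@example.com"),
    ]
    return [evaluate(s) for s in samples]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
    print(f"{len(AUDIT_LOG)} violation report(s) logged")
```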

Protecting Remote Work Data From Cyber Threats

The COVID-19 pandemic has created many challenges for enterprises across the world that have adopted a remote work culture full time. Certain statistics in the public domain suggest that the work-from-home culture is not new to many organizations. Across the world, many organizations were already following it, either fully or in part. Many employees have had the flexibility to work from home at least once a week or so. Of course, there are many sectors where this would not be true, but in most IT and IT-enabled sectors, it certainly holds.

What has changed with the COVID-19 crisis, though, is the choice between working from home or the office. Many governments across the world have made it mandatory that organizations provide work-from-home options to their employees, wherever applicable. Thus, the COVID-19 situation has resulted in a great jump in the remote work statistics compared to a few months back. While for a few companies it was just a matter of institutionalizing their already existing work-from-home policies, for many others it meant exploring options to make it possible. Either way, the business continuity plans of enterprises are changing to include the considerations and challenges of a remote work culture.

The Statistics

A State of Remote Work 2019 survey published by OWL Labs based on respondents in the US, suggests that ‘54% of respondents work remotely at least once per month, 48% work remotely at least once per week, and 30% work remotely full-time’. The survey covered respondents across all levels of people like individual contributors, team managers, consultants, directors, VPs, and more. It also covered industries like Healthcare, Education, Retail, Financial Services, Manufacturing, Technology/Internet, Government, Hospitality, and more. (Owl Labs has published a newer version of this report: State of Remote Work 2021.)

Considering the scenario of last year, it is safe to assume that these numbers have jumped by leaps and bounds owing to the COVID-19 situation, and that the same holds across the globe, as governments try to curb the spread of the disease by minimizing person-to-person contact. Workplaces with centralized air conditioning were a major worry, as the chances of one person infecting many others were high. So it appears that remote work is here to stay, and all the challenges around it need to be addressed by organizations as a priority.

The Challenges

Almost all issues surrounding the remote work mode are about security. Within secure corporate environments, data is protected by means of necessary precautions put in place. So, there is not much onus on employees to worry about the security aspect. Since they will be working with company-issued laptops, that will have company authorized software that also includes security aspects, there is a sense of safety. This scenario changes drastically when the employees start working remotely, as they could be working from home or elsewhere.

Problems range from using public Wi-Fi, not being aware of scams and phishing that happen in the cyber world, and a simple thing like just leaving your laptop open when moving around. Issues come in the form of a snooping housemate, to cyber attack experts who will be on the prowl. It is assumed that people working from home will be slightly lax on the security front, (knowingly or unknowingly) and they will take their chances.

Why is Cybersecurity Important?

Cybersecurity is of prime importance, and many organizations have learned this at a great cost. According to a report published in the Cyber Defense magazine quoting multiple sources, 43% of the cyber attacks were targeted at small businesses. 31% of organizations have experienced cyber attacks on operational infrastructure and malware is the most common type of cyber attack. The same report further states that the annual cost of cybercrime damages is expected to hit $5 trillion this year (2020).

A very interesting statistic presented there is that 95% of data breaches have causes attributed to human error! This is why awareness training for employees is important. Hackers are certainly becoming better at identifying and manipulating vulnerabilities in IT systems. This has also led to an increase in the cybersecurity budgets of organizations, and in the current situation perhaps even more so.

The Organizational Changes

From an organizational point of view, it is important to ensure that every employee working remotely is made aware of the risks involved. Comprehensive training covering all aspects, including probable cyber threats and how they happen, should be conducted. It is also important to make people aware of the consequences, so that maximum caution is applied while working remotely. The IT environment should be strengthened in such a way that people can work from elsewhere securely.

All end-point devices should be secured, monitored for any malicious activity, and protected along with the user’s identity to make sure misuse cannot happen. Multi-factor authentication (strong passwords combined with 2FA, etc.) should be adopted. If the enterprise is already using cloud services, the security policies may need to be revisited to ensure all necessary compliance requirements are in place. In such cases, employees should also be given access to collaboration and office productivity tools to make sure all communication remains within the ambit of the defined security measures.

The Suggestions

There are some simple steps that can be taken to ensure a reasonably good level of security for remote work. The main one is perhaps something that most organizations will already have in place: ensuring anti-virus software is installed on employee laptops. Depending on the mode by which employees access the corporate network, this provides basic security at the end-point.

Update Anti-virus Software

An important thing to remember is to keep anti-virus and any other security solutions updated across the organization. These solutions are updated to detect more threats on a day-to-day basis, so unless the updates are synced across the organization’s devices, the benefits won’t be seen. Public Wi-Fi, or even home Wi-Fi, can be hacked with little effort. Using public Wi-Fi should be avoided entirely, and home Wi-Fi should be protected with strong passwords that are changed often. The Wi-Fi settings should be changed to enable the strongest available encryption.

Use VPN or Secure Remote Connections

Using a VPN may be a good option to ensure a secure connection to corporate resources. Since every enterprise deals with the exchange of confidential information, laptops should never be left unattended and unlocked; breaches have happened, and can happen, unintentionally through this simple oversight. Employees should be trained to follow all corporate communication policies and should only use official communication channels. No local copies of documents and reports should be kept unless absolutely essential and explicitly permitted.

Report Suspicious Activity

Another safeguarding measure that employees should adopt is to report any untoward activity, mail, or suspicious documents and links immediately to the IT/security department. This can ensure any breach is caught early. One of the alarming aspects of breaches has been that it is usually too late (by as much as six months) by the time they are found and reported. Employees being aware and vigilant can contribute a lot to the organizational security policy.


A secure IT environment with aware and empowered employees, and good supporting security and collaboration tools can ensure protection from cyber threats.

Reference for the Suggestions: Remote Work Security.


Privacy In The Digital Age | Why Digital Privacy Is Important

Privacy has always been a crucial aspect of human existence. But as more data becomes digitized, and more information is shared online, data privacy is becoming more important. Data privacy denotes how information should be managed based on its perceived importance. It isn’t just a business concern; individuals have a lot at stake when it comes to the privacy of their data. The more you are aware of it, the better you’ll be able to shield yourself from multiple risks. In this digital age, the concept of data privacy is mainly applied to critical personal information, also referred to as personally identifiable information (PII) and personal health information (PHI). This typically includes financial data, medical and health records, social security numbers, and even basic yet sensitive information like birthdates, full names, and addresses.

For a business, data privacy transcends the PII of its customers and employees. It also encompasses the information that helps it operate, whether it’s proprietary research and development data or financial information that shows how money is spent within the company. Recent history has shown that when data that should remain private gets into questionable hands, bad things follow.

It’s a Data Driven Economy

User data is an extremely valuable asset in this information age. It not only helps organizations understand their customers, but also enables them to ‘track’ customers and target them with ‘relevant’ ads. Marketing is just one of the ways companies leverage user data to strengthen their position in the market and increase their revenues. There are other more harmful ways. In 2018, Facebook founder Mark Zuckerberg was called to testify before the United States Congress, following the Cambridge Analytica Scandal. Questioning during the hearings unearthed several details of a data privacy crisis for companies like Facebook that are dependent on data manipulation and harvesting.

More and more user groups, regulators and non-profits have begun demanding a legally enforceable ‘right to privacy’. Speaking at a privacy conference in Brussels, Apple CEO Tim Cook called for improved privacy laws. At a time when the data practices of industry titans like Facebook and Google are being called into question, Cook is pushing Apple in the opposite direction, not only talking up data privacy but also embracing new regulations. Cook has also criticized companies that base their business models on the harvesting of personal data for advertising, while highlighting that his company tries to collect as little of it as possible.

The Service Affordability Tradeoff

Many in the tech industry are disinclined to support privacy regulation because of its potential to hold back innovation. Mark Zuckerberg defended his company’s advertising-based model by pointing out that it enabled its services to “be affordable to everyone”. “Instead of charging users, we charge the advertisers”, he added. Google’s Senior VP for Global Affairs, Kent Walker, echoed the same sentiment, saying that ads allow them to deliver search to users of all income levels across the globe for free. However, both executives also acknowledged that security and privacy have to be a principal consideration, even if it impacts profitability. It’s impossible to ignore the fact that all this personal data can lead to interference with, and intrusion into, people’s private lives, which can have a damaging and distressing effect on individuals.

Data Privacy Should be a Basic Human Right

Though the US has relatively few regulations that govern the gathering and use of personal data, in several other places around the globe data privacy is considered a basic human right. Within the European Union, the recently enacted General Data Protection Regulation (GDPR) sets stringent legal standards for the handling of personal data. While ‘privacy’ may sound like a nebulous concept, it’s not a new idea in human rights law. The right to privacy safeguards an individual’s dignity by protecting their personal information from public scrutiny. This right is typically protected by statutory law.

The UN’s human rights office has inferred that governments should respect the right to privacy by regulating how private organizations – not just intelligence agencies and the police – treat personal data. Human rights courts have also acknowledged that the collection, use, storage, and sharing of personal data can infringe on privacy. Those actions should therefore be limited to what is unquestionably necessary and proportionate to a justifiable goal.

“All of us will have to think about the digital experiences we create to treat privacy as a human right”

– Satya Nadella, CEO of Microsoft

The GDPR Is Charting the Way

The EU-enacted GDPR will improve privacy and should propel other countries to enhance the protection of people’s personal information. The new regulation, which became legally binding across the EU’s 28 member states on May 25, 2018, is one of the most comprehensive and strongest attempts globally to regulate the collection and use of personal data by both the government and the private sector. Despite the fact that the GDPR has prompted multiple other nations to strengthen their cyber laws, none offer residents the right to data privacy. Courts and regulators have to work attentively to ensure that corporations and governments don’t try to exploit ambiguities in data protection laws.

Several companies have begun exploring how they can enhance the protection of users’ data and play a role in the continuing conversation about privacy as a human right. Those that are yet to do so have to develop the necessary tools and processes needed to track the source of the data they collect, making sure that data collected for a specific purpose is not exploited for another. They will also have to develop new policies outlining how data is collected and used in a clear, concise language, not legalese.


GDPR Presents Opportunities for MSPs

In today’s digital world, the issue of data privacy is provoking constant debate, with large corporations and even governments being objurgated for invasions of privacy. According to online statistics firm Statista, only about a third of internet users in the United States are concerned about how their personal data is shared. However, that number is likely to rise as privacy compliance becomes a ubiquitous business concern due to the growing number of regulations formulated to curb the unauthorized access and use of personally identifiable information. The GDPR is one such piece of legislation, and no other legislation measures up to the inherent global impact of the EU’s General Data Protection Regulation (GDPR).

Gartner’s prediction that more than half of companies governed globally by the GDPR will not be fully compliant by the end of 2018 has come to fruition. With less than a month to go, a survey of 400 companies conducted by CompTIA inferred that 52 percent were still assessing how GDPR applies to their business. The research also showed that only 13 percent were confident that they are fully compliant. GDPR will without a doubt be a disruptive force in the global marketplace that cannot be ignored. This presents prodigious business opportunities for MSPs to leverage their experience in network security offerings, class analytics solutions, and their own experiences implementing strategies around this new development.

1. An Opportunity to Become GDPR Compliant

As an MSP, it makes sense to protect your business from any reputational and financial consequences by becoming GDPR compliant. It is said that charity starts at home, it would therefore be incongruous for an MSP that is yet to achieve full GDPR compliance to offer guidance in the same aspect. The experiences you gain in your journey to compliance will be of great value to both current and potential customers.

2. An Opportunity to Engage and Educate Your Clients

Most non-European businesses are yet to establish whether the GDPR will apply to them. And for those that are aware, their MSP will likely be the first place they turn to for help; whether it’s to set up reporting tools, work on data encryption, conduct audits, or implement new data management practices. MSPs should ensure that their clients fully understand the extent and impact of the regulations, and prepare them for GDPR. Since they are already aware of their clients’ internal practices and processes, managed service providers are better suited to architect solutions that incorporate GDPR compliance and governance.

MSPs will have to re-onboard clients to make sure their prescribed SaaS offering will meet GDPR requirements. Gather resources and links that can help educate your clients. The use of informative marketing campaigns, or a resource center on your site will help create channels for dialogue – which may subsequently lead to new business projects.

3. An Opportunity to Understand Your Clients’ Data

Data is a crucial asset; however, most MSPs know very little about the data their clients possess. The only way an MSP can offer guidance and services related to GDPR is by understanding what data your clients have and where that data is located. MSPs should be ready to make an extra effort beyond protecting business applications to protecting personal data. The only way to accomplish this is by analyzing your clients’ existing data. Through this process, you will be able to identify any security gaps and create customized security offerings to fill them. Additionally, the data discovery will allow you to adjust your pricing accordingly and push your customers towards more secure technologies, or sell additional services that mitigate the risks their current business systems present.

4. An Opportunity to Offer Compliance and Security Related Services

MSPs tend to act as virtual CIOs for their customers. In most cases, the line between packaged service and free consultation tends to get blurred somewhere along the line. GDPR guidance could easily follow the same track – unless the value you offer is presented as a bundle that can be allotted a price tag. Compliance and security services are a potential gold mine for service providers who have acquired the management expertise to satisfy and simplify the complexities associated with the General Data Protection Regulation. Since having a designated Data Protection Officer (DPO) is a mandatory requirement under GDPR regardless of the size of the company; MSPs can use that as an opportunity to establish a DPO as a service model geared towards SMEs that may lack the resources to recruit costly, in-house compliance staff.

5. An Opportunity to Expose Your Brand

Marketing a compliance culture with transparency builds greater relevance and trust among current and potential customers. Companies looking to achieve full GDPR compliance are likely to align themselves with a service provider that has a demonstrated track record. Publicly documenting your GDPR compliance milestones on blogs, social media and your website confirms your familiarity with the subject. Once achieved, full GDPR compliance will act as a quality standard that can be placed on marketing channels to attract and reassure prospective clients.

In Closing

As the weight of the General Data Protection Regulation continues to impact the globe, sagacious MSPs will have an opportunity to assist their customers in preparing and to gain incremental revenue while supporting the European Union’s effort to create a digitally secure global marketplace. Despite the current rush to beat the May 25th deadline, compliance isn’t a one-off activity. Companies will always have a budget for comprehensive strategies aimed at achieving and maintaining privacy compliance.

image courtesy of freepik



Author: Gabriel Lando

ITAR Regulations {International Traffic in Arms Regulations}



ITAR was enacted in 1976 to control the export of defense-related articles and services. It stipulates that non-US persons are not allowed to have logical or physical access to articles regulated by the International Traffic in Arms Regulations, which are administered by the Directorate of Defense Trade Controls (DDTC), a sub-division of the State Department. The articles covered by ITAR are listed on the United States Munitions List (USML) and generally encompass any technology that is specifically designed or intended for military end-use. ITAR was also contrived to govern the import and export of any related technical data that describes, supports, or accompanies the actual exported service or goods, unless an exemption or special authorization is granted.

The goal of ITAR is to prevent the transfer or disclosure of sensitive information, typically related to national security and defense, to a foreign national. In most cases, non-compliance usually translates to the loss of assets and professional reputation. However, with ITAR, lives may possibly be at stake. This is why the International Traffic in Arms Regulations is a strictly enforced United States government regulation and carries some of the most austere criminal and civil penalties, which no business or individual would want to be on the receiving end of.

ITAR is not applicable to information that is already available in the public domain, or that is commonly taught in school under general scientific, engineering or mathematical principles.

Who is required to be ITAR compliant?

The law essentially applies to defense contractors who manufacture or export services, items or other information on the United States Munitions List. However, any company that is in the supply chain for such items must make ITAR compliance a priority. ITAR has a fairly complicated set of requirements, and since the repercussions of non-compliance are severe, companies should not hesitate to seek legal clarifications of their obligations if they even suspect the regulation applies to them – better safe than sorry. The vague categories of the USML make it difficult to intelligibly understand what exactly falls under the purview of military equipment.

The list is inclusive of most technology used for spaceflight, along with a vast range of technical data such as product blueprints, software and aircraft technology. Most of these items were initially developed for military purposes but were later on adapted for mainstream purposes – in aviation, maritime, computer security, navigation, electronics and other industries. It is crucial for firms that offer products and services to government consumers to fully grasp this distinction, to avoid expensive legal violations. ITAR may also likely impact large commercial enterprises, universities, research labs, and other institutions who are not directly involved in the defense industry.

The Repercussions of Non-compliance

Violating ITAR could lead to both criminal and civil penalties. The imposed fines are virtually unlimited – typically, organizations are prosecuted for hundreds of violations at once. The penalties for ITAR violations, both criminal and civil, are substantial. Criminal penalties may include fines of up to a million dollars per violation and 10 years’ imprisonment, while civil fines can be as high as half a million dollars per violation. Failure to comply with ITAR may also damage an organization’s reputation and ability to conduct business. The State Department maintains publicly available records of all penalties and violations dating back to 1978. Organizations and individuals run the risk of being completely debarred from exporting defense-related services and items.

Challenges in the Cloud

ITAR compliance and the adoption of cloud platforms present unique challenges. Uploading technical data to the cloud carries with it a huge risk of penalties and violations. There are a lot of questions as to whether or not regulated technical data can be stored in a public cloud. The intrinsic quandary is that cloud vendors use distributed and shared resources that will likely cross national borders, and this distribution of resources is not entirely transparent to the end-user. Data backup and replication are common security measures when sharing files and collaborating via the cloud, but they can inadvertently lead to unlicensed exports in the event data is sent to servers located outside the United States. Once technical data goes beyond U.S. borders, the risk of non-US persons having access to it increases exponentially.

In 2016, for example, Microwave Engineering Corporation settled an ITAR violation with the State Department after technical data related to a defense article was exported to a foreign person without authorization. So if giving a foreign person access to technical data, or placing it on a server in a foreign nation, is deemed an export, what guidance does ITAR give to ensure the entire process is done in a legal manner? Or is cloud storage simply off the table?

The State Department maintains that technical data can be stored on servers outside the U.S., provided that the ITAR license exemption conditions are met and adequate measures are taken to prevent non-US individuals from accessing the technical data. In most cases, the measure typically involves ensuring that any data sent to a server beyond U.S. borders, or that is potentially accessible by a foreign person within or outside the U.S., is properly encrypted. It is important to note that by law, cloud providers aren’t considered exporters of data; however, your organization might be. So the burden of ensuring ITAR compliance when handling technical data falls squarely on the people within the organization. Organizations dealing with defense-related articles in any capacity have to exercise extreme caution when using any commercial file sharing and sync service.


Author: Gabriel Lando

Personal Data Breach Response Under GDPR


Data security is at the heart of the upcoming General Data Protection Regulation (GDPR). It sets strict obligations on data controllers and processors in matters pertaining to data security while concurrently providing guidance on the best data security practices. And for the first time, the GDPR will introduce specific breach notification guidelines. With only a few months to go until the new regulations come into effect, businesses should begin focusing on data security. Not just because of the costs and reputational damage a personal data breach can lead to, but also because under the GDPR, a new data breach notification regime will be applied that mandates the reporting of certain data breaches to affected individuals and data protection authorities.

What Constitutes a Personal Data Breach Under GDPR?

GDPR describes a personal data breach as a security breach that leads to the unlawful or accidental loss, destruction, alteration, or unauthorized disclosure of personal data stored, processed or transmitted. A personal data breach is by all means a security incident; however, not all security incidents require the same strict reporting regulations as a personal data breach. Despite its breadth, this definition is not unusual among data security laws that require breach reporting. HIPAA, for example, makes the same distinction at the federal level for medical data. The distinction aims to prevent data protection regulators from being overwhelmed with breach reports.

By limiting breach notifications to personal data (EU speak for personally identifiable information – PII), incidents that solely involve the loss of company data or intellectual property will not have to be reported. The threshold for establishing whether an incident has to be reported to a data protection authority depends on the risk it poses to the individuals involved. High-risk situations are those that can potentially lead to significant detriment – for example, financial loss, discrimination, damage to reputation or any other significant social or economic disadvantage.

…it should be quickly established whether a personal data breach has occurred and to promptly notify the supervisory authority and the data subject.

– Recital 87, GDPR

If an organization is uncertain about who has been affected, the data protection authority can advise and, in certain situations, instruct them to immediately contact the individuals affected if the security breach is deemed to be high risk.

What Does The GDPR Require You to Do?

Under GDPR, the roles and responsibilities of processors and data controllers have been separated. Controllers are obliged to only engage processors who are capable of providing sufficient assurances to implement appropriate organizational and technical measures to protect the rights of data subjects. In the event of a data breach that affects the rights and freedoms of said data subjects, the organization should report it, without any delay and, where practicable, within 72 hours of becoming aware of it.

The data processor is mandated to notify the controller the moment a breach is discovered, but has no other reporting or notification obligation under the GDPR. However, the 72-hour deadline begins the moment the processor becomes aware of the data breach, not when the controller is notified of the breach. A breach notification to a data protection authority has to at least:

  1. Have a description of the nature of the breach, which includes the categories and number of data subjects affected.
  2. Contain the data protection officer’s (DPO) contact information.
  3. Have a description of the possible ramifications of the breach.
  4. Have a description of steps the controller will take to mitigate the effect of the breach.

The information can be provided in phases if it is not available all at once.
If the controller determines that the personal data breach can potentially put the rights and freedoms of individuals at risk, it has to communicate any information regarding the breach to the data subjects without undue delay. The communication should plainly and clearly describe the nature of the personal data breach and at least:

  1. Contain the DPO’s contact details or a relevant contact point.
  2. Have a description of the possible ramifications of the breach.
  3. Have a description of measures proposed or taken to mitigate or address the effects of the breach.

The only exception in this case is if the personal data has been encrypted and the decryption key has not been compromised; then there is no need for the controller to notify the data subjects.

The ideal way for companies to handle this GDPR obligation is not only to minimize breaches, but also to establish policies that facilitate risk assessment and demonstrate compliance.

The GDPR stipulates that records must be kept of every personal data breach, regardless of whether the breach needs to be reported or not. These records have to contain the details of the breach, its consequences and effects, and the follow-up actions taken to remedy the situation.

Should Ransomware Attacks Be Reported?

Ransomware typically involves the ‘hijacking’ of corporate data via encryption, with payment demanded in order to decrypt the ransomed data. Under GDPR, a ransomware attack may be categorized as a security incident, but it does not necessarily cross the threshold of a personal data breach. A ransomware attack would only be considered a personal data breach if there is a backup but the outage directly impacts users’ freedoms and rights, or if there is no backup at all. Ideally, a ransomware attack where the ransomed data can be quickly recovered does not have to be reported.
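The obligations laid out above (the 72-hour clock from discovery, the minimum contents of the two notifications, the encrypted-data exception, the ransomware threshold and the duty to record every breach) worked into a small breach-assessment helper. This is an added example, not FileCloud’s code or the regulation’s text; the field names, the sample incidents and the `NOW` timestamp are constructed for illustration.

```python
"""Assessment helper for the GDPR breach-notification rules described above.
Added example; the dataclass fields, thresholds and samples are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# The supervisory authority must be notified within 72 hours of becoming aware.
AUTHORITY_DEADLINE = timedelta(hours=72)

# Minimum content of a notification to the data protection authority (items 1-4).
AUTHORITY_FIELDS: Tuple[str, ...] = (
    "nature", "subjects_affected", "dpo_contact", "consequences", "mitigation")
# Minimum content of the communication to affected data subjects (items 1-3).
SUBJECT_FIELDS: Tuple[str, ...] = (
    "nature", "dpo_contact", "consequences", "mitigation")


@dataclass
class Breach:
    """Facts an incident responder records about a suspected personal data breach."""
    description: str
    aware_at: datetime                   # moment the breach was discovered (UTC)
    personal_data_involved: bool         # loss of only company data / IP is out of scope
    risk_to_rights: bool                 # any risk to individuals -> notify the authority
    high_risk: bool                      # significant detriment likely -> notify subjects
    encrypted: bool = False              # was the affected personal data encrypted?
    key_compromised: bool = False        # ...and was the decryption key exposed?
    ransomware: bool = False
    backup_available: bool = True
    outage_impacts_rights: bool = False  # ransomware: does the outage itself harm subjects?
    notification: Dict[str, str] = field(default_factory=dict)  # content gathered so far


def is_personal_data_breach(b: Breach) -> bool:
    """Threshold test: personal data must be involved, and a ransomware incident
    only counts if there is no backup, or a backup exists but the outage still
    harms the data subjects."""
    if not b.personal_data_involved:
        return False
    if b.ransomware:
        return (not b.backup_available) or b.outage_impacts_rights
    return True


def must_notify_authority(b: Breach) -> bool:
    return is_personal_data_breach(b) and b.risk_to_rights


def must_notify_subjects(b: Breach) -> bool:
    """High-risk breaches go to the data subjects, unless the data was encrypted
    and the decryption key was not compromised."""
    if not (is_personal_data_breach(b) and b.high_risk):
        return False
    return not (b.encrypted and not b.key_compromised)


def authority_deadline(b: Breach) -> datetime:
    """72 hours from the moment of discovery, not from when the controller was told."""
    return b.aware_at + AUTHORITY_DEADLINE


def missing_fields(b: Breach, required: Tuple[str, ...]) -> List[str]:
    """Fields still absent; the information may be supplied to the authority in phases."""
    return [f for f in required if not b.notification.get(f)]


def assess(b: Breach, now: datetime) -> dict:
    """Summarise the obligations as of `now`. A record is required for every
    breach, whether or not it turns out to be reportable."""
    deadline = authority_deadline(b)
    return {
        "record_required": True,
        "personal_data_breach": is_personal_data_breach(b),
        "notify_authority": must_notify_authority(b),
        "notify_subjects": must_notify_subjects(b),
        "authority_deadline": deadline.isoformat(),
        "hours_remaining": round((deadline - now).total_seconds() / 3600, 1),
        "missing_authority_fields": missing_fields(b, AUTHORITY_FIELDS),
        "missing_subject_fields": missing_fields(b, SUBJECT_FIELDS),
    }


# Constructed sample incidents and assessment time (not real cases).
NOW = datetime(2018, 6, 2, 9, 0, tzinfo=timezone.utc)
LOST_LAPTOP = Breach(
    description="Laptop holding HR records lost in transit",
    aware_at=datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc),
    personal_data_involved=True, risk_to_rights=True, high_risk=True,
    encrypted=True, key_compromised=False,
    notification={"nature": "Lost encrypted laptop", "dpo_contact": "dpo@example.org"},
)
RANSOMWARE_RESTORED = Breach(
    description="File server encrypted by ransomware, restored from backup in two hours",
    aware_at=datetime(2018, 6, 2, 14, 30, tzinfo=timezone.utc),
    personal_data_involved=True, risk_to_rights=True, high_risk=False,
    ransomware=True, backup_available=True, outage_impacts_rights=False,
)

if __name__ == "__main__":
    for incident in (LOST_LAPTOP, RANSOMWARE_RESTORED):
        print(incident.description, assess(incident, NOW), sep="\n  ")
```

The lost laptop still has to be reported to the authority, but not to the data subjects because the disk was encrypted and the key is intact; the quickly restored ransomware case falls below the personal-data-breach threshold yet still gets a record.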

What Are the Consequences of Non-Compliance?

A failure to comply with the GDPR’s breach reporting requirements will not only result in negative PR, constant scrutiny, and possibly loss of business, but will also attract an administrative fine of up to €10 million or up to two percent of the total global annual turnover of the preceding financial year. Additionally, failure to notify the supervising authority may be indicative of systematic security failures. This would constitute an additional breach of GDPR and attract further fines. The GDPR does have a list of factors the supervising authority should consider when imposing fines, chief among them being the degree of co-operation by the data controller with the protection authority.

In Closing

Data breach notification laws have already been firmly established in the U.S. These laws are designed to push organizations to improve their efforts in the detection and deterrence of data breaches. The regulators’ intention is not to punish but to establish a trustful business environment by equipping organizations to deal with security issues.

Author: Gabriel Lando

image courtesy of freepik

Personal Data, PII and GDPR Compliance



The countdown for the European Union’s General Data Protection Regulation (GDPR), which will go into full effect in May 2018, is coming to a close. GDPR aims to solidify the data privacy rights of EU residents and the requirements on organizations that handle customer data. It introduces stern fines for data breaches and non-compliance while giving people a voice in matters that concern their data. It will also homogenize data protection rules throughout the EU. The current legislation, the EU Data Protection Directive was enacted in 1995, before cloud technology developed innovative ways of exploiting data; GDPR aims to address that. By enacting strict regulations and stiffer penalties the EU hopes to boost trust within a growing digital economy.

Despite the fact that GDPR came into force on 24th May 2016, organizations and enterprises still have until the 25th of May 2018 to fully comply with the new regulation. A snap survey of 170 cybersecurity pros by Imperva revealed that while a vast majority of IT security professionals are fully aware of GDPR, less than 50 percent of them are getting everything set for its arrival. It went on to conclude that only 43 percent are assessing the impact GDPR will have on their company and adjusting their practices to comply with data protection legislation. Even though most of the respondents were based in the United States, they are still likely to be hit by GDPR if they solicit and/or retain (even through a third party) EU residents’ personal data.

Remaining compliant with GDPR demands, among several other things, a good understanding of what constitutes ‘personal data’ and how it differs from ‘personally identifiable information’ or PII.

What is Personal Data In the GDPR Context?

The EU’s definition of personal data in GDPR is markedly broad, more so than in current or past personal data protection law. Personal data is defined as data about an identified or identifiable individual, whether identified directly or indirectly. It is now inclusive of any information that relates to a specific person, whether the data is professional, public or private in nature. To mirror the various types of data organizations currently collect about users, online identifiers like IP addresses have been categorized as personal data. Other data such as transaction histories, lifestyle preferences, photographs and even social media posts are potentially classified as personal data under GDPR. Recital 26 states:

To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

This definition of personal data directly applies to all the 28 states in the European Economic Area (EEA).

Is Personally Identifiable Information (PII) the Same as Personal Data?

The term ‘Personally Identifiable Information’ doesn’t appear anywhere in the GDPR; however, it does have a definite meaning in US privacy law. Therefore the term itself is likely to cause confusion for anyone seeking to comply with GDPR. For a concept that has become ubiquitous in both technological and legal colloquy, PII is surprisingly hard to define. In a nutshell, PII refers to any information that can be used to distinguish one individual from another. This includes any information that can be used to re-identify anonymous data. It can refer solely to data that is regularly used to authenticate or identify an individual, as opposed to information that violates the privacy of an individual, that is, reveals sensitive information about someone. The US interpretation of the term is undeniably incongruous with what is relevant for a proper GDPR assessment, since it pre-selects a set of identifying traits.

To put it bluntly, all PII can be considered personal data but not all personal data is Personally Identifiable Information. Developing a solid GDPR compliance program demands that IT architects and marketers move beyond the restricted scope of PII to examine the full spectrum of personal data as defined by the EU.

Handling Personal Data in Accordance With GDPR

The first step to GDPR compliance in matters pertaining to personal data is undoubtedly a risk assessment of how existing data is being stored and accessed, the level of risk attached to it, and whether it contains any PII. The data might be stored on server file systems, databases or even on an end user’s physical storage or cache. Becoming GDPR compliant will mean that you are not only protecting more data types in the future but will also involve expending more effort on the identification of existing data that initially wasn’t considered personal data. It is important to note that you cannot limit your scope to the data you hold as if it were a closed system. Nowadays, people typically interact with interconnected systems, and GDPR mirrors that. In such scenarios, organizations should focus outward and infer who in their ecosystem can connect one attribute to another, given the multiple paths to re-identification within that ecosystem.

Additionally, GDPR requires that documented ‘opt-in’ consent be provided by each individual. The consent has to explicitly pinpoint the data collected, how it is going to be used and how long it will be retained. Organizations also have to provide participants with an option to withdraw their consent at any given time and request that their personal data be permanently deleted. Participants should have the ability to get factual errors amended, and even request their personal data for review and use.

The General Data Protection Regulation sets a new standard in the protection of personal data. Its efforts aim to grant data subjects more control over their data while ensuring the transparency of operations. FileCloud provides a set of simple features that can help organizations meet GDPR requirements.


Author: Gabriel Lando

Image courtesy of