close
close
Your Network of Tomorrow
Your Network of Tomorrow
Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.
          Experience Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            Netskope debuts as a Leader in the Gartner® Magic Quadrant™ for Single-Vendor SASE
              Securing Generative AI for Dummies
              Securing Generative AI for Dummies
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                Modern Data Loss Prevention (DLP) for Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Modern SD-WAN for SASE Dummies Book
                  Modern SD-WAN for SASE Dummies
                  Stop playing catch up with your networking architecture
                    Understanding where the risk lies
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                            Netskope GovCloud
                            Netskope achieves FedRAMP High Authorization
                            Choose Netskope GovCloud to accelerate your agency’s transformation.
                              Let's Do Great Things Together
                              Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.
                                Netskope solutions
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Netskope Technical Support
                                  Netskope Technical Support
                                  Our qualified support engineers are located worldwide and have diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ensuring timely and quality technical assistance
                                    Netskope video
                                    Netskope Training
                                    Netskope training will help you become a cloud security expert. We are here to help you secure your digital transformation journey and make the most of your cloud, web, and private applications.

                                      Policies Need Enforcement to Help Compliance

                                      Mar 09 2018
                                      Tags
                                      CASB
                                      Cloud Security
                                      GDPR
                                      GDPR Compliance

                                      The EU General Data Protection Regulation (GDPR) places considerable responsibility on both controllers and processors concerning keeping documentation, providing information to data subjects and demonstrating accountability.

                                      In order to enforce compliance with the principles of GDPR, controllers need to turn their attention inwards and ensure that they have in place appropriate policies and procedures. At the same time, they need to turn their attention outwards towards the relationship that they have with processors of all shapes and sizes to ensure that adequate contractual controls are in place between the controller and each processor. Also, when looking outwards, the controller needs to have regard to the transparent information or privacy notices being directed at data subjects.

                                      The processors equally have to attend to the enforcement of compliance with GDPR by addressing their contractual terms with their clients (who will be controllers) as well as understanding that as a processor they will need to support the compliance of the controller, put in place their own record keeping procedures, information security standards, and data protection impact assessments. Furthermore, each processor that is caught by GDPR may well be a controller in its own right in relation to the data that it holds about its own employees in the EU and also its own processing of personal data that is not under the instructions of its controller clients.

                                      As we begin to develop appropriate accountability policies and procedures, so the list grows. It is not unusual now to see that list includes:

                                      • External facing website privacy notice
                                      • Internal privacy notice and data protection policy
                                      • Cookie statement
                                      • Information security policy
                                      • Bring your own device policy
                                      • Email and internet policy
                                      • Social media policy
                                      • Monitoring in the workplace policy
                                      • CCTV policy
                                      • Incident response and data breach policy
                                      • Privacy by default/design policy
                                      • Legitimate interests assessment policy
                                      • Data protection impact assessment policy
                                      • Subject access requests policy
                                      • Data Subject rights handbook – right of erasure – data portability – profiling
                                      • Supplier/processor due diligence procedure
                                      • Standard controller to processor/sub processer terms
                                      • International data transfer solutions
                                      • Data Protection Officer appointment
                                      • Record of processing activities template
                                      • Data destruction policy
                                      • Data retention policy
                                      • Compliance training policy

                                      As controllers and processors that are caught by GDPR look to provide plain and intelligible transparent information notices to individuals, they will need to consider how to encapsulate in plain and intelligible language a considerable amount of detail that is mandated by GDPR, namely:-

                                      • Name and contact details of the controller/processor/representative.
                                      • A description of the purposes of processing activities.
                                      • Where a lawful ground for processing is legitimate interests then an explanation of those legitimate interests.
                                      • A description of categories of data subjects.
                                      • A description of categories of personal data.
                                      • The categories of recipients to whom personal data have or will be disclosed, including recipients in third countries.
                                      • Details about international data transfers and appropriate safeguards that are in place.
                                      • Details of the Data Protection Officer (if required).
                                      • A general description of the technical and organisational security measures.

                                      Regarding information that needs to be made available to individuals, there will need to be innovation as to how that data is displayed particularly where access to the information is through devices and via apps. It may no longer be possible to display lengthy legalistic terms and may be better to consider the use of layered privacy notices, so that the essential information is given at the start of the relationship or journey and that the individual can then “see more” in terms of the key information statements.

                                      Where information notices are aimed at children, and where parental or guardian consent is not expressly required, then it may be necessary to consider the language or icons that could be used to ensure that the information given is also understood.

                                      Because individuals have enhanced rights under GDPR such as the right to object to certain processing or the right of erasure in relation to certain personal data, so controllers and processors will need to have in place the technical and organisational ability to track touchpoints with individuals in relation to the exercise of their rights, so that opt-ins and opt-outs for particular processing activities can be tracked and retained.

                                      In demonstrating the ability to handle the rights of data subject, controllers, in particular, will need to look at legacy personal data to see if they can demonstrate an audit trail of the lawful grounds for processing. Dependent upon the quality of previous record keeping and data management this may be a manageable task or maybe a significant task. In addition to legacy personal data, systems will need to be implemented now to ensure that going forward permissions from data subjects are appropriately managed and that the rights of data subjects can be adhered to by controllers and their processors.

                                      When information notices have been updated, record keeping is in place, and policies and procedures have been developed, then in order to enforce compliance, roll-out and monitoring of adherence to such policies and procedures and the training in respect of the same are critical. There is no point in having policies and standard operating procedures if nobody knows that they exist or that there is no evidence that has been adequately communicated to staff.

                                      author image
                                      Robert Bond
                                      Browse recent articles by Robert Bond, one of the contributors at Netskope. Discover the latest trends and updates within the cloud and network space.
                                      Browse recent articles by Robert Bond, one of the contributors at Netskope. Discover the latest trends and updates within the cloud and network space.

                                      Stay informed!

                                      Subscribe for the latest from the Netskope Blog