What happens when you directly or indirectly enroll your email to receive a newsletter or bank statement? When you make an online purchase, have you ever considered where your credit card information has ended up, or been uncomfortable with your home address being shared with an online vendor? In a world where we pay bills, shop for groceries, socialize and book travel online, a shocking amount of personal information is shared daily, and inconsistent interpretations of laws on what information can be shared have become a global issue. GDPR has arrived and is putting control back in the hands of the consumer.
The General Data Protection Regulation (GDPR) was recently introduced in the European Union to govern privacy and extend individual control over personal data, clarify and enforce certain security and control measures meant to protect data and ensure transparency in the use of personal data.

The GDPR is a legal act slated to replace the current one, Directive 95/46/EC, enacted in 1995, which has been inconsistently interpreted by the various EU member states. Enacted by the European Parliament and the Council as Regulation (EU) 2016/679, GDPR was adopted in April 2016 and officially goes into effect on May 25, 2018. It provides rules that are better suited to the digital age and more transparent, meant to strengthen data protection and give internet users more control over any personal information processed by companies.
The term “personal data” has a very specific scope of coverage which seems to be in flux depending on where you are in the world and who you are interacting with. GDPR will simplify and streamline this definition and make it uniform across the EU. To take the term down to bare bones, “personal data” is any personal information used to identify a natural person or individual.

A person’s passport number, address, phone number, IP address, email address, account number or driver’s license number are considered “personal data.” In addition, any medical, physical, genetic, economic, photographic or cultural information is also considered “personal data” if it can be used to identify a natural person, directly or indirectly.
If you offer goods or services (paid or unpaid) to citizens of the EU, GDPR affects your business, regardless of where it is headquartered. Extended control over personal data collection is given to EU consumers, while the task of complying with the new regulations is placed squarely on businesses and corporations. GDPR has several obvious far-reaching implications for the IT sector, but also for the marketing and sales industries.

Gone are the days (for EU citizens) of inquiring about a specific product or service and receiving bulk emails or newsletters advertising extended options or unrelated products. Companies are responsible for obtaining clear consent from consumers for the way personal data is used, processed and stored for each individual transaction. Now, an inquiry about a router is simply that, and not an open invitation for email blasts about the latest fad diet or dog food.
Failure to comply with the GDPR, as determined by authorities who will be performing data protection audits, could potentially mean fines upwards of €20,000,000 or up to 4% of an organization’s worldwide annual turnover, whichever is higher. Bankruptcy could be in the cards for those who ignore the directive or refuse to comply.
Step 1: Know Your Business - Data Inventory Audit
Businesses are becoming increasingly diversified, presenting new challenges in the field of data inventory. In order to protect personal data you need to understand what data you have stored currently and where the data is located. Organizations supplying goods and services in the EU with suppliers or headquarters outside the EU should be increasingly aware of any stored data existing in the other regions (like Asia).

Step 2: The Sword and Shield - Data Protection
Some businesses previously shirked their data protection responsibilities because of the added cost; with GDPR placing that responsibility squarely on businesses, data protection can no longer be left on the sideline. After you’ve performed a data inventory audit, evaluate your current security system to determine whether your existing technology can adequately defend the data should it come under attack. Apart from the required technology, skilled people and professional support are also a MUST for building an effective protection system for personal data.

Step 3: Master of the Data Flow - Control
Ideally, now you know where your data is located. The next step is to monitor and control the data access and processes. Control over data flow will be of paramount importance in determining where the data will be located in the future, who can access what type of data, how the data is processed and how processing will be controlled. GDPR means mastery of your data flow is imperative if you want to be in full compliance.

Step 4: Be Aware of your Surroundings - Response
Under GDPR regulations, organizations will have 72 hours to report any data breach to the authorities and the data subject.
To comply with GDPR you need to protect personal data throughout the entire data lifecycle. Sangfor can help you with collection, storage, processing, transfer and eventually erasure. Sangfor will also assist you in integrating your current security protection technology and systems into each stage of the data lifecycle and in identifying any gaps in data protection at each stage. Contact your Sangfor Regional Sales Office to discuss products and services that will keep you compliant and ahead of the GDPR curve!
Sangfor provides a comprehensive defense system which helps secure personal data and prevent data breaches. Our two product lines, security and cloud computing, provide asset access control, advanced threat detection, prevention and quick risk response. The capabilities of each line are listed below by data lifecycle stage.
Security Product

Collect
  Column 1:
    1. Encrypt the PII data collection
    2. Customizable terms of use (notify user how to use & store data)

Store
  Column 1:
    1. Encrypt PII data storage in IAM (in development)
  Column 2:
    1. Port and weak password scan, report potential risks
    2. Real time vulnerability analysis
    3. Threat Intelligence sharing with CNCERT, Google VirusTotal, etc.
    4. Cloud based sandbox detection
    5. DLP policy. Set PII data protection policy
    6. SQL injection protection
    7. Encrypt PII data storage in NGAF (in development)

Process
  Column 1:
    1. Policy based access control
       a. Restrict server access for unauthorized staff or guests
       b. Ingress by policies like OS, anti-virus software installation, files, etc.
       c. Key based authorization of access report center
    2. Granular admin rights control, authorization of individual users with individual access rights
    3. Audit and logging for user access
  Column 2:
    1. Policy based access control in different zones
    2. Ransomware defense

Transfer
  Column 1:
    1. Restricting the upload of files to cloud drive
    2. Audit user behavior, including file upload, email, IM, etc.
    3. IPsec VPN & Sangfor VPN for encrypted
    4. BA DLP leakage risk analysis
    5. Encrypted data transfer from internal to external server
  Column 2:
    1. VPN encrypted transfer between branches/locations
    2. Restricting the upload of files to cloud drive
    3. Audit user behavior, including file upload, email, IM, etc.

Destroy
  Column 1:
    1. Guidance for customer on PII data deletion process
  Column 2:
    1. Guidance for customer on PII data deletion process

Cloud Product

Store
  Column 1:
    1. aSAN provides data storage and policy automation
    2. Data storage encryption (in development)
  Column 2:
    1. Data storage and policy automation (example: administrator unable to view screen via console)
    2. Enables user data encryption

Process
  Column 1:
    1. aSV/aNET provides policy creation and enforcement for access control with distributed firewall and ACL policy
    2. Audit and logging for user access
    3. Multi-user separation
  Column 2:
    1. Policy creation and enforcement
    2. Logging and auditing for all VM operations
    3. Hidden watermark in screenshots
    4. Anti-screenshot

Transfer
  Column 1:
    1. SSL VPN enables data encryption in transit
  Column 2:
    1. Enables built-in data encryption in transit, remote access and migration
    2. Data export audit logging & disable USB data export

Destroy
  Column 1:
    1. Virtual machine data deletion
  Column 2:
    1. Virtual machine & personal data deletion
Time is limited before GDPR takes effect and it’s never too late to build up protection for your existing data and network. Check out our website for more information about our one-stop solutions for network security and cloud computing: http://www.sangfor.com
Founded in 2000 and recently listed (STOCK CODE: 300454 (CH)), Sangfor is a leading vendor of IT infrastructure solutions specializing in Cloud Computing & Network Security.
International Recognition and Cooperation
Continuous Investment in Research & Development
Strong Technical Support