We asked some of the leading figureheads and thought-leaders in the field of cybersecurity and privacy to give us their thoughts about what 2019 has in store for us when it comes to privacy and data protection, just days before the Data Protection Day (or Data Privacy Day as it is called in the US). We received more than 100 replies that cover the widest possible spectrum and show how important and critical that field has become for the wider tech community.
So why the Data Protection day is so important?
Mike Turner, Head of Compliance at Mojo Mortgages, gives his thoughts
DP day provides the opportunity to bring governments, parliaments, and regulators and specific DP bodies together to raise awareness of what rights individuals have, specifically relating to personal data and privacy. The day opens up the floor for active discussions about how we can better protect and guard the data across a variety of industries, as well as the tools and strategies to put them in place.
With that being said, the awareness behind data protection should be permeated to society every day. Yes, Data Protection Day serves a timely reminder of individual privacy, however distributing awareness surrounding data protection should be instilled in every companies strategy.
Nonetheless, Data Protection Day gives a chance for a diverse number of organisations to come together to acknowledge the trust customers put in organisations to protect their data and stresses how important safeguarding customer data will be if business are to be successful.
Is it actually necessary to have such an event in 2019?
Colin Truran, principal technology strategist, Quest answers
Data Privacy Day has been a fixture of the calendar since 2007, and I believe it needs to evolve to stay relevant with the rapidly changing data landscape. Beyond raising awareness, the 28th January needs to become a day where businesses are genuinely held accountable for their data protection practices.
To celebrate a day like this, we should be calling on all organisations to be transparent and publish exactly what they’re doing to safeguard their customers’ data, making Data Privacy Day an annual check-in on the health of data protection and to ensure there are no hiding places for data misuse. The day is an opportunity for organisations to demonstrate how competitive they are in upholding the rights of the individual and protecting their data.
How does trust factor in to data protection?
Mark Barrenechea, CEO at OpenText, elaborated
Banish data, or the trust to protect it, and the world falls apart: all commerce would cease; bank accounts would have zero balances; planes would fall out of the sky; cars would halt in their tracks; power and water would stop flowing. Data, business and life are inseparable, and as indispensable as water, air and electricity. More profoundly, data and systems are so advanced that we can begin to see our human and cognitive form in our own digital data trails. Every day we are building, brick by brick and bit by bit, a digital copy of ourselves, whether we are aware of it or not.
The nature of the data has changed, as today’s data goes well beyond what you can find in the phone book of a decade ago. In this digital era, your modern data now includes your behaviours (friends list, what you read, pictures, a recording of all your phone calls, etc). But what is the real difference when a bad actor steals 135 million people’s data from a credit aggregator or when a social media company sells 85 million people’s data to a political consulting firm? The actors are different, but the consumer impact is the same. Trust is broken. Whether it be governments, individuals or businesses, when trusted with data, it is job Number 1 to defend and protect that which is entrusted. This trust transcends products or services.”
Why data protection has becoming increasingly complex and the regulatory framework is more significant now more than ever before?
Darren Barker, VP & General Manager UK&I of Hitachi Vantara
Unlike a traditional currency, you can’t hand data over to a bank or lock it in a vault. Rather than a bank manager, businesses increasingly entrust their data to the Chief Data Officer. Still, companies live under the constant shadow of stringent regulation. This isn’t a bad thing – imagine today’s world if banks didn’t exist. Yet, while many are anxious about how their data is being used, everyone – individuals and corporations alike – stand to benefit from leveraging insights from their data. Hence data protection is more than just a business imperative, it is a social issue. However, the onus is on businesses first and foremost to handle their data responsibly, regaining the trust of a public that is increasingly wary of how their data is used.
Describe the data power shift you have seen between businesses and consumers post-GDPR?
Jasmit Sagoo, senior director, Northern Europe at Veritas, observed
For years, organisations have failed to understand the real value of their data, or the repercussions of mishandling it. Our Truth in Cloud research found that most UK businesses (75%) export full responsibility for data protection to their cloud providers, with over half (52%) wrongly assuming their cloud providers are responsible for complying with data privacy regulations.
We also found that 42% of companies’ total data environments are either stale (i.e. have not been modified in the last three years) or ancient (i.e. have not been modified in the last seven years).
However, the change in data privacy regulations has served as a much needed wake-up call for organisations. Beyond the hefty fines for regulatory non-compliance, companies have begun taking notice of the real reputational damage that could result in a lack of responsibility for protecting and managing their data. Our research revealed UK consumers would punish organisations that don’t protect their data by shopping elsewhere or by attacking their brand reputations.
Meanwhile, the potential benefits of investing in effective data protection and management are vast, such as the ability to personalise and improve customer service and create information-centric business models that give way to new revenue streams. In addition, nearly half (46 per cent) of UK consumers say they would spend more money with organisations they trust to look after their data, with over a fifth (21%) willing to spend up to 25% more with businesses that take data protection seriously.
Today, more and more companies are beginning to realise the importance of not only protecting their data, but also understanding exactly what data they hold, where it sits, who has access to it and how quickly they can retrieve it. Businesses must now be able to automatically classify large volumes of digital data, scanning and tagging it in a granular, intelligent manner to ensure that information is managed effectively and can be accessed efficiently and on-demand.
Technology aside, businesses must also instil a culture of digital compliance and responsibility among their employees. And there’s no question about whether this is needed: an overwhelming majority (91%) of organisations admit that they lack a culture of good data governance. With a three-fold approach to managing data which includes technology, processes and people, organisations will be in strong position to reap the rewards associated with protecting and managing data and building customer confidence in today’s digital economy.
What are the key questions businesses should ask themselves on data privacy day?
David Francis, Information Security Consultant at KCOM
The first question you should ask yourself today is: Do you know when you’ve been attacked? It takes companies an average of 206 days to discover a breach, so the answer is ‘probably not.’ And the threat doesn’t just have to be external: you could have sleeper agents placing time bombs in advance. They don’t necessarily need to be onsite at the crucial moment.
It could be a developer with a grudge placing a time bomb in the system to erase crucial intellectual property, or even an outgoing executive quietly deleting things in the background. If done quietly over a period of time, you could lose your backups as well, with no way of tracing the culprit. This is in addition to the huge GDPR fines you would face. Companies need to have measures in place to track data movement to prevent this kind of insider threat.
The next question to ask yourself today is whether you have been paying attention to the news around GDPR. If 2018 was the year of compliance, 2019 will be the year of retribution for everyone’s favourite data privacy regulation. The period of grace is drawing to a close, and we’re already seeing the ICO taking its first high-profile scalp over treatment of personally identifiable information, with Google being the first to fall in France.
This has set the precedent by which all further cases are judged – letting companies know along the way just how strictly enforced the rules are going to be, and how heavy the fines. Now is the time to check your compliance levels. If 2019 is anything like 2018, consumers are in the firing line. With these scenarios in mind, on Data Protection Day, it’s time to re-evaluate your security plans and consider: Does this plan put the customer first? Is your security system tracking insider threats? Are you aware of which employees have access to what data? Are you GDPR compliant?
If your organisation can safely answer yes to all these questions, congratulations, you have had a successful Data Protection Day. However, that doesn’t mean it’s time to stop evaluating your systems, in today’s security landscape, you can never be too safe.
What advice can you give to security teams that look to safeguard business and customer data in the long-term?
Chris Hodson, EMEA CISO, Tanium, suggested
The security function can certainly help with the “how” of data protection and must be responsible for putting the processes in place to ensure that data is safeguarded. However, we are often very little use in ascertaining the “why” of data collection. For a security team or CISO, it’s about ensuring that controllers (and processors) carry out data processing in a transparent fashion.
It’s about making sure that information is not left lying around in servers ad infinitum. That’s why the best defence is a model for qualification and assurance. That means having real-time visibility of the data stored across your network and where threats and vulnerabilities exist.
But it also means taking a role in educating our boards, executives, and fellow employees on their role in protecting data: choosing systems and practices that support GDPR principles and maintaining practices that safeguard customer data in the long-term.
Isn’t data protection expensive and complex though?
Steve Abbot, the CEO of DocAuthority, chimed in
However, following a string of high-profile data breaches, stringent data privacy regulations such as the General Data Protection Regulation (GDPR) have made it an obligation for businesses to take responsibility for their data. This week Google became the first company to receive a major penalty under GDPR, being fined $57 million by French regulators. This in turn has triggered more awareness about the importance of data management and protection. Understanding the universe of information being stored and managed by a business, is a critical step to being able to evaluate risk from breaches, compromise or loss. How can you effectively protect your data, if you don’t know what you have?
This lack of transparency means that security is typically approached in completely the wrong way. Most businesses invest a lot of money in broad-brush security strategies, protecting by file location rather than by the sensitivity of the documents that resides there. This is not only expensive, but ineffective. It makes the assumption that documents of the same level of value and risk to the business are stored in the same places.
Ultimately only 5% of a business’s data is absolutely critical and must be protected. The rest might be anything from previous versions of documents, to cafeteria menus. So why do we apply the same levels of security to all information? We need to rethink our approach to cybersecurity and protect individual files by the true value they represent, rather than simply where it lies on the system.
Data identification tools are getting smarter and can be used to enable a more strategic approach to data protection. By categorising documents by value, these tools can help businesses identify the data their organisation stores, delete irrelevant or toxic information and make improved decisions around the management and protection of a smaller, business-core set of data. This can then be protected with confidence, and at far less expense.
Did the quest for maximum data security affect other aspects of business?
Peter Majeed, VP for Customer Success and Field Services at Delphix, added
Should businesses limit the amount of data they require from customers?
Emma Butler, Data Protection Officer at Yoti, noted
Whether opening a new bank account, applying for a job, or even buying alcohol, we’re all faced with routinely having to prove our identity. While this will inevitably continue, we need to regain control of our data. It makes no sense that while our lives are becoming more digital, the way that we prove who we are remains stagnant. At some point today we should all take a moment to reflect on who has access to our information, why they need it and what it is being used for.”
How can businesses achieve better data protection?
Elodie Dowling, Corporate VP EMEA General Counsel at BMC Software, advised
What can consumers do to better protect their privacy online?
Matt Bird, General Manager at InLinkUK, stressed
It’s important that users and network providers alike take steps to protect data on the go. An encrypted network connection, which is unique to each device, is that extra step to ensure Wi-Fi networks are safe for confidential browsing, accessing online accounts or making payments. Encrypted Wi-Fi networks work as a barrier against personal or sensitive data being compromised.
The good news is that tech and telecommunications companies are pushing towards an improved climate for public access, our InLinks for example are currently available in 18 cities across the UK and offer ultrafast encrypted Wi-Fi.
Edward Whittingham, Managing Director at The Defenceworks, added as a conclusion: Data Protection Day approaches 12 years old this year. And, much like most approaching their formative teenage years, we’re really starting to see Data Protection Day finally gaining its own identity. For years, we’ve seen these day pass by without often a lot of noise, but very little notice paid by the ordinary person. Thankfully, times are a changin. More than ever, we’re seeing people genuinely starting not just to want to protect their data, but understand exactly why it’s so important to do so.
People are finally waking up to the fact that their data has been abused by large organisations the world over and, only recently, are we starting to see that shift in power back towards the user, the customer or the employee. We’ve all got a duty to help Data Protection Day celebrate this latest marker and to ensure it celebrates becoming a teenager in spectacular fashion. We owe it to Data Protection Day as it comes of age but, more importantly, we owe it to people worldwide.
social experiment by Livio Acerbo #greengroundit #techradar http://www.techradar.com/news/data-protection-day-2019-privacy-firmly-in-the-limelight