The IT Pro view: Data protection and GDPR
Our opinions on the challenges, and opportunities, ahead
With little over a year to go before GDPR takes effect, we believe there's no better time to discuss the importance of data protection, and why businesses need to be spending the next year getting their houses in order ahead of the new regulations.
GDPR will be the single biggest shake-up to data protection regulation since the introduction of the Data Protection Act in 1998.
Any organisation that handles EU citizens' personal data will fall under the GDPR, a set of tougher rules that intend to give people more control over how their data is handled and what it's used for, and which impose harsher penalties on organisations who fail to protect personal information adequately. It is an attempt to not only change the way businesses process data, but to foster an environment in which organisations are more open and honest with individuals.
At a time when cyber crime is on the rise and data breaches are an almost daily occurrence, accountability has never been more important. The regulations will attempt to put the user in charge of what their data is used for, and any businesses wanting to flourish beyond May 2018, when GDPR applies in the UK, should be ready and willing to embrace this.
Expect to hear more from us throughout the month on the issues, concerns, and opportunities businesses will experience with GDPR, as well as wider data protection challenges. For now, here's a series of thoughts from the IT Pro team:
Deputy editor Joe Curtis: Data protection doesn't have to be a burden
With a year to go until GDPR applies in the UK, around half of businesses are concerned they won't meet the new data protection standards, according to most of the studies we see. Even the data protection authorities meant to be enforcing compliance don't know what it will look like, if collaboration firm Box is to be believed, and our own one - the ICO - has hinted it'll need more resources to do a proper job. So where does that leave companies trying to protect customers' personal data from hackers and misuse?
The answer to that is; 'in a difficult position'. They need to scour their datasets to ensure these are all in line with the new legislation, and set up rigorous governance policies for how they treat any new data they collect - including making it easy to delete this information if customers ask them to - and get fresh consent for any ongoing data-gathering practices they previously didn't obtain a clear opt-in for.
However, the more stringent data protection rules don't have to be a burden on businesses - they can be a differentiator too. Firms should feel motivated to ensure compliance ahead of next May - it's an opportunity to prove to people that they understand the importance of privacy. Being able to talk about that will help people trust the business, and could help it win more clients.
Staff writer Zach Marzouk: Protection is equally important in the digital and physical worlds
Despite doing everything you can to protect your data, there seem to be more and more organisations trying to get hold of it, from the NSA reportedly accessing an interbank messaging system to the US border control thinking of forcing passengers to give them their passwords so they can inspect devices. Just yesterday the UK government was revealed to be giving itself the power to spy on people's data in real-time. Security firms need to stay on top of and up to date with the latest threats, both in the digital world and outside of it.
I had my phone stolen at gunpoint last November and nervously realised that if the thieves could guess my passcode, or break their way into the phone somehow, they would have access to all my information. The one I was most worried about was Microsoft OneNote, as I (stupidly) hadn't set up a password to the application, making all my to-do lists, book list and plan to take over the world available for anyone to see. When I finally got a new phone, I knew I had to protect myself if this was to ever happen again (please no), so I set up more passwords and authentication on my device. I should have done this from the start and have learnt a valuable lesson; make sure you protect your hardware too!
Staff writer Adam Shepherd: Time to broach the subject of breaches
Part of the incoming GDPR is a requirement for organisations to report data breaches within a certain period - both to the ICO and to affected individuals. This is going to be massively beneficial, not just for end users, but for businesses themselves.
At the moment, the tendency within most businesses seems to be to fail to report them for a long time, with the catastrophic Yahoo hacks being a prime example. Instead of promptly identifying their customers, shareholders and other industry peers, companies will simply keep quiet while they try and fix the problem - a process which can take years.
What they should be doing is coming forward about breaches immediately. Not only does it allow customers to quickly take steps to protect themselves, it also makes the industry as a whole more resilient. If breaches and attacks are immediately disclosed, the industry can start to identify patterns. This, in turn, will lead to better threat intelligence and the faster capture of malicious actors.
Hacks happen. It's a fact of life for anyone doing business in the 21st century, and your shareholders aren't going to immediately bail on your company just because you had a data breach. If anything, the backlash from concealing a breach from customers is going to be more harmful in the long run.
The more companies disclose breaches, the more comfortable other companies will be in doing the same. Cooperation on this is in everyone's best interests, and the sooner companies realise it, the better.
Features editor Jane McCallion: A level playing field benefits everyone
There's a lot of talk in the security industry about protecting customer data being "more important now than ever before".
This is wrong.
The fact is, protecting customer data has always been important, it's just that now businesses collect, store and process more customer data than they did previously. As a consequence, they will inevitably be collecting personal or sensitive data that we - sometimes whether they need it or not.
What's also changing, as alluded to by Joe and Adam, is the consequences of a breach. While a data breach involving sensitive data could already spell the end for many companies, through loss of reputation and business, as well as fines, some are big and brash enough that they could simply absorb both. One of the consequences of GDPR is to level this playing field by introducing percentage-based fines (up to 4% of global turnover, or 20 million, whichever is greater) - which is good news all round. There's no impenetrable fortress when it comes to data security, but at least we can ensure the guards aren't asleep on duty.
Staff writer Dale Walker: The human component may undermine data protection
Headlines over the past year would have you believe the greatest threat to your data is from hackers: a mysterious underground network working tirelessly to break through safeguards designed to protect your identity. Meanwhile, you assume companies care as much about your data as you do, that they take the time to ensure those safeguards are there in the first place.
Yet time and time again we hear reports of 'unauthorised individuals' gaining access to user data - 'hacks' that turn out to be something as simple as someone receiving the wrong email, or finding a memory stick left on a bus. In reality, the potential for an incompetent or disgruntled employee to misuse your data is as real a threat as the activities of an anonymous cyber criminal.
Whether it be employees at Dropbox re-using old passwords, a Boeing engineer mass emailing a spreadsheet full of co-worker details, or Capgemini inadvertently publishing job-seeker records to a publicly accessible web server - criminals are finding ways to access your data without the need of a hack.
And it's not only the businesses that you choose to give your data to - the very forces working to protect you from harm make blunders. You may be surprised to hear that London currently has over 30,000 registered rifle and shotgun owners - I certainly had no idea, at least until the Met police accidently leaked their details to a marketing agency earlier this month. In this case, knowing where to source a gun is a tasty nugget of information for a would-be felon.
With GDPR looming on the horizon, the threat of tougher sanctions for mishandling data will surely encourage businesses to be mindful of their commitment to customers. Yet no amount of regulations will prevent an accident, and it is important that businesses do as much as they can to ensure employees are fighting for the customer, and not handing everything over to the criminals.