Tech experts discuss the three-year anniversary of GDPR
It’s been three years since the GDPR was enforced. Compliance with the EU data privacy regulation remains an ongoing challenge for organisations as do raising cyber security expectations and threats. Industry experts in the technology and software space share their reflections.
Today marks the three-year anniversary of the enforcement of GDPR in the UK. Compliance with the EU data privacy regulation remains an ongoing challenge for organisations as do raising cyber security expectations and threats. The anniversary provides the perfect opportunity to reflect on how increased consumer and business reliance on online services, during the pandemic, has meant the integrity of data has become more important than ever.
Since inception, European data protection authorities have delivered approximately 700 enforcement actions. The UK’s Data Protection Authority, the Information Commissioner’s Office (ICO), has just recently published data covering 1st July 2020 to 31st October 2020, revealing that the ICO received 2,594 data breach notifications. This provides clear evidence that demand amongst cyber criminals for consumer data is showing little sign of easing.
In this article, tech industry experts explore the core components of data governance and protection in today’s cyber business landscape and offer advice on how an organisation must act if a data breach occurs.
Handling sensitive data
Faisal Abbasi, MD EMEA at Amelia explains how organisations must manage the process of handling sensitive data. “For customer-facing organisations across finance, banking and insurance industries – and increasingly in healthcare too– data-related challenges are only becoming more complex, as more data is generated to define business needs, and more people now conduct their work and home lives from personal devices. But the failure to securely manage personal data can have costly and damaging implications in the event of a possible breach.
“That’s why in many regulation-heavy industries, like banking and insurance, we’re seeing an uptick in the number of organisations deploying AI-powered digital employees to augment the ability of human employees when handling sensitive data. Trained to follow specific rules and processes, and quickly adaptable to comply with new regulations, digital employees can act as whisper agents to guide their human counterparts through processes that are fraught with privacy risks to help reduce any chance of human error and prevent the unauthorised sharing of data.”
Strengthening citizen trust
Liz O’Driscoll, Head of Innovation, at Civica discusses the importance of maintaining citizen trust through data privacy. She says “Be it personal banking details or mRNA vaccine codes, personal data is extremely valuable, making privacy all the more important. Through increasing innovation, we’re getting better at protecting that data and using it as a force for good. This is improving citizen trust at a time when the pandemic has fuelled government reliance on data to get critical information and services out to the general public.
“Data privacy is critical for maintaining this trust and helping citizens to understand the benefits that come with sharing their data. When GDPR was introduced three years ago, it ensured that organisations put data privacy front of mind, which helps built trust. In strengthening citizen trust, person-centric services will become more important. These services can adapt and respond to our preferences and provide earlier interventions for those most in need.”
Putting the work in
Declan Dickens, Senior Manager, Northern Europe at Checkmarx says there is still a lot of work to be done when it comes to widespread action and accountability surrounding data privacy. He says “A new report noted that over 661 fines have been issued since GDPR became enforceable, totalling €292 million – a concerning number. It’s important that both law makers and organisations don’t become complacent in this critical effort. Issues surrounding fragmentation and grey areas still exist with the GDPR, which continue to create a variety of problems. GDPR, and data privacy protections more broadly, should be a living, breathing initiative, being consistently updated to reflect changes in end user needs, evolutions in regulatory requirements, and more.
“Organisations that develop applications in particular must ensure they’re aligning with the GDPR requirements. The articles relating to this (25, 32, 33, 34 and 35) reaffirm the steps needed when securing data flowing through applications, in addition to what needs to be done in the event of a data breach. For those looking to remain compliant, we suggest they firstly follow the ‘privacy/security by design’ rule – ensuring data security and privacy are considered during the planning stage of any product or solution, as opposed to during development – to safeguard data from attackers by default. For existing operations, organisations need to work to discover any weak points in how data flow is processed and handled by performing gap analysis to find what works and what needs to be worked on or removed.”
Managing the move to remote working
Chris Huggett, Senior Vice President, EMEA & India at Sungard AS says the move to remote working has provided new challenges when it comes to data privacy. He says “The huge growth in remote working during the pandemic has seen a dramatic increase in cloud spending to keep organisations operationally effective. While hybrid and public cloud solutions have been the natural choice in this case, organisations need to be aware that a distributed model of data storage presents a challenge to one of the key facets of GDPR compliance: knowing exactly where data is. As a result, businesses looking to migrate data from on-prem data centres to the public or hybrid cloud must have the diligence to ensure visibility is not sacrificed.
“The this need for visibility in distributed cloud systems is driving demand for so-called ‘sovereign’ cloud solutions, which provide the fundamental benefit of ensuring all data is stored on servers located on UK soil. The GDPR is now driving uptake of managed sovereign cloud solutions, along with other factors such as cyber security and the uncertainty around data transfers post-Brexit. Such solutions are critical for helping close the widening gap between operational flexibility and regulatory compliance, provide businesses with peace of mind when migrating to the cloud.”
The value of data
Adam Mayer, Senior Manager at Qlik, summarises it well when he discusses the value of data to modern businesses. He says “Real-time data is one of the most valuable resources for modern businesses, empowering organisations to make the right decisions in the right moment according to customer needs. However, this need for speed cannot be at the expense of their customers’ privacy. Businesses need a clear data governance strategy on how they collect, use and store data, particularly personally identifiable information (PII), as well as ensuring that access is carefully managed. Understanding the data lineage, managing access through a data catalogue, as well as providing data literacy education so employees understand how to responsibly draw from and use different data sources, are all key to ensuring that operating at the speed of business won’t contribute towards creating new compliance concerns.
“However, as the volume of and speed at which we consume data grows, we must look beyond the traditional approaches to governance and think about how analytics itself can support compliance. Analytics programmes can help IT teams visualise and manage who has access to what information and if that remains relevant to their role. For instance, this could be through bringing together disparate data sets on user access controls and HR lists of leavers, starters and changers to ensure that there are no anomalies where people retain access to information that is no longer appropriate to their role.
“Analytics can also help proactively manage data retention policies, so personal data isn’t held for too long, i.e. when it is no longer needed after form processing, or held without consent. Analytics platforms can assess when to dispose of personal data in a timely and safe manner. This can ultimately help businesses introduce real intelligence into the management of data privacy to reduce the risk of human error and streamline processes for IT teams.”