Data privacy is shaping up to be a key concern in 2016. The start of this year saw the adoption of the long-anticipated overhaul of the EU data protection laws, the General Data Protection Regulation (GDPR).
Just a few weeks later, the same issues were marked globally in Data Privacy Day. Hot on its heels came the news of Safe Harbour 2.0 - ‘Privacy Shield’ - the new EU/US agreement on the handling, processing and movement of personal data between the two regions.
A balancing act
High-risk industries such as financial services and healthcare require fully transparency and protection of business-critical data in the borderless enterprise in order to protect the details of the individual citizens whose data they hold. Personally identifiable information (PII) is very valuable in the wrong hands and this data is at its most vulnerable when in transit.
Undoubtedly there is a role for us as citizens to up our security game. Becoming familiar with security features, backing up our data and keeping up with the latest versions of security software, operating systems, apps and web browsers – these are just some of the precautions everyone should take on every device.
When we don’t do these basics, or when we download and hand over personal information through the latest must-have app without being sure of its source, we are quite simply taking a big risk with our own details. While there has been growing awareness of what we should, as consumers, do to secure our data, how can we be assured our data is being appropriately cared when we hand over information to companies?
Gaining trust
By properly respecting the privacy of users/customers, firms can enable their trust. However it’s essential that terms such as “respecting privacy” or “creating trust” are propped up by the right policies, training and technologies. In other words, customer trust needs to be earned. This is a big technical challenge for business leaders, chief privacy officers and IT management because of the rapid growth in data integration.
Data is shared across the open internet between organisations that hold it and the service providers they interact with, like payment processors, IT subcontractors, insurance companies, government agencies and cloud service providers. In the borderless enterprise, that data needs to be kept safe, no matter where it goes.
Borderless controls
The GDPR and the Safe Harbour pact are both examples of laws designed to protect personal data once it’s out of the hands of the consumer or citizen and in the realm of corporations and public organisations. Meeting data protection regulation in the context of the borderless enterprise means thinking beyond perimeter defense.
The lines are blurred when it comes to defining who is “inside” and who is “outside” the perimeter, with many external service providers being quite legitimately tasked with duties that require them to have credentials akin to those of highly privileged insiders. Encryption is the best means of limiting access to protected data, since only those with the encryption key can read it. But once data is in transit there are other factors to consider, particularly when compliance with GDPR or specific industry legislation is a requirement.
What data protection compliance will mean for businesses
For companies that are starting to grapple with GDPR compliance the message is clear: expect to make significant investments in order to achieve compliance. According to a survey Ipswitch conducted amongst 300 European IT professionals, nearly 70% said they’d need to invest in new technologies or services to help prepare the business for the impact of the GDPR. Those technologies were: encryption tools (62%), analytics and reporting (61%), perimeter security (53%) and file sharing solutions (42%).
Two-thirds of those surveyed said that keeping up to date with changing data protection regulation was a burden on their business. It is clear that compliance for most comes at a price both in terms of technology investment but also in the time taken to train staff. However, when we consider the underlying rationale for that data protection burden is to keep us as citizens safer from unscrupulous cyber-attackers, then I would venture that the benefit of compliance balances out against the cost.