New Personal Data Legislation And Cybersecurity

By ISBuzz Team. August 8, 2017. Updated: August 8, 2017. 8 Mins Read
Following the news that the government is set to introduce a new Data Protection Bill that will give people the right to have all their personal data deleted by companies, IT security experts commented below.

Justin Coker, Vice President EMEA at Skybox Security:

“Organisations are in the midst of GDPR compliancy work so the government restating the European legislation will be UK law is welcome. It also gives a clear signal that the UK government wants to set a high standard for cybersecurity and this should drive innovative approaches to protect and secure data. However, as consumers and citizens are given new powers to be forgotten, businesses do need to overhaul their own systems to keep pace with this change. Too often organisations have been caught out because they don’t have full visibility of where the threats and vulnerabilities are. And, they have been hamstrung by an overload of security management tasks. So, the bill should be a further catalyst to the use of smarter security analytics and automation.”

David Emm, Principal Security Researcher at Kaspersky Lab:

“The drafting of a new Data Protection Bill would grant unprecedented rights for consumers to force social media websites and online companies to delete their data and take back control of their personal information. In combination with the incoming GDPR regulations being implemented by the European Union, there will be widespread changes in the coming years to the way organisations collect, store and process data.

It is important that the general public embraces this new freedom and recognises the value of personal data – not just to ourselves but to would-be cybercriminals. New data protection laws are designed to make organisations more careful with our data, but regardless of this, it is important that we on an individual level know what information is being kept and how it’s being handled – which will also reduce the likelihood of it falling into the wrong hands. Being vigilant online – whether when using a work computer, home laptop, mobile or tablet device – should be second nature. Undertaking simple steps, like regularly changing passwords, reviewing default settings on social media and using anti-virus software across all devices can significantly help protect data.”

Peter Carlisle, VP of EMEA at Thales e-Security:

“These reinforced regulations highlight the importance of data protection today, not only for organisations who possess significant amounts of data, but also to ensure that consumers are safe in the knowledge that their data is secure.

As the number of data breaches continues to rise, businesses must ensure that they are able to control where and how their data is stored – and have robust cybersecurity strategies in place to protect that data.

With the introduction of these new laws and the upcoming GDPR, it is essential that organisations are taking all the necessary steps to ensure that they are compliant with these regulations or else risk facing devastating consequences, not only from a financial perspective but for their reputation too.”

Greg Day, VP and Chief Security Officer EMEA at Palo Alto:

“This is a crucial time for cybersecurity in Europe as organisations implement GDPR. The UK government’s statement of intent on a Data Protection Bill, expected to be released in September, gives welcome certainty and direction to the country’s business and cybersecurity leadership. Organisations of all types have demonstrated a determination to advance cybersecurity and preserve digital trust, particularly in light of recent high-profile cyberattacks. The UK’s forthcoming bill, which will serve to implement GDPR within the UK, makes it clear that this country wants to be a beacon of excellence for how organisations protect and secure personal data, including by preventing successful cyberattacks, and give individuals control over how their personal data is used. Based on the details released today by DCMS, we expect this bill can also contribute to how the UK economy will leverage digitisation to grow and innovate, with greater assurance in the years ahead. We look forward to seeing more details in the autumn.”

Patrick Booth, VP UK & Ireland at Big Data Specialists Talend:

“The proposed changes will require businesses to sharpen up their data protection processes. Organisations need to take action now to ensure they are adequately capturing, integrating, certifying, monitoring and of course, protecting their data.

“A failure to comply with the new regulations could be costly. Businesses will need to track and trace each piece of potentially sensitive data, and determine how it is processed across their entire information supply chain – from their CRM and HR systems to their data lakes.

“Compliance with the new proposals will also depend on the organisation’s data agility, as it mandates transparent communication with data subjects on their personal data and grants those subjects rights for data access, as well as rectification and erasure at any time.

“This can be a challenge for large, complex or geographically dispersed organisations where data is often siloed, duplicated and distributed across many different sites and likely stored in multiple places. Any delays to answer requests from the UK government can be a major problem for businesses if they don’t have a clear process and widely accessible system to compile the requested information. And that could in turn leave them in a tough position.”

Iain Chidgey, VP and General Manager International at Delphix:

“The golden age of free data is over and the Data Protection Bill means the regulator finally has teeth. Data privacy is emerging as a basic human right.

The introduction of punitive sanctions shows the UK is serious about protecting the public and enforcing data best practice. Companies that don’t do enough to protect consumers’ personally identifiable information (PII) face genuine penalties that will make them think twice. In fact, it is planning to go even further than the legislation put in place by the EU’s General Data Protection Regulation (GDPR).

People’s demands for data privacy have changed. With data breaches and criminal hacking an everyday part of modern society, the public expect their data to be protected. However, change won’t happen overnight.

Current data protection laws were created in 1998, before the smartphone, social media, online banking and ecommerce rose to prominence. This means businesses and governments are scrambling to establish processes and technology so they can care for PII and be seen as taking data security seriously. However, it’s only achievable if organisations have clear guidelines to follow and adequate time to replace or amend systems to comply with it.

With 90% of data held in test, reporting and analytics systems, UK companies must put in place the ability to mask personal data. Not only will this protect individuals, it will also remove the compliance requirements for these systems as the data will no longer be personally identifiable. This has the added benefit that companies will not need to invest time, money and resources on complying with a right to be forgotten in these secondary systems.

In order to move fast and survive, global businesses need rapid and secure access to data. However, it can’t be at the expense of consumer privacy. In a data-driven world, security and privacy issues will define the winners and losers.”

Rashmi Knowles, GDPR Expert and Field CTO EMEA at RSA:

“The current Data Protection Act came into force in 1998; so much has changed since then that we are long overdue an update. The new refresh will give consumers much more control over what data they are handing over to companies and how this will be used, which is a positive step not just for consumers but for companies too. Companies can now start afresh and have an opportunity to cleanse their data and engage customers. Yet this is not to say the changes will be easy to implement.

Previously, the DPA only protected PII, and had a much narrower definition of what this constituted. Companies who are already complying with the DPA, or those who have already started on their GDPR journey, have a head start but there is a long road ahead. It is vital companies understand the changes and prepare accordingly to ensure they manage their business risk. For instance, under the new regulations PII will encompass areas like ethnic, genetic, and pseudonymised data – i.e. data that can be easily unscrambled to determine PII, such as an email address, IP addresses, or biometrics.

The biggest challenge is going to be process; particularly around issues such as data availability and consent. This is not an annual audit that companies need to comply with, the audit can come at any time so businesses need to be focused on continuous compliance, which is a huge task – technology alone is not the answer. For anyone who was in doubt that GDPR will impact them come May 2018, this move by the government is a clear indication that it will – regardless of Brexit.”

If you are planning a longer analysis piece, we would be happy to arrange a call with Rashmi, who is able to speak about a lot of issues that companies will be facing including:

  • Why the old Data Protection Act (DPA) had to be replaced
  • The expanded definition of Personally Identifiable Information (PII)
  • How companies can manage the issue of consumer consent
  • The role of data processors vs. data controllers under the new legislation
  • The data governance and process burden that this places onto companies
  • The ability of companies to challenge fines and rulings
  • What would potentially constitute a breach
  • The problem of grey areas and definitional issues with the new legislation
  • The problem of tracking sensitive data in the cloud and across the enterprise
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
