Today marks exactly one month until the EU General Data Protection Regulation comes into force – making now the time to reflect on the changes both businesses and consumers should expect to see as a result of the legislation overhaul.
As part of our security experts comments series, security experts from McAfee and Yoti commented below.
Nigel Hawthorn, Data Privacy Expert at McAfee:
“Data protection is not a responsibility for the IT department alone. It should be a coordinated task for departments such as legal, marketing and HR in partnership with IT. Becoming GDPR compliant requires a combination of knowledge, processes, policies, technology and training, as well as detailed understanding of data flows to and from third parties and any cloud services you may have. Despite the regulation being just one month away, our recent research showed that only half of IT decision makers are confident that all of their cloud providers have a plan in place for GDPR compliance.
“The GDPR is not intended to be considered an add-on set of policies and procedures changing how data is handled. Instead, all new systems must be designed from the ground up to take into account best practices for data minimisation. “Data protection by design and by default” mandates consideration of such things “at inception”, so building in security and privacy – while taking care only to collect the data required for the process involved – is essential.”
Emma Butler, Data Protection Officer at Yoti:
“Despite often being portrayed as a burden for businesses, clearly the GDPR is also a welcome change for consumers – one YouGov report found that 87% of people are worried, to some extent, about the security of their personal data online. Following the implementation of the GDPR, I’m especially keen to see organisations encourage an environment where data transparency and engagement with consumers comes first.
“With the explosion of digital technologies, organisations are sweeping up vast quantities of data about consumers’ activities, often without them being fully aware. This volume of data could end up being a headache for many companies if not properly managed. Businesses will have to report on all data held, as well as any data gathered from then on – so it would be wise to only start collected the data you actually need. The IT team will also then need to review the technology used to keep this data secure, implementing measures to mitigate risk of data loss – for this, the regulation specifically calls out encryption. Though investment in technology measures such as this may be an investment upfront, gaining consumers’ trust and confidence in the use of their data will increasingly become a vital source of competitive advantage.”