Over the past two years, the majority of us have become much more aware of who we are giving our data to, and how it is used because of the General Data Protection Regulation (GDPR). Put into place two years ago to protect our security and privacy, the GDPR has heightened our awareness of how our data is being used and given us a chance to execute our right to be forgotten.
Now, in the midst of a global pandemic, conversations around privacy have increased ten-fold. On one side, some have asked whether the GDPR rules ought to be relaxed to support the tracking and processing of individuals’ personal data in the battle against COVID-19. Organisations are relying on their data sets to monitor the health of employees, participate in tracing initiatives, and contribute to the common goal of better understanding the disease. Others point out that, by collecting so much more personal data, we need to increase the commitment to privacy. While the pandemic will pass, the compromise to personal privacy may never be undone.
Given the debate, GDPR has never been more important than it is right now. People on both sides of the argument are taking increasingly extreme positions. In times of crisis, regulations like the GDPR can help to maintain a feeling of trust and safety within the world that we live in. To bring people together, we need to commit to an organisation’s responsibility to protect its customers and employees according to the GDPR.
Challenges of implementing GDPR
Whilst it is not time to relax the rules around the GDPR, it is time to make sure businesses have the support they need to manage such rapid change and increased data challenges.
Firstly, with more of us working remotely than ever before, everything is decentralised. Communications have shifted from in-person meetings to messaging tools like Slack, Zoom and Microsoft Teams. Instead of being stored in a data centre, sensitive, and sometimes private data, is stored on a local laptop. The traditional approaches to data protection, security, and privacy do not apply to the new world. The distributed environment is more likely to violate privacy regulations than the well-structured data centre. Meanwhile, if an organisation gets a request through the GDPR, storing data in remote locations makes it difficult and expensive to process comprehensively.
Secondly, as we progress toward some return to work, there will be new privacy challenges. Organisations will be required to hold personal health data for its employees, external visitors and other workers entering the building, and this data will need to be managed sensitively. Organisations require clear guidance for how long they can store this data for, what type of data they can store and where this data ought to be kept.
As conversations around privacy and health become more intertwined, we are going to rely on the GDPR to ensure we’re getting it right – meaning, relaxing the rules would be damaging to businesses in the long run.
A safer future
As the situation we find ourselves in continues to change rapidly, the challenge for businesses is to ensure that they are equipped to store, retrieve and delete personal data quickly, regardless of the working location, conditions or environment. Whilst doing this may be harder than times gone by, using GDPR as the baseline keeps the requirements clear.
If organisations did not yet have an automated data management strategy, now is the time to implement one. First, create a standard data management process that centralises management while distributing the data storage because remote workers, IoT devices, and data residency laws make it impossible to store data in one data centre. Second, leverage the cloud to connect to the various data sources in their local regions. Third, extract and enrich the metadata, so you can manage access control, search, and retrieval, while storing the data as inexpensively as possible.
The data management strategy enables organisations to automate and scale compliance with the GDPR. With rapidly accessible metadata, organisations can build tools to search and retrieve information to return it to the requester or delete it. By automating the right to access and right to be forgotten, companies remove the intense manual labour involved in searching through every record and piece of data associated with one individual. Automation is the only way to handle the increasing amount of scrutiny around privacy over the next 12-18 months.
None of us expected that we’d be navigating the data management and regulation during a pandemic, but regulations like the GDPR provide stability and confidence in times of crisis. There are many things to consider right now, but we cannot forget the importance of data privacy. As we approach the two year anniversary of the GDPR, let’s not debate the value of privacy. Instead, let us capitalise on the opportunities to build greater trust with employees and customers, so we can navigate an unknown landscape together.
Chief Technologist
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.