Following the news that the government is set to introduce a new Data Protection Bill that will give people the right to have all their personal data deleted by companies, IT security experts commented below.
Justin Coker, Vice President EMEA at Skybox Security:
David Emm, Principal Security Researcher at Kaspersky Lab:
“It is important that the general public embraces this new freedom and recognises the value of personal data – not just to ourselves but to would-be cybercriminals. New data protection laws are designed to make organisations more careful with our data, but regardless of this, it is important that we on an individual level know what information is being kept and how it’s being handled – which will also reduce the likelihood of it falling into the wrong hands. Being vigilant online – whether when using a work computer, home laptop, mobile or tablet device – should be second nature. Undertaking simple steps, like regularly changing passwords, reviewing default settings on social media and using anti-virus software across all devices can significantly help protect data.”
Peter Carlisle, VP of EMEA at Thales e-Security:
“As the number of data breaches continues to rise, businesses must ensure that they are able to control where and how their data is stored – and have robust cybersecurity strategies in place to protect that data.
With the introduction of these new laws and the upcoming GDPR, it is essential that organisations are taking all the necessary steps to ensure that they are compliant with these regulations or else risk facing devastating consequences, not only from a financial perspective but for their reputation too.”
Greg Day, VP and Chief Security Officer EMEA at Palo Alto:
Patrick Booth, VP UK & Ireland at Big Data Specialists Talend:
“A failure to comply with the new regulations could be costly. Businesses will need to track and trace each piece of potentially sensitive data, and determine how it is processed across their entire information supply chain – from their CRM and HR systems to their data lakes.
“Compliance with the new proposals will also depend on the organisation’s data agility, as it mandates transparent communication with data subjects on their personal data and grants those subjects rights for data access, as well as rectification and erasure at any time.
“This can be a challenge for large, complex or geographically dispersed organisations where data is often siloed, duplicated and distributed across many different sites and likely stored in multiple places. Any delay in answering requests from the UK government can be a major problem for businesses if they don’t have a clear process and widely accessible system to compile the requested information. And that could in turn leave them in a tough position.”
Iain Chidgey, VP and General Manager International at Delphix:
“The introduction of punitive sanctions shows the UK is serious about protecting the public and enforcing data best practice. Companies that don’t do enough to protect consumers’ personally identifiable information (PII) face genuine penalties that will make them think twice. In fact, it is planning to go even further than the legislation put in place by the EU’s General Data Protection Regulation (GDPR).
People’s demands for data privacy have changed. With data breaches and criminal hacking an everyday part of modern society, the public expect their data to be protected. However, change won’t happen overnight.
Current data protection laws were created in 1998, before the smartphone, social media, online banking and ecommerce rose to prominence. This means businesses and governments are scrambling to establish processes and technology so they can care for PII and be seen as taking data security seriously. However, it’s only achievable if organisations have clear guidelines to follow and adequate time to replace or amend systems to comply with it.
With 90% of data held in test, reporting and analytics systems, UK companies must put in place the ability to mask personal data. Not only will this protect individuals, it will also remove the compliance requirements for these systems as the data will no longer be personally identifiable. This has the added benefit that companies will not need to invest time, money and resources on complying with a right to be forgotten in these secondary systems.
In order to move fast and survive, global businesses need rapid and secure access to data. However, it can’t be at the expense of consumer privacy. In a data-driven world, security and privacy issues will define the winners and losers.”
Rashmi Knowles, GDPR Expert and Field CTO EMEA at RSA:
“Previously, the DPA only protected PII, and had a much narrower definition of what this constituted. Companies that are already complying with the DPA, or those that have already started on their GDPR journey, have a head start but there is a long road ahead. It is vital companies understand the changes and prepare accordingly to ensure they manage their business risk. For instance, under the new regulations PII will encompass areas like ethnic, genetic, and pseudonymised data – i.e. data that can be easily unscrambled to determine PII, such as an email address, IP addresses, or biometrics.
The biggest challenge is going to be process; particularly around issues such as data availability and consent. This is not an annual audit that companies need to comply with, the audit can come at any time so businesses need to be focused on continuous compliance, which is a huge task – technology alone is not the answer. For anyone who was in doubt that GDPR will impact them come May 2018, this move by the government is a clear indication that it will – regardless of Brexit.”
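Two of the comments above touch the same practical point from opposite sides: Delphix argues that masking personal data in test, reporting and analytics copies takes those systems out of scope, while RSA warns that pseudonymised data which "can be easily unscrambled" is still personal data. The following is an added example, written for this page and not taken from any contributor's comment or any vendor's product, of the difference in code: a keyed, one-way masking of the PII columns of a record set, beside the kind of keyless "scrambling" that a test environment can trivially reverse. The records, the choice of which columns count as PII, and the masking key are all constructed assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample records for illustration only; the people, addresses
# and values are invented and do not come from the article.
SAMPLE_RECORDS = [
    {"id": 1, "email": "alice@example.com", "ip": "203.0.113.7",
     "postcode": "SW1A 1AA", "spend_gbp": 120.50},
    {"id": 2, "email": "bob@example.org", "ip": "198.51.100.23",
     "postcode": "M1 1AE", "spend_gbp": 42.00},
    {"id": 3, "email": "alice@example.com", "ip": "203.0.113.7",
     "postcode": "SW1A 1AA", "spend_gbp": 9.99},
]

# Columns treated as personal data (an assumption for this example).
# Everything else is copied unchanged so reports and tests still behave
# as they would against production data.
PII_FIELDS = frozenset({"email", "ip", "postcode"})


def naive_scramble(value: str) -> str:
    """'Scrambling' with no secret: anyone holding the copy can undo it."""
    return base64.b64encode(value.encode()).decode()


def naive_unscramble(token: str) -> str:
    return base64.b64decode(token).decode()


def new_masking_key() -> bytes:
    """Key held only by the masking job, never shipped to the test system."""
    return secrets.token_bytes(32)


def mask_value(value: str, key: bytes, field: str) -> str:
    """Keyed one-way token. The field name is mixed in so an email and an IP
    with the same text never share a token. Without the key, a low-entropy
    column such as postcode cannot be reversed by enumerating all candidates,
    which a plain unkeyed hash would allow."""
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{digest[:16]}"


def mask_record(record: dict, key: bytes, pii_fields=PII_FIELDS) -> dict:
    return {k: mask_value(str(v), key, k) if k in pii_fields else v
            for k, v in record.items()}


def mask_dataset(records, key: bytes) -> list:
    """Deterministic per key: the same person maps to the same token across
    tables, so joins and deduplication in the secondary system still work."""
    return [mask_record(r, key) for r in records]


def leaked_pii(original, masked, pii_fields=PII_FIELDS) -> list:
    """Check step: any original PII value that survives anywhere in the copy."""
    originals = {str(r[f]) for r in original for f in pii_fields}
    leaked = {str(v) for r in masked for v in r.values() if str(v) in originals}
    return sorted(leaked)


if __name__ == "__main__":
    key = new_masking_key()
    masked = mask_dataset(SAMPLE_RECORDS, key)
    for row in masked:
        print(row)
    print("leaked PII values:", leaked_pii(SAMPLE_RECORDS, masked))
```

The check worth keeping in a pipeline is `leaked_pii`: it is run against the masked copy before it leaves the masking job, and a non-empty result blocks the release. Two caveats a practitioner would add to the Delphix claim: the masked copy only stops being personal data if the key stays out of reach of whoever holds the copy, and tokenising the direct identifiers does nothing about re-identification through the columns left in the clear (a unique combination of spend values and timestamps can still single a person out), so the untouched columns need their own review.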
If you are planning a longer analysis piece, we would be happy to arrange a call with Rashmi, who is able to speak about a lot of issues that companies will be facing including:
- Why the old Data Protection Act (DPA) had to be replaced
- The expanded definition of Personally Identifiable Information (PII)
- How companies can manage the issue of consumer consent
- The role of data processors vs. data controllers under the new legislation
- The data governance and process burden that this places onto companies
- The ability of companies to challenge fines and rulings
- What would potentially constitute a breach
- The problem of grey areas and definitional issues with the new legislation
- The problem of tracking sensitive data in the cloud and across the enterprise
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.