We asked some of the leading figureheads and thought-leaders in the field of cybersecurity and privacy to give us their thoughts about what 2019 has in store for us when it comes to privacy and data protection, just days before the Data Protection Day (or Data Privacy Day as it is called in the US). We received more than 100 replies that cover the widest possible spectrum and show how important and critical that field has become for the wider tech community.
So why is Data Protection Day so important?
Mike Turner, Head of Compliance at Mojo Mortgages, gives his thoughts
It’s the first Data Protection Day since GDPR implementation last year – it is great to see the transition hasn’t been the nightmare some predicted it would. I think Data Protection Day is of particular importance this year for awareness reasons.
DP day provides the opportunity to bring governments, parliaments, and regulators and specific DP bodies together to raise awareness of what rights individuals have, specifically relating to personal data and privacy. The day opens up the floor for active discussions about how we can better protect and guard the data across a variety of industries, as well as the tools and strategies to put them in place.
With that being said, the awareness behind data protection should be permeated to society every day. Yes, Data Protection Day serves as a timely reminder of individual privacy; however, distributing awareness surrounding data protection should be instilled in every company’s strategy.
Nonetheless, Data Protection Day gives a chance for a diverse number of organisations to come together to acknowledge the trust customers put in organisations to protect their data and stresses how important safeguarding customer data will be if businesses are to be successful.
Is it actually necessary to have such an event in 2019?
Colin Truran, principal technology strategist at Quest, answers
We should ask ourselves, is an arbitrary day to simply raise awareness of data privacy really necessary in 2019? In the era of GDPR, multi-million dollar lawsuits, and career-ending data breaches, awareness of data privacy is higher than ever. It may sound cliché, but every single day of the year should be a day for businesses and individuals to do more to protect personal data.
Data Privacy Day has been a fixture of the calendar since 2007, and I believe it needs to evolve to stay relevant with the rapidly changing data landscape. Beyond raising awareness, the 28th January needs to become a day where businesses are genuinely held accountable for their data protection practices.
To celebrate a day like this, we should be calling on all organisations to be transparent and publish exactly what they’re doing to safeguard their customers’ data, making Data Privacy Day an annual check-in on the health of data protection and to ensure there are no hiding places for data misuse. The day is an opportunity for organisations to demonstrate how competitive they are in upholding the rights of the individual and protecting their data.
How does trust factor into data protection?
Mark Barrenechea, CEO at OpenText, elaborated
Over 2.5 quintillion bytes of data are created each day. This pace will only continue to accelerate as automated cars, sensors, drones, and the Internet of Things (IoT) introduce new formats at a rapid-fire pace. Clearly, we are in store for an information-infused future. This data is to a business or to an individual, as blood is to the body. Its foundation: trust.
Banish data, or the trust to protect it, and the world falls apart: all commerce would cease; bank accounts would have zero balances; planes would fall out of the sky; cars would halt in their tracks; power and water would stop flowing. Data, business and life are inseparable, and as indispensable as water, air and electricity. More profoundly, data and systems are so advanced that we can begin to see our human and cognitive form in our own digital data trails. Every day we are building, brick by brick and bit by bit, a digital copy of ourselves, whether we are aware of it or not.
The nature of the data has changed, as today’s data goes well beyond what you can find in the phone book of a decade ago. In this digital era, your modern data now includes your behaviours (friends list, what you read, pictures, a recording of all your phone calls, etc). But what is the real difference when a bad actor steals 135 million people’s data from a credit aggregator or when a social media company sells 85 million people’s data to a political consulting firm? The actors are different, but the consumer impact is the same. Trust is broken. Whether it be governments, individuals or businesses, when trusted with data, it is job Number 1 to defend and protect that which is entrusted. This trust transcends products or services.
Why has data protection become increasingly complex, and why is the regulatory framework more significant now than ever before?
Darren Barker, VP & General Manager UK&I of Hitachi Vantara
Data is fast becoming a new global currency, perhaps the most powerful in history, and businesses mine, collect and safeguard it. Yet unlike gold or oil, which are made valuable by their scarcity, data is in abundance – and it is the sheer volume of it that makes it so challenging to govern. Businesses are often overwhelmed by their data, which is typically disparate and scattered across departments and even geographies. It’s not just small companies that are struggling in a new data-saturated world. If anyone needs a reminder of the pertinence of data protection, just last week, Google was handed a £44 million fine in France for alleged GDPR breaches.
Unlike a traditional currency, you can’t hand data over to a bank or lock it in a vault. Rather than a bank manager, businesses increasingly entrust their data to the Chief Data Officer. Still, companies live under the constant shadow of stringent regulation. This isn’t a bad thing – imagine today’s world if banks didn’t exist. Yet, while many are anxious about how their data is being used, everyone – individuals and corporations alike – stands to benefit from leveraging insights from their data. Hence data protection is more than just a business imperative; it is a social issue. However, the onus is on businesses first and foremost to handle their data responsibly, regaining the trust of a public that is increasingly wary of how their data is used.
Describe the data power shift you have seen between businesses and consumers post-GDPR.
Jasmit Sagoo, senior director, Northern Europe at Veritas, observed
2018 marked a pivotal change for data privacy and protection across the globe. For a long time, personal data has been leaked, shared, tracked and analysed without consumers’ prior knowledge or consent. But the introduction of the General Data Protection Regulation (GDPR) has offered individuals in the EU an olive branch: more control over their data.
For years, organisations have failed to understand the real value of their data, or the repercussions of mishandling it. Our Truth in Cloud research found that most UK businesses (75%) export full responsibility for data protection to their cloud providers, with over half (52%) wrongly assuming their cloud providers are responsible for complying with data privacy regulations.
We also found that 42% of companies’ total data environments are either stale (i.e. have not been modified in the last three years) or ancient (i.e. have not been modified in the last seven years).
However, the change in data privacy regulations has served as a much needed wake-up call for organisations. Beyond the hefty fines for regulatory non-compliance, companies have begun taking notice of the real reputational damage that could result in a lack of responsibility for protecting and managing their data. Our research revealed UK consumers would punish organisations that don’t protect their data by shopping elsewhere or by attacking their brand reputations.
Meanwhile, the potential benefits of investing in effective data protection and management are vast, such as the ability to personalise and improve customer service and create information-centric business models that give way to new revenue streams. In addition, nearly half (46 per cent) of UK consumers say they would spend more money with organisations they trust to look after their data, with over a fifth (21%) willing to spend up to 25% more with businesses that take data protection seriously.
Today, more and more companies are beginning to realise the importance of not only protecting their data, but also understanding exactly what data they hold, where it sits, who has access to it and how quickly they can retrieve it. Businesses must now be able to automatically classify large volumes of digital data, scanning and tagging it in a granular, intelligent manner to ensure that information is managed effectively and can be accessed efficiently and on-demand.
Technology aside, businesses must also instil a culture of digital compliance and responsibility among their employees. And there’s no question about whether this is needed: an overwhelming majority (91%) of organisations admit that they lack a culture of good data governance. With a three-fold approach to managing data which includes technology, processes and people, organisations will be in a strong position to reap the rewards associated with protecting and managing data and building customer confidence in today’s digital economy.
What are the key questions businesses should ask themselves on data privacy day?
David Francis, Information Security Consultant at KCOM
So why is data protection so important in 2019? Last year we saw some immense upsets, from the BA data breach to the Cambridge Analytica scandal. The range of consumer-facing breaches in 2018 has truly proved that cyber security is the last line of defence for personal security. In addition, since the last Data Protection Day, we have seen the introduction of the GDPR.
The first question you should ask yourself today is: Do you know when you’ve been attacked? It takes companies an average of 206 days to discover a breach, so the answer is ‘probably not.’ And the threat doesn’t just have to be external: you could have sleeper agents placing time bombs in advance. They don’t necessarily need to be onsite at the crucial moment.
It could be a developer with a grudge placing a time bomb in the system to erase crucial intellectual property, or even an outgoing executive quietly deleting things in the background. If done quietly over a period of time, you could lose your backups as well, with no way of tracing the culprit. This is in addition to the huge GDPR fines you would face. Companies need to have measures in place to track data movement to prevent this kind of insider threat.
The next question to ask yourself today is whether you have been paying attention to the news around GDPR. If 2018 was the year of compliance, 2019 will be the year of retribution for everyone’s favourite data privacy regulation. The period of grace is drawing to a close, and we’re already seeing the ICO taking its first high-profile scalp over treatment of personally identifiable information, with Google being the first to fall in France.
This has set the precedent by which all further cases are judged – letting companies know along the way just how strictly enforced the rules are going to be, and how heavy the fines. Now is the time to check your compliance levels. If 2019 is anything like 2018, consumers are in the firing line. With these scenarios in mind, on Data Protection Day, it’s time to re-evaluate your security plans and consider: Does this plan put the customer first? Is your security system tracking insider threats? Are you aware of which employees have access to what data? Are you GDPR compliant?
If your organisation can safely answer yes to all these questions, congratulations, you have had a successful Data Protection Day. However, that doesn’t mean it’s time to stop evaluating your systems; in today’s security landscape, you can never be too safe.
What advice can you give to security teams that look to safeguard business and customer data in the long-term?
Chris Hodson, EMEA CISO, Tanium, suggested
There is no doubt that analysing the effectiveness of the regulation will dominate. For me, as a CISO, there are many common misconceptions of GDPR. Firstly, we must remember that approximately 80% of GDPR isn’t directly within the CISO’s purview. The whole business, most notably the DPO, must be responsible for driving data privacy across the enterprise.
The security function can certainly help with the “how” of data protection and must be responsible for putting the processes in place to ensure that data is safeguarded. However, we are often very little use in ascertaining the “why” of data collection. For a security team or CISO, it’s about ensuring that controllers (and processors) carry out data processing in a transparent fashion.
It’s about making sure that information is not left lying around in servers ad infinitum. That’s why the best defence is a model for qualification and assurance. That means having real-time visibility of the data stored across your network and where threats and vulnerabilities exist.
But it also means taking a role in educating our boards, executives, and fellow employees on their role in protecting data: choosing systems and practices that support GDPR principles and maintaining practices that safeguard customer data in the long-term.
Isn’t data protection expensive and complex though?
Steve Abbot, the CEO of DocAuthority, chimed in
Data Protection Day represents a transition in how data is now viewed by the international business community. In years gone by data has been more synonymous with the wild west. Businesses took a reckless attitude to the storage and effective management of data, investing very little, if anything, in the area at all. As a result, most businesses have very little understanding of what data they hold and where to find it.
However, following a string of high-profile data breaches, stringent data privacy regulations such as the General Data Protection Regulation (GDPR) have made it an obligation for businesses to take responsibility for their data. This week Google became the first company to receive a major penalty under GDPR, being fined $57 million by French regulators. This in turn has triggered more awareness about the importance of data management and protection. Understanding the universe of information being stored and managed by a business, is a critical step to being able to evaluate risk from breaches, compromise or loss. How can you effectively protect your data, if you don’t know what you have?
This lack of transparency means that security is typically approached in completely the wrong way. Most businesses invest a lot of money in broad-brush security strategies, protecting by file location rather than by the sensitivity of the documents that reside there. This is not only expensive, but ineffective. It makes the assumption that documents of the same level of value and risk to the business are stored in the same places.
Ultimately only 5% of a business’s data is absolutely critical and must be protected. The rest might be anything from previous versions of documents, to cafeteria menus. So why do we apply the same levels of security to all information? We need to rethink our approach to cybersecurity and protect individual files by the true value they represent, rather than simply where they lie on the system.
Data identification tools are getting smarter and can be used to enable a more strategic approach to data protection. By categorising documents by value, these tools can help businesses identify the data their organisation stores, delete irrelevant or toxic information and make improved decisions around the management and protection of a smaller, business-core set of data. This can then be protected with confidence, and at far less expense.
Did the quest for maximum data security affect other aspects of business?
Peter Majeed, VP for Customer Success and Field Services at Delphix, added
An effective means to managing data security is to put in place automation processes that build in controls prior to distributing data to consumers. This process, also known as DataOps, allows effective control of data security, whilst allowing for data agility and portability to end users of data. In the past, data protection has often come at the cost of data agility and speed; however, with effective use of DataOps processes and tools, organisations can proactively focus on growth whilst being compliant with regulations and avoiding data breaches.
Should businesses limit the amount of data they require from customers?
Emma Butler, Data Protection Officer at Yoti, noted
Personal information is valuable and we all need to take steps to keep it safe. Every individual should be able to confidently share their personal information without feeling like they have to compromise their privacy or security. We should be able to share only the necessary information – for example, just our name and age – without having to reveal additional information that is unnecessary, or that could be sensitive. This will help strike the right balance between protecting individuals’ privacy, while making sure companies are compliant and have the details that they need.
Whether opening a new bank account, applying for a job, or even buying alcohol, we’re all faced with routinely having to prove our identity. While this will inevitably continue, we need to regain control of our data. It makes no sense that while our lives are becoming more digital, the way that we prove who we are remains stagnant. At some point today we should all take a moment to reflect on who has access to our information, why they need it and what it is being used for.
How can businesses achieve better data protection?
Elodie Dowling, Corporate VP EMEA General Counsel at BMC Software, advised
Companies are able to achieve better data protection in today’s IT ecosystem through four critical measures. Visibility – IT needs the tools to know where sensitive customer data resides, how it is being processed, and by whom. Security – DevOps teams must be aligned to maintain security and compliance. Integrity – IT must validate structured and unstructured data automatically, and ensure that stored data is intact. Recovery – Organisations must ensure data is recoverable in a timely manner in the event of any physical or technical incidents.
What can consumers do to better protect their privacy online?
Matt Bird, General Manager at InLinkUK, stressed
In today’s digital age, the majority of us now expect internet connection to be a standard and seamless feature in our everyday lives. More often than not, one of the first questions anyone asks when they walk into a café, hotel or restaurant is: “What’s your Wi-Fi password?” In fact, a recent survey revealed that a massive 70% of tablet owners, and 53% of smartphone and mobile phone owners use public Wi-Fi networks across the UK. A freely available shared Wi-Fi password can be just as insecure as an open network!
It’s important that users and network providers alike take steps to protect data on the go. An encrypted network connection, which is unique to each device, is that extra step to ensure Wi-Fi networks are safe for confidential browsing, accessing online accounts or making payments. Encrypted Wi-Fi networks work as a barrier against personal or sensitive data being compromised.
The good news is that tech and telecommunications companies are pushing towards an improved climate for public access; our InLinks, for example, are currently available in 18 cities across the UK and offer ultrafast encrypted Wi-Fi.
Edward Whittingham, Managing Director at The Defenceworks, added as a conclusion: Data Protection Day approaches 12 years old this year. And, much like most approaching their formative teenage years, we’re really starting to see Data Protection Day finally gaining its own identity. For years, we’ve seen these days pass by, often with a lot of noise but very little notice paid by the ordinary person. Thankfully, times are a-changin’. More than ever, we’re seeing people genuinely starting not just to want to protect their data, but to understand exactly why it’s so important to do so.
People are finally waking up to the fact that their data has been abused by large organisations the world over and, only recently, are we starting to see that shift in power back towards the user, the customer or the employee. We’ve all got a duty to help Data Protection Day celebrate this latest marker and to ensure it celebrates becoming a teenager in spectacular fashion. We owe it to Data Protection Day as it comes of age but, more importantly, we owe it to people worldwide.