Data to be thought of as plutonium, rather than gold
18 May 2017
Under the General Data Protection Regulation (GDPR), it would be safer for organisations to think of data containing personally identifiable information (PII) as more akin to plutonium than gold.
According to John Thompson, Ireland Regional Manager, Avnet Client Solutions, such data should be thought of as holding an immense amount of value, but only if handled carefully, and managed appropriately. If not handled carefully, such data, like the radioactive element plutonium, could present a hazard to the organisation, under GDPR.
In the past, said Thompson, organisations thought of data more as gold: it could be mined in a variety of ways, and then stored indefinitely to be examined and refined when needed.
The new regulation, he said, changes this and the nuclear analogy aids organisations in adjusting their culture and attitude to gathering, processing and storing data.
Data protection officers
Among an audience where, by a show of hands, there were few data protection officers, but almost all were in an organisation that had a DPO, the general state of GDPR readiness was that more than half had started on the compliance journey and were making good progress. Just a handful reckoned they were well advanced or actually compliant. One audience member admitted that, bar having attended the event, their organisation had, as yet, done nothing.
Tom Hulton, chief compliance officer with An Post, said his organisation’s data protection officer was aided by a GDPR committee, to help in the overall compliance efforts. This was supported by Thompson, who said it was a good strategy and such committees should have representation from IT and other areas of the business. An audience member commented that from experience, Europol had such structures in place for many years.
A question from the floor addressed the issue of third parties processing data, particularly those from the US. The audience member said that they were shocked at how unprepared US service providers are for questions on GDPR and its implications.
Chris Butler, principal consultant, Cyber Resilience and Security, Sungard AS, said that third-party assurance was vital, as there were many examples of third parties being breached to get to someone else in the supply chain, and cited the Target breach as an example.
Butler said that, once Privacy Shield goes, as it will when GDPR is enforced, there will be huge issues for organisations, and it is not entirely clear what will be done. It will be an interesting challenge, he said.
Among the experts on the panel, the general consensus was that the US response has been patchy and very much on a case-by-case basis, with little evidence of broad awareness.
Another question from the floor was around C-Suite awareness, and what to do if it was in any way lacking.
Butler cited the business continuity (BC) example. He said BC does not have a regulatory pressure behind it, but is good practice, which is accepted by the board. Companies that have performed good risk management have plans and measures in place, based on the assessed risk. When it comes to compliance, said Butler, there is that extra pressure that ensures issues rise to the C-level.
Still, he admitted, there are those that will try to go the cheapest route and not put optimised measures in place, but at the end of the day, non-compliance will be found out when a complaint is made and is raised by a DPO or a business division. And that will be formally processed.
But, said Butler, without those structures, whoever is in charge of achieving compliance should go back, once they have a grasp of what it means for the organisation, and make sure the board knows the importance and the impact.
Hulton pointed out that one of the protections built into the regulation is that if the DPO makes a recommendation that is not followed, they can put that in writing and show that the advice was given. The board will then have to explain to the DPC why they did not follow the DPO’s recommendations, he said.
Another question from the floor asked about data outside of the digital realm, and to what extent GDPR applied.
The entire panel agreed that data are data and where there is PII involved, GDPR applies, irrespective of the media.
It was pointed out that, anecdotally, there are already reports of companies encouraging the use of electronic note taking in meetings, as opposed to handwritten, to allow such data to be properly captured and stored, and available should it ever become the subject of a request.
An interesting point was raised by another question around where people inadvertently leave PII, either through unsolicited submission or incorrect routing of communication.
Butler pointed out that such data is not sought by the organisation and so, in all likelihood, GDPR did not directly apply. Thompson suggested that under the guidance of data minimisation in the regulation, such data is probably best deleted. An audience member pointed out that such information is often recorded on the likes of voice recording systems that have forensic storage for regulatory purposes. In such instances, deletion is not possible.
The panel did not have a direct answer in this case.