Decisions: Data protection — status quo
Has much changed in data protection tools and services lately? A range of experts talk to PAUL HEARNS
27 February 2019
It is impossible to talk about tools and services in data protection without addressing the elephant in the room: the General Data Protection Regulation (GDPR). It is the biggest shake-up of data protection in recent years and so can be said to influence every aspect of the discipline.
Thankfully, Mazars, with McCann FitzGerald, conducted a survey late last year among Irish organisations to gauge overall GDPR preparedness. There were 73 respondents from a range of organisations and industries.
The broad findings were that “Irish businesses are optimistic about compliance with the GDPR as 88% say they are confident that they have correctly interpreted their GDPR obligations while 84% of organisations are satisfied that they are materially compliant with GDPR.”
“Despite 68% of businesses finding it challenging to put the necessary GDPR compliance structures in place, there is also a shared belief that the introduction of GDPR has been a positive development for society with 82% of businesses agreeing or strongly agreeing that GDPR has been beneficial for individuals.”
This is fairly optimistic, but needs qualification, says one of the survey report authors, Liam McKenna, partner, Consulting Services, Mazars.
“Where organisations have focused in on this, they have certainly put a good basis in place for compliance. But when people say compliance is high, what they are really saying is we feel comfortable that we are no different to others,” said McKenna.
Undoubtedly, there have been high levels of activity in terms of initial compliance and operation under the regulation. The survey also found that the vast majority (84%) of Irish organisations said they were going to spend on technology as a result of GDPR in 2019. A poll on the online home of TechPro, TechCentral.ie, asked whether organisations had invested in data protection tools or services since the GDPR deadline. Just under half (44%) of the 48 respondents said yes, while half said no. The remainder did not know.
McKenna said what they observed in the market were people focused on policies, procedures and managing activities through spreadsheets “in order to fall over the line on May 25, 2018 and subsequently they took a breath and said ‘OK, how are we going to get this thing right going forward, and it’s not going to be through all of this [spreadsheets]?’”
He said there were two broad categories of technology that clients were talking to them about. The first is tools that help people understand their compliance and meet the accountability challenge the GDPR imposes: tools that allow organisations to log breaches, manage subject access requests (SARs), store records of processing activity, and everything else a data protection officer (DPO) would need to be confident in expressing the state of compliance and to prove it to the Data Protection Commissioner (DPC), if and when asked.
There is a whole new set of applications, said McKenna, based around Governance, Risk and Compliance (GRC) tools; some vendors are using or adapting standard tools for GDPR and others are brand new to market.
Where organisations are large, complex and decentralised, he said, there is a lot of interest in those tools. Smaller organisations, he added, are trying to achieve the same through spreadsheets and file shares to show people they have control of things.
The second category, said McKenna, is tools that actually reduce risk. Information security, for example, and its requirements have not changed as a result of GDPR, but the business case for information security tools has changed significantly.
“What we are seeing is that before people were willing to accept a certain level of risk around security threats, they are now re-evaluating, with more assessments of the technology solutions that can address security risks,” said McKenna.
In the view of another data protection practitioner, the tools and services have not changed much since the GDPR deadline.
According to Lanre Oluwatona, data protection consultant, DataPriv, and advisor with the Irish Computer Society, uptake of these tools has been slow, “but I believe we will see significant changes in attitudes towards adoption of tools in the not too distant future once organisations become fully conversant with the workings of GDPR and the Irish Data Protection Act.”
“The first year of GDPR implementation has been a learning curve for most organisations, particularly among small and medium sized organisations. I think a priority for most, in the first year, is to understand the dynamics of data flowing in and out of each organisation, thus requiring a sound understanding of data processing activities including classification, themes, locations, access etc. Process automation may be considered when the privacy landscape is fully understood and manageable,” said Oluwatona.
This is a point broadly agreed by David Keating, group security sales director, DataSolutions.
“It’s still debatable how well bedded in GDPR is,” said Keating, “or if data protection tools and services have changed that much since its introduction. However, organisations are starting to acknowledge that they need to get a better handle on their data and assess their key data protection requirements. Organisations are now questioning what kind of data they possess, what info it contains, where it is stored, how long it is stored for, and who is responsible for its security.”
“However, for most mid-size businesses,” he said, “the GDPR deadline really just got them to understand how much unstructured data most of them had and the size of the problem they need to tackle. For many, this was a scary realisation.”
With broad agreement that the tools and services have not really changed post deadline, has utilisation or attitudes changed?
Yes and no, says Keating.
“While there is a greater awareness and interest in implementing data controls, there are still time and financial constraints holding back adoption. Traditional data protection or data loss prevention (DLP) tools are expensive to implement and require major 6-12-month projects (where all the data is identified, then categorised and then a policy developed to allow its movement in and out of the organisation). Thus, implementation is still out of reach for a lot of smaller and mid-sized Irish organisations. While they would like to do something, they are struggling to find something they can afford to implement.”
Oluwatona agrees and adds “but we have seen a remarkable increase in client requests for DPO as a Service (DPOaaS) given the challenges that come with implementing a privacy programme.”
McKenna said that awareness among larger organisations has meant much more activity and preparation, but that awareness among smaller organisations is still poor.
“There are probably a whole host of mostly smaller organisations who are thinking this does not apply to me,” said McKenna.
“It would probably not be until there is a focus on such organisations that the message will start to resonate.”
As the Mazars survey shows, most organisations seem to think that the regulation has been good for citizens. Has that prompted greater expectations from citizens in terms of how their data is handled and how they expect to be treated by businesses?
“For end users, who are rightfully aware of the rights conferred on them under the regulation,” said Oluwatona, “yes, there is a huge expectation; more so when remediation is now considered a right. Organisations who process personal data have an obligation to demonstrate accountability by taking necessary and appropriate measures to protect personal data.”
Keating said they have seen behaviour changes as more organisations are starting to tackle the issue of unstructured data by implementing data auditing tools that can allow them to better understand how data moves around the organisation.
In terms of future developments, in the shorter term, Oluwatona expects further difficulty as the range of regulations and compliance obligations increases.
“The myriad of arrangements and extra legislation (Privacy Shield, DPA 2018, Health Research Regulation, the data sharing bill) on top of GDPR introduce layers of complexity that most organisations may have difficulty keeping up with in an uncultivated privacy environment,” he said.
“Organisations must put in place plans to periodically review the fitness of purpose of their data processing activities, update their policies and procedures, but most importantly inculcate the data protection principle of accountability. This, in my view, is the focal change for most organisations in the short to medium term.”
Keating reckons that specialist service providers may emerge, in light of regulation.
“GDPR has become a buzz word [such] that many existing vendors have re-messaged their current solutions around to try and address the new concerns. There is a need in the sector for more specialist vendors to address this — ones that have evolved specifically for this task rather than adapting existing technology. The move towards data auditing that we are starting to see seems to add credibility to this view point,” said Keating.
McKenna foresees the need for specialist training and education focused on specific functions, such as HR, finance and marketing.
The implication for Irish organisations remains that the tools and services available currently can help an organisation meet its compliance obligations, but culture, training and a deep knowledge of the organisation’s use of data are all still critical in any data protection strategy.
Data Management and Privacy Solutions for 2019
Information management and privacy strategies are essential at every level of your organisation but are they being implemented correctly and does everyone in your organisation understand their importance?
Data breaches continue to occur despite the introduction of new laws and regulations. These breaches are the result of various factors including the volume of data that organisations are managing; the disregard for implementing the right data management and privacy solutions; the lack of training and awareness; as well as the litany of outside factors such as cybercrime and technology failures.
Regulations: In 2018 the General Data Protection Regulation (GDPR) became law, and organisations increased their knowledge and understanding of data usage, data subject rights and the regulations that apply to their business. The GDPR means that organisations must ensure that trust and transparency are maintained, and that privacy and security risks are reduced. This year the ePrivacy Regulation is set to add further rules for protecting privacy and confidentiality, specifically in the vast space of electronic communications. While the GDPR carries significant sanctions for breaches, with fines of up to 4% of total worldwide annual turnover or up to €20 million, the ePrivacy Regulation is expected to be more complex and will include architectural compliance and integration.
So how can you ensure that your organisation’s data governance and management is compliant and at the right level for your business, and what solutions can be implemented to support it?
Data Privacy: All organisations should examine their obligations under relevant privacy legislation. European organisations will of course be subject to the EU General Data Protection Regulation (GDPR) where their operations require the processing of personal data. Data privacy is about understanding how your information assets should be managed with respect to the legislation, particularly around areas such as the need for Data Protection Impact Assessments (DPIAs), handling Data Subject Access Requests (DSARs), the right to be forgotten and other key components of the legislation. Undertaking a review or gap analysis gives an organisation a proper understanding of its current position and a roadmap to achieving alignment, so that avoidable issues are caught early.
Legislation in this space may also mandate organisations to appoint full-time personnel to ensure that the legislation is implemented and that the rights of the data subject are safeguarded. Not every organisation is able to hire suitably qualified personnel and, while it may be mandated to do so, may not actually have a full-time role for them. Consideration at this juncture should be given to engaging a Data Protection Officer (DPO) as a service. Doing so removes the ‘key person dependency risk’ associated with an internal DPO, reduces the overhead costs of employing an internal DPO, and gives quick access to specialised, skilled and experienced advice in the event of a personal data breach.
If one technology should be employed to ensure data privacy, it should be encryption. As data moves through the data security lifecycle, in which it is created, stored, used, shared, archived and destroyed, it should be encrypted in each of these phases to minimise the reputational damage should the data be egressed. An additional consideration from an encryption perspective is the traversal of the data across devices, whether they are endpoints, network equipment or cloud based.
Data Loss Prevention (DLP): Data loss can occur as a result of malicious or negligent activity and can expose an organisation to regulatory fines, negative publicity, customer dissatisfaction, or even litigation. It is essential that your organisation’s information stays within the boundaries set by your business. Ideally, a systematic methodology should be in place to minimise the threat posed by data loss. Classification schemes and user awareness contribute to the success of a data loss programme, as do DLP systems such as cloud access security brokers, which can help automate policy enforcement. To mitigate these potential outcomes, technology should also be leveraged to ensure data is protected in line with company policies. As per industry recommendations, if organisations are using cloud-based data repositories, they should be using cloud-to-cloud backups to protect the data.
Forensic requirements in the event of a data breach: Organisations should also have in place a resource or partner organisation to call on in the event of an incident that is regarded as a major or sophisticated breach. Service organisations in this space will typically provide the ability to triage an incident, provide forensic information aiding root cause identification, and offer a path to remediation. Proactive measures such as tamper-proof audit trails, log management, 24×7 incident response capability and Security Information and Event Management (SIEM) integration should be taken to assist investigations, provide evidence and aid root cause analysis should the need arise.
Delegates attending the BSI International Cyber Resilience Exchange on 26 March 2019 at The Convention Centre Dublin can learn more about the data management and privacy solutions offered by BSI Cybersecurity and Information Resilience. The Exchange offers a unique opportunity to become acquainted with the latest cybersecurity innovations and solutions with an agenda that features keynote addresses by industry leaders, panel discussions, case studies and interactive workshops from leading technical solution partners. For more information visit bsicyberexchange.com
Stephen Bowes is head of Technology at BSI Cybersecurity and Information Resilience
Don’t demonise data
The data revolution was never going to be without its challenges with concerns around the exploitation of personal data not going away any time soon.
Recent headlines have focused on the use of personal data to influence democratic elections and referendums, fuel “fake news” and make millions in advertising. But we shouldn’t start by simply demonising big data with Big Brother references and warnings about the potential for social control or unsavoury commercial practices.
While we must pay due attention to the possible consequences of its inappropriate use, we also need to consider its benefits and embrace it. It’s important to remember that cutting-edge data analysis has been, and will be, at the heart of positive transformation in both the public and private sectors for a long time.
From smart cities across Europe to revolutionary changes in healthcare and environmental policy, it is not an overstatement to say that big data holds the key to many of our futures. But what about when personal and sensitive data is in question? Data-led initiatives are most commonly demonised in cases where the compromised information is of a delicate or significant nature. Medical records are a notable example, and scandals throughout Europe of governments selling patients’ medical records for profit have been making headlines for the past decade.
The accountability procedures by organisations handling sensitive information can be improved. It’s critical that companies are not disingenuous in the way that they request data. They must be very clear as to what is being requested and why.
We shouldn’t think of big data as synonymous with illegality, because it isn’t. To change that perception, we need to develop technology responsibly and ensure those that don’t are held accountable. Data has the transformative power to change lives for the better, and not harnessing this power would be doing it an unfortunate disservice.
Philip Brady is director and head of Canon Ireland
2018 felt like it was all about the GDPR. ‘Millennium bug’ style horror stories around marketing led to many businesses virtually halting traditional forms of marketing altogether, rather than risk data breaches and the shame of regulator fines.
Data breaches are becoming more regular across all industries. Public sector bodies, educational establishments and charities are pushing a virtual panic button, and it is now a huge concern for all types of organisations.
With organisations becoming more aware of their obligations, it’s more important than ever that they find services that fulfil their needs. The ITAD (Information Technology Asset Disposition) industry provides solutions for organisations to destroy data either by physical destruction or by overwriting with certified software, which are really the only ways to guarantee that data cannot be recovered.
When the term data breach is mentioned, people associate it with online hacking, but what many don’t realise is that when companies lose or misplace USBs, hard drives or other IT data-bearing devices, it is classified as a data breach and may be susceptible to GDPR fines.
ITADs such as AMI provide a robust, process-led approach to data destruction, guaranteeing secure, certified data destruction without a negative environmental impact. AMI works closely with leading providers of National Cyber Security Centre (NCSC) approved software, like Blancco, to ensure accurate, quality-controlled and fully documented procedures. AMI guarantee that 100% of data is permanently erased and unrecoverable from all data-bearing devices, whether through software overwriting or shredding into debris.
Faye Thomas is chief commercial officer with AMI DiskShred
The GDPR is complex, with many provisions that relate not just to technology but to an organisation’s policies, systems and people’s behaviour. However, as the GDPR has the fundamental goal of ensuring that private data is kept secure, there are some key principles that will be common to any data protection plan whose goal is protecting data across the entire life cycle.
Know your personal data – Understand what personal data you collect and any retention rules you must adhere to.
Assess your data security – Assess whether the level of security offered by current policies and procedures is adequate to offer protection against unauthorised processing and data loss.
Embed privacy – Ensure that technologies embed privacy and that processes are built to protect the individual’s privacy.
Protect personal data – Ensure full risk management from people who have access, where it is located, how it is used and that it is protected through strong information risk management and security.
Control transfers of personal data – Transferring personal data out of the European Economic Area (e.g. in the cloud) will be subject to increased regulatory scrutiny.
Review any breach notification processes to ensure that your company has tools on hand to investigate the extent of any compromise within a 72-hour notification deadline.
Technology is not the answer to all your GDPR concerns, but the appropriate use of technology will help you gain and maintain compliance. The appropriate technology solutions are very mature and include:
- Security Information and Event Management – you can’t manage what you don’t measure, so by having visibility of network activity you can identify unwanted behaviour such as exfiltration of personal data.
- Data loss prevention and data encryption solutions from Symantec and CheckPoint will help discover, monitor and protect your data.
- Data classification solutions from Boldon James and Symantec will help your users classify their documents so that you can apply the appropriate controls.
The big challenge organisations face is deciding what the appropriate technologies for their environment are and how to deploy them in an effective and efficient manner. To this end, they need to ensure they are working with a trusted data security partner.
John Ryan is CEO of Zinopy, a Trilogy Technologies company