Walking the line
High-risk industries such as financial services and healthcare require full transparency and protection of business-critical data in the borderless enterprise in order to protect the details of the individual citizens whose data they hold. Personally identifiable information (PII) is very valuable in the wrong hands and this data is at its most vulnerable when in transit.
Undoubtedly there is a role for us as citizens to up our security game. Becoming familiar with security features, backing up our data and keeping up with the latest versions of security software, operating systems, apps and web browsers – these are just some of the precautions everyone should take on every device. When we don’t do these basics, or when we download the latest must-have app and hand over personal information through it without being sure of its source, we are quite simply taking a big risk with our own details. While there has been growing awareness of what we should, as consumers, do to secure our data, how can we be assured our data is being appropriately cared for when we hand over information to companies?
Gaining trust
By properly respecting the privacy of users and customers, firms can earn their trust. However, it’s essential that terms such as “respecting privacy” or “creating trust” are backed by the right policies, training and technologies. In other words, customer trust needs to be earned. This is a big technical challenge for business leaders, chief privacy officers and IT management because of the rapid growth in data integration.
Data is shared across the open Internet between the organisations that hold it (whether we are talking about social media giants like Facebook or more modest businesses holding data on EU citizens) and the service providers they interact with, such as payment processors, IT subcontractors, insurance companies, government agencies and cloud service providers. And in the borderless enterprise, that data needs to be kept safe no matter where it goes.
Borderless controls
The GDPR and the Safe Harbour pact are both examples of laws designed to protect personal data once it’s out of the hands of the consumer or citizen and in the realm of corporations and public organisations. Meeting data protection regulation in the context of the borderless enterprise means thinking beyond perimeter defence.
The lines are blurred when it comes to defining who is “inside” and who is “outside” the perimeter, with many external service providers being quite legitimately tasked with duties that require them to have credentials akin to those of highly privileged insiders. What’s more, in many industries, data must move outside its trusted network. Healthcare data is a case in point and the dizzying number of healthcare data breaches goes to show the scale of the challenge. Encryption is the best means of limiting access to protected data, since only those with the encryption key can read it. But once data is in transit there are other factors to consider, particularly when compliance with GDPR or specific industry legislation is a requirement.
What data protection compliance will mean for businesses
For companies that are starting to grapple with GDPR compliance the message is clear: expect to make significant investments in order to achieve compliance. According to a survey my company conducted amongst 300 European IT professionals, nearly 70% said they’d need to invest in new technologies or services to help prepare the business for the impact of the GDPR. Those technologies were: encryption tools (62%), analytics and reporting (61%), perimeter security (53%) and file sharing solutions (42%).
Two thirds of those surveyed said that keeping up to date with changing data protection regulation was a burden on their business. There is a fine balancing act in aligning data protection measures with modern data sharing practices in the context of the globalisation of data. It is clear that compliance for most comes at a price, both in terms of technology investment and in the time taken to train staff. However, when we consider that the underlying rationale for that data protection burden is to keep us as citizens safer from unscrupulous cyber attackers, then I would venture that the benefit of compliance balances out against the cost.