Keeping up the balancing act: data protection and privacy invasion in the digital enterprise

Michael Hack, senior vice president at Ipswitch examines how organisations can engender customer trust through their data protection means.

Data privacy is shaping up to be a key concern in 2016. The start of this year saw the adoption of the long-anticipated overhaul of the EU data protection laws, the GDPR (General Data Protection Regulation). Just a few weeks later, on 28 January, the same issues were marked globally in Data Privacy Day. Hot on its heels came the news of Safe Harbour 2.0 - ‘Privacy Shield’ - the new EU/US agreement on the handling, processing and movement of personal data between the two regions.
Walking the line

High-risk industries such as financial services and healthcare require full transparency and protection of business-critical data across the borderless enterprise, because that data describes the individual citizens whose details they hold. Personally identifiable information (PII) is very valuable in the wrong hands, and it is at its most vulnerable when in transit.
Undoubtedly there is a role for us as citizens to up our security game. Becoming familiar with security features, backing up our data and keeping up with the latest versions of security software, operating systems, apps and web browsers are just some of the precautions everyone should take on every device. When we don’t do these basics, or when we download the latest must-have app and hand over personal information without being sure of its source, we are quite simply taking a big risk with our own details. While there has been growing awareness of what we as consumers should do to secure our data, how can we be assured that our data is being appropriately cared for when we hand it over to companies?
Gaining trust

By properly respecting the privacy of users and customers, firms can earn their trust. However, it’s essential that terms such as “respecting privacy” or “creating trust” are backed by the right policies, training and technologies. In other words, customer trust needs to be earned. This is a big technical challenge for business leaders, chief privacy officers and IT management because of the rapid growth in data integration.
Data is shared across the open Internet between the organisations that hold it (whether we are talking about social media giants like Facebook or more modest businesses holding data on EU citizens) and the service providers they interact with, such as payment processors, IT subcontractors, insurance companies, government agencies and cloud service providers. In the borderless enterprise, that data needs to be kept safe no matter where it goes.
Borderless controls

The GDPR and the Safe Harbour pact are both examples of laws designed to protect personal data once it’s out of the hands of the consumer or citizen and in the realm of corporations and public organisations. Meeting data protection regulation in the context of the borderless enterprise means thinking beyond perimeter defence.
The lines are blurred when it comes to defining who is “inside” and who is “outside” the perimeter, with many external service providers being quite legitimately tasked with duties that require them to have credentials akin to those of highly privileged insiders. What’s more, in many industries, data must move outside its trusted network. Healthcare data is a case in point and the dizzying number of healthcare data breaches goes to show the scale of the challenge. Encryption is the best means of limiting access to protected data, since only those with the encryption key can read it. But once data is in transit there are other factors to consider, particularly when compliance with GDPR or specific industry legislation is a requirement.
What data protection compliance will mean for businesses

For companies that are starting to grapple with GDPR compliance the message is clear: expect to make significant investments in order to achieve compliance. According to a survey my company conducted amongst 300 European IT professionals, nearly 70% said they’d need to invest in new technologies or services to help prepare the business for the impact of the GDPR. Those technologies were: encryption tools (62%), analytics and reporting (61%), perimeter security (53%) and file sharing solutions (42%).
Two thirds of those surveyed said that keeping up to date with changing data protection regulation was a burden on their business. There is a fine balancing act in aligning data protection measures with modern data sharing practices in the context of the globalisation of data. It is clear that compliance for most comes at a price, both in terms of technology investment and in the time taken to train staff. However, when we consider that the underlying rationale for that data protection burden is to keep us as citizens safer from unscrupulous cyber attackers, then I would venture that the benefit of compliance balances out against the cost.