Infosecurity Europe is a huge event, attracting hundreds of vendors to a melting pot of acronyms in the hope that they won’t just be talking to other vendors for three days.
At the most recent London conference in June, though, one acronym stood out above all others: GDPR. Every session on this topic was crammed with interested viewers, especially a keynote address from Peter Brown of the ICO, followed by a panel session which included Helen Rabe from Costa Coffee, Cameron Craig from HSBC and Steve Wright from John Lewis. In addition, there were numerous other full sessions on the GDPR, and many of the vendor stands had those four letters emblazoned on them in some form.
The interest isn’t surprising. The regulation was enacted 14 months ago and comes into force in 10 months – and many UK firms are still not prepared. We have all heard of the headline penalty figures that have made the regulation so renowned, and about the reputational risk of non-compliance. What we hadn’t realized, though, was that data subjects themselves are also given the right to sue for any damages – and this has no set penalty ceiling! That provision has the potential to be worse than the fine AND the reputational harm.
Many overheard conversations at the conference repeated the generally held view that there will be an initial slew of punitive fines from the regulators who will be keen to ensure the regulation is taken seriously.
While Stuart Clarke of Nuix was keen to point out that the GDPR is mostly an update of the existing legislation – the Data Protection Act (DPA) here in the UK – the new regulation, which unlike the act must be applied uniformly across Europe, clearly states that the intent of the changes is to enforce ‘Privacy by Design’ in all systems and processes that contain Personally Identifiable Information (PII).
Privacy by Design is essentially analogous to security by design. It ensures that the collection, storage and use of PII data is done with users’ full knowledge, with the implicit understanding that the data will be kept safe, used only for what the user has agreed to, and removed as soon as the user asks.
It was suggested that in the event of a breach, the initial report to the ICO, which must be made within 72 hours of the breach being identified, needs to include the following points:
- Cause of the breach
- What’s being done about it
- Impact on the data subjects
From listening to Stuart it was clear that identifying the cause can be a significant challenge, and the impacts may be even less well understood. Without insight into the cause, identifying a solution will be problematic as well. Giving the ICO incomplete information at this early stage will not get the investigation off to a good start.
To delve into a real-world example, the mass of digital transformation projects currently underway to enrich consumers’ lives now come with an obvious challenge. How do we safely collect, use and store highly sensitive information about consumers without adding additional friction to the process?
One answer specifically called out in the GDPR text is encryption. This technology solves numerous issues by rendering useless any data lost without the encryption key. As such, the likelihood of material impact on the data subject – and thus the need for regulatory and personal reporting – is removed. In this scenario, there is no need to report all of the required information to the ICO.
Many solution providers who support externalizing information outside of the corporate firewall also provide encryption, but as with any technology there are deeper considerations. For example, does each piece of content have its own key? Can you own the key? Is the content encrypted in storage, in transit AND in use? Can files stored anywhere be controlled without additional plugins? And where is this encryption applied – in Europe or in the US? Furthermore, are users subjected to additional irritating friction when working with encrypted content or is it a seamless process?
Still struggling with GDPR implementation? Read GDPR: Five Steps Towards Compliance for information on how to organize and accelerate a compliance program.