The invalidation of the Safe Harbour agreement – which had allowed US companies storing EU customer data to self-certify – brought to wider attention an issue that those of us within the industry have known about for some time. Europe and the US are as different as night and day in their prevailing attitudes to data protection and legislation. However, 2016 has kicked off with some encouraging signs that both sides of the Atlantic are prepared to take the necessary steps to properly manage data throughout its lifecycle.
Any time now, the European Parliament and the European Council will formally adopt the General Data Protection Regulation, which gives individuals greater control over their personal data and promises harsh fines for those organisations that fail to remove individuals’ data. Notably, the new privacy law’s jurisdiction will apply not only to businesses based in the EU but also to any company based outside Europe that wants to offer services in the region.
Furthermore, hot on its heels we have the EU-US Privacy Shield, a new framework for trans-Atlantic data flow, which brings us one step closer to ensuring that both individual and company data is protected. It is significant because the US has for the first time committed to a redress mechanism administered in the US by some form of Ombudsman, reflecting a growing awareness of the importance of this issue.
I certainly don’t envy the job of those security legislation policymakers trying to keep up with the ever-increasing pace of technological advancement. However, the measures now being introduced have been needed for some time. After all, to say there is a lot of information in the digital universe is an understatement.
Even back in 2012, IBM reported that 2.5 billion gigabytes of data were generated every day. Just think about how much sensitive personal information that entails and the consequences of it falling into the wrong hands. For individuals and governments, that could be personal usernames and passwords, financial details, credit card numbers, health records and so much more. And for private sector organisations we’re talking about the intellectual property that underpins their very existence.
The task of safeguarding the data that does need to be stored is a significant one. However, most organisations, public and private, are making that task even harder than necessary by failing to responsibly dispose of information that is no longer required. Only about 20 per cent of major organisations are wiping their devices properly and much of this comes down to a lack of understanding about how these tasks should be carried out.
Unless an organisation knows everywhere its data is being stored – on servers, on physical devices and in the cloud – it is impossible to carry out the right processes. There also needs to be a lot more education to ensure organisations aren’t relying on data deletion methods that don’t work. Many are relying on the equivalent of restoring to factory settings, which is reversible and therefore insecure. Only true data erasure can destroy all information so that consumers are given the protections they demand.
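The point about factory resets can be shown concretely. The following is an added illustration, not code from the original article or from Blancco: a bytearray stands in for a storage device and a dict stands in for the file system's allocation table (both constructed). A "factory reset" only forgets the table, so a raw scan of the medium still finds the record; a true erasure overwrites every byte and then reads the medium back to verify. The record contents, device size and function names are all assumptions made for the example.

```python
"""Why 'restore to factory settings' is not data erasure: a toy model.

Constructed example. The bytearray models a disk, the dict models the
file system's allocation table. Nothing here touches real hardware.
"""
import os
from typing import Dict, Tuple

DEVICE_SIZE = 4096  # size of the toy device in bytes (constructed value)


class ToyDevice:
    """A disk image plus an allocation table mapping name -> (offset, length)."""

    def __init__(self, size: int = DEVICE_SIZE) -> None:
        self.image = bytearray(size)
        self.table: Dict[str, Tuple[int, int]] = {}
        self._next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        end = self._next_free + len(data)
        if end > len(self.image):
            raise ValueError("device full")
        self.image[self._next_free:end] = data
        self.table[name] = (self._next_free, len(data))
        self._next_free = end

    def read_file(self, name: str) -> bytes:
        offset, length = self.table[name]
        return bytes(self.image[offset:offset + length])

    def factory_reset(self) -> None:
        """What a typical reset does: forget the allocation table so the
        space can be reused. The bytes themselves are left in place."""
        self.table.clear()
        self._next_free = 0

    def secure_erase(self, passes: int = 1) -> None:
        """Overwrite every byte of the medium (not just the table) with
        random data, then finish with a zero pass so it can be verified."""
        size = len(self.image)
        for _ in range(passes):
            self.image[:] = os.urandom(size)
        self.image[:] = bytes(size)
        self.table.clear()
        self._next_free = 0


def carve(image: bytearray, needle: bytes) -> bool:
    """Crude carving: scan the raw image for a known byte pattern while
    ignoring the file system, which is how recovery tools find 'deleted' data."""
    return bytes(image).find(needle) != -1


def verify_erased(image: bytearray) -> bool:
    """Read the whole medium back and confirm every byte is zero."""
    return not any(image)


def demo() -> dict:
    """Run the reset-versus-erase comparison and return the observations."""
    record = b"patient-id=CONSTRUCTED-0001;dx=example"  # constructed sample
    dev = ToyDevice()
    dev.write_file("record.txt", record)
    results = {"readable_before": dev.read_file("record.txt") == record}

    dev.factory_reset()
    results["table_empty_after_reset"] = dev.table == {}
    results["recoverable_after_reset"] = carve(dev.image, record)

    dev.secure_erase(passes=1)
    results["recoverable_after_erase"] = carve(dev.image, record)
    results["verified_erased"] = verify_erased(dev.image)
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The verification pass is the part most often skipped in practice: an erasure that is not read back cannot be certified. On real flash media with wear-levelling, a host-side overwrite like the one modelled here does not necessarily reach every physical block, so production processes rely on the drive's own sanitisation commands and then verify the result.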
Our responsibilities as IT professionals
The implications of new regulations such as the EU GDPR extend well beyond the IT department. Companies will need to break down the internal departmental silos that exist inside their organisation to ensure all stakeholders – marketing, sales, legal, finance, compliance, C-level and board level executives – are working together to properly manage data throughout its entire lifecycle.
Compliance will require investment in new processes, training, education and a thorough audit of existing technologies (and ones that still need to be implemented). It’s vital that we as corporate IT professionals push for these things to happen and for the appropriate resources to ensure that they succeed.
Doing so means communicating the importance and value of data protection in the context of how it will impact business growth and revenue. Some of that will come down to spelling out the negative repercussions should a data privacy violation occur; not just immediate losses, but also the long term erosion of customer trust, reputational damage that can be tough to recapture and even employee turnover.
However, there is also a positive message to be told about treating these new regulations as a starting point, rather than a finishing post. Against a backdrop of hardening attitudes towards data protection, going the extra mile to show organisations value their customers’ privacy – and making this a key point of differentiation over competitors – simply makes good business sense. For example, when a consumer invokes their ‘Right to be Forgotten,’ a verifiable tamper-proof certificate says far more than a few empty platitudes.
The current situation – regulatory and in terms of public opinion – gives us the perfect opportunity to elevate issues of data privacy and realise meaningful positive change. However, it requires far more than expounding on best practices from afar. We have a duty to work closely with others in the private sector and government to change the security landscape in Europe, in North America and across the globe.
Pat Clawson, CEO, Blancco Technology Group