Innovative data protection projects funded by the Information Commissioner’s Office (ICO) are making a real difference to public trust and confidence in privacy issues. The projects were the first to receive money as part of the ICO’s grants programme, which facilitates innovative, independent research focused on privacy and data protection issues. It aims to increase the public’s trust and confidence in how their personal data is used.
Now, three of the grant recipients have spoken for the first time about how they’ve used the money. On Data Protection Day 2019 (which took place on Monday 28 January), the ICO offered the chance for businesses and individuals alike to follow the stories of Javier Ruiz Diaz (from the Open Rights Group), Dr Jim Longstaff (of Teesside University) and Professor Sonia Livingstone OBE from the London School of Economics.
Information Commissioner Elizabeth Denham said: “Our grants programme is an excellent example of how the ICO supports innovation in tackling data protection issues. Information Rights are evolving all the time and a lot has happened since we launched the inaugural grants programme. The new data protection laws, along with high-profile cases and incidents, have meant that privacy issues and concerns about how people’s personal information is used have never been more prominent.”
To further celebrate the 13th annual Data Protection Day, the ICO also highlighted people’s information rights in a social media campaign, focusing on the new individual rights under the General Data Protection Regulation (GDPR).
Denham added: “In these data-driven times, and when public trust in how personal data is used is low, organisations must seize the opportunity to have a positive and direct impact on consumer and citizen trust.”
Raising awareness, promoting good practice
Commenting on Data Protection Day, Spencer Young (regional vice-president for the EMEA at Imperva) said: “The past year has seen vast changes impacting the UK’s data protection landscape, not least due to the European Union’s (EU) GDPR officially coming into play. The regulation means that, regardless of the industry or location, any business that holds and processes personal data must prioritise data protection. The fines associated with non-compliance are hefty to say the least, and the potential damage to a brand’s reputation can be even costlier. Yet we have seen big brands including the likes of Google tripping up on their data protection journey. Where are companies going wrong in making sure data protection is right?”
As Young correctly states, data protection is complex and involves multiple teams, technologies and systems working together. One of the first hurdles IT teams face is in conducting a Data Assessment Report, which requires organisations to locate any personal data they’re holding and document how that data is collected and processed. This detailed assessment must be kept current and ready for regulatory inspection or compliance audits.
“However,” asserted Young, “many businesses find it challenging to locate that data. When you’re a large enterprise, this can take more than just a call to the IT Department. It can take weeks – even months – of investment.”
Perhaps most significantly, the GDPR requires any company that experiences a data breach to publicly acknowledge that breach and notify the local Data Protection Authority (DPA) in the Member States where the people affected by that breach reside. Businesses must notify DPAs within 72 hours of identification or confirmation of the breach. They must be able to tell them what data was breached and how many records were taken as well as provide a Member State-specific report around the infringement.
“This requirement means all businesses need to be able to understand who accessed the data, what activity they performed and when they performed it. Any organisation without strong technology solutions in place will struggle to provide the requested information within the 72-hour window.”
Limiting access to certain information and making sure that access is authorised and reflects any changes within the business is a critical step in data protection that many companies tend to neglect. Young observes that it’s important to analyse policies on data collection, handling, test data usage, data retention and data destruction. At each point, access must be on a need-to-know basis. Users should not be allowed to accumulate access rights as they’re promoted or move laterally within an organisation. Privileged accounts should be carefully monitored to ensure they’re not used as a means to bypass policies.
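The access-review points above (need-to-know access, no accumulation of rights across role changes, monitored privileged accounts) can be turned into a routine reconciliation. The following is an added example written for this page, not code from the article or from Imperva: it compares each user's current entitlements against a baseline for their current role, traces any surplus back to a previous role (privilege creep), and flags privileged entitlements whose last review is missing or older than a fixed interval. The roles, entitlements, user records and dates are constructed for illustration; a real review would read them from the identity provider.

```python
"""Privilege-creep review: an added example, not code from the article or from
Imperva. Role names, entitlements, users and dates are constructed for
illustration; a real review would read them from the identity provider."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed baseline: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "support_agent": {"crm.read"},
    "support_lead": {"crm.read", "crm.export"},
    "finance_analyst": {"ledger.read", "ledger.report"},
    "dba": {"db.admin", "db.read"},
}

# Entitlements treated as privileged; holders need a recent access review.
PRIVILEGED = {"db.admin", "crm.export"}
REVIEW_INTERVAL_DAYS = 90


@dataclass(frozen=True)
class User:
    name: str
    role: str                             # current role
    entitlements: frozenset
    role_history: Tuple[str, ...] = ()    # previous roles, oldest first
    last_privileged_review: Optional[date] = None


def excess_entitlements(user: User) -> frozenset:
    """Entitlements held beyond the baseline of the user's current role."""
    return user.entitlements - ROLE_BASELINE.get(user.role, set())


def explain_excess(user: User, extra) -> Dict[str, Optional[str]]:
    """Map each excess entitlement to the most recent prior role that would have
    granted it (classic creep), or None when no prior role explains it."""
    origin = {}
    for ent in sorted(extra):
        origin[ent] = next(
            (r for r in reversed(user.role_history)
             if ent in ROLE_BASELINE.get(r, set())),
            None,
        )
    return origin


def stale_privileged(user: User, as_of: date) -> List[str]:
    """Privileged entitlements whose last review is missing or older than the interval."""
    held = user.entitlements & PRIVILEGED
    if not held:
        return []
    reviewed = user.last_privileged_review
    if reviewed is None or (as_of - reviewed).days > REVIEW_INTERVAL_DAYS:
        return sorted(held)
    return []


def review_user(user: User, as_of: date) -> dict:
    return {
        "user": user.name,
        "excess": explain_excess(user, excess_entitlements(user)),
        "stale_privileged": stale_privileged(user, as_of),
    }


def review_all(users, as_of: date) -> List[dict]:
    """Return findings only for users with at least one issue."""
    return [f for f in (review_user(u, as_of) for u in users)
            if f["excess"] or f["stale_privileged"]]


# Constructed sample population (not real accounts).
SAMPLE_USERS = [
    User("alice", "support_lead", frozenset({"crm.read", "crm.export"}),
         ("support_agent",), date(2019, 1, 10)),
    User("bob", "finance_analyst",
         frozenset({"crm.read", "ledger.read", "ledger.report"}),
         ("support_agent",)),
    User("carol", "dba", frozenset({"db.admin", "db.read"}), (), date(2018, 9, 1)),
    User("dave", "support_agent",
         frozenset({"crm.read", "crm.export", "db.admin"}), ("dba",)),
]
AS_OF = date(2019, 1, 28)  # Data Protection Day 2019, used as the review date

if __name__ == "__main__":
    for finding in review_all(SAMPLE_USERS, AS_OF):
        print(finding)
```

In the sample, bob still holds `crm.read` from his earlier support role, carol's database admin right has not been reviewed within 90 days, and dave holds one right explained by his former `dba` role and one (`crm.export`) that no role in his history explains, which is the case that most deserves a human follow-up.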
In conclusion, Young explained: “There may be many reasons why an organisation’s data protection strategy isn’t up to par, but they will reside somewhere within having inadequate or ineffective processes, people and technology. It’s critical to be aware of potential pitfalls and actively work towards more robust data protection practices. GDPR or not, Data Protection Day should be every day in the modern data-driven business landscape.”
Data power shift
Jasmit Sagoo, senior director for Northern Europe at Veritas, feels that 2018 marked a pivotal change for data privacy and protection across the globe. For a long time, personal data has been leaked, shared, tracked and analysed without consumers’ prior knowledge or consent, but the introduction of the GDPR has offered individuals in the EU an olive branch: more control over their data.
“For years, organisations have failed to understand the real value of their data or the repercussions of mishandling it,” said Sagoo. “Our Truth in Cloud research found that most UK businesses (75% of those surveyed, in fact) export full responsibility for data protection to their cloud providers, with over half (52%) wrongly assuming their cloud providers are responsible for complying with data privacy regulations. We also found that 42% of companies’ total data environments are either stale (ie they haven’t been modified in the last three years) or ancient (ie they haven’t been modified in the last seven years).”
Sagoo suggests that the change in data privacy regulations has served as a much-needed wake-up call for organisations. Beyond the hefty fines for regulatory non-compliance, companies have begun taking notice of the real reputational damage that could result from a lack of responsibility for protecting and managing their data. Veritas’ research has revealed that UK consumers would punish organisations that don’t protect their data by shopping elsewhere or by attacking their brand reputations.
“Meanwhile, the potential benefits of investing in effective data protection and management are vast, such as the ability to personalise and improve customer service and create information-centric business models that give way to new revenue streams. In addition, nearly half (46%) of UK consumers say they would spend more money with organisations they trust to look after their data, with over a fifth (21%) willing to spend up to 25% more with businesses that take data protection seriously.”
Today, more and more companies are beginning to realise the importance of not only protecting their data, but also understanding exactly what data they hold, where it sits, who has access to it and how quickly they can retrieve it. Businesses must now be able to automatically classify large volumes of digital data, scanning and tagging it in a granular and intelligent manner in order to ensure that information is managed effectively and can be accessed efficiently and on-demand.
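Both the Data Assessment Report described earlier (locating the personal data an organisation holds) and the automated classify-and-tag approach above rest on the same mechanism: scanning content for recognisable personal-data patterns and recording where each kind was found. The following is an added example, not code from the article or from Veritas: a small scanner that tags each location with the categories detected (email addresses, UK National Insurance numbers in a simplified form, and payment card numbers verified with the Luhn check so that arbitrary 16-digit references are not mis-tagged) and assigns a sensitivity level to build an inventory. The sample documents and every identifier in them are constructed; the patterns are deliberately simple and would need tuning for a real estate.

```python
"""Personal-data discovery and tagging: an added example, not code from the
article or from Veritas. Sample documents, identifiers and patterns are
constructed for illustration."""
import re
from typing import Dict, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Simplified UK National Insurance number shape: two letters, six digits, A-D.
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
# 16-digit card number, optionally grouped in fours by space or hyphen.
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Dict[str, int]:
    """Count each personal-data category found in a piece of text."""
    tags: Dict[str, int] = {}
    emails = EMAIL_RE.findall(text)
    if emails:
        tags["email"] = len(emails)
    ninos = NINO_RE.findall(text)
    if ninos:
        tags["uk_nino"] = len(ninos)
    cards = [m for m in CARD_RE.findall(text)
             if luhn_ok(re.sub(r"[ -]", "", m))]
    if cards:
        tags["payment_card"] = len(cards)
    return tags


def sensitivity(tags: Dict[str, int]) -> str:
    """Coarse sensitivity level driving retention and access decisions."""
    if "payment_card" in tags:
        return "financial"
    if tags:
        return "personal"
    return "none"


def build_inventory(sources: Dict[str, str]) -> List[dict]:
    """Produce one inventory entry per location, suitable for a data assessment."""
    inventory = []
    for location in sorted(sources):
        tags = classify_text(sources[location])
        inventory.append({"location": location, "tags": tags,
                          "sensitivity": sensitivity(tags)})
    return inventory


# Constructed sample corpus: paths and contents are invented for this example.
SAMPLE_SOURCES = {
    "crm/export_2019-01.csv":
        "name,email\nJ Smith,j.smith@example.com\nA Jones,a.jones@example.org\n",
    "hr/payroll_notes.txt":
        "NI number AB123456C for new starter; card on file 4111 1111 1111 1111",
    "docs/readme.txt":
        "No personal data here. Invoice ref 1234567812345678.",
}

if __name__ == "__main__":
    for entry in build_inventory(SAMPLE_SOURCES):
        print(entry)
```

The invoice reference in `docs/readme.txt` has the right length for a card number but fails the Luhn check, so it is left untagged; that kind of validation is what keeps an automated inventory from drowning reviewers in false positives while still surfacing the payroll note that genuinely needs the tightest controls.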
“Technology aside,” concluded Sagoo, “businesses must also instil a culture of digital compliance and responsibility among their employees. There’s no question about whether this is needed: an overwhelming majority (91%) of organisations admit that they lack a culture of good data governance. With a three-fold approach to managing data which includes technology, processes and people, organisations will be in a strong position to reap the rewards associated with protecting and managing data and building customer confidence in today’s digital economy.”
Why data protection is so important
Why is data protection so important in 2019? Last year we saw some immense upsets, from the British Airways data breach to the Cambridge Analytica scandal. The range of consumer-facing breaches in 2018 proved that cyber security is the last line of defence for personal security. In addition, since the last Data Protection Day there has been the introduction of the GDPR.
David Francis, information security consultant at KCOM, asserted: “The first question a business should ask itself today is: ‘Do you know when you’ve been attacked?’ It takes companies an average of 206 days to discover a breach, so the answer is ‘probably not’. The threat doesn’t just have to be external: you could have sleeper agents placing time bombs in advance. They don’t necessarily need to be on site at the crucial moment. It could be a developer with a grudge placing a time bomb in the system to erase crucial Intellectual Property, or even an outgoing executive quietly deleting things in the background. If done quietly over a period of time, you could lose your back-ups as well, with no way of tracing the culprit. This is in addition to the huge GDPR fines you would face. Companies need to have measures in place to track data movement and prevent this kind of insider threat.”
Are companies paying sufficient attention to the news around the GDPR? “If 2018 was the year of compliance, 2019 will be the year of retribution for everyone’s favourite data privacy regulation. The period of grace is drawing to a close, and we’re already seeing the ICO taking its first high-profile scalp over treatment of personally identifiable information, with Google being the first to fall in France. This has set the precedent by which all further cases are judged, letting companies know along the way just how strictly enforced the rules are going to be and how heavy the fines. Now is the time to check compliance levels.”
Francis believes that, if 2019 is anything like 2018, consumers are going to be in the firing line. On that basis, it’s time for companies to re-evaluate their security plans and consider: “Does this plan put the customer first? Is your security system tracking insider threats? Are you aware of which employees have access to what data? Are you really GDPR compliant? If your organisation can safely answer ‘Yes’ to all of these questions then congratulations. However, that doesn’t mean it’s time to stop evaluating your systems. In today’s security landscape, you can never be too safe.”
*Read a detailed statement on Data Protection Day 2019 by Catherine De Bolle (executive director of Europol)