Data is powerful and, without firm rules, the private information it contains can be left unsecured and vulnerable. When it comes to an individual’s right to privacy through data protection, although the premise seems simple, putting privacy rules into practice is far more complex.
To cement current regulations and to shore up any vague areas, earlier this year the European Union approved a new regulation relating to data protection. This regulation, proposed jointly by the European Parliament and Council, focuses on the processing that personal data is subject to as well as how it is circulated. This law will become mandatory from 25th May 2018, with potential fines for violation reaching up to 4% of a company’s worldwide annual business turnover.
The impact of the new rules on companies is tremendous, requiring significant organisational and cultural changes. Companies that do not currently handle data protection compliance as a matter of course, with an appointed data protection officer or with an internal compliance group, will have to make structural changes to their internal processes to ensure that data protection is integrated in all business areas and decision making procedures.
The regulation introduces the concepts of 'privacy by design' and 'privacy by default', in effect forcing organisational change. Dialogue between lawyers, compliance officers and IT teams should be encouraged to kick start the necessary adaptations that will protect companies from liabilities arising from these stringent new rules.
The technical challenges that come with adapting to this new set of rules will see some companies struggle. Mandatory changes will take place on a structural level and internal processes will need to be revised. It will be necessary to identify sensitive information and its exposure to risk. Preventive actions to mitigate those risks should be identified and the execution of periodic auditing sessions (by internal or external entities) made mandatory. As such, a company is required to have a near perfect understanding of its own internal IT structures and architectures. Beyond IT, all of a company’s business areas, external entities, its CISO (Chief Information Security Officer) and end-users all have an important role to play under the new requirements.
All of this means that conforming to data privacy rules can no longer be looked at as optional. The price to pay for not fulfilling requirements properly will be severe. Privacy should be proactively dealt with as standard at the early stages of process and system design with an end-to-end vision that considers the full data protection lifecycle. Companies need to work towards transparency in order to be checked for conformance by external entities/internal teams in an effective way. User data should be at the centre of this ecosystem to ensure that both privacy and security are achieved at the same time. These elements contribute to ‘privacy by design’.
CISO’s role in organisations that process people’s data will be crucial, not only to ensure compliance with the new regulations, but also to effectively design privacy policies and processes that are feasible and realistic, both in terms of time and budget. As part of this, formal documentation concerning data manipulation, risk assessments and preventive processes should be designed and thought through properly before any security or privacy issues arise.
Besides keeping information safe, mechanisms that break the bond between data and owner should ensure a proper context to manipulate information within, avoiding hard security constraints. This is called ‘data anonymisation’.
Finding an effective way to implement new data privacy laws will require important changes across many business levels. New security processes should be designed and existing ones should be updated. Data security policies will need to shift from simply ensuring that data is extremely difficult to access without authorisation, to implementing auditing and traceability features to justify and clarify who did what to which bit of data, and why.
By Hugo Mendonca, Principal Engineer at CRITICAL Software, and Daniel Reis, Partner and Head of PLMJ TMT.