In an exclusive in-depth interview, Fran Howarth, a senior analyst at Bloor Research, shares her opinion on the future face of data protection, compliance, and why GDPR is welcome but not a silver bullet.
Balabit: Let’s begin with the question everybody talks about: GDPR. How is it different from other compliance regulations, and where do you see its importance?
FH: GDPR is one of the most wide-ranging regulations in that it affects so many organisations. Anyone who collects or processes information on EU citizens, no matter where they are based or where the data is housed, is subject to the regulation. Many other regulations affect particular industries or types of organisation, such as the public sector only.
It also differs from previous data protection legislation in the EU in that it is a regulation, rather than a directive. This means that each individual country does not need to ratify it into its own local law before compliance is expected. Rather, compliance is expected by all from the day it becomes law in May 2018.
This will make data protection laws uniform across the region, so multinationals will no longer have to abide by differing interpretations among member states and varying levels and likelihood of sanctions.
Balabit: How do you expect it to affect the daily operations of a company?
FH: Every organisation will need to improve its capabilities for tracking and monitoring all personal data that it collects and processes, across all devices and places it is stored. They must ensure that strong controls are placed around who can do what with what data, to ensure that it cannot be inappropriately accessed. This will include data stored on personally owned devices and in file-sharing applications. To prevent the use of unsanctioned applications, corporate-approved alternatives should be provided and users made aware of policies regarding application use.
Organisations will also have to be able to discover all data in the event of a breach, which requires quick notification. This will be an onerous task for those that have not taken, and kept up to date, an inventory of all personal data collected and stored, along with the controls that are in place regarding who can access data and what they can do with it. They must implement strong access controls and have an audit trail to prove that they are effective. Previously, in most member states, data controllers, who decide what data to collect and how to process it, were the only ones held liable for data protection compliance. However, this has now been extended to those that merely process data, even on behalf of others. All must ensure that they have robust technical and operational safeguards for protecting data, although these are not specified in the regulation, with the exception of encryption and pseudonymisation.
Balabit: We can expect to see a lot of change when it comes to power. How will current data leakage procedures change?
FH: The need for more effective data leakage procedures is leading to a resurgence of interest in DLP technologies. DLP has often been seen as highly complex to implement, but more user-friendly technologies are now available that are easier to implement, not just for large organisations any more, but for smaller ones as well.
Balabit: And how do you see the market now? Has it already begun to take the necessary preparations?
FH: Surveys prior to agreement on GDPR showed that many organisations were taking a wait-and-see attitude, especially since it was unclear what the final regulation would contain. It was four years in the making and many changes were made along the way, right up until agreement was reached. There were also two different versions—one prepared by the European Parliament and the other by the EU Council.
Polls that have been done during recent webinars suggest that many people are still trying to work out how to implement the necessary controls for GDPR and what those are. However, there is now much greater clarity in terms of the information being published and the main changes over previous legislation are much clearer. Most, if not all, will at least now be budgeting for making the necessary changes. At this point, I believe few would say that they are already fully compliant.
Balabit: If that is so, the transition to the post-GDPR era will not be an easy one. How do you expect the transition to be: a step-by-step, gradual one, a sudden sea change, or somewhere in between?
FH: It remains to be seen, but I don’t think that the authorities will take draconian measures from day one. The sanctions for non-compliance can be extremely high in the event of a serious data breach, and any organisation suffering a catastrophic breach could be made a scapegoat as a warning to others to get their house in order. But there is also provision for organisations to be handed warnings for first or less serious breaches. I imagine we will see the use of warnings as a deterrent, initially.
However, it also remains to be seen how uniformly the legislation is enforced across the EU. National data protection authorities will still be charged with enforcement in their own territories and there are some aspects that are still open to interpretation. For example, what constitutes a serious data breach? The guidance is limited in that regard. Having looked at the differing levels of enforcement action taken by various member states, it is clear that some states are more liberal than others. Whilst there will be a pan-European data protection authority, that will likely only be involved in large disputes. Most enforcement will continue to be done on a national level.
Balabit: What do you expect to be the main challenges of implementation?
FH: One of the key challenges is the sheer volume of data that is collected and processed these days, and that volume is growing rapidly. Keeping track of all that data across all systems will be a challenge, especially when the use of mobile devices, cloud services and social media is thrown into the mix.
Another main challenge is that the rights of data subjects have been expanded, including the redress that is available to them. One of the changes that has been much talked about is the right to be forgotten. Should that right be invoked, it will in some circumstances be a challenge to find all instances of where personal data is held. Organisations will need to ensure that they have the systems in place not only to discover all instances of data, but to ensure that it can be securely and effectively deleted.
Balabit: It is always difficult to predict the future, but what do you expect the long-term benefits of GDPR to be?
FH: In the longer term, higher levels of data protection across the EU, encompassing all those that do business with the EU, are likely to lead to improvements across the board in terms of the technical and operational safeguards that organisations have in place for protecting data. Data breaches are seen as inevitable, with the mantra being “it is not if or when, but how often,” but it is to be hoped that the most serious breaches will be curtailed. There will be greater transparency regarding the collection and use of personal data, which is a good thing for all citizens, but transgressions will still arise and security incidents will still occur. Whilst GDPR is to be welcomed, it is no silver bullet.
About the author
Fran Howarth is a senior analyst at Bloor Research specialising in the field of information security, but with a keen interest in physical security and how the two are converging. Her other main areas of interest are new delivery models, such as cloud computing, information governance, web, network and application security, identity and access management, and encryption.
She has written for a number of publications, including Silicon, Computer Weekly, Computer Reseller News, IT-Analysis and Computing Magazine. Fran is also a regular contributor to Security Management Practices of the Faulkner Information Services division of InfoToday.