GDPR & Compliance in the Cloud Dinner
Achieving visibility of data-related risk
The GDPR & Compliance Dinner took place on 20 March 2018 at the Ham Yard Hotel, London. It was held in partnership with Forcepoint to discuss unresolved risks around cloud-based platforms and the necessary tools to combat these liabilities.
Forcepoint offers security software that takes a new approach. With a focus on intelligence and human behaviour, Forcepoint provides a new perspective on security, with the intention of making an impactful difference in the cyber security space and safeguarding users, data and networks from internal and external threats.
Topics of discussion included:
· What are the principal unresolved risks presented by cloud-based applications and services as the GDPR deadline looms?
· What do we mean by ‘adopting a human-centric approach to security’ and how can this help address Cloud security and GDPR concerns?
· Which strategies and tools would be of greatest value in helping to quantify and manage digital risk and compliance to the business?
· Balancing competing priorities: how do you deliver robust security alongside the pressures of rapid digital transformation?
Loss of Trust
Cambridge Analytica has grabbed the world’s attention due to its unethical data practices. Earlier this week, stories broke regarding Cambridge Analytica’s unlawful access to Facebook users’ data, impacting tens of millions of users. Understandably, there has been an uproar surrounding Facebook’s security practices and confusion around how they allowed this to happen.
The backlash Facebook is facing is indicative of individuals’ changing perspectives on platforms that can access their data. People no longer trust Facebook in the way they used to and are becoming more careful about who can access their data.
Organisations can no longer approach users with the default expectation of trust.
GDPR and the Cloud
GDPR is set to be implemented throughout the UK in May, bringing with it stipulations on how citizens’ data should be protected. Cloud providers offer platforms that can organise a company’s data and ensure their practices are GDPR compliant. Because cloud services are often easy to use, individuals may not understand how their data is processed. Cloud platforms can provide greater visibility of how data is being used, as well as pinpointing potential risks in the system that need to be addressed.
Conversations around GDPR also highlighted the need for a new approach to how data is collected and presented to consumers. Individuals now understand the consequences of data collection and the necessity of data security.
Fair Value Exchange
A fair value exchange needs to be explicit; companies need to clearly state what they are doing, what data they need from individuals, as well as what individuals will get in return for sharing their data. The way this exchange is presented will be incredibly significant in how companies operate post-GDPR.
For example, a bank is more likely to gain an individual’s consent to track their location if doing so is seen to protect them: if the bank sees a purchase being made far away from the individual’s location, it can flag this as possible fraud. If, however, banks use this knowledge to send targeted ads to customers, customers would be less likely to consent. If customers understand the value they gain from providing their data, they will be more likely to share it with businesses.
A potential solution for the future could be creating a key, similar to blockchain, that an individual has complete control over. They could determine what data they want to share and with whom, and take back their data at will. In this situation, data would be stored in a public record, as opposed to a private space, and not ‘owned’ by any corporation. But this solution is technically difficult, as it requires that the data is never copied.
In addition to enabling a fair value exchange, GDPR is also speeding up the need to embed consequence management within an organisation’s culture. If a team mishandles an individual’s data, there must be procedures in place to discipline the transgressors and ensure it does not happen again. There should also be practices in place to ensure a company fulfils its obligation to ‘forget’ consumers who choose to have their data removed.
Security procedures surrounding data must start at the outset of the data collection process. There’s a common misconception that a company can either have rapid digital transformation or security, but both must be in place. Companies must ensure they have security embedded in digital transformation from the beginning.
Future of Data
GDPR has already created culture change and better awareness. While this may have happened without GDPR, the new law has surely accelerated the change.
Currently, GDPR is in an interim period in which the challenges and complications surrounding compliance are intensely felt. But what the future of data will look like once this change is realised is unclear. Will everyday life be altered by how much data an individual is willing to share? Will the amount of data you provide determine the level of service you receive in return?
Twenty years from now, these conversations may be viewed as irrelevant, as data protection and security will be taken as a given. GDPR is mainly seen as a compliance issue, but it can also be used to tailor services better and to make sure that stored data is relevant and usable. Work around GDPR should not stop at compliance; it should be viewed as an impetus to revamp and improve your data strategy in general.
GDPR is creating a set of requirements that may seem challenging today, but it aligns with a future of increasing personalisation by giving people back control over their data. GDPR is just the first step in humanising this approach to data.