EXECUTIVE SUMMARY
As your company seeks new ways to make sense of vast data sets for precious business insights, it is becoming harder for Information Security and Privacy professionals to protect the data. At the same time, your customers have become concerned about how your organisation will collect, store and use Personally Identifiable Information (PII). Vendors are not making things any easier: they keep introducing new services and features, making it impossible to track and assess the impact on PII, or on Data Protection for that matter. On the other hand, many of those vendors have promised to prevent data theft and breaches but have managed only to create more problems and confusion. This paper aims to help you navigate the legal and regulatory waters and to show how Blockchain can help you design effective Data Protection and Privacy-enhancing controls for your organisation.
Key Points
- Earn customers’ loyalty and trust by protecting their data as an extension of your own organisational data
Neglect and ignorance are unacceptable when it comes to the protection of confidential personal data. Ignorance can cost you dearly, not just as a fine from the regulators but because the customer can take his business to your competitor. Your organisation is no longer just a custodian of customer personal data: personal data, and the insights based on it, form one of the key assets of your organisation's competitive advantage.
- The sheer volume of data to control and protect is stupendous
Be diligent and get ready for the changes ahead. Navigating and protecting Yottabytes of dispersed, unstructured data is an increasingly difficult and daunting responsibility, and you will need privacy-enabling technologies to help you along the way.
- The best data security and privacy assurance is achieved by utilising a good blend of business-led and technology-led initiatives
The recent European Court of Justice ruling on inadequacies of Safe Harbor privacy principles reinforces the need for privacy-enhancing technologies combined with business and process transformation efforts to embrace technology and achieve compliance.
- Privacy and Data Protection is now firmly anchored in the space of non-negotiable, mandatory control obligations
Consumer and customer data form a key ingredient of your company's success. You must know your data in order to protect it. If you don’t have a holistic Data Protection and Privacy plan, act now and make sure you create Data Protection policies and oversight that matter to your organisation, in sync with laws and regulations. After three years of drafting and negotiations, the European Parliament and the Council of the European Union reached an informal agreement on the final draft of the EU General Data Protection Regulation (GDPR). The new regulation will significantly affect businesses in all industry sectors; be ready for the changes ahead.
"When you hear arguments about privacy, they tend to come from older people." Referring to how his daughters use the Internet, he continued, "When I talk to them about online privacy, they don't know what I'm talking about."
NON-COMPLIANCE IS NOT AN OPTION
Don’t blame the regulators; they are just trying to bring order. At the same time, however, businesses are being pushed off the cliff and left to figure out how to land in the water. With the cliff getting higher and the water getting deeper, the major EU privacy reform is expected to take effect in mid 2018, and your organisation will have two years to implement the controls and new rules.
Depending on the nature of your business, typically you’ll be faced with the following two broad groups of Data Protection regulations:
- Regulations focusing broadly on the individual’s right to privacy regardless of industry, such as the EU Data Protection Directive (Directive 95/46/EC), the forthcoming EU privacy reform, and country-specific privacy laws such as the Data Protection Act (DPA) in the UK
- Industry-specific regulations, such as the US Health Insurance Portability and Accountability Act (HIPAA)
The cross-industry regulations are broadly vague when it comes to the specifics of Data Protection controls, and the fact that they mandate “appropriate technical and organisational measures” won’t help you establish whether you have the necessary controls in place to comply.
The recent ruling of the European Court of Justice that the EU-US Safe Harbor agreement is effectively invalid puts another layer of pressure on organisations to understand the implications and comply. The tough stance of the EU court has only confirmed what EU information security and privacy experts have been advising for ages:
- Safe Harbor “self-regulation” means no regulation at all
This effectively puts a stop to false privacy practices whereby an organisation in the US can claim compliance and never undergo an audit to verify that its Data Protection processes match its claims. For example, consider the recent case in which 13 US companies were charged with falsely claiming compliance with the Safe Harbor Framework.
- Unfettered mass surveillance is unacceptable
The Edward Snowden case and the NSA PRISM revelations have drastically raised privacy concerns.
Once the new regulations take effect, your organisation will have to abide by the following rules, without exception:
CONCLUSIONS
Privacy and Data Protection require a contribution from everyone
Privacy and Data Protection are not exclusively a problem for Privacy and Information Security professionals; they are everyone’s. It is time to paint a picture of the “data universe” by asking simple questions (this is not an exhaustive list) across all your business functions:
- How do we verify accuracy, quality, completeness and integrity of data?
- Who needs access to data, from where, and how?
- For what purposes is the data kept, and for how long?
- Do we have permission from individuals for intended use of data?
- Do we know the flows of all data crossing different access channels, networks, devices, applications and user populations?
- Can we rely on data management platforms and third parties to manage our data?
Reassess Privacy and Data Protection processes, controls and oversight
Re-evaluate your Data Protection and Privacy strategy to support business goals. This requires an assessment of the Privacy and Data Protection laws and regulations from around the world that will affect the definition of your enterprise security policies. On the general threat landscape front, review and address insider threats, intrusions, and data exfiltration threat scenarios. You must avoid building policies without a clear understanding of their feasibility, context and purpose within the business. Ask yourself: what products and services can help us automate Data Protection controls?
Establish new relationships and inspire people to champion Data Protection
To achieve wider company success, introduce a culture of Privacy and Data Protection. The Information Management, Security and Privacy functions are traditionally linked to Governance, Risk, Compliance and Legal Counsel, and it usually ends there. Keep the existing relationships, but expand further and make others, such as the Digital Marketing and Innovation teams, your closest allies to stay ahead of the curve.
Why Blockchain?
Blockchain assures the Authenticity and Integrity of Data, the same Data that is at the heart of the Digital Economy. It offers capabilities to keep you one step ahead of the ever-changing threat landscape and of Data Protection Laws and Regulations. Blockchain enables the Digital Economy by removing uncertainty and assuring data authenticity at the atomic level for all of your company’s Intellectual Property assets, whether a recipe, an algorithm, code or a design.
You wouldn't drink water from a contaminated well, would you? If data were water, Blockchain would be able to supply you with an indefinite supply of clean, purified and certifiably safe water to drink.
Dragan Pendić