As we kick off the New Year, it feels like we are officially on the countdown to the General Data Protection Regulation (GDPR), the start of a new era in data protection, which applies from 25 May 2018.
Of course, with every piece of new legislation the immediate focus is on compliance and getting ready in time. Some sectors (financial services, for example) are already used to this, but still face the challenge of implementing the necessary, and complex, changes in time. Other sectors will have to take a deep breath while considering the far-reaching implications of GDPR, which go a lot further than most previous national data protection acts. How many retailers ask for personal data they don't really need? I've taken to using a standard "false" birthday, as I am so fed up with pointless requests for my date of birth when registering on a site. Given that I am still being called by the telco I left over six years ago, how many customer records are they retaining for no good reason? I am also regularly called by companies purporting to help with a traffic accident I never had. Are they ready for GDPR?
The public sector is another interesting area. On the one hand, it is used to Freedom of Information requests, with concerned citizens and interested journalists all looking for something. On the other hand, we know that being a public agency doesn't make you the best at holding onto our information; the steady stream of public-sector data breaches is just one example. And GDPR is so much more than protecting against hackers. What about "data minimisation", and how do you implement that in complex, legacy systems? Public sector systems tend to capture a lot of information (do you really need to know my marital status to process my council tax payment?). How do you change your systems development philosophy to be "secure by design", or, as the Regulation itself puts it, to deliver data protection by design and by default?
This is where I think CIOs and CISOs can use GDPR as an opportunity to innovate. From insider threats to identifying where personal data is held, there is a startup out there trying to solve your problem. Here are just a few examples of how they can help*:
- Data Mapping and Classification – Identifying and mapping PII across structured and unstructured data can be a slow and labour-intensive process. Innovative startups use data science and AI to map vast amounts of data automatically and pinpoint where PII lives.
- Incident Response and Investigation – Reporting a breach in time (to the supervisory authority within 72 hours of becoming aware of it, where feasible) is a major pillar of GDPR, and getting it wrong can lead to significant fines. Behavioural analytics, AI and automation let these vendors greatly reduce the time needed to detect and investigate a breach.
- Continuous security assessments – Automated penetration testing tools allow continuous, near-real-time assessment of an organisation's security status and posture.
- Consent management and right to be forgotten – New vendors use technologies such as blockchain to track and manage customer consent and requests to be forgotten. One caveat worth checking with any such vendor: the personal data itself has to stay off the chain, since whatever is written to an immutable ledger cannot later be erased; the ledger should only carry a tamper-evident record of the consent events.
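To make the first item concrete, here is a small added example of what a data-mapping scan actually does; it is illustrative code written for this post, not a product from any of the vendors above. It walks constructed sample records and free-text notes, flags values that match PII patterns (email addresses, UK National Insurance numbers, dd/mm/yyyy dates) or sit in sensitively named columns, and then diffs what was found against the fields a stated purpose actually needs, which is the data minimisation question from earlier. The National Insurance number rules follow the published HMRC format; the sample data, the field-name list and the council tax purpose definition are assumptions for the example.

```python
import re

# Value patterns. The UK National Insurance number rules (no D, F, I, Q, U, V
# as the first letter, additionally no O as the second letter, and no
# BG/GB/NK/KN/TN/NT/ZZ prefix) follow the published HMRC format. The date
# pattern is a generic dd/mm/yyyy match, so a hit is only a *candidate*
# date of birth and needs context (such as a column name) to be classified.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "uk_nino": re.compile(
        r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b"
    ),
    "date": re.compile(r"\b(?:0[1-9]|[12]\d|3[01])/(?:0[1-9]|1[0-2])/(?:19|20)\d{2}\b"),
}

# Column names that mark a field as personal data regardless of its values.
# This list is an assumption for the example; a real catalogue is far longer.
SENSITIVE_FIELD_NAMES = {
    "email": "email",
    "dob": "date_of_birth",
    "date_of_birth": "date_of_birth",
    "marital_status": "marital_status",
    "nino": "uk_nino",
}


def scan_structured(dataset, rows):
    """Return a set of (location, pii_kind) for a list of dict rows.

    location is "<dataset>.<field>", so the result is a per-column data map
    rather than a list of every offending cell.
    """
    found = set()
    for row in rows:
        for field, value in row.items():
            loc = f"{dataset}.{field}"
            named_kind = SENSITIVE_FIELD_NAMES.get(field.lower())
            if named_kind:
                found.add((loc, named_kind))
            for kind, pattern in PATTERNS.items():
                if pattern.search(str(value)):
                    found.add((loc, kind))
    return found


def scan_text(dataset, text):
    """Return a set of (location, pii_kind) for free text, located by line."""
    found = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                found.add((f"{dataset}:{lineno}", kind))
    return found


def excess_fields(findings, dataset, required_fields):
    """Data minimisation check: columns of `dataset` that hold personal data
    but are not among the fields the stated purpose requires."""
    prefix = dataset + "."
    fields = {loc[len(prefix):] for loc, _ in findings if loc.startswith(prefix)}
    return sorted(fields - set(required_fields))


# Constructed sample data for the example (not real records).
CUSTOMERS = [
    {"customer_id": 17, "email": "a.smith@example.com", "dob": "04/07/1981",
     "marital_status": "married", "notes": "NI number AB123456C on file"},
    {"customer_id": 18, "email": "b.jones@example.com", "dob": "22/11/1975",
     "marital_status": "single", "notes": ""},
]
NOTES = (
    "Ticket 4411: caller quoted NI number QQ123456C, which has an invalid prefix\n"
    "Follow-up sent to j.doe@example.org on 12/03/2017\n"
)
# Fields the (assumed) council tax payment purpose actually needs.
COUNCIL_TAX_FIELDS = {"customer_id", "email"}

if __name__ == "__main__":
    findings = scan_structured("customers", CUSTOMERS) | scan_text("notes.txt", NOTES)
    for loc, kind in sorted(findings):
        print(f"{loc:28} {kind}")
    print("not needed for council tax:",
          excess_fields(findings, "customers", COUNCIL_TAX_FIELDS))
```

Pattern matches are evidence, not proof: the dd/mm/yyyy hit in the ticket log is a follow-up date, not a date of birth, and the malformed NI number is correctly ignored, which is why the column name is used as a second signal on structured data and why the vendor tools layer classifiers on top of patterns. The minimisation check is the part worth automating first, because it turns "do you really need my marital status?" into a diff between the fields a purpose is declared to need and the fields that actually hold personal data.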
GDPR is an opportunity, not a threat. So why not use it to find a way to engage with the new? It's not a magic plug-and-play solution, but navigating the process of working with new, smaller and innovative companies may be the start of something bigger, and could transform the way that "traditional" companies and government agencies work.
See this post on LinkedIn: GDPR – Finding innovation in compliance.