Risk Xtra, September 2018
RISK Xtra

Smart GDPR Assurance for a Smarter World
Something needs to change when you’re confronted by the present situation whereby devices professing to be ‘Smart’ or part of a ‘Smarter System’ ask for personal data, but are then easily hacked into by criminals such that valuable personal information can be stolen. In an exclusive article for Risk Xtra, James Willison and Sarb Sembhi examine stakeholder roles in achieving data protection (and security) by design and default in ‘Smart Projects’ with Internet of Things (IoT) devices
We’ve just published a new approach to the European Union’s General Data Protection Regulation (GDPR) for security professionals and the stakeholders whom they deal with on a daily basis. The 40-page White Paper, which is sponsored by Axis Communications, stands out because, until now, many colleagues in the security world have lived under the mistaken assumption that GDPR compliance isn’t something that falls within their remit, but is instead managed either by legal, IT or compliance professionals. At least in part, this is based on the belief that their security teams are not data controllers or processors. As far as they’re concerned, the lengthy 200-plus pages of legislation issued by the EU aren’t something they need to worry about.

However, the in-house security manager can often be described as a project manager in a large-scale surveillance system implementation, for example, and will therefore need to ensure that the devices and systems duly deployed are secure by both design and default. He or she should also work closely alongside others involved with the project to guarantee that the systems and devices employed harbour data protection (i.e. privacy) by design and default.

In the first half of the White Paper, which is entitled ‘Smart GDPR Assurance for a Smarter World’, we cover in some detail the different ways in which the Internet and the increasing volume of data which connects to IoT systems has meant that personally identifiable information is now placed at a higher risk than it was back in the 1990s.

As Professor Klaus Schwab, CEO of the World Economic Forum, has stated on page 59 of his book entitled ‘The Fourth Industrial Revolution’ (published in 2016): “The digital transformations of industry mean that businesses will need to invest heavily in cyber and data security systems in order to avoid direct disruption by criminals and activists or unintentional failures in digital infrastructure.”

This has led to the GDPR being written for the protection of the individual’s data privacy and security. It also usually means that the systems involved – and, indeed, those who manage them – often need to demonstrate compliance through the conduct of Data Protection Impact Assessments (DPIAs) because of their large-scale nature and the use of innovative technologies such as biometrics and CCTV in ‘Smart Buildings’.
IoT ‘Smart’ environments
In our new White Paper, we’ve deliberately dedicated a chapter to those technologies, products and services related to large-scale IoT ‘Smart’ environments and briefly outline some that have provided greater functionality, but that have also created increasing concerns in terms of the data collected (or around what that data is used for).

This includes a consideration of key areas such as Big Data analytics, cloud computing, Artificial Intelligence, machine learning, sensors, medical devices, physical security systems, surveillance monitoring and Security Information and Event Management services.

We then proceed to introduce scenarios such as ‘Smart Vehicles’ and ‘Smart Buildings’ because these are prime examples of how stakeholders are involved in the protection of high volumes of data and, given the connection here to the individual (whether that’s a passenger or consumer), their privacy and security is vulnerable to attack from those with criminal intent on their minds.

For the various owners of large IoT installations such as ‘Smart Buildings’ or ‘Smart Cities’, for instance, processing data in compliance with the GDPR becomes something of a complex procedure since there’s a vast number of suppliers who contributed to the final working solution and may not have known