CS Nov-Dec 2020
GDPR
THE GOOD… AND THE BAD
LACK OF CLARITY AROUND CERTAIN NEW TECHNOLOGIES IS HITTING MANY LAW-ABIDING COMPANIES TRYING TO BE COMPLIANT WITH THE GDPR

More than two years after the EU introduced the General Data Protection Regulation (GDPR), a report from the European Commission on the regulation’s progress makes for interesting reading. In it, the commission speaks of the many positives delivered. "Citizens are more empowered and aware of their rights. The GDPR enhances transparency and gives individuals enforceable rights, such as the right of access, rectification, erasure, the right to object and the right to data portability. Individuals also have the right to lodge a complaint with a data protection authority and to seek an effective judicial remedy."

Today, around 69% of the population above the age of 16 in the EU are said to have heard about the GDPR and 71% of people about their national data protection authority, according to results published in a survey from the EU Fundamental Rights Agency. "The GDPR has empowered individuals to play a more active role in what is happening with their data in the digital transition."

While GDPR has been widely celebrated - and even mirrored in some countries, like the United States with the California Consumer Privacy Act - it's also clear that the EU needs to take additional steps to make it a more effective deterrent, according to Chris Harris, EMEA technical director at Thales.

"Since its inception, there have been murmurs about its effectiveness, due to lack of clarity on compliance and fears around the resources and power each data protection authority (DPA) has to track and investigate the number of breaches that occur in their country. This is something that should have been sorted from the start, and not something that we are still talking about more than two years later - four plus, if you include the transition period!"

Harris acknowledges that there have been some hefty fines justifiably dished out, which have caught the headlines and impressed. But he also points to how, as organisations continue to digitally transform, the lack of clarity around new technologies like blockchain and AI is actually mostly hitting law-abiding companies that are just trying to be compliant. "We need to ensure GDPR operates as the protective bubble around personal information that we all want, without restricting the innovation and development that the world needs from these disruptive technologies.

"Smaller companies may have found compliance harder, not only due to the complexity and potentially onerous nature of the requirements, but because many vendors with GDPR-focused solutions were understandably scaling their offerings for the larger organisations. With a continued increase in the migration to the cloud, this has perhaps now become simpler with the advent of solutions such as cloud-agnostic key management solutions and subscription-based data-protection-on-demand services."

In order to be truly effective, the EU needs to give clearer instructions on how to be compliant that are consistent across each country, he adds, "while giving local DPAs more resources to pursue heavy penalties against companies that are intentionally putting their customers' data at risk".

Chris Harris, Thales: we need to ensure GDPR operates as the protective bubble around personal information.

www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security