CS Jul-Aug 2023

More documents

Recommendations

Info

GDPR BELATED HAPPY BIRTHDAY, GDPR! GDPR - THE GENERAL DATA PROTECTION REGULATION - HAS REACHED A MEMORABLE LANDMARK: IT IS NOW FIVE YEARS' OLD. HOW SUCCESSFUL HAS IT PROVED SO FAR? How do you measure the success of something as complex and far-reaching as the General Data Protection Regulation (GDPR), which was brought into existence five years ago to replace the 1995 Data Protection Directive used across various European countries. "After the internet becomes commonplace, the EU parliament decided they needed a new guideline that adapts to a more connected world where data is the common currency. The GDPR is designed to better fit modern technologies and practices," states Inspired eLearning. "The 1995 data protection law allows each country to control and customise its own privacy laws. This makes it harder for businesses to introduce their service between countries, since they'd have to refer to multiple privacy requirements and keep up with all of them." The GDPR eliminates all this, since now businesses only need to refer to one guideline and requirement to do business across all EU member states. It has also undergone several changes in the past few years. "Notably, in 2021 the GDPR introduced major changes to its terms," adds Inspired eLearning. "For one, GDPR removed the Privacy Shield that was put in place to make it easier for US companies to do business with EU citizens. The other major change introduced in 2021 would be the regulations for cookie consent, as GDPR now prevents companies from blocking access to content, unless a user consents to cookies." However, there is much debate about how effective this last change is proving, as many companies are making it extremely hard for people to refuse cookies, often making refusal difficult and/or pushing them to accept with various 'inducements'. The UK's GDPR, not to be confused with the EU General Data Protection Regulation, is a standard based on the EU version created by the UK Information Commissioner's Office (ICO) and included within their 2018 Data Protection Act. "This data protection law serves as a substitute for the EU version after Brexit. If you regularly process data of Europe-based customers, you'd have to adhere to both European data protection laws. As a result, the overall sum of fines significantly increases month after month." For the 12 months up to 1 March 2023, 1,576 fines were recorded in the CMS Enforcement Tracker database (an increase of 545 on 2022), amounting to around EUR 2.77 billion in fines (up 1.19 billion in comparison to 2022). The tracker also indicates1.446 fines have been issued since 2018. "One might think that the companies who receive fines maliciously mishandled data, yet in reality compliance is a complex process," points out Inspired eLearning. "When it comes to GDPR implementation, there are several grey areas as the provisions cover many different activities and were designed to withstand continual innovation. Meaning GDPR compliance is certainly not an easy box to check off on a company's to-do list. "Statistically, the violations with the most fines are related to data processing noncompliance. Against this background, luckily, there are tools put forward by GDPR itself that businesses can implement to increase their safeguards and, ultimately, reduce legal uncertainty and the risk of fines. In this context, codes of conduct (Art. 40) are one of the instruments GDPR has introduced to optimize and harmonise its implementation. "The EU Cloud Code of Conduct is a tool 24 computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk
GDPR that bridges the gap between the general provisions of the regulation and their concrete implementation across the whole cloud industry. Since its approval in 2021, the Code has been playing a key role when it comes to cloud compliance, fostering the application of robust technical and organisational measures throughout the sector. How has the GDPR gone so far within the industry? We asked several interested parties and here are their responses: Sylvain Cortes, VP of Strategy, Hackuity: "Compliance is essential, but we urge organisations to take the opportunity to think beyond baseline requirements to develop a culture of continuous cyber improvement. It's important to remember that achieving compliance shouldn't be treated like 'exam-cramming' with last-ditch efforts to achieve annual or quarterly audits. The goal is to achieve more than the minimum requirements and move away from the tick-box mindset. GDPR compliance is necessary, but it is far from sufficient for modern organisations." Rick Hanson, president, Delinea: "I've been in the cyber community since the mid-90s and one consistency over the years is that personal data has always been paramount. However, even though the industry often understood what needed to be done to protect personal data, it was frequently deemed to be too costly or complex to implement. "Five years ago, I applauded the EU for taking a stand, and providing guidelines and a framework to ensure that personal data and privacy were protected with GDPR. Yet even as this legislation passed and privacy advocates celebrated, many businesses were very concerned, due to perceived burdensome and costly efforts that would be required of them to be compliant. Looking back on this anniversary, I am very encouraged that the technology community has innovated and evolved to solve many of these issues and challenges quickly. My belief is that it sets a solid foundation that the rest of the world can follow, as we continuously work to protect our personal data and privacy. "We have come a long way since the early days of cyber and GDPR makes a significant impact, yet it does not solve the cybersecurity threat. It offers a framework that helps classify and protect - yet these policies are public, giving any attacker a roadmap on how to circumvent the policy. As good as GDPR policy is, it does not mean our personal data is completely secure. We must continue to educate and innovate to solve these ongoing data privacy and security challenges." Paul Brucciani, cyber security advisor, WithSecure "The European Commission is criticised for many things, but GDPR is the one thing where it can hold its head up high and say, 'We've led the world in this'. As regulatory milestones go, it's the equivalent of climbing Everest. And it seems to be working, as other jurisdictions are following suit. "Internet fragmentation, driven by the quest for digital power, is creating regulatory complexity and the EU has an important role in leading the world through this. For example, AI is the next big field that will need regulating and the EU has again made a head start on this with its proposed AI Act, a legal framework that is intended to be innovationfriendly, future-proof and resilient to disruption." Michael Covington, VP of Strategy, Jamf: "The EU's GDPR has had a tremendous impact on how organisations around the globe handle personal user data since the regulation went into effect five years ago. The threat of substantial fines - including the almost €3 billion that have been levied since Paul Brucciani, WithSecure: AI is the next big field that will need regulating and the EU has again made a head start on this. Eduardo Azanza, Veridas: trust in biometric solutions must be based on transparency and compliance. www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security 25
Page 1: Computing Security Secure systems,
Page 4 and 5: Secure systems, secure data, secure
Page 6: news Gary Barlet, Illumio. IBM EXPA
Page 9 and 10: DON’T SaaSSS GET YOUR KICKED! ! T
Page 11 and 12: ansomware WHY BEING AGILE MATTERS W
Page 13 and 14: privacy crisis an inconsistent pict
Page 15 and 16: Infosecurity Europe Matthew Syed's
Page 17 and 18: Computing Security Secure systems,
Page 19 and 20: workplace welfare within the cybers
Page 21 and 22: identity & access may cause operati
Page 23: managed services Unfortunately, man
Page 27 and 28: GDPR legislation in other parts of
Page 29 and 30: AI enhance SOAR with a generative A
Page 31 and 32: cyber strategy SECURITY BY DESIGN N
Page 33 and 34: ansomware attacks While laws could
Page 35: Computing Security Secure systems,

CS Jul-Aug 2023

Create successful ePaper yourself

Delete template?

Save as template?