CS Jul-Aug 2023

More documents

Recommendations

Info

GDPR Colum Lyons, ID-Pal: five years on from the introduction of GDPR and there is still a long road to go. Andy Robertson, Fujitsu UK and Ireland: going forward, the rise of AI-driven cyberattacks will make data protection all the more critical. the regulation went into effect - have forced companies to take privacy and security more seriously. And the impact is not just contained within Europe; GDPR has inspired more than 100 other regional privacy standards, including those in many of the individual US states. "Of course, with a regulation as complex as GDPR, there's still work to do, both for the governing bodies and the organisations that must achieve compliance. Learnings from the COVID-19 pandemic have raised concerns about new public health and data considerations that should be factored into future legislation. Additionally, the post-Brexit version of GDPR for the UK is still a work in progress, as is a firm stance on how data can be shared between EU member states and 'partner' countries. "For individuals, GDPR is making a difference in how their personal data in safeguarded. And, for CISOs and data protection officers, the work continues to ensure organisations achieve regulatory compliance in a way that minimises disruption to the core business, while ensuring employees, customers and partners have confidence in how their personal data is being managed." Eduardo Azanza, CEO, Veridas: "Without question, GDPR has revolutionised data privacy and protection, and now, with the introduction of biometrics, the regulation takes on even more significance, as it celebrated its 5th anniversary. As defined by Article 4 of GDPR, biometric data is a form of personal data - therefore, businesses must carefully and securely manage it. "Earlier in May, Mobile World Congress (MWG) was slapped with a €200,000 fine by GDPR after they had collected biometric data from show attendees. The organisers failed to demonstrate due diligence before collecting biometric data, therefore infringing Article 35 of GDPR, which deals with requirements for carrying out a data protection impact assessment (DPIA). "With the rise of biometrics and AI, the focus on data protection and privacy has never been more important. Questions should be asked of biometric companies to ensure they are following GDPR laws, and are transparent in how data is stored and accessed. Trust in biometric solutions must be based on transparency and compliance with legal, technical and ethical standards. Only by doing this can we successfully transition to a world of biometrics that protects our fundamental right to data privacy." Colum Lyons, CEO and founder of ID-Pal: "Five years on from the introduction of GDPR and there is still a long road to go. Even this week, Meta has been hit with a record €1.2 billion fine by the Irish Data Protection Commission (DPC) for violating a GDPR rule, proof that severe consequences are waiting for businesses, if the right GDPR-compliant measures are not in place. "Customers' personal data must be carefully managed and a lot of organisations still struggle to do this. As more and more industries are being asked to verify their customer identities, this is even more critical to get right when verifying identities as part of Anti-Money laundering (AML) or Know your Customer (KYC) processes. The onus is on the organisation to capture, verify and store their customer's personal data securely. Identity verification processes that use document verification, alongside biometrics and database means a solution meets regulatory guidelines in a more robust way, making the process more complex for fraudsters to outwit but makes the journey seamless for users." Andy Robertson, head of Enterprise and Cybersecurity Business, Fujitsu UK and Ireland "Once a compliance headache for businesses, GDPR has since been emulated by similar 26 computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk
GDPR legislation in other parts of the world. Simply put, data regulations are here to stay. In addition to safeguarding corporate and personal data, protocols have also brought about significant organisational changes. Many have been forced to examine how well they are managing and using data and, like a ruthless spring clean, have been able to cut down on unnecessary data they were paying to store. "Regulation has also helped to level the playing field by ensuring data use is standardised and nobody can gain an advantage through its unethical use - for customer targeting, for example. GDPR has given companies the chance to tangibly show consumers they can be trusted and it's positive to see how hard they have worked to be compliant. "Going forward, the rise of AI-driven cyberattacks will make data protection all the more critical. Generative AI platforms have the ability to create cyber security attacks, which means even those with very little cybersecurity and computing experience can carry them out. To combat this, organisations must identify equally sophisticated methods to protect themselves and their information. At the same time, they must review their high-level accounts - who has access to them and when the passwords were last changed - taking a strict approach to Multi-Factor Authentication and Conditional Access. "New technology creates advanced avenues for bad actors and shutting these down as they emerge - or beforehand when possible - is always a big challenge. While AI may be the technology that's being talked about now, there will inevitably be another down the track and GDPR will need to be adapted in kind. Similarly, with so many businesses investigating the use of AI as a productivity tool, there may be a need for rules that dictate how data can be used by these different platforms. As some rely on user inputs to train the software, one wonders whether this would constitute a breach of GDPR, if a particular tool was used to reformat or analyse sensitive information." Gert-Jan Wijman, VP of EMEA, Celigo: "GDPR's introduction five years ago was an important step for data privacy in Europe, needed to keep up with technology's rapid sprawl and privacy concerns that had plagued consumers. With so much corporate and personal data moving between systems, regulating this exchange was inevitable. "But, in the years since, complying with new laws and updates to existing regulation has proven a challenge. Ensuring data use is compliant is hard enough when an organisation is only in one market - more so when it's spread across the continent and different rules need to be adhered to. Some countries have stricter enforcement than others, or differing complementary privacy laws, and relying on people to ensure compliance is sustainable. It's a job that's menial, repetitive and can be overwhelming, with any human errors putting firms at reputational and financial risk. "For example, if a business receives a request from a customer that they want to opt out of a service and request the right to be forgotten, removing their details from one system and having others automatically follow suit is more efficient and failsafe than individually finding and deleting their details on each and every system. "Integration ensures that data can be kept in sync and standardised across linked applications and departments, so customers can be assured their data is only being used in line with existing usage rights and hasn't unintentionally been fed into - or left out of - a particular platform. And if they ask for the personal data being stored on them, workers won't need to sift through different systems, because information should be the same in every system." Jean-Philippe Deby, director of Global Accounts at Genetec: "Coming from the public safety software industry, we'd often see companies treating privacy and security as a binary choice. I'm delighted to say the EU GDPR helped change that mindset, acting as a major catalyst for change in Europe and beyond. Part of its legacy is that we now have explicit legislation for data and privacy protection in 137 countries around the world. It's now much more accepted that privacy can be ensured without compromising security. "In terms of improvements, I am surprised how little attention has been paid to the specific challenges of ensuring compliance for the operation of video surveillance, access control and other physical security systems. Any public or private organisations using CCTV to monitor public accessible areas should be concerned and operators need to focus on adopting privacy by design. Under the terms of the EU GDPR, data that is anonymised or pseudonymised is classified as lower risk. The appropriate use of encryption and automated privacy tools is, therefore, a logical first step. For example, video redaction that blurs out people's faces in video, unless there is a legitimate reason to reveal their identity, can minimise the dangers of having security cameras deployed in public spaces. "Don't forget, owners of on-premises video surveillance, access control or ANPR systems are responsible for all aspects of EU GDPR compliance, including securing access to the systems and servers storing the information. However, by working with an approved cloud provider, it is possible to offload some of these responsibilities and significantly reduce the scope of activities required to ensure compliance. It is also highly cost effective. "Nevertheless, it is important to realise that it isn't a full abdication of responsibility. You remain accountable for ensuring data is classified correctly, and share responsibility for managing users and end-point devices." www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security 27
Page 1: Computing Security Secure systems,
Page 4 and 5: Secure systems, secure data, secure
Page 6: news Gary Barlet, Illumio. IBM EXPA
Page 9 and 10: DON’T SaaSSS GET YOUR KICKED! ! T
Page 11 and 12: ansomware WHY BEING AGILE MATTERS W
Page 13 and 14: privacy crisis an inconsistent pict
Page 15 and 16: Infosecurity Europe Matthew Syed's
Page 17 and 18: Computing Security Secure systems,
Page 19 and 20: workplace welfare within the cybers
Page 21 and 22: identity & access may cause operati
Page 23 and 24: managed services Unfortunately, man
Page 25: GDPR that bridges the gap between t
Page 29 and 30: AI enhance SOAR with a generative A
Page 31 and 32: cyber strategy SECURITY BY DESIGN N
Page 33 and 34: ansomware attacks While laws could
Page 35: Computing Security Secure systems,

CS Jul-Aug 2023

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?