CS Jul-Aug 2023
GDPR
legislation in other parts of the world. Simply put, data regulations are here to stay. In addition to safeguarding corporate and personal data, protocols have also brought about significant organisational changes. Many have been forced to examine how well they are managing and using data and, like a ruthless spring clean, have been able to cut down on unnecessary data they were paying to store.
"Regulation has also helped to level the playing field by ensuring data use is standardised and nobody can gain an advantage through its unethical use - for customer targeting, for example. GDPR has given companies the chance to tangibly show consumers they can be trusted and it's positive to see how hard they have worked to be compliant.
"Going forward, the rise of AI-driven cyberattacks will make data protection all the more critical. Generative AI platforms have the ability to create cyber security attacks, which means even those with very little cybersecurity and computing experience can carry them out. To combat this, organisations must identify equally sophisticated methods to protect themselves and their information. At the same time, they must review their high-level accounts - who has access to them and when the passwords were last changed - taking a strict approach to Multi-Factor Authentication and Conditional Access.
"New technology creates advanced avenues for bad actors and shutting these down as they emerge - or beforehand when possible - is always a big challenge. While AI may be the technology that's being talked about now, there will inevitably be another down the track and GDPR will need to be adapted in kind. Similarly, with so many businesses investigating the use of AI as a productivity tool, there may be a need for rules that dictate how data can be used by these different platforms. As some rely on user inputs to train the software, one wonders whether this would constitute a breach of GDPR, if a particular tool was used to reformat or analyse sensitive information."
Gert-Jan Wijman, VP of EMEA, Celigo:
"GDPR's introduction five years ago was an important step for data privacy in Europe, needed to keep up with technology's rapid sprawl and privacy concerns that had plagued consumers. With so much corporate and personal data moving between systems, regulating this exchange was inevitable.
"But, in the years since, complying with new laws and updates to existing regulation has proven a challenge. Ensuring data use is compliant is hard enough when an organisation is only in one market - more so when it's spread across the continent and different rules need to be adhered to. Some countries have stricter enforcement than others, or differing complementary privacy laws, and relying on people to ensure compliance is sustainable. It's a job that's menial, repetitive and can be overwhelming, with any human errors putting firms at reputational and financial risk.
"For example, if a business receives a request from a customer that they want to opt out of a service and request the right to be forgotten, removing their details from one system and having others automatically follow suit is more efficient and failsafe than individually finding and deleting their details on each and every system.
"Integration ensures that data can be kept in sync and standardised across linked applications and departments, so customers can be assured their data is only being used in line with existing usage rights and hasn't unintentionally been fed into - or left out of - a particular platform. And if they ask for the personal data being stored on them, workers won't need to sift through different systems, because information should be the same in every system."
Jean-Philippe Deby, director of Global Accounts at Genetec:
"Coming from the public safety software industry, we'd often see companies treating privacy and security as a binary choice. I'm delighted to say the EU GDPR helped change that mindset, acting as a major catalyst for change in Europe and beyond. Part of its legacy is that we now have explicit legislation for data and privacy protection in 137 countries around the world. It's now much more accepted that privacy can be ensured without compromising security.
"In terms of improvements, I am surprised how little attention has been paid to the specific challenges of ensuring compliance for the operation of video surveillance, access control and other physical security systems. Any public or private organisations using CCTV to monitor publicly accessible areas should be concerned and operators need to focus on adopting privacy by design. Under the terms of the EU GDPR, data that is anonymised or pseudonymised is classified as lower risk. The appropriate use of encryption and automated privacy tools is, therefore, a logical first step. For example, video redaction that blurs out people's faces in video, unless there is a legitimate reason to reveal their identity, can minimise the dangers of having security cameras deployed in public spaces.
"Don't forget, owners of on-premises video surveillance, access control or ANPR systems are responsible for all aspects of EU GDPR compliance, including securing access to the systems and servers storing the information. However, by working with an approved cloud provider, it is possible to offload some of these responsibilities and significantly reduce the scope of activities required to ensure compliance. It is also highly cost effective.
"Nevertheless, it is important to realise that it isn't a full abdication of responsibility. You remain accountable for ensuring data is classified correctly, and share responsibility for managing users and end-point devices."
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security