GDPR: Is time running out?
The General Data Protection Regulation (GDPR) will overhaul how organisations store, secure and manage their customers’ data. EU citizens will have extended rights that include the right to know what information is held about them, the right for that data to be removed, the right to data portability, and the right to be informed if there is a data breach. This data is known as PII (Personally Identifiable Information).
Alongside that, the Network and Information Systems (NIS) directive applies to operators of essential services, such as water, energy, transport and health providers and is aimed at ensuring they safeguard data against cyber-attacks. Like GDPR, the penalties for non-compliance are extremely high.
Yet according to research published this year by the Department for Digital, Culture, Media and Sport (DCMS), only 38% of UK businesses said they had heard of GDPR – and among those that are aware of it, only a little more than a quarter have made any changes in readiness for the new regulations. However, it’s not too late to do something. The authorities know compliance is an ongoing process, and want to see organisations showing willingness to comply.
Understanding the data assets your organisation collects, holds and processes is the essential first step in planning for GDPR readiness. Once you have identified all the data types and sources you hold, you need to understand where they are stored and who can access them. Printed copies should be securely stored, with regular reviews to ensure the copies are still required. If not, securely destroy them.
Electronic storage within a structured database should be relatively easy to recognise, maintain and protect. The larger problem is unstructured data and knowing where PII, or personally sensitive information, is stored. Data discovery tools can search all mappable drives to find sensitive files (.docx, .xlsx, .pdf, etc.) that may contain the data you are searching for – e-mail addresses, phone numbers, credit card details, National Insurance numbers, etc.
Once you know where your unstructured sensitive files are stored, move them to a central repository from which you can control access. Set up processes and procedures to be able to respond in a timely fashion to Data Subject Access Requests (DSARs). Finding a citizen within your paper records will require a physical search. Finding a citizen within your CRM or other database should be accommodated by the application. The same tool that helped your organisation find sensitive files ought to discover specific subjects within unstructured data, allowing an organisation to respond to DSARs within the 30 days prescribed.
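The two discovery tasks described above – sweeping unstructured files for PII patterns, then locating one data subject for a DSAR – can be illustrated with a small scanner. The code below is an added example written for this article; it is not a Nuvias tool or anything the author describes. The sample files are constructed in memory (the phone numbers use the Ofcom-reserved 07700 900xxx drama range, the card number is the well-known test value 4111 1111 1111 1111), and the patterns are deliberately simplified: the National Insurance regex applies only a partial prefix-letter rule, and card candidates are accepted only if they pass the Luhn check, which weeds out most random digit runs such as dates and reference numbers.

```python
import re
from collections import defaultdict

# Constructed sample documents standing in for files found on a mapped drive.
# Paths and contents are fictional.
SAMPLE_FILES = {
    "shared/hr/onboarding_notes.txt": (
        "New starter: Jane Doe, jane.doe@example.com, mobile 07700 900123. "
        "NI number AB 12 34 56 C supplied on form P46."
    ),
    "shared/finance/expenses_q2.csv": (
        "date,payee,card,amount\n"
        "2018-04-02,Hotel,4111 1111 1111 1111,212.50\n"
        "2018-04-09,Rail,1234 5678 9012 3456,48.00\n"
    ),
    "shared/marketing/release_notes.txt": (
        "Version 2.3 ships on 2018-05-25. Contact the team on the intranet."
    ),
}

# Simplified PII patterns. Non-capturing groups only, so findall() returns whole matches.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # UK mobile: +44 7xxx xxxxxx or 07xxx xxxxxx, not embedded in a longer digit run.
    "phone": re.compile(r"(?<!\d)(?:\+44\s?|0)7\d{3}\s?\d{6}(?!\d)"),
    # 13-19 digits with optional single space/dash separators; validated by Luhn below.
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    # UK National Insurance number: two letters, six digits, suffix A-D. The letter class
    # excludes D, F, I, Q, U, V (never used as a first letter); full HMRC rules are stricter.
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}


def luhn_valid(digits):
    """Return True if a digit string passes the Luhn mod-10 check used by payment cards."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return {category: [finding, ...]} for every PII pattern present in the text.

    Card numbers are masked to their last four digits so the findings report itself
    does not become another copy of the sensitive data.
    """
    findings = defaultdict(list)
    for category, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            if category == "card":
                digits = re.sub(r"\D", "", match)
                if not luhn_valid(digits):
                    continue    # a digit run that is not a plausible card number
                match = "*" * (len(digits) - 4) + digits[-4:]
            findings[category].append(match)
    return dict(findings)


def scan_files(files):
    """Map each path to its findings, keeping only files where something was found."""
    report = {}
    for path, content in files.items():
        found = scan_text(content)
        if found:
            report[path] = found
    return report


def find_subject(files, identifier):
    """DSAR support: list the files that mention a specific identifier (e-mail, name...)."""
    needle = identifier.lower()
    return sorted(path for path, content in files.items() if needle in content.lower())


if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES).items():
        print(path)
        for category, items in found.items():
            print(f"  {category}: {items}")
    print("DSAR hits for jane.doe@example.com:",
          find_subject(SAMPLE_FILES, "jane.doe@example.com"))
```

In the sample set, the HR note is flagged for an e-mail address, a phone number and an NI number, the expenses file for one card number (the second digit run fails Luhn and is dropped), and the release notes for nothing, even though they contain dates. A real deployment would walk the mapped drives and extract text from .docx, .xlsx and .pdf files before calling `scan_text`, and would store the report somewhere with access controls at least as strict as the files it describes.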
Ian Kilpatrick, EVP Cyber Security for Nuvias Group
China Takes Additional Step to Control Big Tech’s Data
China’s new Data Security Law will take effect on September 1st, allowing the government major control over the collection, use, and transmission of data. Tech companies have grown exponentially in terms of market size and overall power, and the Chinese government has no interest in alternative power hubs—especially those that belong to private enterprise.
With its Thursday legislation, companies will face extravagant fines if they export data outside of China without authorisation. The Chinese government claims that this will create a legal framework and stop companies from taking advantage of citizens, but according to analyst Ryan Fedasiuk from Georgetown University’s Centre for Security and Emerging Technology, “China’s push for data privacy...is yet another move to strengthen the role of the government and the party vis-à-vis tech companies.”
How Do Other Countries Approach Data Privacy?
- Europe: The EU Charter of Fundamental Rights assures EU citizens the right to data protection. The bloc’s General Data Protection Regulation (GDPR), passed in May of 2018, put stringent restrictions on commercial data collection.
- Canada: 28 federal, provincial, and territorial laws govern consumer data privacy; DLA Piper ranks the country’s data protection legislation as heavy, in comparison to Russia (medium) and India (limited).
- The United States: As usual, the United States doesn’t have a single comprehensive federal law for data privacy. Instead, its lawmakers have passed hundreds of local and state acts, many of which are seen by the Federal Trade Commission (FTC).
China, in contrast, thinks data should be a national asset and has written data collection into its five-year plan. Although its new legislation will help curtail private access to consumer data, the government may be the final beneficiary.
What Will China Do With the Data?
According to advisors, consumer data can mitigate financial crises and viral outbreaks. It can protect the interest of national security—no surprise—and help the government with criminal surveillance. Right now, Chinese regulators have summoned 13 major tech firms, including Tencent, JD.com, Meituan, and ByteDance, to meet with China’s central bank. Communist Party Chief President Xi Jinping can shut down any companies found violating the new privacy laws, as well as hit them with a fine of up to 10 million yuan—US$1.6mn.
How Will Laws Affect Foreign Firms?
Now, foreign firms must store data on Chinese soil, a practice that many companies protest will infringe on their proprietary data. So far, Tesla will comply: in late May, the electric car manufacturer promised to build more Chinese factories and keep the resulting information within Chinese borders. In fact, businesses hoping to start China-based businesses—such as Citigroup and BlackRock—will have to comply with the “data-localisation laws”.
The Chinese government has framed data as a critical source of intelligence for the party and central government. “You have the most sufficient data, then you can make the most objective and accurate analyses”, Mr Xi told Tencent’s founder, Mr Ma. “The...suggestions to the government in this regard are very valuable”.
Greater digital control is coming, that’s for sure. Mr Xi has named big data as an essential part of China’s economy, right up there with land and labour. “Whoever controls data will have the initiative”.