Think of GDPR as help, not hassle
By Digital News Asia July 24, 2018
- Many see GDPR as a hindrance, but it can represent good data management practices
- Provides an opportunity for companies to develop better relationships with their customers
Giving your private data to a company should be a bit like lending your car out: you expect them to take good care of it, and if anything goes wrong they should tell you straight away. That was the analogy made by Thomas Fischer, an independent consultant who specialises in data protection and compliance, as he addressed the crowd at the 30th annual conference of The Forum of Incident Response and Security Teams (FIRST) in Kuala Lumpur recently.
Companies have always assured customers that their private data will be well taken care of, but with the advent of the EU's General Data Protection Regulation (GDPR), more companies are now feeling the pressure to comply.
"'Why should I bother with being regulated? That's just going to make me do more work'," is the unfortunate stance Fischer says he often hears. "That's the attitude that you face sometimes because they don't see the additional value."
The irony is that instead of being an odious obligation, the GDPR can provide companies – whether or not the regulation applies to them – a roadmap of how they should manage personal data.
Defining personal data
For starters, GDPR helps companies understand what personal data is: any data that helps you identify an individual directly or indirectly. And the obligation of the companies is to mitigate risk when managing that data.
If companies are genuinely interested in keeping personal data secure, one way of mitigating risk is to reduce the size of the footprint. "What you want to do is to only collect the minimum amount of data you actually need," explained Fischer. "Over time you want to erase it."
Gant Redmond, IBM Resilient programme director for Cyber Security and Privacy, said that context plays a large part. For example, a bank account number does not necessarily identify an individual if found on a scrap of paper on the side of the road. But if the person who picks it up works for the bank, then they would be able to find out who it is.
"The definition of personal data is evolving," said Fischer, highlighting that it now includes information like CCTV footage or recordings of Help Desk activities (even if collected for training purposes).
Assessing threats to your data
Fischer also gave another example of how companies should see GDPR as a help, not a hindrance. "When people say GDPR isn't really helping because it's just so messed up and confusing, (GDPR) gives you things like this in Article 35, which is very detailed and very precise."
The article covers data protection and threat assessment, and goes through the steps from describing processes, to getting companies to be explicit about why they are collecting data, to assessing risks and coming up with measures to address them.
"You're helping your whole organisation because you've documented that risk of the personal data," stressed Fischer.
Where this preparation work can pay off is when, for example, a company needs to respond to a data breach.
The GDPR mandates that data breaches need to be reported within 72 hours. Redmond says this kind of mandatory requirement helps in that it takes away a lot of the guesswork about how to respond to emergencies, including understanding which of the data they hold is affected.
"Some (organisations) have actually no idea why they're collecting that data," agreed Fischer. "You could simply resolve that by (creating) a data flow map."
In fact, much of this documentation can be automated to generate reports on demand, leaving companies free to focus on the actual attack and mitigating it.
Another thing GDPR has done is raise awareness among the public about good data security.
Fischer called it a "cultural shift", while noting that the European Data Commissioner said that GDPR was an opportunity to identify new ways of providing services, with a new level of trust between business and the consumer.
"You're building a better bridge," he continued. "We potentially have a chance to retain more customers, we have the chance to give better service to customers."
Redmond agreed. "Now customers send letters with regularity, either asking for attestation of your ability to not get them in trouble, or data processing agreements that carve out your liability," he said, noting the pressure on companies to respond. "The customer driver is an amazing catalyst."