Infosecurity Europe: GDPR rules help to make privacy by design the new normal
As companies and organizations ramp up investment in cybersecurity, in the wake of Europe's increased data privacy controls, industry executives said that creating a privacy-conscious culture will be more crucial for compliance.

Cybersecurity experts at the annual Infosecurity Europe conference in London agreed June 6 that, while meeting regulatory demands is the top priority, businesses must steer clear of simply ticking boxes and instead pursue a system where transparency and accountability become second nature.

Speaking during a keynote, Baroness Martha Lane Fox, co-founder of online travel shopping site Lastminute.com NV, and co-founder and executive chair of think tank Doteveryone, said businesses would need to put ethics and morals at the heart of their digital infrastructure.

"There is huge unease in the public sphere about online privacy, security and how data is being used. We cannot have a robust society if technology is undermining our democratic institutions," Lane Fox told delegates.

"I believe it's crucial to keep liberal values at the heart of our digital world and infrastructure," she added.

Echoing this view, Vivienne Artz, chief privacy officer at Thomson Reuters, said that by forcing many organizations to engage in a data mapping exercise for the first time, GDPR is helping to ensure that "privacy by design" (the need to take all stakeholders' privacy and security interests into account from the outset) becomes the "new normal."

After years in the making, the European Union's General Data Protection Regulation, or GDPR, came into effect May 25. Introducing a swathe of legislative changes designed to strengthen rules around how EU citizens' data is stored, shared and managed, GDPR also brings EU regulators' legislative reach up to speed with the digital ecosystem and the rapid pace of technological change.

The U.K. is also implementing a new Data Protection Bill, which will largely adopt all the provisions of the GDPR, with some minor changes, once the country formally exits the EU next year.

Given that the U.K.'s Data Protection Act had been in place for two decades prior to GDPR, the new data privacy framework is simply "evolution, not revolution" and an extension of the old playbook, Nigel Houlden, head of technology policy at the U.K.'s Information Commissioner's Office, said on a panel.

What has changed, however, is the increased emphasis on the rights of individuals.

"This is the new landscape we now live in," Houlden told delegates.

As a result, the protection of personal information is getting stricter. For instance, companies and organizations operating in Europe will be required to notify users and authorities of any data breaches within 72 hours, among other obligations.

New measures under GDPR also include the possibility of steep sanctions for noncompliance, including fines of €20 million or 4% of annual turnover for the most serious breaches.

With companies racing to meet more stringent rules, Johnnie Konstantas, senior director of the Enterprise Cybersecurity Group at Microsoft Corp., said that automating data processes, which have historically been very manual tasks, and streamlining activities such as the breach notification process would become necessary going forward.

The pace at which companies are generating and processing data, and all of the "potential hotspots of non-compliance or mishandling" that this creates, will make automation key, she said.

And with the number of job listings for data protection officers, or DPOs, up by 709% in two years, according to recruitment firm Indeed, finding the talent to meet GDPR demands is another hurdle companies face.

Because there has not been enough time for DPOs to gain experience since GDPR was ratified in 2016, a lot of firms are still "scrambling around" for talent in a limited pool of candidates, according to Artz.

"I suspect there are DPOs out there who are not as familiar or as able as they should be," she said.

Additional Infosecurity Europe coverage:

Fear for large-scale cyber warfare may be largely overblown

Diversity key to closing UK's cybersecurity skills gap