GDPR – Companies Unprepared, Don't Know Where Data Is
Companies don’t understand how to search data, as regulators are predicted to issue fines for a ‘second awakening’ of GDPR.
Speaking at a Juniper press event in Amsterdam, Lee Fisher, head of security business for EMEA at Juniper Networks, said that there is a “changing demand on security for data in lifecycle” and asked, if you capture information, what is "duly necessary" to be captured.
“We estimate that 50-60% of businesses don’t know where their data is, and there is a misunderstanding of how to use data and they don’t know how to protect appropriately and don’t understand where it is or have the means to get it”, he explained. Fisher added that these challenges are providing different situations on what users are trying to achieve, and this is especially problematic as "the bad guys only need to get it right once."
“You can get digitally pickpocketed by criminals as they know when you’re not looking and if you’re a businessman trying to manage solutions and keep up to date, it is an easy trap to fall into.”
Speaking to Infosecurity, Fisher said that the lack of knowledge on where data is "is massive" as "you’ve got to let people know in a certain amount of time" when it comes to subject access requests.
“I ran a seminar on Monday and the concept of those things, they were saying ‘have I got to find it on someone’s laptop’ and I said yes, same with cloud and back-ups on tape, and it is an enormous task,” he said. “There are those negatives associated with it, but under no circumstances – I am becoming a fan of GDPR every day – as it comes down to common sense, as if I am a business and I cannot legally say to you where your data is, how can I expect you to transact with me? Why would I want to give you my information if I had no idea how you would be using it and for what purpose?”
Fisher argued that fundamentally it all comes down to how you have chosen to give your information to a certain entity, and whether that entity wants to use the data to improve services. The other part, he said, was how much access and use is reasonable, how much access there is to the data, and how that changes in future.
He claimed that there is a move to "data protection by design" and that users are still learning, and will still be learning until after May 25 2018, as the European Union tried to set it up but each state is figuring out its own version of it. “It is closer to the old data protection directives, it is just implemented in different ways and I think we will get there,” he said. “What I think will happen is unfortunately, reality will get in the way and we all know it is something we should be doing.”
Fisher predicted that we will see a large push to get things ready for May 25 2018 to minimize the impact, and then the data protection regulator will issue a large fine for a ‘second awakening’. “If I was at the ICO now or one of the data protection regulators across the EU, I would be thinking I would make an example out of someone so that I don’t have to do this all of the time.”
Source: Information Security Magazine