Let’s be honest. We all know that GDPR is the original Data Protection Act with teeth. The act has always told us to keep the public’s data safe and secure, however, despite that 7th principle stating that organizations should take "appropriate technical and organizational measures … against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." Recent events would suggest that we’re not doing this as well as we could.
GDPR continues the theme of safety first, albeit in a slightly more didactic style, but maybe we, as a sector, needed that push, or the greater clarity in how to do it. It can’t be a bad thing to be held to explicit behaviors in how we safeguard our industry and consumers.
From Disney being held to ransom over the new Pirates of the Caribbean film, to the NHS being badly shaken by an unprecedented and confidence-shaking cyberattack, it’s clear that big businesses continue to be at risk in their physical protection of data access. Hacks aren’t new, but they do grow in sophistication. The latest figures show that Ransomware alone has affected 150 countries across the world.
If we are to safeguard against attacks properly, we must invest in knowing what data we’re gathering, how we’re gathering it, and how we’re keeping it safe, at rest, in use and in motion.
So what chance do brands have if even the US government are struggling with stemming the flow of information? Back to GDPR and common sense prevailing, it gets all specific again in what we should be doing in terms of documentation.
I don’t think any of us would disagree with the sentiment of clear documentation giving us the short cut to knowing what we’ve got, what we’re doing with it and therefore where our weaknesses are. It’s a sensible thing to do, but do we really have it all to hand?
As it stands, in the context of security, GDPR is going to make you prove that you do. And in my view, quite right too.
- Document where data is. How do you know where to check for security patches?
- Document what data is being used for. Which business critical processes are using which sources? Whether that’s commercially critical or because of the consumer experience
- Document audit trails. What systems/databases are talking to each other?
- Find out where the potential weaknesses in the flow of data are. Plus, are you able to get to it quickly?
If brands don’t have this documentation easily to hand and aren’t able to identify where the weaknesses are, it would be problematic, to say the least.
If we are to safeguard against attacks properly, we must invest in knowing what data we’re gathering, how we’re gathering it, and how we’re keeping it safe, at rest, in use and in motion—up front—not just investing in how we solve the problem after the fact.
What these cyberattacks will hopefully do for brands, will be to bring, somewhat sensible guidance, into sharp relief, as well as, I suspect, highlight just how many of their data processes aren’t documented, understood, audited, or owned by specific individuals.
—Sue MacLure is head of data at PSONA.