Written by Mark Adams, David Kruger – iComply365, BPA’s strategic GDPR Partner.
GDPR’s operational launch in 2018 has put into motion a global tide that will change the management of personal and sensitive data forever. Sensitive data, for the purposes of this discussion, is anything that presents risks to data holders, whether private concerns or government agencies. GDPR has presented a case, not just to the EU but to the world, that data can and should be properly managed. Time will tell how easy this will be or how well it will be policed, but the concepts embodied in the GDPR change expectations in a way we believe will have a lasting effect on global commerce, politics, economics and ethics.
The major trends we see developing this year include:
1. Compliance and Regulation Landscape
A quick look back and forward, with a focus on topics and trends that will drive the shape of compliance, the compliance market and the growth of RegTech.
1.1 GDPR will underpin similar global privacy frameworks
Most of the EU has made a good start to adopting GDPR. Compliance measures against the standard will be tested at all levels in 2019, with fines and actions intended to show both carrot and stick. Actions taken by regulators (like France’s £44m fine on Google this month) and commercial class actions (driven by public sentiment) against global tech giants like Google and Facebook will ripple through all markets, increasing pressure on everyone to manage data in a consistent and provable manner.
Much work is still needed to refine what global adequacy might look like, including the launch of the related e-Privacy Regulation, but the core principles will quickly become sufficiently refined to spawn new regulations and standards.
To facilitate this, the tech world needs to develop broad, scalable solutions and services that allow compliance to be operationalised and affordable for organisations of all sizes.
Aligning regulations currently include California’s CCPA and Brazil’s LGPD. Japan, South Korea, Mexico, other US states and the US federal government, Canada, New Zealand and portions of Asia and Africa are considering broad-reaching privacy regulations. Tech giants such as Microsoft are working to get ahead of the curve by influencing standards and implementing more compliance-enabling privacy and security controls in their products.
Smart organisations should leverage their GDPR process investments to ease their compliance with these global initiatives and so gain commercial advantage.
1.2 Brexit Effect
With all the talk surrounding Brexit and the various scenarios that could happen, it is useful to look at the potential effect on data transfer and what that might mean for organisations and their IT systems. This article from Tim Hyman on Brexit is quite instructive – Data protection and your IT Systems.
Elizabeth Denham, the UK Information Commissioner, stated in December: “the Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected.” Here’s a link to the ICO’s recently published guidance about Brexit and what it means for data protection compliance.
1.3 From Compliance to a Culture of Care
Data is now a risk as well as an opportunity. This requires a shift in mindset for organisations. For the data protection officer, simply implementing better data protection and management may not be enough. In the 21st century, success will increasingly depend not on mere compliance, but on developing a genuine sense of stewardship for the personal data under their care.
1.4 State and politically motivated attacks
State-influenced cyber attacks on organisations, journalists, dissidents, voting systems and politicians will continue to grow. All nation states attempt to steer the voting patterns of both their allies and their enemies—and they always have.
A worrying and growing trend is states monitoring their own citizens for political purposes, as played out in the case of Saudi journalist Jamal Khashoggi. Indeed, some technology firms appear to be focusing on exporting surveillance technology purpose-built to aid governments in spying on their own citizens. There is little doubt there will be more calls for this behaviour to be regulated. The surveillance state and privacy proponents have always clashed, but the fight is likely to be noisier and more public than in the past.
1.5 Nations will “try” to establish cyber warfare rules
Even in physical warfare, most nations have agreed upon a basic set of rules, such as the Geneva Convention. Some nations are acting as if they can do almost anything with impunity. “Digital borders” are being tested and tensions are rising. Expect more calls for a “negotiated peace” in the form of treaties designed to rein in digital warfare.
The situation will continue to get worse unless global geopolitics starts to take this seriously.
1.6 Compliance and the Supply chain
Organisations are increasingly integrated with their supply chain: associates, suppliers, client portals, external IT service providers and more. A large proportion of breaches occur due to weaknesses in the supply chain. Whilst privacy legislation processes, supplier contracts, and advances in encryption and other security solutions are making incremental improvements, this area remains high risk and needs more attention.
Data ethics emerged in 2018 as a priority for many leading organisations, stung by security breaches that were then seen as breaches of public trust. 2018 was in some ways the year when data mishandling peaked and trust hit rock bottom, and now organisations must rebuild that trust.
2019 should see organisations step up efforts to ensure ethical data use and ethical data practices. Forbes suggests that demand for corporate data ethics and greater data responsibility is increasing. Data ethics is not just good citizenship; it’s good business practice. It looks like organisations will add new roles and governance approaches to address this issue over the next year.
1.8 DPOs/CSOs/CISOs—Do they have the skills?
Cyber security and data management training will continue to mature, as a new generation of degrees and certifications are developed to bridge the current skills gap. Many of these will be post-graduate courses designed for senior professionals needing to augment their existing knowledge. Master’s degrees in data management and cyber security will start to become mainstream, with more and more companies looking to hire DPOs/CSOs/CISOs with cross-disciplinary skills.
This means a complicated job will continue to get more so. Technology providers will need to step up to keep workloads down.
2. Operationalising Compliance
Central to our own business strategy is how we leverage both compliance and IT know-how to help operationalise compliance and data management. It needs to be made as agile, efficient, transparent and cost effective as possible. The section below touches on technologies and topics we believe will contribute to the success of these goals.
2.1 Complexity and economies of scale are driving operationalisation
Technology researchers at Gartner, Inc. have noted that security detection and response, rather than just preventative measures, is now a top priority for organisations. With a worldwide shortage of nearly one million security professionals, we must automate routine processes to amplify the impact of trained human beings. Gartner predicts that by 2021, security and privacy automation will be high on the list for organisations.
2.2 Cloud Computing
The cloud continued its march toward domination in 2018. Two Deloitte surveys, for example, indicated that 90% or more of global executives are adopting, considering, or already using the cloud. Amazon Web Services, Microsoft Azure, and Google Cloud are all growing rapidly.
They are increasingly adding software and data management capabilities to their clouds, including enterprise data warehouses, DevSecOps, DataOps, advanced analytics, various forms of AI, Internet of Things, blockchain and robotics applications.
Security and Compliance as a Service will start to mature from vendors like Microsoft, whose Advanced Threat Protection (ATP), Azure Information Protection (AIP) and Compliance Manager are designed to operationalise compliant working. These facilities show how a cloud service provider (CSP) can help organisations to intelligently assess their compliance risks, to govern and protect sensitive data, and to provide data lifecycle management that responds effectively to changing and overlapping regulatory requirements. Check out this 2-minute video.
Many organisations are adopting a shared risk, cloud-only model for information management as the most sensible way to balance capability, agility, risks and benefits, and the expenditure of time and money.
McAfee Labs’ Threats Report suggests that malware exploiting software vulnerabilities grew by 151% in the second quarter of 2018. The volume of these attempts leads us to believe that the only way to address them is by using AI/machine learning for cyber-threat intelligence, detection, and resolution. The question is whether the good guys or the bad guys master AI first.
Though far from a perfect solution, most websites and online services will abandon password-only access and offer additional required or optional authentication methods. For a while, the different forms of multi-factor authentication will likely confuse and frustrate users. Ultimately authentication will be hardened and mandated globally for all online transactions to provide the level of trust needed for eCommerce to continue and grow.
Like malware, spear phishing is becoming even more targeted. Attackers know that the more data they have about you, the more likely a phishing campaign against you will succeed. AI in the hands of bad actors will further undermine traditional trust-based financial transactions by using detailed knowledge of prior transactions to dupe users.
Insecure email needs to be replaced by more secure communication for high risk transactions.
2.4 AI impacts – Blending, People, Process and Automation
From an operational perspective, cloud services are investing heavily in artificial intelligence and machine learning, as they look to support and complement “the humans” who ultimately run organisations. We see increasing numbers of organisations adopting a growing range of AI technologies to optimise the respective capabilities of humans and machines.
It’s a case of marrying use cases with the most appropriate AI technology solution in a manner that enables humans to stay in control whilst reducing risk.
Data Operations (DataOps and DevSecOps) is rapidly emerging in organisations that must manage data as a shared business asset. A core goal of GDPR is to implement Privacy-by-Design, and as such these methods need to be more widely adopted. DataOps brings engineering principles borrowed from the DevSecOps software development movement. The intent of DataOps is to deliver “rapid, comprehensive, and curated data” to business analysts and decision-makers. Forbes expects 2019 to be a breakthrough year for DataOps as organisations strive to derive value quickly and efficiently from their data assets, but with less risk.
Encryption is now available in so many forms that organisations can no longer justify breaches, or operating insecure solutions, on the grounds of implementation or cost constraints.
We will shortly be providing more guidance on Encryption strategies.
2.6 Managed Compliance Services
A recent ResearchAndMarkets.com report suggests that the compliance-related managed services market in the US is likely to grow at a compound annual growth rate (CAGR) of as much as 25% over the next 4-5 years. We believe growth in other regions will be similar as the commercial consequences of non-compliance ripple outwards.
Managed Compliance Services include: data management, data discovery and mapping, data governance, API Management, GDPR readiness assessment, data subject risks assessment and DPIA, DPO-as-a-Service, and GDPR-related training and certification.
2.7 Compliance Apps and Solutions
Just like Compliance Managed Services, specific compliance solutions will be needed in one form or another to simplify and operationalise local compliance activities. Very few organisations will want to re-invent the wheel by developing solutions from scratch if they can lower compliance lifecycle costs by using off-the-shelf solutions that fit their needs, work well and are reasonably priced.
We can find little specific data on this segment, but given the number of vendors entering the market and the depth and breadth of solutions on offer, the market is significant, and vendors that gain market share quickly should benefit geographically as compliance goes mainstream.
Solutions cover a wide gamut: endpoint security, legal, risk and compliance solutions, consent management, specific encryption solutions, enhanced authentication products and services, network security products and strategies, security analytics, intelligence, response and orchestration, secure storage and general security products.
2018 represented a year of major advancement in the use of blockchain technology to enable identity and supply chain trust. Finance, asset management, and healthcare are taking the lead in adopting blockchain. Increasingly rapid development and adoption of blockchain technology bodes well for personal data protection, but some work is needed to blend this with other technologies and apply it to mainstream use cases.