Data Protection Day: Keeping your Data Protection Watertight

This Data Protection Day, businesses are most likely in a very different position to where they were this time last year. In early 2020, the pandemic was yet to truly arrive in the UK. It was business as usual, offices were full of employees at their desks, and cybersecurity was often focused on these contained environments. Fast forward 12 months, and those same offices are very likely empty, with many traditionally desk-based workers now logging in from home.

Suddenly the parameters of data protection had to change overnight, and now there is a much greater focus on endpoint security, access management, and educating employees about how to keep their home digital environments secure. Cybersecurity Magazine spoke to eight technology experts to find out how businesses should approach their data protection this year, and what events are most likely to make an impact.

A top priority for 2021

As Jay Ryerse, VP of Cybersecurity Initiatives at ConnectWise puts it: “The age of data privacy and security is now. We are continuing to educate colleagues and our customers that data privacy should be built into everything we do. Service providers need to fully immerse themselves into the threat landscape and the best practices associated with securing data. Without cybersecurity, there is no such thing as privacy. This deep dive includes the governance aspect of data protection as well as the technical and physical controls necessary for the confidentiality, integrity, and availability of data.

“Consumers and businesses need to start asking the tough questions of their vendors. They need to understand the supply chain for the services they outsource and what those companies are doing to provide the best in class cybersecurity protections. If those vendors don’t believe they are at risk, then it may be time to find a new provider.”

“The last twelve months have been a turning point for digital transformation,” identifies Animesh Chowdhury, founder and CTO at Goodtill. “Particularly in the hospitality sector, organisations have needed to move fast to maintain continued operations in the face of a constantly changing business environment. For many organisations, this has meant – for the first time – deploying new software tools and platforms to facilitate click and collect, table ordering or online purchases.

“For pubs, restaurants and cafes this has proven hugely successful – and not just in terms of keeping businesses afloat during the pandemic. This transition will bring innumerable benefits for businesses, but it will also come with new challenges. The expression noblesse oblige is an apt one on Data Protection Day for those organisations suddenly collecting, storing and using the data of hundreds – perhaps even thousands – of customers.

Animesh continues, “Managing this data can be a tough job for organisations not already familiar with protecting this kind of information, so selecting a technology partner that can help make this as easy as possible – likely by keeping customer data securely in the cloud – is crucial.”

With this Data Protection Day marking the 40-year anniversary of the 1981 Council of Europe treaty that was the first step to protecting personal data, Caroline Seymour, VP Product Marketing at Zerto details what this means today.

“As we move into 2021, the rights this treaty established are more important – and higher up the corporate agenda – than ever before. With the accumulated digital universe of data now upwards of 44 zettabytes – or 40 times more bytes than stars in the observable universe – and growing more than 10 times every year, protection should be the mandatory starting point for any interaction involving data. 

“For businesses, this means ensuring the right tools are in place to protect and secure personal data from disruption – whether that’s avoiding outages and downtime that could expose data or preventing unauthorised access by third parties. A robust data protection strategy – including continuous availability as well as application and data mobility – is essential in the digital, data-driven age we now live in.”

Brexit and GDPR should be front of mind

The recent pandemic hasn’t been the only international event that is changing the way data is used, stored and shared. As Terry Storrar, MD at Leaseweb UK explains, Brexit is going to lead to new legislation and clarification: “Now that Brexit has moved on to the next phase of maturity, I believe we should continue to see more clarity and comfort in terms of how data is managed and protected as it enters, or leaves, the UK.

“Rather than following one set of GDPR rules, we will certainly have to consider both UK and EU regulations to make sure that contracts reference the correct and most appropriate terms for use. Ultimately it’s in everyone’s interest to ensure that data is protected and can flow freely in order for a business to thrive on an international stage.”

Jakub Lewandowski, Global Data Governance Officer at Commvault reinforces that new regulations are coming, but also that there is personal responsibility that all businesses must take now. “One area that is creating confusion over data protection is the cloud. It’s not so much the cloud itself, but rather the responsibility of protecting data that resides in the cloud. Many organisations assume that putting data in the cloud means that the provider is responsible for protecting it, but this is rarely the case. Most write into the small print that users are responsible for arranging their own protection. Though an increasing number of businesses are getting onboard with managing this, increased regulations may be on the horizon that would more clearly define the responsibility that the cloud providers should hold.

“In the meantime, the onus is on businesses to become familiar with new data regulations as they are introduced – understand who is affected, what is required, whether your business currently meets this standard or if changes have to be made.”

Vicky Withers, Head of Compliance at Node4, also emphasises the importance that Brexit will have on EU and UK data, and the existing GDPR: “We’re currently waiting for a big post-Brexit announcement concerning data protection from the EU to grant the UK Adequacy, allowing data flow across the EU to continue. While we have no crystal ball to help us predict the future decision making of the EU, we can certainly prepare for the possible outcome.

“Future changes to GDPR I foresee will be a greater awareness from consumers to know and understand their rights concerning their personal information. Organisations will be faced to make ethical decisions on how personal data is collected, processed, stored and shared to ensure that they are not in breach abusing an individual’s rights. Consequently, board rooms will be expected to report and monitor privacy breaches and support compliance to embed data protection within the organisation.”

“Over the last 12 to 18 months we’ve seen the world move towards adopting more of a GDPR stance,” adds Hugh Scantlebury, founder and CEO at Aqilla, “prompted by a continued increase in awareness among consumers regarding privacy rights. In the US for example, website and web-based services now also use cookies to offer assurances, which is a good thing.

“While this also gives websites the ability to provide functionality for the benefit of users, it does reduce the commerce sector’s ability to track online user behaviour in the way they’d prefer. It means that users can now opt not to subscribe to default behaviours that may allow Google and other third parties to track online activities, which provides opportunity for individuals to better protect their data and identity. In my view this combination of increased consumer awareness and regulation will see data ethics become a driver for decision making this year.”

Top tips to take away

To conclude, JG Heithcock, GM at Retrospect, shares his top tips for organisations to keep data out of harm’s way. “As business leaders look to secure their data, an arsenal of standard practices will protect sensitive and important information from ransomware and other cyberattacks. By maintaining proper password hygiene and vigilance around suspicious email addresses, requests and links, employees can reduce the risk of phishing and other data privacy violations. When organisations incorporate the added layer of maintaining an effective backup strategy with a 3-2-1 backup rule, organisations are better equipped to store sensitive information, which can be recovered quickly, easily and safely to avoid disruption.”