24 March 2017
Blogs by author: Guus van Es, GM Security Consulting Worldwide, BT.
BT’s security consultants have long advised customers to design security and data protection into their core processes. Innovation and security are two sides of the same coin. This combined ‘outside-in’ and ‘inside-out’ approach to security makes sense in a threat environment that is changing so rapidly.
But, as of May 2018, when the EU’s General Data Protection Regulation (GDPR) comes into effect, “Privacy by Design” will be legally enforceable. Guus van Es, Manager of BT’s Worldwide Security Consulting division, explains why the GDPR is not to be underestimated.
Guus, tell us about your role at BT?
I’ve been at BT since November 2013, starting in sales, later moving to contract management and the Benelux Country Executive Team accountable for Marketing, Portfolio and Sustainability.
For the past two years, I’ve managed our Security Consulting division, first at a European level and currently worldwide. In the role, I lead a global community of approximately 500 consultants, and I’m responsible for our collective capability, assets and business impact.
Together, we believe we have the opportunity and responsibility to help our customers get, and stay, ahead of the threat curve. I love working at BT; there’s tremendous ambition and great opportunity for professional development at this company.
What’s happening in the security field right now? What do you want to bring to the attention of CIOs?
Today, I would like to highlight the implications of GDPR, the EU’s General Data Protection Regulation that’s coming into force on 25 May 2018. Organisations clearly want to protect their customers and their brand, but I think a lot of them underestimate what’s required to effectively do that. And, associated with that, I think many organisations underestimate the potential impact of this regulation, and what’s required to be prepared.
Countries around the world and in Europe have different ways of protecting their citizens’ personal data. Most have some measure of protection, but that protection is not uniform internationally. Such fragmentation has made it difficult for companies who process personal data to comply with privacy regulations. However, for citizens of the EU, that will soon change. The implications for companies that hold personal data of EU citizens are profound — and, I think, underestimated.
Why is that? Can you summarise the implications of GDPR?
The GDPR stipulates that all EU citizens own, and have the right to control, their personal data. Companies that collect or hold your personal data must let you know what data they hold and for what purposes they will use it. As a citizen, you can demand that your data is deleted and you can contest decisions that have been made based on algorithmic decision making.
Basically, all EU citizens will have consistent rights pertaining to their personal data, and companies will have additional duties. For example, in case of a data breach, companies must notify a supervisory authority within 72 hours — and if there is any impact regarding people’s data, they must notify the individuals concerned.
While the GDPR does simplify the regulatory environment — and therefore, in principle, makes it easier for international companies to comply with regulation — the penalties for non-compliance are particularly severe. Fines can reach up to four per cent of annual worldwide turnover. For multinational companies, that’s an immense sum of money; it could wipe out a company’s annual profit.
What should companies be doing to prepare for GDPR?
The core implication of this regulation is that companies must design data protection into their business processes. In fact, GDPR makes explicit reference to this point. Companies must demonstrate that they have the necessary capability and controls in place to protect personal data.
Managing risk is, more than ever, a process; it is a task without an end-point. Companies obviously must embrace digital innovation, but at the same time they should address upfront all security and privacy questions related to any new initiative. Unfortunately, many companies still struggle with this. I think most companies understand these principles, but that does not mean they have the capabilities to manage security accordingly.
Let’s look at an example in the financial sector. Most of us would like to use our smartphones to access banking services and dispense with cumbersome authorisation steps such as the use of a card reader. The question is, how? How can banks create an easier customer experience without adding more risk? We think it is possible, but you must design data protection into business processes, upfront. Trying to secure a product or service after you have scaled it up is much harder.
Is there a risk that the GDPR will stifle innovation?
It really shouldn’t, and might even lead to innovation. We’ve always looked at IT and security as enablers of innovation, not obstacles. Our job at BT Security Consulting is to help customers translate their strategic priorities into IT security strategy, design and operations — in a technology-agnostic way to leverage legacy investments where possible. And our goal is to keep you ahead of the threat curve as you continue to innovate and leverage the opportunities of digitalisation.
How can BT help?
The GDPR has certainly created a sense of urgency among customers that they must get their house in order. At BT Security Consulting, we’ve set up a dedicated Data Security Practice, specifically to help customers prepare for GDPR. We help customers assess where they currently stand, what their end-state should be, and what they need to prioritise to get there.
The hard part is mapping exactly where and how data flows through your organisation. For example: what happens when someone registers for one of your newsletters? Where is that person’s data stored? Is it used in other business processes? Who in the organisation has access to this data? Where are the potential leaks? How will you detect a data breach? And are you capable of reporting a breach if and when it happens?
The problem is that most companies have set up all sorts of data flows without taking account of personal data protection. I think the recently exposed vulnerability of connected devices makes that point quite clearly.
Our advice is based on experience, not just theory. BT is a large, multinational, networked IT provider. In our decades of protecting BT and our customers, we’ve experienced many of the same challenges that our customers face.