BJ Jenkins, President & CEO, said he expected that over the next year governments and security companies would start working together to improve the regulations that protect companies and individuals.
A survey conducted by NW Security Group finds that only 22 percent of schools, colleges and universities believe their data protection policies are up to scratch in the run-up to GDPR's deadline.
Despite high levels of awareness of the incoming EU General Data Protection Regulation (GDPR), only 22 percent of the 500 schools, colleges and universities surveyed felt their data protection policies were compliant. Furthermore, 70 percent said that if they fell foul of a data breach, they would not be able to evidence that the correct procedures were in place.
The survey was conducted by NW Security Group. The research sought the feedback of head teachers, governors, IT, security and facility managers in the North West of England to determine their awareness levels of, and adherence to, the GDPR. The main findings were:
- Only 22 percent of respondents believe their data protection processes are GDPR compliant
- 64 percent are aware of the GDPR but require further information regarding its impact
- 11 percent of schools, colleges and universities have experienced a data breach and not informed the Information Commissioner’s Office (ICO)
- If made aware of a data breach, 14 percent of respondents would ignore the issue and hope the problem resolves itself
- 31 percent of respondents don’t believe their employees and contractors are adequately trained in data protection
The survey also highlighted that only 16 percent of educational institutions reported having fallen victim to a data breach, despite a rapid increase in attacks targeting the sector in recent times. This seemingly low figure, which runs counter to wider industry trends, was of particular interest and might be explained by respondents struggling to identify what constitutes a data breach.
A data breach is not limited to an external hack. It could include: emailing data to the wrong recipient; openly discussing Personally Identifiable Information (PII) where it can be overheard; leaving hard-copy materials in plain view; or the loss or theft of unencrypted data. Each of these can result in the loss or unauthorised disclosure of PII, which makes it a personal data breach under the GDPR, with the notification duties that follow.
Nigel Peers, Security and Risk Management Consultant at NW Security Group, said, “These findings are concerning, especially considering GDPR’s imminent deadline. This is putting educational facilities at great risk of severe fines and reputational damage. There appears to be a large amount of confusion regarding the regulations, and with 64 percent of those who’d heard of the GDPR still requiring further information, it is clear more work is needed to propel educational facilities towards full compliance.
“Employees are a school, college or university’s first line of defence and if they are unable to identify what a data breach is, the likelihood of achieving GDPR compliance is dramatically reduced. That is why it was a concern to learn that, according to our survey, 31 percent of respondents didn’t believe their employees and contractors were adequately trained in data protection.”
These results are consistent with NW Security Group’s own experience conducting Organisational Readiness Assessments for education customers seeking to determine their progress towards GDPR compliance. During those assessments, it was observed that although many institutions believed their processes were up to scratch, the reality was somewhat different. Outdated policies and a lack of documentation were frequent failings, indicating low levels of GDPR compliance throughout the education sector.
IBM’s iX Automotive, Aerospace and Defence Chief Digital Officer and digital entrepreneur Dele Atanda warned that when the General Data Protection Regulation comes into effect on 25 May 2018 the context in which businesses and their customers collect, share and use data will change forever.
He is setting up a personal data wallet and marketplace, dubbed MetaMe, which takes advantage of the “Clean Data” economy that the new law inspires.
Atanda said that GDPR would rebalance the relationship between data seekers (businesses, for example) and individuals. Finally, individuals – customers – will have more say over how their personal information is captured and processed. Companies will have to ensure the data they hold is valid, confidential and fit for purpose.
Under GDPR, notions of privacy, consent, transparency and accuracy become paramount. And while the new regulations will force businesses to reset how they operate, Atanda argues that this redistribution of power will enable them to innovate and allow for new equitable and sustainable opportunities.
Atanda said the Clean Data economy is underpinned by privacy, individual ownership and mutual benefit for individuals and businesses from the use of personal data, in contrast to the nefarious tracking and exploitative data acquisition practices of the surveillance-led ‘Dirty Data’ economy. In the Clean Data economy, businesses pay individuals for their data, creating a fairer and more equitable relationship between the two.
Clean Data is made tangible by MetaPods (mPods), which are crypto information objects that use artificial intelligence (AI) to enable granular, precise and minimum units of data to be isolated and encrypted based on an intention – buying or selling health insurance for example. mPods are shared and traded privately and contextually in exchange for Krypto Koins, MetaMe’s currency.
Atanda said: “To give an example of how mPods can revolutionise the digital sphere, let’s use the burgeoning wellness industry as a demonstration.
“mPods are effectively like digital cards – they serve information. Each card has a colour code and a score. The colour code – or RAG status – relates to how identifiable the data stored on each card is. So a green card shows that no information on that card can be used to identify the individual. An amber card means some information could be identifiable. A red card indicates that some or all of the information is confidential.
“The score signifies how sensitive the information is. So the m-Exercise card has a rating of two out of ten because it contains no sensitive material – this information (exercise activity, steps taken) is similar to data captured by any standard activity tracking device such as a Fitbit. The card is green because it contains no identifiable information.
“MetaMe’s system makes it easy for people to understand how sensitive their information is and therefore how careful they need to be with it. Moreover, the more sensitive the information, the more value it has to companies operating within the wellness sphere and thus the more people can expect to be paid for sharing this information with brands in our marketplace.
“As a non-identifiable and low sensitivity card, the m-Exercise pod could also be shared with a personal trainer. The trainer could check how well an individual was maintaining a fitness programme. If required, the trainer can provide remote coaching, intervention, support or motivation according to an individual’s performance.
“At all points, the value of an mPod is couched contextually. Sharing health or exercise information with an insurer will command more value when looking for life insurance. This is key. The value of an mPod is based upon identifiability, sensitivity and context. The value of an mPod fluctuates depending on who’s enquiring for its information.
“If you want to maintain a healthy lifestyle, for example, you could share the m-Diet, m-Exercise and m-Health Plan cards with companies you know will provide you with healthy products. These companies will pay you for this information to better understand you as a customer and better tailor their products and services to your needs. By selling these mPods to relevant companies, you can receive tailored offers seamlessly and transparently. You only need to share the minimum amount of information required to achieve your goal – in this case earning money and getting healthy products and services tailored to you.
“You can take this further and use these mPods to receive concierge services from your trainer, nutritionist and the marketplace based on your wellness behaviour and data. The choice is always in your hands. You choose how much – or how little – information you share and you will only receive information or offers that are relevant to your requirements.
“Only companies that meet ethical and responsible data usage criteria that agree to abide by the rules of MetaMe’s marketplace will be able to access your mPods. You won’t even have to manage mPods on an individual basis. You can put rules on your data, and only companies that meet your criteria will be allowed to access your mPods. You can do this holistically or individually by mPod.
“With MetaMe you retain complete sovereignty of your information. You’re just allowing third parties to access your data as and when the need requires based on rules that benefit you and brands you like and trust. Your information is no longer scattered across the web; it’s in your data store under your control.
“And while this might seem like a giant leap into the dark, it isn’t really. In the digital era, we are used to sharing things on social media and getting recommendations based on previous purchases. This is no different. That photo you shared on Facebook is a piece of information. The like you received on Twitter for your latest playlist is of value. Recommendations can only be served because of data companies hold about you.
“The critical objective of mPods and MetaMe, the app used to make them, is to create a framework whereby people can be paid and fairly rewarded for sharing this data safely without having to think about it. The culture of sharing information and receiving recommendations is well established, and the ecosystem is in place. It is just that the value exchange is out of balance. It’s not a huge cultural shift or massive behaviour change for people to be rewarded for the sharing they already do regularly. We’re simply applying behavioural patterns already embraced in a slightly different and more personally beneficial manner.
“The big social media companies are making billions of dollars on the back of people sharing information. What MetaMe aims to achieve is the same, but making that exchange, that transaction more equitable.”
Dele Atanda continued: “MetaMe’s primary commercial model is to enable people and businesses to share information with each other in a mutually beneficial manner, creating a virtuous circle that encourages both sides to share more with each other.
“This eliminates waste by ensuring that businesses are ultimately matched with people who value their services. People can find products and services they require or desire, but more importantly, it lays a foundation for the fair and ethical use of data and artificial intelligence to benefit people, companies and society as a whole.
“This fundamental alignment of interests is not only more responsible and sustainable for business in general; it is essential to the establishment of a fair, safe and trustworthy digital economy that does not expose us to rampant manipulation and exploitation.”
A new study from analytics firm SAS shows that 93 percent of firms have not yet met all of the demands posed by GDPR, despite the fact that it comes into force next month.
Less than half of respondents (49 percent) said they would be compliant before the 25 May deadline. European companies seem to be more prepared for the law, though.
Currently, 53 percent of EU and 54 percent of British organisations expect to meet the deadline, compared to just 30 percent in the United States.
David Smith, head of GDPR technology at SAS UK, said that despite the long run-up to GDPR, the vast majority of UK organisations still don’t have processes in place to manage their data in compliance with the new rules.
“At this point, senior leadership needs to take ownership of getting the whole company on board, from IT to operations, to make sure that all personal data is accurately located and appropriately handled.”
While the study shows that most businesses are struggling to meet the deadline, 93 percent said they are working on plans to become compliant.
Most see GDPR as a good thing, with 84 percent of respondents saying they expect GDPR to improve their data protection abilities. And 68 percent believe that the law will enhance customer trust.
In other findings, 58 percent of respondents said they had developed a structured plan to become GDPR-compliant, but 15 percent of US respondents and 4 percent of EU respondents said they have no such plans at all.
Smith added: “There’s a great opportunity contained within the challenge of GDPR. Organisations that gain greater control and understanding of their data will be better able to provide their customers with the services they want, in the manner that they wish.
“Those companies that can innovate through GDPR will gain a significant advantage over competitors who get stuck in the long grass of compliance.”
Beancounters at IDC have added up some numbers and divided them by their shoe size and reached the conclusion that only 29 percent of European small business and 41 percent of midsize companies “have taken steps to prepare” for GDPR.
Among non-European SMBs, the share of prepared firms falls to nine percent of small firms and 20 percent of midsize companies. Oddly, a fifth of small businesses in the UK and Germany “are not aware” of GDPR and probably think it is a train service.
This means they have seven weeks before the EU’s privacy legislation comes into force on 25 May.
IDC senior research analyst Carla La Croce said: “When looking at GDPR in western Europe, adoption is moving ahead as expected. Bigger companies move faster than smaller companies, and at a country level, Nordic countries are implementing GDPR faster than other western European countries.
“GDPR compliance and implementation has been identified as the top security priority.”
The EU claims that by making data protection law identical throughout member states, companies will make savings of £2million annually.
However, the potential penalties for failing to meet these requirements are severe: up to £17.5m (€20m) or four percent of worldwide annual turnover, whichever is greater.
SMB research VP at IDC Raymond Boggs added: “As SMBs around the world increasingly look to grow revenue by reaching out to new customers, the importance of global expansion increases.
“But so does the need for first-rate security and data protection, which is why GDPR compliance is important, not just to avoid fines, but to ensure that vital customer information is secure and protected.”
For those who came in late, GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
It was thought that the rush to become compliant would create a bit of a bonanza for those selling security, data management and authentication tools.
Cisco has discovered that far from rushing into buying fresh technology, two thirds of those businesses quizzed were reporting sales delays because of customer data privacy concerns.
Cisco’s Privacy Maturity Benchmark Study found that some of the public sector verticals, including health and government, are suffering the longest delays because of the stricter standards they are working towards.
The Cisco study also exposed the level of losses with what the vendor termed as “privacy-immature” companies being hit the hardest.
Many of the concerns stem from doubts that the products and services being purchased will have the privacy protections required under GDPR.
As well as delaying spending, the study also reveals the level of confusion that still exists around just what will be required to become compliant.
Research from Clearswift, which looked at preparations for GDPR in the UK, US, Germany and Australia, found that only 21 percent of middle management felt they were ready for the compliance regulations.
The firm found a disconnect between the board and middle management, with the more senior executives more optimistic about their organisation’s ability to handle right-to-be-forgotten requests.
Canalys said that GDPR data regulations are going to lead to revenue for the channel particularly from the SME customer base.
Forecasts from Canalys have highlighted the security spending that is going to come across Europe as firms get themselves compliant with the data protection regulations.
The analyst house is predicting a 16 percent increase in the Western and Central Eastern European security market, reaching $11.5 billion in 2018.
Some customers are better prepared than others with the channel heartlands of the SME community needing a bit of help from resellers.
Canalys senior analyst Nushin Vaiani said large businesses are well informed on information security regulations, with resources in place to ensure compliance.
“With ransomware threats such as WannaCry causing havoc, shareholders will be more willing to accept increased data security and compliance budgets to protect their long-term investment,” Vaiani said.
“SMBs naturally have fewer resources, putting constraints on implementation. But there are potentially massive fines for non-compliance with GDPR, putting SMBs under threat of bankruptcy. Businesses must take action now to safeguard from this danger,” Vaiani added.
Beancounters at Gartner have added up some numbers and divided by their collective shoe size and worked out that when the GDPR goes live on 25 May 2018, more than half of the organisations it covers will be eligible for fines of up to €20m – or four percent of turnover, whichever is higher – for non-compliance.
Gartner research director Bart Willemsen said that the GDPR will affect not only EU-based organisations, but many data controllers and processors outside the EU too.
“Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.”
All this opens the way for the channel to step in and provide customers with the advice they so desperately need.
They need someone to tell them their role under the GDPR, whether controller or processor. Organisations established outside the EU that process the data of EU individuals need to appoint a representative in the EU to act as a contact point for the data protection authority (DPA) and data subjects.
Many will have to appoint a data protection officer (DPO). This is mandatory when the organisation is a public body, when its core activities involve regular and systematic monitoring of data subjects on a large scale, or when it processes special categories of personal data (or criminal conviction data) on a large scale.
Gartner said that too few organisations have found every single process where personal data is involved. Going forward, purpose limitation, data quality and data relevance should be decided on when starting a new processing activity, as this will help to keep future personal data processing activities compliant.
Organisations must be able to demonstrate accountability and transparency in all decisions regarding personal data processing activities. Outside parties must also follow the relevant requirements, which can affect supply, change management and procurement processes. It is important to note that, where consent is the lawful basis relied on, accountability under the GDPR requires proper acquisition and registration of data subject consent. Prechecked boxes and implied consent will be a thing of the past. A clear and affirmative action is needed, which will require organisations to implement streamlined techniques to obtain and document both consent and its withdrawal.