As we settle in to 2018, we are officially on the countdown to GDPR, the advent of a new era in data protection, which starts on May 25th, 2018.
Of course, with every piece of new legislation the immediate focus is on compliance and getting ready in time. Some sectors are already used to this (financial services, for example) but still face the challenge of implementing the necessary and complex changes in time. Other sectors will have to take a deep breath whilst considering the far-reaching implications of GDPR, which go a lot further than most previous national data protection acts. How many retailers ask for personal data which they don't really need? I've taken to using a standard "false" birthday in response to pointless requests for my birth date when registering on a site. Given that I am still being called by the telco I left over 6 years ago, it makes you question how many customer records are being retained for seemingly no reason. I am also regularly called by companies purporting to help with a traffic accident I never had - are they ready for GDPR?
The Public Sector is another interesting area; they are used to Freedom of Information requests from concerned citizens and interested journalists, but this doesn't mean that they are the best at holding onto our information, data breaches being just one example. And what is very clear is that GDPR is about so much more than just protecting against hackers.
Public Sector organisations must consider implementation within complex, legacy systems. Typically, these systems capture a lot of information that, when really considered, may not be necessary. Do you really need to know that I am divorced to process my council tax payment? The important question to consider is: how do you change your systems development philosophy to be "secure by design"?
This is where CIOs and CISOs can use GDPR as an opportunity to innovate. From insider threats to identifying where personal data is held - there's a start-up out there trying to solve your problem. Here are just a few examples of how they can help*:
Data Mapping and Classification
Identifying and mapping PII across structured and unstructured data can be a time-consuming and labour-intensive process. Innovative start-ups utilise data science and AI to automatically map vast amounts of data and identify the location of PII.
Incident Response and Investigation
Reporting a breach in time is a major pillar of GDPR, and failing to handle it properly could lead to significant fines. Public Sector organisations should look to utilise start-ups offering behavioural analytics, AI and automation to greatly reduce the time taken to detect and investigate a breach.
Continuous security assessments
Automated pen testing tools allow for continuous, real-time assessment of an organisation's security status and posture.
Consent management and right to be forgotten
New vendors utilise technologies such as blockchain to track and manage customer consent and the right to be forgotten.
With just over 4 months to go, it's time to harness the opportunity that GDPR presents for the public sector. It is an opportunity to engage with the new. Working with new, smaller and innovative companies may be the start of something bigger and could transform the way that "traditional" companies and government agencies work.