GDPR: Firms outline the compliance challenge - data discovery and consent
IT leaders from Ladbrokes Coral, University College London and Forcepoint explain what's currently keeping them up at night when it comes to the impending General Data Protection Regulation
With the EU's General Data Protection Regulation (GDPR) set to come into force in the UK in May 2018, several organisations have outlined the challenges they face in ensuring compliance.
And with the data protection regulator, the Information Commissioner's Office, having already clarified that the GDPR or an equivalent set of laws will apply in the UK irrespective of the country's European membership status, these challenges are set to persist.
Speaking at today's Computing IT Leaders Forum event, 'Getting ready for the GDPR', Richard Giles, CTO at Ladbrokes Coral, the UK's largest betting firm, explained that his biggest task is data discovery.
"We've always taken security quite seriously, with separate information security teams and DPOs [Data Protection Officers]," said Giles. "So in many ways it's business as usual, but we're in the business of managing risk and attracting customers, so we gather a lot of information. We integrate with hundreds of partners to create products, so our customer data permeates a lot of systems.
"The biggest challenge is understanding where all that data is, which parts of the business are holding it, and following those trails right down to individual databases which may sit with our partners," said Giles.
He also said that the right to be forgotten, and the need for individuals to opt in to having their data gathered (rather than the existing rules, where opt-in is assumed), are significant challenges.
"These are new concepts. We have a large number of connected systems we need to extract data from if users want to be forgotten, and that's before we even start to think about backups."
The challenge at University College London (UCL) is similar, but based around user profiling, explained Bridget Kenyon, head of information security at the university.
"One of our challenges is working out what to do with profiling as we're increasing it," said Kenyon. "We use profiling for alumni relations, identifying organisations or individuals who might want to invest in the university.
"Profiling is also increasing in student welfare," she continued. "If a student is struggling with their course, there are indicators. To find and track those indicators, we use profiling. So we identify where students are struggling early on, and then prevent them failing. We have to look at consent as it's in the student's interests and we need them to opt in."
She explained that she'll be running a series of workshops with top management at UCL over the next month to identify and fix process issues.
"If the process is fixed then everything new that happens will be okay," Kenyon added.
Neil Thacker, deputy CISO at Forcepoint, sounded a positive note, arguing that the GDPR will focus the board on security issues and make the job of securing budget less arduous.
"It's good for infosec in general as for years we've had to work without much buy-in from the board."
He added that, for a security firm, the GDPR brings different challenges, since hackers are unlikely to consent to having their activities profiled and monitored.
"We process huge amounts of threat intelligence. I can't request and gain consent from a threat actor," he said, adding that the regulation will allow for legitimate use in cases such as this, where consent would be unlikely to be given.