Despite only two years passing since the General Data Protection Regulation (GDPR) came into effect in the EU, the world could not be more different today. Coping with the COVID-19 pandemic has placed unexpected stress on privacy and security solutions. While some business leaders advocate relaxing enforcement to support the increased use of data to combat the crisis, this is the time for organisations to take privacy more seriously.
The GDPR accelerates trust
Since the pandemic began, the GDPR has come under threat. A recent report from Brave highlights that few fines have been handed out because GDPR enforcement is lax. The recent calls for reducing the stringency of the GDPR requirements further undermine the trust between organisations and individuals. If people believe that companies are resisting the GDPR, they will question those companies' commitment to protecting their private information. If either the regulations or enforcement are scaled back, people will lose confidence in both government and private sector organisations.
Standards like the GDPR create a basic level of trust between individuals and organisations, so everybody can move more quickly. The GDPR provides a shared social understanding by establishing a data privacy and security baseline. Without the GDPR, consumers would be even more cautious about sharing personal information with organisations because they would not know what to expect. Meanwhile, businesses would be constantly adjusting their standards in response to lawsuits, press coverage, and competition. Still, standards can only build trust if people believe that they are being met through rigorous monitoring and enforcement. With the current pandemic-driven challenges, trust has never been more important. Therefore, as we confront a changing world with COVID-19, the GDPR will create stability and trust as businesses and people adapt to the ‘new normal’.
Supporting the ‘new normal’
Most businesses were not prepared to handle a global pandemic. The sudden transition to working from home has led to challenges in managing and protecting our now remote workforce. Whilst tools such as Microsoft Teams and Zoom help connect people, employees working at home will likely share files across messaging applications and save files on local laptops. Both the transmission and retention could violate privacy regulations, and many won’t even know. Even worse, remote workers are prone to cyber threats that can access critical data that no longer sits in a secure hub. Businesses therefore must ensure data is shared and saved – securely.
Since private data will play a fundamental role in reopening the workplace, organisations will face even greater privacy challenges. With increased investment in wide-scale contact tracing and testing, companies will store data about every employee, contract worker, and customer that comes on site. The data involved will be highly complex, including CCTV footage, health vitals, and location. The amount and variety of new data will overwhelm businesses, unless they can follow clear guidance on what to retain and for how long.
Meanwhile, individuals will be torn between privacy, health, and leaving their homes. Governments are evaluating regulations that allow individuals to engage in more social activities only if they use tracing applications. While people understand the tradeoffs, ceding privacy is a cause of concern to many individuals. They will ask businesses and governments to show them the amount and type of data they collect about them, so it’s vital organisations implement a clear, automated data management strategy. The ‘new normal’ will require more transparency and trust.
Enter: The new GDPR management strategy
Whilst it might seem like the data management path is rocky, it doesn’t have to be. For businesses opting to get their data management strategies in place, meeting the demands of increased data loads and ensuring the safety of customers and employees need not be a debilitating challenge. GDPR provides guidance on what does and does not need to be done, so they can focus on implementation.
Businesses can begin by consolidating their data management into one place. Even before the pandemic, the increased use of IoT devices and edge computing meant that data sprawl was already part of their world. Data was created and stored in thousands of devices, subject to multiple regional legislations. Centralised “data centre” storage was already impossible, and privacy had become that much harder to manage. These organisations had begun adopting cloud solutions for gathering data regionally with centralised governance.
The pandemic has accelerated the use of cloud for data management, including GDPR compliance. Businesses can efficiently and affordably access data from multiple locations, extract metadata – information about data – and manage access control, search and retrieval. Because they expect the interest in privacy to increase, they use the metadata search to automate Right to Access and Right to be Forgotten requests, which minimises time, effort, and manual errors.
Our day-to-day lives have changed drastically within the space of several short months. As well as presenting considerable challenges to our new ways of working, there is some misguided pressure to reduce our commitment to privacy and security. However, the approaching two-year anniversary of GDPR reminds us of the value of building trust between individuals and organisations. This is not the time to relax the rules around GDPR. It’s time for businesses to accelerate their data management automation so they can comply, for new and existing workloads. To act with speed and confidence, there needs to be trust between individuals, governments, and businesses. GDPR provides the baseline for that trust.
Author: Stephen Manley, Chief Technologist, Druva