Datasec to examine new EU law impact


Harry Leech

The DataSec 2017 conference takes place in the RDS Concert Hall, Dublin, on Wednesday
The DataSec 2017 conference takes place in the RDS Concert Hall, Dublin, on Wednesday

Leading Irish and international experts on privacy and data security will debate the impact of the forthcoming General Data Protection Regulation (GDPR) at the DataSec 2017 conference which takes place in the RDS Concert Hall, Dublin, on Wednesday.

The GDPR, which comes into effect in May 2018, will bring in significant changes in how consumer data is stored and protected - with serious fines for non-compliant organisations.

The event will be opened by Communications Minister Denis Naughten. Data Protection Commissioner Helen Dixon Senior Counsel Paulien Walley and Stewart Thompson, Privacy Manager, IBM Watson Health, will address the day-long forum. Ticket sales have been strong and leading legal firms will be attending, including strong representation from a cross-section of tech and expert companies.

The GDPR will replace all current data protection regulations, resulting in significant changes in how the public and private sectors across the European Union and beyond deal with consumer data. Questions for businesses include whether the GDPR could spell the end of remote working. While smartphones and laptops have made working remotely a common practice in most Irish companies, if organisations do not have robust security procedures in place to address potential dangers when the GDPR comes into effect, the practice could become a thing of the past.

While much of the attention relating to data breaches involves large companies whose online security has been breached by hackers, research has consistently shown that the major cause of data protection breaches are employees who take data out of the office.

A recent survey conducted by specialist market research company Vanson Bourne found that almost a third (29pc ) of UK companies had experienced a data breach as a direct result of mobile working. An urgent analysis of working practices are required to identify where serious gaps in processes lie. This analysis should not take a particularly long time according to Jonathan Armstrong, co-author of Managing Risk: Technology & Communications and one of the most influential figures on data security in Europe.

"There is no need to get tied down in a comprehensive analysis that takes a year to complete - for one thing they don't have that time," said Armstrong. "Most companies know where the risks are if they are honest with themselves and they have to fix those risks now. For example, if you let people work from home and they take files with them, and they have an unencrypted laptop, you don't need a massive all-encompassing analysis to tell you that you need to fix that, and fix it soon."

While the prospect of a client taking sensitive files home with them, whether they be hard copies or electronic data, and absent-mindedly leaving them on a bus or in a café may seem like a case of negligence, the reality is that it happens all of the time. But businesses can't afford to take that chance, risking fines of up to €20m if they fail to adequately protect data.

According to Armstrong, there are often unintended consequences of allowing staff to use their own computers whilst working from home, even where the staff member has the best of intentions.

"We've had quite a few cases in the UK where employees are working from home on their own laptops, which have anti-virus software built in which backs up into the cloud as an automatic practice," he said. "If you have a social worker typing up a report on an at-risk child, do you really want a copy of that file in the control of an anti-virus company in a backup vault somewhere in the cloud? We can't assume that the greatest care is being taken with that data, so for the parent or guardian of that child, or the child him or herself, that is obviously a really concerning situation".

It's clear that the GDPR is raising uncomfortable questions for Irish organisations about how they handle consumers' data. Starting the process of making your organisation GDPR compliant should be a priority. Given the severe consequences of non-compliance, there is no other option.

The DataSec 2017 conference takes place on May 3 in the RDS in Dublin. The event will provide expert speakers, information and insight to help businesses comply with GDPR and get the most out of the legislation. Full line-up and details of ticket sales are available on independent.ie/datasec or call 01 7055397