Safety through regulation

There was plenty of resistance to GDPR, but it has served a greater good by making companies more responsible, argues Michael Conway of Renaissance

Michael Conway, director, Renaissance: ‘The bad guys are good technically, and you won’t keep ahead of them’ Picture: Maura Hickey

More than a year since it came into effect, the talk around GDPR has died down significantly. But that doesn’t mean that the regulations have been ineffective. In its first few months, many Data Protection Authorities (DPAs) started with exploratory investigations, offering recommendations and guidance to companies that had been breached.

Since then, several fines have been issued to companies across Europe, both large and small, and in some cases companies in the EU have been issued a temporary or indefinite suspension of data processing.

To give one example, the Dutch DPA sanctioned the country’s tax authorities for using their national identification number as part of the VAT return number for the self-employed.

After finding that the purpose had no foundation in law and increased the risk of identity fraud, the DPA prohibited the Dutch taxman from doing so from 2020 onwards.

Even if you haven’t necessarily heard GDPR being referenced in the past year, it has been working in the background and has served a greater good by making companies more responsible, says Michael Conway of Renaissance.

“Regulation and compliance are driven forward,” he said. “GDPR is there, it’s a great thing because it was designed to protect people and to stop people from doing stupid things. The whole idea is that it’s there for a good reason, but we see a lot of other compliance [measures] driving things. From a financial services regulatory point of view, the central bank . . . is more focused on driving compliance, and they’re not just putting regulations in, they’re enforcing them, policing them and reviewing them.

“You see stuff like the European EU regulation which is driving all around the integrity and capabilities of the critical national infrastructure, there are critical industries [that need] to be resilient and safe.”

Conway’s point is that initiatives and regulations like this are driving the industry forward, as staying still is no longer an option. Companies can no longer hope for a time when an antivirus and firewall combination is deemed sufficient protection. Instead, what you’re trying to defend is a living, evolving organism, one that becomes more complex the more that is added to it. There will be greater complications when the Internet of Things (IoT) hits the mainstream, likely through corporate or government initiatives rather than personal ones.

“The issue is when you go to manufacturing distributions, all of the control systems that we have in terms of logistics, in terms of health services, utilities, smart metering, these are all now threat vectors,” Conway said. “We’re seeing the integration of OT and IT and the overlap of those and how people are going to look at those, because OT is going to be a threat unless it’s managed and controlled.

“Even if IoT doesn’t become the type of service people have envisioned, there will still be enough developments in existing technologies to make this a reality. If you look at how the likes of cars, TVs and other devices are getting smarter capabilities built into them, it’s probably no surprise that such things are going to become more complicated as time goes on.

“Both software and hardware companies are always under pressure to add new features, expand capabilities and find new revenue streams to continue growth. That can mean changes can occur at a rapid pace as new services come up with new ways of using data. The ability to opt in applies under GDPR, yet it highlights the ever-evolving nature of technology and how data is used.”

Conway believes that if we look at where the cyber landscape and compliance landscape will be in three to five years, we will see a more complex environment. The convenience and benefits these technologies bring have to be complemented by robust security measures, and regulations are there to help guide businesses through this landscape, not hinder them.

“It’s designed to provide services to people, but it has to be done in a secure, safe and managed way,” he said. “It’s not [for the sake of] saying we’re compliant [with] the likes of GDPR, the objective for them is to make life good, easy and safe for everyone, and they shouldn’t really be criticising them.”

If you need an example to show how regulations can help businesses in the long run, you only need to look at safety regulations in areas like construction. Changing the behaviours of those in the industry would have seemed like a hindrance when safety regulations first came in, but as the industry became accustomed to them, injuries and fatalities have continued to fall year-on-year.

Another more practical example would be the inclusion of seatbelts in cars. At one point, they weren’t the norm and were treated by some as a hindrance rather than a help. Once people see why something is introduced and what it prevents, a shift occurs and they become more likely to adopt it. The same will hopefully apply to cybersecurity, although how close we are to that change is open to interpretation.

“[When] the norm changes, the protections are appropriate and relevant [and they] will evolve and change,” said Conway. “The one thing in the cyber area is it’s a dramatic and moving place, and it’s not necessarily the good guys, it’s that the bad guys are dramatic and moving. The bad guys are good technically . . . and you won’t keep ahead of them, you have to try and keep up with them and that’s it – the world keeps changing.”

Change may seem difficult, but the initial effort you put in now will mean less effort in the future. If you have to choose between major change every so often and minor changes regularly, the latter will always be the better option. Less cost and less stress will allow your business to keep up with changes, and make such changes digestible.