- How the GDPR Will Trigger a Shift in Enterprise Operations
More and more enterprises, across different industries, have been integrating data analytics into their business operations. A 2017 market study showed that 53 percent of companies surveyed were using big data analytics, a large leap from only 17 percent of companies in 2015. Digging into data undoubtedly provides valuable insight to enterprises, helping them build successful strategies for the future and tailor their products and services for their market. However, some types of data collected by these enterprises can be sensitive, such as personal data. In response, legislators in some countries have put regulations in place to ensure that enterprises can continue using such data while at the same time protecting the data and its owners.
The EU’s General Data Protection Regulation (GDPR) is one such regulation, and it sets new requirements that will affect the data policies of organizations across the globe. Importantly, even though it is an EU regulation, the GDPR has a long reach that stretches across geographical and industry lines, affecting any company that collects and processes EU citizens’ data. For example, organizations that sell manufactured goods to consumers in the EU are covered by the GDPR if they hold personal data about their customers, even if they have no facility in the EU. The regulation also touches multiple aspects of enterprise operations: the “monitoring” of a customer’s behavior falls under the GDPR, as does the routine collection of data through online portals.
We dive into three different industries to illustrate how wide the reach of the GDPR is, and what enterprises in different fields can do to improve their data protection policies.
Many in the manufacturing industry have embraced big data, using smart solutions and Industry 4.0 technologies to improve their operations as well as their bottom line. The use of data has increased with analytic tools which give manufacturers valuable and actionable insight.
Manufacturing enterprises also hold different types of data from the extensive network of people and organizations they deal with — subcontractors from around the world, global shipping services, third-party suppliers, and numerous employees. Of course, customer data is also collected, sometimes through the very products they purchase.
Because they hold so many types of information and apply a range of processing and analysis techniques, manufacturers who manage EU citizens’ data need to be more diligent about protecting that data. The many data breaches and attacks on unsecured industrial control systems show that data protection is a necessary investment for this sector. Unfortunately, manufacturing systems are particularly hard to secure.
In many new manufacturing facilities, the attack surface is broadening as more systems are brought online. There are a large number of exposed industrial cyber assets — devices and systems that can easily be found and reached on the public internet, with no security protecting the infrastructure. And in many of these factories, systems are developed specifically for each manufacturer, calibrated and tailored to its needs, which makes security solutions hard to integrate.
Manufacturers can function as both controllers and processors under the GDPR, which generally means that they both collect and analyze data. They must follow the rules and carry out the specific responsibilities the regulation assigns to entities that collect and process data — from appointing a data protection officer (DPO) to giving employees and customers more access to and control over their data.
Manufacturers also have to upgrade their security systems to make sure they can meet all the requirements laid out by the GDPR. Privacy features need to be integrated so that personal data, and the processing of that data, are secure. In particular, since manufacturers work with many suppliers, protecting the supply chain and working only with secure third parties are essential.
Aside from that, manufacturers should also adopt the policy of “privacy by design,” a key concept of the GDPR. This means that privacy should be built into the infrastructure — a big investment that might mean customized security applications for systems, but a necessary one. Privacy should also be embedded in each application, device, or product made — any hardware and software created should protect the user by default. Privacy features should not simply be added on after the fact; privacy must be part of the design process from the very beginning. Not only is this a necessity for compliance (it is part of the GDPR’s provisions, and the regulation will be enforced from May 25, 2018), but it will help manufacturers better manage and protect their own data and that of their customers.
To get an idea of effective layered security and privacy, manufacturers can look at defensive strategies for Industrial Control Systems (ICS). There are also network solutions that can be installed to help keep manufacturers compliant with the GDPR, as well as security solutions that can be installed on manufacturing ICS and SCADA devices to protect them from vulnerabilities that could be exploited to breach the organization.
Trend Micro provides a variety of solutions which can be used to protect ICS and SCADA devices, enabling the monitoring of traffic to and from these systems. These solutions are good options for devices running non-standard operating systems or those that cannot support an agent.
The transportation sector is relying more and more on data to create smooth and comfortable experiences for travelers. Airlines track passengers as they move between connecting flights, and “smart ticketing” allows transport organizations to see personal passenger details as well as location. Suppliers along this mobility supply chain are also privy to passenger information. Agencies can share data to create mobility-as-a-service networks, and third parties (such as retailers and advertisers) sometimes use passenger data to craft special sales or travel deals. This raises questions about access — who can see sensitive traveler information? Is the data properly secured?
Also, certain cities have moved to build intelligent transportation systems (ITS), the application of emerging and advanced technologies to improve the efficiency of urban transportation. Part of ITS is collecting data on the movement of vehicles and commuting passengers, then analyzing traffic flow and transit times. These systems make transport more efficient and organized, but they are also open to different types of cyberattacks. Last year, storage devices that record data from Washington D.C. police surveillance cameras were infected with ransomware, and some European railway systems were affected by the WannaCry outbreak.
A host of different threats can affect modern transportation enterprises, which necessitates better security. The data managed by these companies — including travel patterns, real-time location, passport details, visa information and travel plans — should be collected and protected properly. One big step in the right direction would be complying with the GDPR. Most travel organizations will have to comply with the GDPR, since they will inevitably handle EU citizens’ data, so the processing, sharing, and collection of this data should follow the requirements outlined in the regulation.
Since the transportation industry is still adopting new technologies, it is important that it adopt “privacy by design.” From the ground up, new applications and systems need to be built with privacy in mind. As connected cars gain traction in the automotive sector, applications and built-in systems that use drivers’ geolocation data should be designed to keep that data secure. There should be security features that allow drivers to opt out of any geolocation sharing beyond what driving itself requires, and the automotive companies that store and process the geolocation data should comply with GDPR standards on securing that information.
And since many transportation entities share data, they also have to make sure each organization they work with is aware of and compliant with privacy and data protection standards as well. Under the GDPR, an organization can still be held liable for a data breach from a supplier who processes data for it.
Of course, there are necessary state-of-the-art security solutions that have to be applied to the servers and networks that contain personal data.
Data collection and analysis is an integral component of digital marketing today. Marketers are increasingly able to profile their users through the data they collect, and then tailor or automate their marketing strategies to gain a bigger audience. This has become such a widespread practice that the GDPR has already specified rules limiting automated decision-making and profiling of individuals and outlined stricter guidelines for objecting to being profiled for direct marketing.
Marketers have come up with many different ways to gather personal information — online sign-up forms, scanning badges at trade shows to quickly capture details, asking for contact details in exchange for content, and others. Not only is this data collected and processed, but it is sometimes shared with third parties.
Given the number of high-profile data breaches that have occurred, from the Yahoo breach to the Uber and Equifax incidents, securing data becomes a brand issue as well as a security issue. It is a hit to an enterprise’s reputation if a breach occurs, and on the other hand, promoting a more secure data protection system will draw in customers who are looking for better privacy.
The GDPR outlines strict rules on how data should be collected and processed, so digital marketers might need to revise and rethink some of the strategies they implement. Specifically, these areas need to be considered:
Digital marketing companies have to shift to a more privacy-centric standpoint. Their operations have to comply with all GDPR requirements: adopting new policies for collection, setting up new deletion and retention policies, making sure third parties are secure (particularly third-party apps aiding automated marketing), building in-house apps with privacy in mind, and much more. Although it seems like a major overhaul and a definitive shift from what was done in the past, GDPR compliance is a necessary step to take. More than ever, customers are becoming aware of privacy rights and are looking for improvements in security.
Apart from developing more secure processes, marketers should also use effective security solutions that can be applied to the servers and endpoints that contain personal data.
Adding new security layers to an enterprise takes time and effort, especially for multinational companies that have to deal with extensive networks and large amounts of data. But it is a much-needed change — there are malicious actors taking and profiting from data caches, customers are more keen on data protection, and more regulations are coming up that require tighter protection for personal data. Approaches and attitudes towards cybersecurity have to evolve and keep up with the tools and practices that enterprises are so quick to adopt.
For an example of what enterprises can do to comply with the GDPR and build better data protection policies, you can find Trend Micro’s journey documented here.