On Monday 13 November the event “Midnight at the Crossroads: Regulating the Intersection of Cybersecurity and Privacy” took place at WeWork Paddington. Our chair, Silvi Wompa Sinclair (Willis Towers Watson), led our panel consisting of Ryan Johnson (Access Partnership), Judy Krieg (Shepherd and Wedderburn), Mark Lubbock (Ashurst) and Shadi Razak (CyNation), through a fascinating discussion on the challenging times that lie ahead for companies worldwide who need to grapple with the complexities that increasing data privacy demands and cybersecurity threats bring upon them.
The discussion was broken down into 4 stages: first, the panellists provided a macro perspective of cybersecurity and privacy today. Then, they discussed their place in the context of terrorism, warfare and diplomacy. The panel then moved on to a discussion on how companies should use this opportunity to create value and gain resilience by adopting an adequate approach and availing themselves of the right technology. Finally, panellists offered their view of what companies should be doing going forward to not only survive, but succeed in an increasingly complex regulatory environment.
Macro perspective of cybersecurity and privacy
Nowadays, all companies are data companies and their value is in their data. As such, the GDPR – the EU’s landmark data protection regulation – affects everything companies should be doing. “It’s a game changer”, one of our panellists noted, “the forced marriage between privacy and cybersecurity”. At this stage in the game, companies have no choice but to understand their responsibilities under GDPR and start taking the necessary measures to ensure the value of their data. It is clear that old solutions will not suffice; a new approach to data governance is needed. Businesses need to take this seriously and start acting now. The risks of not doing so are far too great.
GDPR and increasing calls for data privacy worldwide often come face to face with governments’ plans. World leaders across the globe have tried to clamp down on the strength of encryption used by corporations and individuals. This raises concerns about the violation of human rights this entails. Further, companies that don’t observe high security standards risk noncompliance with data protection and privacy regimes, such as the GDPR, that do not allow for “back doors”. The issue is not a simple one: people are increasingly protective of their personal data; however, at the same time, most are sympathetic to governments’ goal to fight terrorism. Clearly, we will continue to be faced with challenging and controversial cases where the determination of where to draw the line is far from clear.
This type of situation calls for actors from all fronts to come together and collaborate to find a solution. There is a clear need for harmonization between different countries’ approach to privacy and cybersecurity. It is also essential for businesses to get involved and ensure there is sharing of intelligence and collaborative insights. This new state of affairs is giving the world the opportunity to work together. And, to an extent, this is already happening. In the context of the GDPR, for example, we’re already seeing many countries that want to comply with these regulations and are looking for adequacy decisions that will ensure free data flow across borders between them and the EU.
Business resilience – how to use cybersecurity to create value
We’ve all heard it: data is the new oil. If companies want to continue looking at their data centres as revenue centres, they need to take the right steps, set cybersecurity and privacy benchmarks, and gain customers’ trust. This will be essential to secure investments and business opportunities. Investors now realize the impact of poor cybersecurity and privacy management and are looking at these issues when evaluating companies. Even board members are paying attention now as they realize the tremendous impact that a poor privacy and cybersecurity strategy could have on the value of the business.
It must be clear to companies that cybersecurity and privacy are two sides of the same coin and both fall within companies’ wider data governance. And, the solution does not lie in building walls to keep the bad guys out. Companies must re-think their approach to these issues and use technology to their benefit. Businesses that see this and that start taking the right steps now are far more likely to be successful in navigating increasingly complex waters.
Regulatory and compliance
All this will have clear practical implications in companies’ day-to-day interactions. For example, we will increasingly see discussions on cybersecurity and privacy in service level agreements: before signing contracts, parties will want to see evidence of companies’ cybersecurity posture and approach to GDPR (data privacy/protection more generally), from all along the supply chain.
Companies need to take action immediately. Having a risk-based approach to compliance with GDPR and other similar instruments may make things easier. However, it would be a mistake for companies to focus only on the risk of being fined. They should take this as an opportunity to put in place a well thought-through strategy that helps them gain a competitive advantage. The point is clear: your company’s data is valuable as long as you’re following the rules and can extract that value. If you haven’t done what you need to, no one will want to buy your company because your data will be ‘tainted’ (which means that sooner or later it will have to go through cleansing work). And there will be no ‘one size fits all’ solution either. To derive the most value from these data governance strategies, companies will need to look at their specific circumstances.
These issues are here to stay… and will only become bigger. The GDPR is turning the use of data by businesses on its head; and it’s raising a very high-water mark for the rest of the world. This is just the beginning of the privacy and cybersecurity journey: stay tuned.
Author: Erika Barros Sierra, Access Partnership