Are you scared of GDPR? Or not sure exactly what this General Data Protection Regulation means for you, and what you need to change before 25 May 2018? Are you reluctant to invest time and money in preparing for this date because you don't think you'll have any issues with lost or stolen personal data? That's understandable, but it would be wiser to grasp the new regulations as an opportunity to change and improve your approach to protecting your data, IT systems and products.

Privacy & security by design

Professor Bjorn De Sutter recently spoke in favour of 'privacy and security by design' at the roundtable session we held during our 'Co-Thinking about the Future' event with Ghent University. Taking the security and protection of personal data into account from the very first design stages in the development of services, products and systems means they're embedded in the concept from the start.

'Be prepared for your products or systems to be attacked at some point,' said Prof. Bjorn De Sutter.

And yes, this preparation can be expensive, but it's still much cheaper and quicker than having to mop up afterwards. This was confirmed by IT managers from several companies who shared their thoughts with him and one of our security experts.

Could blockchain be good for you?

In certain sectors, such as notary services, blockchain is no alternative to a central register where your data is kept securely in insured storage. But blockchain can be very interesting for parties that don't really trust each other and for whom anonymity isn't a problem. Its main benefit is that tampering with it, for example deleting or changing data without the right authorisation, costs too much money, which greatly reduces the risk of privacy incidents.

Good and bad news

The legal liability that is unavoidable for suppliers of security software or other products or services that definitely need robust protection is a double-edged sword. But it's still something that your company or organisation needs to look at. By 25 May 2018, anyone who gathers data or sells products and services needs to be able to offer guarantees that this data or these products and services are well protected. Your customers and potential customers will demand this too. We're heading in the direction of the aviation industry, where a subcontractor for an aircraft manufacturer can only be a supplier if they have a certificate to prove they won't be a weak link in the aircraft's construction.

Doing it yourself doesn't mean doing it better

A final piece of advice from Prof. De Sutter is that it's best to get support from a professional security specialist. Be prepared for all kinds of different scenarios and different ways of dealing with possible disasters. Build on generally accepted principles and don't contrive your own constructions. You're not the only one who still needs to act before 25 May, but there are definitely others before you who have already taken the lead.

About measuring and seatbelts

Let there be no doubt: GDPR is a good lever for more security. We already needed this without GDPR, right? Security is becoming like wearing a seatbelt: if you don't do it, you'll be called out for it because it's no longer acceptable. There's already ample knowledge available about how you can protect yourself better. Furthermore, there are already tools for checking that you're adequately protected and seeing where your weaknesses are, so you can reinforce them before a hacker or careless employee forces you to face facts the hard way.

RealDolmen NV published this content on 21 December 2017 and is solely responsible for the information contained herein.
Distributed by Public, unedited and unaltered, on 21 December 2017 13:04:12 UTC.

Original document: http://www.realdolmen.com/en/blog/gdpr-not-a-picture-of-doom-but-an-opportunity

Public permalink: http://www.publicnow.com/view/39052BB91FA6142A444EA02D168FC391606E58F9