More than four years after the European Union started its journey toward new privacy rules, the EU Parliament adopted the final text of the new EU General Data Protection Regulation (GDPR) last week. The EU will complete the long and controversial process that led to the new rules next month, publishing the Regulation in the Official Journal of the European Union, but no changes can be made at this point. This leaves businesses with a two-year period in which to get ready for its implementation. Some EU countries, like France, will implement the new rules before 2018.
As a security and risk professional, you must start working now to assess what the new rules mean for your organization and make the necessary changes to technology, processes, and people. As you approach the task, keep in mind that the GDPR introduces important changes, such as:
Yesterday, Proofpoint announced it will acquire social risk and compliance (SRC) vendor Nexgate for approximately $35 million.
The Acquisition Signals The SRC Market Is Maturing
This acquisition points to a budding and rapidly evolving SRC market. With the proliferation of social media, organizations face a slew of emerging regulatory challenges, brand threats, and security vulnerabilities – just look at recent incidents with Cole Haan, Zarbee’s, US Airways, British Gas, among countless others, even including our own US military. While once a niche market helping financial services firms meet FINRA obligations, SRC solutions now offer more than just compliance support, helping organizations better manage today’s wide gamut of social risks with social threat detection, account protection, and risk monitoring.
Proofpoint Has To Prove The Sum Is Greater Than Its Parts
It’s no longer just your marketing team that uses social media for business purposes. Employees across the entire organization use social media for personal and professional reasons, leveraging social to drive real business for your company. The opportunities to enhance your brand, deepen customer relationships, and glean new customer insights are all too valuable to ignore, but the risks are real too.
Moreover, the legal and regulatory landscape is evolving rapidly, complicating the ways in which you can manage social media and the myriad reputational, security, and privacy risks (among others) to which it exposes your organization. To take advantage of these opportunities while still protecting your company, you need new tools and technology.
The recent Computers, Privacy & Data Protection Conference (CPDP) showcased a series of innovative projects that are based on big data. Big data is one of the four imperatives that shape the age of the customer — one of Forrester’s main focus areas — and the changing regulatory framework of data protection in Europe has big implications for big data initiatives.
Central to data protection is the existing EU Data Protection Directive, which legislators have been trying to update for years to reflect the changing online realities. The proposed Data Protection Regulation focuses on a redefinition of the concept of “consent.” User consent now has to be freely given, specific, informed, and explicit.
This new definition forces businesses to be more transparent about how they gather, use, disclose, and manage customer data in the form of the principles of privacy notice and purpose limitation. Complying with these new privacy principles is a challenge in the age of the customer, as privacy regulation affects:
My esteemed colleagues Renee Murphy and Nick Hayes joined me in a fully collaborative, marathon evaluation of 19 of the most relevant GRC platform vendors; we diligently pored through vendor briefings, online demos, customer reference surveys and interviews, and our own demo environment of each vendor’s product, and, as per Forrester policy, went through multiple rounds of fact checking and review. The sheer amount of data we collected is incredible.
While the consumerization of IT marches on, in its footsteps lurks the specter of unknown risk. We live in a world of zero-sum games of litigation where suffocating regulations are the norm, and failure to comply can draw millions in fines and lawsuits. Technology diversity multiplies the challenge of maintaining compliance — it’s no wonder so many IT shops take a one-size-fits-all approach to workforce computing and forbid bring-your-own-device (BYOD). But it doesn’t have to be this way. It’s possible to craft an approach that brilliantly achieves the conflicting goals of embracing BYOD and consumerization while slashing the risks and costs at the same time. Our recent research on the topic, drawn from working with lawyers and auditors who specialize in technology law and compliance, reveals that it can indeed be done.
You Still Have to Act But the Cure is Often Worse Than the Disease
The technology attorneys we interviewed for this research agree — once you learn that BYOD is happening in your organization, you have a legal obligation to do something about it, whether you have established industry guidance to draw on or not. The answer is seemingly simple: Take action to stamp out the risk. However, the answer isn't that straightforward because:
The more restrictions you put in place, the more incentive people will have to work around them and the more sophisticated and clandestine their efforts will be.
There is no data leak prevention tool for the human brain, so arguably the most valuable and sensitive information walks around on two legs and leaves the building every night. Accepting this is important for keeping a healthy perspective about information risk on employee-owned devices.
It should come as no surprise that regulators and organizations alike struggle to set and enforce guidelines for social media activity. It’s not just that the rise of social media is rapidly transforming the way we interact with people, customers, and brands; it’s also the sheer number of ways in which this transformation is happening.
The core issue is that social media alters the way we as individuals share who we are, merging our roles as people, professionals, and consumers. As we share more of ourselves on a growing number of social networks, questions quickly surface:
How frequently and on what social networks should we post?
When should we present ourselves in our professional role versus sharing our personal opinions?
Is it okay to be social media friends with co-workers, clients, or your boss?
These are complicated matters for individuals, and absolute conundrums for organizations concerned with how employees behave and interact with others in, and outside of, the workplace. Their questions are even more complicated:
Can organizations dictate how their employees use social media?
Can they monitor social media conversations or use it to learn more about prospective job applicants?
When does the personal connection allowed by social media tools cross the line from business to personal?
SaaS vendors must collect customer insights for innovation and compliance.
As of the end of last year, about 30% of companies from our Forrsights Software Survey, Q4 2011, were using some software-as-a-service (SaaS) solution; that number will grow to 45% by the end of 2012 and 60% by the end of 2013. The public cloud market for SaaS is the biggest and fastest-growing of all of the cloud markets ($33 billion in 2012, growing to $78 billion by the end of 2015).
However, most of this growth is based on the cannibalization of the on-premises software market; software companies need to build their cloud strategy or risk getting stuck in the much slower-growing traditional application market and falling behind the competition. This is no easy task. Implementing a cloud strategy involves a lot of changes for a software company in terms of products, processes, and people.
A successful SaaS strategy requires an open architecture (note: multitenancy is not a prerequisite for a SaaS solution from a definition point of view but is highly recommended for vendors for better scale) and a flexible business model that includes the appropriate sales incentive structure that will bring the momentum to the street. For the purposes of this post, I’d like to highlight the challenge that software vendors need to solve for sustainable growth in the SaaS market: maintaining and increasing customer insights.
The rise and rise of cloud has been dominating the headlines for the past few years, and for CIOs it has become a serious priority only recently. People like cloud computing. Well, at least they like the concept of cloud computing. It is fast to implement, affordable, and scales to business requirements easily. On closer inspection, cloud poses many challenges for organizations. For CIOs, there are the considerable challenges of restructuring the IT department and IT services to cope with the new demands that cloud computing will place on the business. Often these demands come from the business itself: as business leaders realize that cloud computing lowers costs and hastens time to value, they start to see that they can get many more business cases for new capabilities, products, and services over the line.