Cyber Security - Sponsored by Micro Focus

Executive Editor’s Interview (Extract) with David Kemp, Specialist Business Consultant with Micro Focus

By Chris Cubbage, Executive Editor

44 | Australian Security Magazine

General Data Protection Regulation: Insights into the fundamentals, ramifications & opportunities

The European Union’s General Data Protection Regulation comes into effect on 25th May. In March, David Kemp, Specialist Business Consultant with Micro Focus, was in Australia to examine the Australian market against three key propositions:

1. To what extent does GDPR impact Australian entities handling the personal data of EU residents?
2. Are the lessons learned over the last two years, relating to GDPR in the United Kingdom, lessons that can be carried across to the Australian market, and what is their relationship to the Australian Privacy Act 1988 and subsequent amendments?
3. GDPR is a catalyst for addressing bigger issues, both in relation to security and data lifecycle management – like yin and yang, they are inseparable in terms of ensuring data privacy. So, we want to see what else Micro Focus can do for the Australian market.

In explaining the business benefits of adopting the GDPR Compliance framework, David highlights, “There are several major benefits that we have found in Europe, which we are validating here in Asia.

1. First, the pure compliance piece, making sure you are being a good citizen as a corporate or government agency, and that you are avoiding the reputational damage if you get it wrong, along with any relevant fines. Here in Australia, the fine is $2.3 million compared to GDPR, which imposes a penalty of up to 4 per cent of your global revenue or 20 million euros, whichever is higher.
2. Secondly, we can look at client audit. If you had to encapsulate these issues in relation to privacy in one word, it would be ‘trust’. Can I trust a product provider or service provider, bank, insurer, or even a transportation company, with my information? Many retail consumers are asking, are you GDPR effective? In Australia, the same question is being asked: are you compliant with Australian privacy laws? If not, you don’t get their business. This is a day-to-day occurrence, compared to a fine or a regulatory hit, which might impact only a few entities.”

There are two fundamental aspects to the GDPR:

“1. The data type – people think this is just about dealing with emails or Word documents. However, it is any data: audio, visual, alphanumeric, and social media data. I was looking at an advert for the OCBC Bank in Singapore last week and they have a capability called voice banking. Both voice and facial recognition data types are also PII. So, Pandora’s box is already open; when I press the button in Europe and say I want to be forgotten in 28 days, you are going to have to find all of it. That’s just one axis.
2. The second axis is very important and it’s about location of data. Regulators seem to think that it’s about where your laptop is or where your Exchange server is hosted, but it’s not just that. It’s all endpoint devices. I was talking to the senior IT architect of a global bank and he said, ‘the mobile phone is our prime means of communication with our retail customers.’ I think most people know that anyway, especially millennials, so from that point of view, where is the data? It could be an endpoint device, a mobile phone, a laptop, stored in a PC, or even a records management system, in an archive, in a backup or stored as hard copy in Iron Mountain. When I press the button to be forgotten with my bank, they need to look in every one of those silos, which is incredibly difficult.

These are the two fundamental challenges that lie behind the ability to provide security and data lifecycle management.”

Regulation & Enforcement

Will the regulators in Europe have the manpower and scope to enforce these laws? In David’s view, “They have the power, but this is an important point: do they have the resources? I come from a banking background, with over 19 years’ experience, and I have found that regulators rarely have the capability to pursue and audit everyone. But they can carry out selective audits, and they are already warning organisations and government departments in Britain and Ireland that they will be audited by the 25th May. Regulators teach by example. The other issue is to what extent are regulators being