Data has always been the ultimate battleground and competitive bargaining chip for telecommunications operators. Already under pressure to reduce mobile data costs amid a rising #datamustfall chorus from consumers, they now face data headaches of a different kind.
The European Union’s General Data Protection Regulation (GDPR) and South Africa’s Protection of Personal Information Act (POPIA) will soon govern how telcos collect, use, store and delete personally identifiable information in the wake of rising cyber-attacks. And with the GDPR deadline upon us, organisations are finally waking up to the reality that compliance is no longer up for negotiation.
Telcos typically have millions of customers on their systems and keeping their personal information secure is already a challenge.
Email is especially prone to GDPR violations, given its role as a medium for communicating and for sharing and storing personal data, as well as its vulnerability to cybercriminal exploits. While having a compliant email system is only one aspect of a holistic compliance strategy, it’s a good place to start. Telcos need to start thinking beyond defence-only security to improve their overall cyber resilience.
Preparing to fail?
Compliance with GDPR is a mammoth task and there’s no one-size-fits-all approach. So, it’s not surprising that not all organisations are prepared.
A new study by Vanson Bourne and Mimecast found that only 29% of surveyed South African organisations are ‘completely confident’ that they will be compliant with GDPR, come the 25 May 2018 implementation deadline. Only 22% have implemented procedures to comply, 54% plan to, and 17% have no timeframe in place to implement compliance procedures.
GDPR in a nutshell
GDPR gives European residents control over how their personal information is used. The law is extraterritorial and applies to organisations that process the personally identifiable information of EU residents, regardless of whether the business operates from within or outside the EU. Any telco will most likely have collected the data of EU citizens who live in South Africa or have simply visited the country.
Consumers will have the right to stop telcos from using their personal information, to have it transferred to another service provider, or deleted. The onus will be on the telco to not only dispose of the information correctly and securely but also to keep records of how this was done, for audit and compliance purposes. They must be able to show that they have proper controls and processes in place governing how personal data is secured, used, stored, updated, accessed, transferred and removed.
In South Africa, three-quarters of respondents to our research were very-to-somewhat concerned about the implications of not being GDPR compliant, which include a fine of €20 million (R300 million) or 4% of annual revenue, whichever is higher. Not many businesses can recover from such a large financial blow.
No matter what stage telcos are at in their GDPR compliance journey, there are some key provisions they need to be aware of.
Privacy by design and default
In preparing for compliance, telcos may have to overhaul their processes and adopt new technology solutions to help them process, manage and secure personal data. Privacy should be automated within processes and systems, and all personally identifiable information should be encrypted and secured by default. If a customer requests that their data be deleted, telcos should be able to instantly access it and erase all information belonging to that person – and keep an audit trail.
By implementing a robust data lifecycle management framework with built-in functionalities for easy data protection, detection, modification, portability and deletion, telcos will have taken the biggest step towards compliance.
Right to be forgotten
Telcos need to specify how long they intend keeping an individual’s data. As soon as they no longer need it, the data should be deleted from every repository – active, archives and back-ups – as if the individual never existed.
But data often resides in many different repositories within an organisation.
Email systems, for example, hold a huge amount of personal data, including email addresses, phone numbers and other information needed for marketing purposes and to provide customer support. Telcos need to be able to efficiently search, find, extract and delete data in their email systems, as well as their back-up and archived repositories, when requested to do so by a customer.
Explicit opt-in consent
Ask first. That’s ultimately what GDPR comes down to. Telcos need to have clear consent from customers before they use their information. They also need to specify what they’re using the information for, and for how long.
One benefit of having a customer opt into communications is the assurance that they want to hear from the telco. This gives the telco access to an engaged audience – the perfect opportunity to improve the customer experience and build loyalty and trust.
Strict data breach rules
Telcos have 72 hours to inform the regulator and affected customers of a breach. This makes data security and effective breach detection and response processes crucial for compliance.
Mimecast research found that, of the organisations surveyed, 62% concede that somebody in their organisation has sent sensitive data to the wrong person, either by accident or as a result of malicious activity, in the past year. And 59% said it was ‘likely’, ‘extremely likely’ or ‘inevitable’ that their organisation will suffer negative business impact from an email-borne attack in 2018.
Defence is not enough
Unfortunately, with the increase in cybercrime, the possibility of confidential data landing up in the wrong hands is becoming more and more likely. If telcos want to avoid a major data breach, they need to have the right threat protection in place, as well as the adaptability to stay ahead of attacks, durability to continue with business as usual, and recoverability to ensure that data is always and easily accessible.
Compliance with GDPR is not a simple process. But the consequences of non-compliance – hefty fines, customer churn and reputational damage – far outweigh the cost and effort needed to get systems in order.
By Brian Pinnock, cyber resilience expert at Mimecast