SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Huawei: Corporates must focus on data minimisation and business continuity
Thu, 21st Jan 2021

Huawei is urging corporates to focus on data minimisation and business continuity management to mitigate data security challenges.

The company hosted a webinar with an expert panel to discuss the lessons learnt on data protection in 2020 and the trends to watch out for in 2021. The speakers included Felix Wittern, Partner at multinational law firm Fieldfisher; Ramses Gallego, International Chief Technology Officer, Cyber Security at global software and IT company Micro Focus; and Joerg Thomas, who leads the Data Protection Office at Huawei.

The panel offered a comprehensive view of the legal, technical and business implications for corporates in the telecoms industry of ongoing changes to, and stricter enforcement of, data protection laws. Citing the dangers of increased litigation, the panel highlighted how co-operation, a focus on technology and transparency would help corporates prepare for challenges going forward.

The shifting sands of the data protection landscape in 2020 and what it means for 2021

According to Huawei, 2020 was a challenging year for data protection - COVID-19 digital contact tracing and general health surveillance added to an already complex landscape of human rights and privacy laws.

The Schrems II judgment and a looming Brexit put in play some key changes that will fully unravel in 2021. Added to this were the data sovereignty strategies of governments and stricter enforcement of the General Data Protection Regulation (GDPR), not to mention the impact of new technologies such as 5G and artificial intelligence (AI), it says.

"There's never a dull day in privacy! Take for example the Schrems II ruling that was announced in July last year - it poses one of the biggest challenges around international data transfers, outside the European Economic Area (EEA)," says Felix Wittern, partner, Fieldfisher.

"As regulators themselves make sense of the evolving situation, MNCs that do not tread carefully will be liable for hefty fines. In fact, while COVID-19 actually slowed down enforcements, going forward I predict a lot of litigation in this space," he says.

"Corporates will do well to co-operate with regulators as a common ground is reached rather than take a confrontational stance."

During the webinar, Wittern also touched on issues such as data localisation, i.e. if data doesn't leave the EU, the challenge of companies dealing with their subsidiaries in other countries still warranted attention. On the subject of Brexit, he mentioned that the final solution was still at least six months away as the bridging to adequacy requirements were put to the test.

Technology: increasing the challenges but providing the solutions too

Ramses Gallego, International Chief Technology Officer, Cybersecurity, Micro Focus, provided a good overview on the technology front. He explained how data protection is not just one-dimensional but encompasses three arenas: who (identity), what (data), and how and when access is granted (application).

"Living in a cloud-generation era, we are increasingly dealing with the emergence of shadow IT or shadow data where content is backed up on multiple clouds, without the knowledge of data compliance departments," Gallego says.

"Corporates need to understand the dangers in this - legal departments cannot effectively protect what they don't know exists! Only when corporates build an ecosystem that automates and orchestrates authentication, authorisation and appropriate access can we hope to create a systematic and systemic solution to the issue of data protection."

During the webinar, he emphatically stated that technology itself would help to create the circles of trust beyond which data should be neither visible nor active. He spoke about encryption and tokenisation as effective risk mitigation strategies that corporates could adopt and that could stand up in a court of law in the unfortunate event of a data breach.

Gallego concluded by saying that as we move from 2020 to 2021, organisations will need to transition from cyber security to cyber resiliency, where they build the capacity to anticipate threats, withstand and resist attacks, recover quickly and evolve to the next stage.

Practical advice for businesses

Summing up a to-do list for undertakings, Joerg Thomas, director, Data Protection Office, Huawei adds, "We may witness an increase in class action-style lawsuits in the personal data space in 2021-22 as aggravated parties view judicial remedy as a potentially faster way to get redress when their data rights are violated.

"Businesses need to be transparent about the transfer locations of personal data and the types of data being transferred, and take into account the legal requirements in the receiving jurisdiction," he says.

"A return to “basics” is essential - records of processing activities (RoPa), privacy notices and cookies should always be up-to-date and compliant with governing laws. From a long-term sustainable point of view, organisations will need to adopt data minimisation and privacy by design and default, and at all times ensure that business continuity management (BCM) plans are in place."