Huawei hosted a webinar comprising an expert panel to discuss the lessons learnt on data protection in 2020 and the trends to watch out for in 2021. The speakers included Felix Wittern, Partner at a multinational law firm, Fieldfisher; Ramses Gallego, International Chief Technology Officer, Cyber Security at global software & IT company, Micro Focus and Joerg Thomas who leads the Data Protection Office at Huawei. The panel offered a comprehensive view, providing the legal, technical and business implications of growing changes and stricter enforcements in data protection laws on corporates in the telecoms industry. Citing the dangers of increased litigation, the panel highlighted how co-operation, focus on technology and transparency would help corporates prepare for future challenges.
The shifting sands of the data protection landscape in 2020 and what it means for 2021
2020 was a challenging year for data protection -COVID-19 digital contact tracing and general health surveillance added to an already complex human rights and privacy laws landscape. The SchremsII judgment and a looming Brexit put in play some key changes that will fully unravel in 2021. Added to this were governments' data sovereignty strategies, stricter enforcement of General Data Protection Regulation (GDPR) not to mention the impact of new technologies such as 5G and artificial intelligence (AI).
Elaborating on the challenges, Felix Wittern, Partner, Fieldfisher said, "There's never a dull day in privacy! Take for example, the Schrems II ruling that was announced in July last year -it poses one of the biggest challenges around international data transfers, outside the European Economic Area (EEA). As regulators themselves make sense of the evolving situation, MNCs that do not tread carefully will be liable for hefty fines. In fact, while COVID-19 actually slowed down enforcements, going forward, I predict a lot of litigation in this space. Corporates will do well to co-operate with regulators as a common ground is reached rather than take a confrontational stance."
He further touched upon issues such as data localisation -i.e if data doesn't leave the EU, the challenge of companies dealing with their subsidiaries in other countries still warranted attention. On the subject of Brexit, he mentioned how the final solution was still at least six months away as bridging to adequacy requirements were put under the test.
Technology: increasing the challenges but providing the solutions too
Ramses Gallego, International Chief Technology Officer, Cybersecurity, Micro Focus provided a good overview on the technology front. He explained how data protection is not just one dimensional but encompasses three arenas-who (identity), what (data) and how and when access is granted (application).
He said, "Living in a cloud-generation era, we are increasingly dealing with the emergence of shadow IT or shadow data where content is backed up on multiple clouds, without the knowledge of data compliance departments. Corporates need to understand the dangers in this -legal departments cannot effectively protect what they don't know exists! Only when corporates build an ecosystem that automates and orchestrates authentication, authorisation and appropriate access can we hope to create a systematic and systemic solution to the issue of data protection."
He emphatically stated that technology itself would help create trust circles beyond which data should not be visible or active. He spoke about encryption and tokenisation as effective risk mitigation strategies that corporates could adopt and that could stand up in a court of law in the unfortunate incident of a data breach.
He concluded by saying that we as we move from 2020 to 2021 organisations will need to transition from cybersecurity to cyber resiliency where they build the capacity to anticipate threats, withstand and resist attacks, recover quickly and evolve to the next stage.
Practical advice for businesses
Summing up a to-do list for undertakings, Joerg Thomas, Director, Data Protection Office, Huawei added, "We may witness an increase in class action-style lawsuits in the personal data space in 2021-22 as aggravated parties view judicial remedy as a potentially faster way to get redress when their data rights are violated.
Businesses need to be transparent about the transfer locations of personal data and the types of data being transferred, and take into account the legal requirements in the receiving jurisdiction. A return to "basics" is essential -records of processing activities (RoPa), privacy notices and cookies should always be up-to-date and compliant with governing laws. From a long-term sustainable point of view, organisations will need to adopt data minimisation and privacy by design and default, and at all times ensure that business continuity management (BCM) plans are in place."