November 28, 2019
The GDPR Act has caused a lot of problems with interpretation and implementation. Now, there is only one thing left for companies to do: obtain their own hard-encrypted systems.
Karl Bohlin, CEO of HansaWorld, who has worked with digital security from different perspectives for over thirty years, says:
“Before going into how I think companies can address the current situation, I would like to state that, with regard to GDPR, the EU wants to protect companies from having their information stolen without their permission, as well as protecting EU citizens from having their data exploited for profit. Two necessary goals that definitely need to be met.”
The model that constitutes the GDPR Act has caused some problems, and Karl has identified four main areas in which these problems have arisen.
A mobile device stores all the information it uses, and some of that information may need to be handled in accordance with GDPR. This means that if, for example, an employee calls his mother, his mother's phone number is saved on the device. Karl explains:
“According to GDPR, the company must then have the mother's permission to store her number. This is an absurd situation; therefore, my recommendation is to establish very clear rules regarding the use of company mobiles and private devices: no private matters should be dealt with at all via the company mobiles, and vice versa.”
GDPR also regulates email systems: if email is stored by a third party (Gmail, for example), there must also be a GDPR agreement with the email provider that guarantees that all information is stored correctly.
“It is an impossible situation today because neither Google, Apple nor the other giants care about GDPR agreements with those who use their email systems. They store the information in their own way and will not hesitate to process it in AI systems and resell it. The only way to get around it is to get your own hard-encrypted email system, locally or in the cloud.”
There are a variety of apps that store information, such as parking apps. If you pay for parking with your company’s mobile, GDPR requires that the company then be responsible for how that information is stored.
“Many app companies such as these have no elaborate GDPR strategy, which makes it illegal to use them. Large companies can check that the apps they allow their employees to use have approved GDPR systems, but for smaller companies it becomes unsustainable. I think we will soon see a GDPR certification that, for example, an app company can acquire to prove that they are handling information legally”, says Karl.
Many business systems that were installed before GDPR use weakly encrypted cloud solutions, and when several customers share the same system, there is a great risk that competing companies may come across each other's private corporate information.
“The only way for a company to comply with the GDPR Act, and to also protect itself from theft of information and data, is by retrieving the database or changing the business system to one that is hard-encrypted”, Karl explains.
Karl notes that GDPR goes hand in hand with the development of digital security and that the act has significantly raised the bar for the level of security a company must have.
“As digitalization has presented opportunities to steal and disseminate information quickly, society has had to make a choice: either release all information freely so that everyone has access to everything, or make everything secret. The EU has chosen the latter through GDPR.”
Karl does not think that this choice will last long but believes that the GDPR Act will be reviewed in about 10 years. “I also think we had to choose this path first in the spirit of democracy”, Karl concludes.