Alban Schmutz, senior vice president for development and public affairs at OVH, takes a look at the forthcoming GDPR regulations and considers whether they go far enough.

When the EU’s General Data Protection Regulation (GDPR) comes into effect in May 2018, it will provide some much-needed consistency in setting out tougher regulations to govern the treatment of personal data across the continent. By way of reminder, the GDPR is a regulation by which European institutions are looking to strengthen and unify data protection for all individuals in the EU and update the rules on exporting data outside the Union’s boundaries. The regulation applies to both data controllers (collectors of personal data) and processors (organisations that process this data).

OVH and other industry players have long campaigned for such changes to regulations around data security and data privacy, but now the question is, do they go far enough?

It’s encouraging to see data privacy being placed at the top of the agenda at the most senior levels in businesses of all shapes and sizes. The challenge is now set for companies to prepare for the new regulations ahead of the deadline. Our view is that we also need to start looking beyond this initial implementation phase and consider where data privacy and security need to go next.

The software data protection challenge

One of the first agenda items, at a tactical level, will be data protection as it relates to software offerings and suppliers, and not just hardware. GDPR is a move in the right direction but does not go far enough in relation to the extra layers associated with where data is captured and stored.

European service providers are already in discussions with government agencies to address a wide range of software-related issues and identify potential solutions, and a big step forward is anticipated by the end of 2017.

As IT infrastructure and provisioning become increasingly complex, it’s not enough to simply secure the data centre or the desktop. Cyber-attackers employ ever more sophisticated methods to access sensitive data at several levels, and much more needs to be done to counter these. As industry and government work together to combat ever-evolving cybercrime, we need to be sure that software and services are not left out.

Towards a ‘digital single market’?

Right now, a company doing business in Europe may need to address 20 different markets, each with different rules and regulations around data privacy and security. Any business looking to scale geographically requires a unified IT strategy that meets all the national regulations of each individual market. Putting this in place is an incredibly complex and demanding task – especially for smaller, growth companies.

Unlike in countries with a large internal market, such as the USA and China, Europe’s businesses are held back from scaling quickly enough and stealing a march on their competitors. Building a European digital single market would overcome this fragmented structure and help create a level playing field. It would not only help businesses scale faster and become more competitive, it would also help create jobs and increase the number of businesses investing in R&D in Europe. In short, it would strengthen the business ecosystem across the continent.

Such a digital single market will require the collaboration of all countries in Europe: a single weak link in the chain would undermine the whole approach. Delivering the true benefits of free data flow within Europe requires higher levels of security and better infrastructure than outlined in GDPR, which only addresses personal data protection.

What’s needed is a definition of the infrastructure needed to underpin data security and privacy. A basic framework for this already exists if we combine GDPR, the Data Protection Code of Conduct for Cloud Service Providers, and the European Secure Cloud Label which was launched in December 2016. But there is still work to be done.

In summary, GDPR is certainly a step in the right direction in focusing minds on the importance of data protection and security, but will likely only scratch the surface of what’s needed to enable true ‘free trade’ in data and keep one step ahead of cybercriminals. The good news is that the wheels are already in motion among service providers and government agencies, who are working together to build on GDPR. Our industry needs to ensure these conversations keep moving as we strive for an all-encompassing solution for Europe – a single digital market is our ambition, and we will continue to work to make it a reality.