Look ahead, for a moment, to May next year. Around 425 days’ time. Business is booming with customer interactions transformed by funky cloud applications.
But imagine someone in authority being dissatisfied by the unstructured data you hold on your customers – Twitter exchanges with disgruntled consumers or amusing pictures from happy ones. The authority is also unimpressed that your company has no system for confirming to consumers all the personal details you hold on them – or even how you delete them. The authority’s head of compliance says they could fine you 4% of annual turnover for these missteps.
A misunderstanding? Security overkill by Whitehall? No, it’s the EU’s General Data Protection Regulation (GDPR) that puts the citizen’s right to data privacy at the heart of our digital economy across Europe. And it’s coming to all organisations of 250 or more people from May 2018.
This regulation goes beyond previous notions of privacy. GDPR builds the principles of ‘accountability’ and a citizen’s ‘right to be forgotten’ into EU law – changing all aspects of business and social interactions for any organisation with a digital and cloud footprint.
For many mid-size companies or public organisations, there’s no escaping the GDPR’s remit, because it applies to those supplying goods and services to the EU from inside or outside. It becomes law in each EU state without legislation and will take effect a year before Britain can make its earliest Brexit: ‘UK plc’ will need different GDPR compliance regimes before and after leaving Europe.
The directive will massively affect commerce, especially areas like e-commerce or manufacturing supply chains that regularly draw on and re-use multiple data sets. That’s because when two partners agree contracts next May, they will need to determine whether the contract involves a citizen’s or data subject’s consent to the handling of their personal data – even if that consent isn’t needed for the contract’s performance.
But aren’t these doom-laden scenarios the latest over-reaction to the sort of Brussels’ bureaucracy that saw Britain decide to withdraw? No – for three main reasons.
First, the GDPR will affect organisations’ day-to-day operations since organisations operating in the EU will become liable for managing all the unstructured personal data held on their networks and in the cloud – a big challenge.
Second, Britain will still need a close imitation of the GDPR to keep trading with European partners; Government ministers, the technology sector and legal commentators broadly agree on this.
Third, GDPR’s compliance and penalty clauses are harsh. Non-compliant organisations could be fined up to 4% of their turnover.
How can companies deal with such a far-reaching directive?
Unsurprisingly, boards will take a strategic approach, designing compliance frameworks, reviewing privacy standards and involving all employees. But policy-led approaches quickly run up against the continuing phenomenon of the 21st-century Internet: explosive growth in the volume of data that must be processed. As companies embrace cloud-based processes, bring-your-own-device (BYOD) programmes and social networks, IT teams have little or no visibility of the extent of their data assets – or their final uses. Practical GDPR planning begins with finding out who does what to your organisation’s data, and when it leaves your jurisdiction.
The GDPR compliance picture is evolving quickly but we can set out broad principles for boards, CIOs and security professionals to build a compliance framework that keeps core business systems flowing:
- Boards must be responsible for systems that will meet data subjects’ future requests under GDPR, such as the right to be forgotten or access to copies of relevant data held about them.
- Organisations must start to design data security into products or services by default.
- UK companies must design data security and auditing processes that notify stakeholders of a data breach – and make suppliers document their own information security processes.
- Companies over 250 employees, or whose operations are based on data handling, will need a Data Protection Officer to scrutinise their IT processes, data security and privacy systems.
- Boards must operate Data Protection Assessments (DPAs) and, as a starting point, train their IT and security personnel on compliance.
No team of IT suppliers currently provides a complete GDPR compliance solution, but suppliers such as Cloud Access Security Brokers (CASBs) are making breakthroughs: integrating corporate network and application monitoring systems (achieving data and application visibility) and implementing enterprise-wide sanctioning and control of IT applications. Encouragingly, these cloud services and hardware technologies will transform organisations’ processing and network monitoring power – with those services becoming readily available to CIOs as flexible, managed services.
We’re counting down those 425 days but smart organisations are already beefing up network monitoring and data processing. Companies that questioned the wisdom of adopting cloud on an enterprise-wide scale or putting sensitive data in the cloud may find that the GDPR’s sheer scope will force them to accept sophisticated cloud services unequivocally in the future.
Teneo is a specialist integrator of next-generation technologies.