Look ahead, for a moment, to May next year. Around 425 days' time. Business is booming with customer interactions transformed by funky cloud applications.
But imagine someone in authority being dissatisfied by the unstructured data you hold on your customers – Twitter exchanges with disgruntled consumers or amusing pictures from happy ones. The authority is also unimpressed that your company has no system for confirming to consumers all the personal details you hold on them – or even how you delete them. The authority's head of compliance says they could fine you 4% of annual turnover for these missteps.
A misunderstanding? Security overkill by Whitehall? No, it's the EU's General Data Protection Regulation (GDPR) that puts the citizen's right to data privacy at the heart of our digital economy across Europe. And it's coming to all organisations of 250 or more people from May 2018.
This regulation goes beyond previous notions of privacy. GDPR builds in principles of 'accountability', and a citizen's 'right to be forgotten', into EU law – changing all aspects of business and social interactions for any organisation with a digital and cloud footprint.
For many mid-size companies or public organisations, there's no escaping the GDPR's remit, because it applies to those supplying goods and services to the EU from inside or outside. It becomes law in each EU state without legislation and will take effect a year before Britain can make its earliest Brexit: 'UK plc' will need different GDPR compliance regimes before and after leaving Europe.
The directive will massively affect commerce, especially areas like e-commerce or manufacturing supply chains that regularly draw on and re-use multiple data sets. That's because when two partners agree contracts next May, they will need to determine whether a contract involves a citizen's or data subject's consent to the handling of their personal data – even if that data isn't needed for the contract's performance.
But aren't these doom-laden scenarios the latest over-reaction to the sort of Brussels' bureaucracy that saw Britain decide to withdraw? No – for three main reasons.
First, the GDPR will affect organisations' day-to-day operations, since organisations operating in the EU will become liable for managing all the unstructured personal data held on their networks and in the cloud – a big challenge.
Second, Britain will still need a close imitation of the GDPR to keep trading with European partners; Government ministers, the technology sector and legal commentators broadly agree on this.
Thirdly, GDPR's compliance and penalty clauses are harsh. Non-compliant organisations could be fined up to 4% of their turnover.
How can companies deal with such a far-reaching directive?
Unsurprisingly, boards will take a strategic approach, designing compliance frameworks, reviewing privacy standards and involving all employees. But policy-led approaches quickly run up against the defining phenomenon of the 21st-century Internet: explosive growth in the volume of data that must be processed. As companies embrace cloud-based processes, bring-your-own-device (BYOD) programmes and social networks, IT teams have little or no visibility of the extent of their data assets – or their final uses. Practical GDPR planning begins with finding out who does what to your organisation's data, and when it leaves your jurisdiction.
The GDPR compliance picture is evolving quickly but we can set out broad principles for boards, CIOs and security professionals to build a compliance framework that keeps core business systems flowing:
- Boards must be responsible for systems that will meet data subjects' future requests under GDPR, such as the right to be forgotten or access to copies of relevant data held about them
- Organisations must start to design data security into products or services by default
- UK companies must design data security and auditing processes that notify stakeholders of a data breach – and make suppliers document their own information security processes
- Companies over 250 employees, or whose operations are based on data handling, will need a Data Protection Officer to scrutinise their IT processes, data security and privacy systems
- Boards must operate Data Protection Assessments (DPAs) and train their IT and security personnel, as a starting point, on compliance.
No team of IT suppliers currently provides a complete GDPR compliance solution, but suppliers such as Cloud Access Security Brokers (CASBs) are making breakthroughs such as integrating corporate network and application monitoring systems (achieving data and application visibility) and implementing enterprise-wide sanctioning and control of IT applications. Encouragingly, these cloud services and hardware technologies will transform organisations' processing and network monitoring power – with those services becoming readily available to CIOs as flexible, managed services.
We're counting down those 425 days, but smart organisations are already beefing up network monitoring and data processing. Companies that questioned the wisdom of adopting cloud on an enterprise-wide scale or putting sensitive data in the cloud may find that the GDPR's sheer scope will force them to accept sophisticated cloud services unequivocally in the future.
Teneo is a specialist integrator of next-generation technologies.
Marc Sollars is CTO of Teneo, a specialist integrator of next generation technology, offering global organisations the strongest mix of optimisation solutions for networks, security, storage and applications. Teneo designs its solutions by understanding through consultancy and delivering through managed services.
Marc is Chief Evangelist and plays a key role in identifying technologies that are early to market and can be integrated into the company's services portfolio.