If you’re a CIO you’ll be hard pressed not to already feel the pressure of the General Data Protection Regulation (GDPR) encroaching on your plans for the year ahead. I have read countless articles debating and deliberating its potential consequences as organisations start to prepare for its arrival in May 2018. However, despite a plethora of column inches devoted to GDPR, I was surprised to read that, according to recent research undertaken by Symantec, 96% of companies surveyed still do not understand GDPR.
The most prominent GDPR soundbite relates to the financial implications of not being fully compliant by 25th May 2018. For the uninitiated among us, organisations that fail to properly protect customer data can be fined up to a maximum of €20m or 4% of their total worldwide annual turnover, whichever is higher. Given the consequences, it’s easy to see why a feeling of impending doom has descended upon the Chief Information Officer community and, moreover, why professional services giant KPMG is warning CEOs not to stall on preparing their businesses for the arrival of GDPR. This is despite uncertainties around how its contents will apply to UK organisations in the wake of the June 2016 Brexit vote.
There are also differing opinions on which organisations will actually thrive under a GDPR environment. In one corner you will hear that GDPR will almost certainly work in favour of the cloud computing giants because they have the resources to withstand the onerous bureaucratic burden GDPR will impose. Under that rationale, smaller providers will almost certainly struggle. There is, however, the counterargument that size will not be the determining factor in deciding which cloud providers thrive under GDPR. Instead, the definitive attribute will be whether a company has a culture of information security instilled within the business.
So, to try to provide some clarity amid the GDPR confusion, I would like to briefly discuss three of the key aspects which I believe urgently demand attention.
Data Sovereignty in the Cloud
Where data is stored is a key factor. If you are storing data with a cloud software provider there are a number of things to consider. Firstly, from the moment your data goes into the cloud you typically allow the provider to take responsibility for how the data is stored, protected and accessed. The risk is that you now have to trust the provider and their infrastructure, staff, policies and procedures. Often there is little or no visibility of where the data is, who could potentially have access to it, and how secure it is. This is not to say that cloud providers aren’t trustworthy; rather, there are now new risks that need to be managed, due diligence to be put in place, and GDPR requirements on data processing to be met.
Most of the time spent on GDPR will likely go into the ongoing management of growing volumes of personal data. Once GDPR is in force, data audit trails will become obligatory, encompassing all personal data from when the data was first retrieved, the permission that was gained for the business to hold the data, when it was entered into the system, when it was accessed and by whom, and with whom that data is shared. If a person then unsubscribes, the audit trail will need to show that request being made, received, implemented within the document management system, and adhered to.
The GDPR Brexit Myth
Any debate over whether or not GDPR will affect the UK is inconsequential. Although Prime Minister Theresa May announced that she will commence the Brexit process by the end of Q1 2017, the UK is unlikely to leave the EU before the middle of 2019, which is after GDPR comes fully into force. It is therefore abundantly clear that GDPR will be part of UK law until such time as the government decides to repeal some of the EU laws which apply in the UK, and that will take yet more time.
‘Brexit means Brexit’, but it is unthinkable that, when it happens, bilateral trade and the cross-border marketing of goods and services with the EU will cease at that precise moment. Whilst the decision to leave the EU has long-term implications for the legislative framework in the UK, this will not affect the need for organisations to adopt the General Data Protection Regulation (GDPR).
GDPR has to be on the agenda for 2017. Its impact goes well beyond the IT team; it has wide-reaching implications at board level, and any organisation that does not begin serious preparations in 2017 will struggle to meet the May 2018 deadline and will put itself at serious business risk.
The fact remains that the UK is going to continue to do business with Europe and vice versa. In order for British businesses to share information and provide services to EU consumers, the law has to be equivalent. Therefore, even if the EU’s GDPR no longer applies directly to UK institutions, the state of affairs will be maintained by making the relevant articles of UK law a virtual mirror of EU law.
In order to be ready for the GDPR deadline, organisations need to begin preparing now. The first step must be to examine data privacy compliance and to understand not only how data is collected, stored, used and deleted, but also what data is actually needed to manage the business and its employment relationships. Taken one step at a time, GDPR is perfectly manageable. The key is not to get distracted and not to delay what will in the end be inevitable.
By Frank Krieger, Director of Compliance, iland