Inside Track: Data protection—good for all
The General Data Protection Regulation (GDPR) has been described as the most important change in data privacy regulation in 20 years. Approved by the EU in 2016, it comes into enforceable law in May 2018.
To date, most of the media coverage around the GDPR has focused on the fines that breaching the regulation could result in, and it’s not hard to see why. Being found flouting the GDPR could ultimately cost a company as much as €20 million or ‘four per cent of the annual worldwide turnover of the preceding financial year, whichever is greater’.
The goal of the regulation is to force companies to become more accountable for what they do with data and to protect the rights of individuals. But according to Catherine Doyle, enterprise sales director for Dell EMC Ireland, the key to being compliant is approaching the GDPR as a business issue rather than a tech issue.
“GDPR is a process and procedure change within the compliance aspect of the business. It can be complied with using IT, but effectively it is a process and requires a cultural shift in terms of how companies think about data and about being compliant,” she said.
“It concerns any personal identification information that is collected, and one of the big challenges is that it introduces this new concept of making people accountable for telling consumers that they are collecting their data.”
According to Doyle, this covers aspects of data collection that many companies will be unaware of, such as closed circuit TV.
“CCTV monitoring comes under personal information identification. Think about that for a second—there are cameras all over our world and now they’re going to be covered by the GDPR. When I talk to companies and mention CCTV, they’re generally shocked,” she said.
Right to be forgotten
Another big issue will be complying with the consumer’s right to be forgotten, and to have their data deleted if they request it. The problem here is that the vast majority of companies’ systems are geared up to collect and store data—not to remove it.
“If you want to be forgotten or erased from a company’s record, if they’ve created a database with a trending analysis and you’re part of that, is that included? There are a lot of complications around actually enforcing the whole regulation when it comes to understanding where all the data is,” said Doyle.
According to Nigel Tozer, solutions marketing director for EMEA at Commvault, the degree of readiness among Irish companies for the GDPR varies wildly.
“It’s a pretty mixed bag if I’m honest. Some companies are taking it very seriously and they’re looking at their processes and analysing what measures they need to take. I would say that’s probably around a quarter of the businesses I’ve dealt with in recent months,” he said.
“There’s a big chunk of companies in the middle who know it’s coming and know the ramifications, but are a little bit unsure of what to do. Then there’s another chunk at the other end of the spectrum that are adopting a wait and see attitude.”
While Tozer professes to be surprised by this, he thinks some companies are waiting to see what happens when the first test cases are taken.
Tested in law
“As with all legislation, what you find is that it needs to be tested in law. Some people are a little unsure of just how aggressive the regulator is going to be. Even when the first cases are brought, there’s probably going to be some pushback and appeals that will go into court,” he said.
But Tozer is not convinced of the wisdom of companies waiting to see what enforceable regulations will come out of the courts.
“Personally, I think there’s going to be some fallout, and possibly some big names are going to lose out from a reputation perspective, as well as having to pay big fines,” he said. “Just look at what happened to TalkTalk in the UK when it was hacked—it lost 100,000 customers in the first week afterwards.”
Commvault is making it clear from the outset that while it sells tools and services that can help companies become compliant, actual compliance is a matter of the company’s own policies and processes.
“They have to look at how they collect and use personal data, and what they do with it. They need to really make sure that they understand the way data flows through their organisation,” he said.