General Data Protection Regulation part I
9 March 2017
“What we are seeing is that senior business leaders do not yet realise what a big deal it all is. Perhaps it seems like an IT issue, but it is not. At its starting point, it is about any individual’s personal information. Then the solutions will be largely delivered by IT, but it is an IT solution to a business problem. The key is to realise what needs to be done, form a plan, prioritise it and make progress.”
Rigorous change management will be essential, Stollery says, because organisations are faced with considerably more than just another EU regulation: “The GDPR is obligatory and it has sharp teeth. Will an organisation have to be absolutely compliant by 25 May 2018? Personally, I doubt that many will be. But if it clearly has made and is continuing to make the necessary system changes and provisions, it is probably unlikely to be sanctioned in the early stages as GDPR is bedding in across Europe.
“Courts like the concept of ‘reasonable’, so if you are taking reasonable steps to comply they are likely to accept that. On the other hand, an actual data breach that occurs because of failure to implement an obvious aspect of the regulations is likely to be pounced on by the relevant data protection regulator.”
Is Brexit relevant? Not greatly, Stollery believes. “The UK will still be firmly in the EU when GDPR comes in next year, for a start. Then we can expect that even after Brexit is finalised the UK will continue to be aligned with the EU in its law generally as well as best data protection practices. The UK Parliament could change that but I don’t see it happening. In fact, I can see GDPR and its principles and framework becoming the global standard for the rights associated with personal information in our digital world. It will become a stable, reliable regulatory platform on which to build, if necessary, individual variations in any country. It will become, in a sense, the digital version of comprehensive and proven health and safety rules — just applied to personal information rather than warm bodies.”
Confusion and worry
Arkphire is finding a lot of worry and confusion in the Irish market about GDPR, says CIO Howard Roberts. “They do not understand what the obligations are, to what extent they are new and exactly what they should do. They are also aware that this is a regulation and will be enforced, so that adds to the anxiety. There is really no simple checklist in simple terms for business out there, so managements are not sure where to begin.”
“Our traditional through line in IT services is data management, which of course is the element of IT most closely relevant to GDPR in many respects. Robust data protection policies and systems, back-up and disaster recovery are all things that underpin compliance with GDPR. In a real sense, personal information could be anywhere in the data storage systems — live database or archive, for example, on premise or on cloud.
“The problem for most organisations is getting some form of structure to apply to data that is naturally unstructured. Formal databases like billing systems, CRM and so on, are, by and large, relatively easy. But elements of personal data could be in file shares, archive, back-up copies, etc. So in broad terms, the challenge is putting manners on unstructured data.”
There is also the question of where the data is stored, he points out. “Many if not most organisations today use hybrid solutions, so data may be in various forms of cloud as well as on physical spinning disks you own. The question then arises: can you search all of that comprehensively, for specific information, in a way that will ensure GDPR compliance? It is comparable to e-discovery, but potentially even more onerous.”
Two methods are being offered at the moment by vendors in the market. “Identification and deletion of the data is one approach while the other is based on identifying the data and then making it inaccessible, usually by encryption, on the basis that would fulfil the GDPR requirement,” says Roberts. “But it is still a moot point, so there is a lot of ambiguity about what exactly would fulfil the regulatory requirement. Despite a large volume so far of published legal and legalistic documents, there is nothing that translates the principles down to basic IT specifications and practical steps.”
“There are undoubtedly going to have to be test cases before we can really fine tune what is to be done in practical IT terms. That is a worry, because there are potentially huge costs in retrofitting rigorously compliant systems in the context of even larger potential penalties—2% to 4% of total annual turnover! But in many cases the policy is to begin building robust data protection policies and systems but wait for the early test cases to make the solutions definitive — or to ensure they already are in fact.”
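The two vendor approaches Roberts contrasts, identify-and-delete versus identify-and-make-inaccessible-by-encryption, can be shown side by side on a small model of the "copies everywhere" estate he describes (CRM, file share, backup). The following is an added example written for this article, not code from Arkphire or any vendor named here. It assumes that personal data is tagged with a data-subject identifier at write time and that each subject's records are encrypted under a per-subject key kept in a separate key store; the cipher is a stand-in built from HMAC-SHA256 in counter mode so that it runs on the Python standard library alone, where a real system would use an authenticated cipher such as AES-GCM. The sample records are constructed.

```python
"""Added example (not from the article): erasure by deletion versus erasure by
key destruction ("crypto-shredding") over one subject's copies in several systems.
Assumes subject-tagged records and a per-subject key held in a separate key store."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in PRF stream: block i = HMAC-SHA256(key, nonce || i). Unauthenticated;
    # a production system would use AES-GCM or similar.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class PersonalDataEstate:
    """Every copy of a record, wherever it lives, is stored as ciphertext under the
    data subject's key, so the key store is the single control point for erasure."""

    def __init__(self):
        self.key_store = {}  # subject_id -> 32-byte key (hypothetical key vault)
        self.records = {}    # (system, record_id) -> (subject_id, ciphertext)

    def write(self, system, record_id, subject_id, plaintext: bytes):
        key = self.key_store.setdefault(subject_id, secrets.token_bytes(32))
        self.records[(system, record_id)] = (subject_id, encrypt(key, plaintext))

    def locate(self, subject_id):
        """The 'identify' step common to both approaches: every location holding the subject's data."""
        return sorted(loc for loc, (sid, _) in self.records.items() if sid == subject_id)

    def read(self, system, record_id):
        """Plaintext, or None once the subject's key has been destroyed."""
        subject_id, blob = self.records[(system, record_id)]
        key = self.key_store.get(subject_id)
        return None if key is None else decrypt(key, blob)

    def erase_by_deletion(self, subject_id):
        """Approach 1: physically remove every located copy, then drop the key."""
        locations = self.locate(subject_id)
        for loc in locations:
            del self.records[loc]
        self.key_store.pop(subject_id, None)
        return len(locations)

    def erase_by_crypto_shred(self, subject_id):
        """Approach 2: leave the ciphertext in place (including copies you cannot
        rewrite, such as backups) and destroy the key, so every copy becomes unreadable at once."""
        return self.key_store.pop(subject_id, None) is not None


def demo():
    estate = PersonalDataEstate()
    # Constructed sample data: three subjects, each copied into three systems.
    for sid, details in (("alice", b"Alice Example, alice@example.test"),
                         ("bob", b"Bob Example, +353 1 000 0000"),
                         ("carol", b"Carol Example, 1 Sample Street")):
        for system in ("crm", "fileshare", "backup"):
            estate.write(system, f"{sid}-rec", sid, details)

    deleted = estate.erase_by_deletion("alice")
    shredded = estate.erase_by_crypto_shred("bob")
    return {
        "alice_deleted_copies": deleted,
        "alice_remaining": estate.locate("alice"),
        "bob_shredded": shredded,
        "bob_copies_still_present": len(estate.locate("bob")),
        "bob_readable": [estate.read(*loc) for loc in estate.locate("bob")],
        "carol_intact": estate.read("backup", "carol-rec"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point the model makes visible is the one Roberts raises: deletion only works if the identify step really found every copy, whereas key destruction covers copies the search missed or could not rewrite, at the price of keeping the key store itself under strict control and of the open question he notes, namely whether "inaccessible" ciphertext satisfies the regulator.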
“The sheer financial gravity of possible fines is certainly generating management concern about GDPR and what to do,” says Keith O’Leary of Sungard AS. “We now work closely with our clients and prospects to help them ensure that from the policy, procedure and technology perspectives they can comply with the requirements of GDPR. The clock is ticking and there is a wide-ranging exercise that must be gone through by all organisations, of any size, that handle personal data of EU citizens in any way.”