If you’re a CIO, you’ll be hard pushed not to already feel the pressure of the General Data Protection Regulation (GDPR) encroaching on your plans for the year ahead. I have read countless articles debating and deliberating its potential consequences as organisations start to prepare for its arrival in May, 2018. However, despite a plethora of column inches devoted to GDPR, there is still quite a bit of uncertainty about how to plan for it.
The most prominent GDPR soundbite relates to the financial implications of not being fully compliant by 25th May 2018. For the uninitiated among us, organisations that fail to properly protect customer data can be fined up to a maximum of ˆ20m or 4% of their total worldwide annual turnover, whichever is higher. Given the consequences it’s easy to see why the Chief Information Officer community is concerned and, moreover, why professional services giant KPMG is warning CEOs not to stall on preparing their businesses for the arrival of GDPR. All of this is despite uncertainties around how its contents will apply to UK organisations in the wake of the June 2016 Brexit vote. One of the definitive attributes of organisations that will actually thrive under a GDPR environment will be whether a company has a culture of information security instilled within the business coupled with management backing to ensure compliance – and that they work with a cloud services provider who also has that same culture instilled.
So, to try and provide some clarity amongst the GDPR confusion, I would like to briefly discuss three of the key aspects which I believe demand attention in the months ahead.
Data Sovereignty in the Cloud
Where data is stored is a key factor. If you are storing data with a cloud provider there are a number of things to consider. Firstly, from the moment your data goes into the cloud you typically allow the provider to take responsibility for how the data is stored, protected and accessed. The risk is that you now have to trust the provider and their infrastructure, staff, policies and procedures. Often there is little or no visibility of where the data is, who could potentially have access to it, and how secure it is. There are now new risks that need to be managed, due diligence to be put in place, and GDPR requirements on data processing to be met. Additionally, you should be asking the cloud provider how your data is managed and be able to audit that function to ensure proof of compliance.
Governance
The most time spent on GDPR will likely be the ongoing management of growing volumes of personal data. Once GDPR is in force, data audit trails will become obligatory, encompassing all personal data from when the data was first retrieved, the permission that was gained for businesses to hold the data, when it was entered into the system, when it was accessed and by whom, and with whom that data is shared. If a person then unsubscribes, the audit trail will need to show that request being made, received, implemented within the document management system, and adhered to.
The GDPR Brexit Myth
Any debate over whether or not GDPR will affect the UK is inconsequential. Although Prime Minister Theresa May announced that she will commence the Brexit process by the end of Q1 2017, the UK is unlikely to leave the EU before the middle of 2019, which is after GDPR comes fully into force. It is therefore abundantly clear that GDPR will be part of UK law until such point that the government decides to repeal some of the EU laws which apply in the UK, and that will take yet more time.
‘Brexit means Brexit’, but it is unthinkable that when it happens, bilateral trade and the cross-border marketing of goods and services with the EU will cease at that precise moment. Whilst the decision to leave the EU has long-term implications for the legislative framework in the UK, this will not affect the need for organisations to adopt the General Data Protection Regulation (GDPR).
Conclusion
The General Data Protection Regulation (GDPR) has to be on the agenda for 2017. Its impact goes well beyond the IT team; it has wide-reaching implications at board level and any organisation that does not begin serious preparations in 2017 will struggle to meet the May 2018 deadline and put itself at serious business risk.
The fact remains that the UK is going to continue to do business with Europe and vice versa. In order for British businesses to share information and provide services for EU consumers the law has to be equivalent. Therefore even if the EU’s GDPR code no longer applies directly to UK institutions, the state of affairs will be maintained by making the relevant articles of UK law a virtual mirror of EU law.
In order to be ready for the GDPR deadline organisations need to begin preparing now. The first step must be to examine data privacy compliance and to understand not only how data is collected, stored, used and deleted, but what data is actually needed to manage the business and employment relationships. Taken one step at a time GDPR is perfectly manageable. The key is not to get distracted and not to delay what will in the end be inevitable.
