An American in the land of GDPR
The EU-mandated General Data Protection Regulation (GDPR), which comes into force next May, arrives at an interesting time for the UK as it enters its Brexit phase and in the wake of the recent high-profile WannaCry cyber-attacks, writes Curtis Peterson, the senior vice president of cloud operations at RingCentral.
As the most ambitious piece of pan-European security and privacy regulation ever created, the current text contains several ambiguities and, in places, contradictions when compared with other national data protection laws. Yet many of the hurdles that EU companies face have a familiar ring to US managers and technologists who have had to deal with rules such as Privacy Shield, Safe Harbour, HIPAA and myriad other similar laws over the last two decades.
What has made GDPR such a wake-up call is the scope of the potential fines. Even by the standards of the litigious US legal landscape, with its sometimes egregious prosecutions, potential fines of 2% of global revenue are a seriously big stick. Although much has already been written about the tenets of GDPR, what is less well understood is the type of change to corporate culture that the new rules are likely to foster. In the US, the multitude of federal laws, statewide regulations and even rules for certain cities has led organisations above a certain size to employ, almost automatically, teams of compliance people who work across different business units.
Although notionally focused on data protection, the interconnected nature of technology means that GDPR cannot be treated as just an IT problem. As US healthcare organisations found when the Health Insurance Portability and Accountability Act was introduced in 1996 and later strengthened with additional rules regulating the use and disclosure of Protected Health Information (PHI), the knock-on effect can touch every aspect of the organisation. Simple things such as which questions must be included on forms, which telephone calls must be recorded, where that data is kept, who has access to which systems, and what information they can and must not see: all of these questions are relevant to both regulations.
GDPR, and probably the UK’s likely post-Brexit Data Protection Act replacement, are non-prescriptive about how organisations enact controls. Instead they focus on the end results: proving due diligence and, ultimately, providing redress when individuals want to ascertain the state of the personal data an organisation holds about them. This broad nod towards culpability is a position that US organisations have architected entire legal departments around. It is likely that after 2018, as the first legal prosecutions test the teeth of GDPR, organisations will need to strengthen aspects such as auditing and testing to ensure they have a defensible position.
What can organisations do today to get ready for GDPR? There are many paths, but what is clear is that there is no magic software solution or fancy hardware device that can solve a conundrum mixing technology, policy, process and corporate governance. First, organisations need to start bringing together teams of expertise, both internal stakeholders and potentially external experts, to enact new policies governing how data is captured, stored and used. Technology must then be ready for change, and this foundational policy step should form the basis of any technology realignment.
Organisations should start by auditing which systems within their estates are likely to be affected by GDPR. From there, it is worth asking key technology suppliers across areas such as communications, storage, security and the critical line-of-business applications whether they have a position and guidance on how their particular element can fit into a plan to achieve and retain GDPR compliance. Older, inflexible systems are likely to be the most troublesome, while platforms that have embraced the cloud and open APIs will probably be easier to adapt. With the deadline for compliance less than nine months away, simply ignoring the issue is the perfect way to court disaster.
If the US regulatory journey around digital data has taught us anything, the important lesson is the ability to adapt. With the four-year cycle of presidential and state governor elections, plus rapid technological advancement, the regulatory framework has continually shifted. It is always best to assume that today’s law will move the goalposts again in a few years. As such, building in flexibility is an absolutely essential philosophy when travelling into the land of GDPR.