I recently had the privilege of attending a GDPR Microsoft Partner event held in Brussels. The venue was at Rue Montoyer, neighbouring the European Parliament.
Being in Brussels, at the heart of where Europe’s business issues are debated, decisions made, and regulations set, I couldn’t help but feel a sense of awe.
After all, this is the place where GDPR, like many other European regulations before it, was created, with far-reaching impacts that cross many jurisdictions. What makes GDPR special is that it is the first European privacy regulation that is truly global in outlook.
At the heart of this regulation is the protection of the data of EU citizens. The framework set in place by the European Council means that companies all over the world, regardless of whether they are located within the EU or outside it, will be subject to these standards when they process the personal data of customers who are EU citizens. The GDPR data protection regulation should come as no surprise, considering that the amount of data companies process about consumers globally is set to increase exponentially. This is a direct result of the growth of digital enterprises and of the cloud-based storage solutions offered by global IT vendors to retail businesses that manage and store their consumer data. Consequently, the EU General Data Protection Regulation has been eagerly anticipated by controllers internationally beyond Europe, with Asia and the US likely to follow suit in adopting equivalent standards.
With the explosion of social media and online channels for business, and with global companies including Facebook, Microsoft, Google and AWS managing ever larger volumes of personal data, tighter regulation to reflect the changing landscape was a natural evolution.
Microsoft’s VP of EU government affairs, John Franks, reminded us of the privacy obligations companies like Microsoft face toward their customers across US and EU jurisdictions. One significant example followed the Charlie Hebdo terrorist attack in Paris. In this instance, the French government asked for Microsoft’s help in releasing personal data retained in Microsoft’s European regional subsidiary office in Dublin, via formal U.S. Government channels in Washington. Following the request for access, the personal data had to be channelled from Washington to Microsoft HQ in Seattle to be approved for release, then fed back officially via Washington to Dublin, and finally shared in Paris. Microsoft is now trying to negotiate with the EU to foster closer links and cooperation for the automatic flow of sensitive citizen data between the US and EU jurisdictions, without it being such a formal and protracted process between authorities and corporations. The aim is to promote faster information sharing in the aftermath of such serious events.
The changes required by the EU data protection law, GDPR, are set to revolutionise the way companies have to deal with customer data. The implication is that operations are becoming increasingly customer-centric, with regulations defining how customer data must be processed, stored, and protected.
The Forrester analyst at the event, Enza Iannopollo, made it clear that the EU General Data Protection Regulation is an extremely complex subject. Whilst it will be a legal requirement from May 2018, few expect that date to be the end of the journey. In fact, treating it as an end point is a false economy, as it is expected to be just the starting point. GDPR data protection is not a one-off exercise; compliance will be ongoing, with a combination of process and IT changes. Furthermore, GDPR compliance will be continuously monitored after the implementation date.
A recent survey on GDPR readiness conducted by researchers found that only 30% of respondents considered themselves ready. In truth, even those that considered themselves ready have been overly optimistic, with some conceding that data discovery, data classification, and data mapping are still in progress. Another significant statistic from a Forrester survey is that information/IT security spend as a proportion of the overall IT budget has increased from 22% in 2014 to 28% in 2016 and, based on data collected at the end of 2017, is still expected to rise. The reputational damage from data breaches, which costs companies profits and customers, was emphasised. One case in point was TalkTalk, whose data breach cost the company £80m, with its shares dropping by 10.7% and a loss of 250,000 customers. The cyberattack resulted in profits falling by 50%.
The good news is that there are multiple products available for GDPR compliance with the starting point being the use of an assessment tool. These tools are invaluable in breaking the GDPR problem down for clients.
The suggested first conversation with clients is to understand what they are doing with their data before applying any GDPR tool.
Tools that can assist clients include scanners that search across different systems to identify personally identifiable information (PII) during the discovery phase. There are also tools to classify files with different levels of sensitivity, with the classification persisting with the document. Document labelling is made possible by metadata written into the document files.
Another great enabler is a questionnaire to help answer questions and evaluate the client’s position. For every question there will be a technology or process answer. It is important to convey that GDPR is not a product solution; it is about EU data protection applied to process, technology, and ultimately people.
The most interesting outcome of the event in Brussels for me was the consensus that it doesn’t matter who you speak to: what is important to most clients is that they need a partner to guide them through the EU GDPR and offer support on their GDPR journey. This places our company in a great position to help on GDPR, given we are already on our customers’ journey.