The EU’s forthcoming General Data Protection Regulation (GDPR) offers plenty of challenges to CIOs and CISOs – but opportunity too, says Micro Focus' David Kemp.
It’s fair to say there hasn’t been a mass rush to comply with the EU’s General Data Protection Regulation (GDPR). We can only hope that not all countries are like Italy where, according to recent research, 25 percent of CISOs and Data Protection Officers (DPOs) hadn’t even heard of the regulation and a further 25 percent had, but were not planning to do anything about it.
David Kemp, specialist business consultant for Micro Focus EMEA, spends his time dealing with companies trying to get to grips with the demands of GDPR, what it will mean to the way that they run their businesses and how technology can help.
He’s certainly seeing a wide divergence of attitudes and preparation – both by countries and by organisations – as well as seeing plenty of signs that some business leaders don’t know what’s about to hit them.
“Some countries have certainly prepared and have already implemented legislation meaning that companies bidding for government contracts have to comply with applicable law and be GDPR compliant,” he says.
However, he goes on to say, there are still gaps in companies’ plans. He highlights some of the uncertainty revolving around the nature of compliance and how many organisations are failing to grasp the size of the task at hand:
“There’s a difference between what organisations think GDPR means and what it actually is,” he says.
That’s because there is a misunderstanding about how the requirements of GDPR should be interpreted, and then how they should be put into practice.
“If you sit and read 80 pages of regulation it sounds like another piece of compliance but it’s much more complex than that: it impacts on business as well…it is not just about compliance,” he says. Part of the problem, he points out, is that, according to research reports, the majority of businesses think compliance and security are the same thing, whereas in practice a major component of GDPR is records and information life-cycle management.
He says that this misunderstanding manifests itself in many ways. First of all, there is the problem of identifying what personal data is – something that GDPR defines very clearly (Article 4(1): any information relating to an identified or identifiable natural person) but that organisations frequently underestimate.
“Finding the personal data, particularly if you’re multinational, is complex. I’ve been talking to companies in the mid-West, Brazilian banks, Hong Kong finance companies, all of whom have personal data on European residents.” And, he stresses, the resident part is important: GDPR applies to anyone in Europe, whether they are a European citizen or not, and so to any organisation anywhere that processes their data.
What this means most of all, however, is that companies should use GDPR as a massive opportunity. Do not think of it as an imposition, advises Kemp, but rather a chance to rationalise much of your infrastructure.
Embrace GDPR - by reducing your data lake
“Reducing the ‘data lake’ of information in numerous locations, formats and even languages will greatly assist in making the identification and management of personal data achievable. Within any organisation you’re going to be handling what’s called ROT (redundant, obsolete, trivial) data – and about 40 percent of corporate data is probably of that nature. What’s the point of keeping all that stuff?”
And, for the CIO, there are a couple of important issues. “First of all, he needs to reduce this data to meet GDPR objectives. And secondly, there’s the effect that this data has on the company infrastructure. It’s costing him in terms of storage, power and backup and recovery.”
This is where GDPR is truly beneficial to organisations. Kemp describes how a major British bank, going through what it calls ‘application retirement’, found that GDPR accelerated the process, creating a return on investment.
Records management is absolutely crucial, and it is something that has not always been expertly handled by large corporations. As Kemp says, GDPR is going to put business policies, processes and procedures for such management under the microscope.
“This is a crucial part of GDPR: it goes to the heart of any entity that has to be compliant with the regulation. Organisations have huge amounts of archived material, archives that could still exist only in paper form,” he says.
The task of achieving both the security and the records management standards that GDPR actually entails is so gargantuan that large organisations are unlikely to be fully compliant when the regulation takes effect on 25 May 2018, says Kemp.
“What you can do is to have main board engagement, set up a steering committee, formulate a programme based on a sound risk assessment with legal guidance and then take it to the regulator and say ‘this is what I’m planning to do’.”
The Micro Focus consultant outlines an example of the type of problem faced by organisations: “I asked a major insurer to find all David Kemp’s personal information within four weeks. They had no chance of finding all that information in a data lake created over 25 years. That information could be in any format – a tweet, audio, video, a blog, a call centre WAV file etc – and could be in any language. Under GDPR, you have to encrypt that information – [and] they’d have to find it first.”
It’s not so long until May 2018. Assuming your company’s not one of those waiting until the last minute, how should it be preparing for GDPR?
“The best advice is to get consensus at board level. And start now, the clock is already ticking. Technology is a must: some organisations are so huge that the only way to tackle the work is using technology to support the policy and procedure aspects of compliance.”
There’s also going to be a major recruitment drive as companies take on board the need to employ data protection officers (DPOs), something that has not affected many companies so far. “In most cases, DPOs don’t exist – they have to be trained up and given the role. They could come from many professional backgrounds [anywhere] but I suspect that many will be found from internal audit, as that’s a role that’s all about enforcing rules.”
Above all, however, it is everyone’s responsibility within an organisation. “GDPR effectiveness is not simply the task of compliance officers – data protection is every employee’s task.”
This means that action on GDPR should start immediately and it’s not just about making the right hires or adopting the most appropriate technology. “Overhaul your policy and procedures here – technology can then enable their enforcement.”
There’s a tight timescale until May 2018 and the largest companies will have their work cut out to achieve appropriate standards of GDPR effectiveness by then, but as Kemp says, even if a company hasn’t got everything prepared, it needs to be making headway. “At least it’s a demonstration to the regulator that you’re taking action,” he says.