The EU’s General Data Protection Regulation (GDPR) that comes into effect in May 2018 is a subject that has moved to the top of many a list of priorities and is going to have a major effect on how we handle personal data.
Over the last year, I’ve spoken with businesses about their data security: how to avoid data loss, leaks and insider threats. However, over the first 3 months of this year (2017), this conversation, driven by GDPR, has shifted to compliance and privacy.
However, it’s evident that not everyone is aware of the forthcoming changes, or knows how to build privacy and security policies to deal with the complex problems they present.
Over the last few months I’ve been pretty absorbed in the world of GDPR and thought it’d be useful to share a few of the things I’ve learned that may help you with your own privacy and security strategy.
GDPR is a complicated bit of legislation. Its scope is vast and to some degree we will all be affected: whether as organisations having to sort out our compliance or as individuals whose data falls under the scope of the regulation, we will see lots of changes.
Remember it is a complex bit of legislation, which leads to…
Good news, GDPR is not an IT problem
It’s true, it’s a legal and compliance issue, not an IT one. Just because we are talking about data, an organisation cannot say, “it’s data, so can’t IT just sort it out?”
Absolutely not. IT will be a critical partner for helping to deliver compliance, but only in the same way the Board, HR, Finance or anyone who touches data is going to be a key partner in maintaining compliance.
Is your organisation’s view of GDPR that it is only an IT problem? If it is, then you need to look at how you educate them, quickly, that it isn’t!
Roughly what is it?
We’ve heard what it isn’t so what is it?
In its simplest form it is updated legislation, replacing the EU’s Data Protection Directive, but it goes beyond updating, growing in scope and in the potential penalties for non-compliance.
To quote the EU:
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.
The goal of GDPR is to ensure the personal data held about us can only be used for the purposes it was gathered for and is treated with due care, so that it is not abused by those who would wish to exploit it.
It’s privacy, not security
One of my go-to people when it comes to data privacy is NetApp’s Sheila Fitzpatrick. Sheila is a data privacy attorney with nearly 35 years’ privacy experience, and is NetApp’s data privacy officer and global privacy counsel.
Sheila makes the point that data security IS NOT data privacy.
Data privacy is much wider in scope than just security. Sheila likes to use the example of a data privacy wheel, where security is just one spoke on that wheel.
When designing data privacy solutions, we should understand the full lifecycle of the personal data we collect, assess, process and use, from the minute we collect it until we finally destroy it.
If your organisation is looking at GDPR and saying, “isn’t that just more of that IT security stuff?” then it’s time to educate again; it’s so much more than just security.
Will it affect me? Does it matter if I’m not in the EU?
Both valid and common questions; the answer, pretty much every time, is a resounding yes. It doesn’t matter if you are inside or outside of the EU.
Location is irrelevant: if you hold data on EU citizens, regardless of where you are based, then you will fall under the scope of GDPR.
What about putting data in the cloud?
Cloud presents an interesting issue, as does the placing of data with any third party: as the data controller, you are ultimately responsible for what happens to it. The general advice is to ensure two things. First, if you are passing your data to someone to process, ensure that you have a clear contract in place with them.
Second, if you are looking to a cloud provider, ensure they have appropriate data privacy policies and safeguards in place so that you are not exposed to risk.
What should I do?
What are some steps you should be taking?
Dealing with GDPR is going to be a constant challenge, so it’s important to get started. Here’s where I’d start:
- What are my current policies and are they appropriate?
- Understand your current data: where is it, how much do I have, who has access, what does it contain?
- Why do you have that data and why do you collect it?
- Educate your business, so that from top to bottom people understand the importance of data privacy and the impact that this new regulation will have.
- Deliver your GDPR compliance plan.
You’ll notice there is very little technology highlighted in those initial steps; maybe something to help you understand your current data sets, but apart from that, it’s policies, procedures and education.
Technology will have a place; in reality, you are going to find it hard to remain compliant without some technical tools and resources to help you do it.
What have I learned?
There is lots to learn!
It’s complex, and it’s not a technical problem with a “silver bullet” to fix it. It is a business, legal and compliance issue.
The most interesting thing I’ve discovered, though, is that even if GDPR wasn’t something we had to comply with, it contains such a level of good and sensible practice that we would want to adopt it anyway.
Because in the end, it’s all about our data, let’s keep it secure and private.
For more GDPR resources, try out some of the following:
You can also check out a friend of mine, Mark Carlton and an excellent GDPR post he recently published.
I also did a series of podcasts to support a recent event that we ran. They cover GDPR in broad terms as well as looking at some specifics on data management and how to work with your people; feel free to check them out: