Enterprises around the world are preparing to comply with GDPR, one of the toughest data privacy regulations in the world, when it takes effect on May 25 2018.
Businesses in the Middle East need to be aware that GDPR applies to companies worldwide, no matter where they are based, if they handle data concerning European citizens.
The definition of personal data is broad and applies to anything that can be used to identify an individual, meaning that almost all personal data will be covered by GDPR.
Organisations collecting data, or employing third parties to do so on their behalf, will need to be able to demonstrate compliance regarding how the data will be used; if they use it for an unsuitable purpose, they will be required to stop.
GDPR also requires public authorities that process personal data to appoint a data protection officer to monitor how it is used, and many businesses will need to do so too.
The regulation will make PIAs (Privacy Impact Assessments) compulsory where there is a high risk of a data breach, and there is also a requirement to report data breaches to the local data protection authority within 72 hours of their discovery.
All software and systems will need to meet stringent audit requirements, which means they will need the ability to amend and permanently delete data when requested by the data subject.
Finally, data cannot be used for any purpose other than the one for which explicit (not implied) consent was obtained.
Some technology companies, such as Commvault, are helping businesses comply with GDPR regulations.
For instance, Commvault has announced a new analytics portfolio of applications, capabilities, solutions and services.
This new portfolio includes applications and an application framework, new capabilities, solutions, and packaged service offerings created to help customers obtain better data insights for compliance.
Commvault’s analytics portfolio will empower its customers to simplify management of growing amounts of data, and activate this data to reduce risk and improve business outcomes.
The first application in the portfolio is for information governance and data privacy, and was demonstrated at Commvault GO 2017.
Fully integrated into the Commvault Data Platform, the new application offers customers the ability to identify, manage and reduce data privacy risks in compliance with the European Union’s General Data Protection Regulation (GDPR).
Commvault’s new data privacy application can address many GDPR compliance challenges, enabling enterprises to better understand what personal data they have, respond to customer requests and meet GDPR obligations regarding the collection, storage and handling of personal data.
“Transforming enterprise data into a strategic asset that can be used to cut costs, improve customer service, reduce risk exposure and otherwise increase stakeholder value is no longer a nice competitive advantage. It’s a requirement of success for today’s digital businesses,” said N. Robert Hammer, chairman, president and CEO of Commvault.
“With the introduction of the new Commvault Data Analytics Portfolio and its first application, we are delivering on our vision to push Commvault further into the analytics space while providing customers with the mission critical data capabilities needed to solve their real-world business challenges.”
The general release of Commvault’s information governance for data privacy is expected to be available by the end of December.
At Commvault GO, Intelligent CIO spoke to Dr Jacqui Taylor, founder of flyingbinary.com, about the challenges Middle East businesses face in complying with GDPR.
Are Middle Eastern countries likely to think that they don’t need to comply with GDPR?
I think it’s probably right. We as Europeans have a view on what I call the Foundations of the Privacy By Design principles. I think that is a European-centric view. However, with this regulation there is an opportunity – so I would say if that’s true in the Middle East (an unwillingness to comply) they are missing a trick.
The reason being the service I’m here to talk about, the RegTech service, which is built from a compliance point of view, transforms organisations from a transactionable point of view, taking more of a regulatory viewpoint and using that as a foundation for change.
The clients that are taking those services are actually readying themselves for the Internet of Things (IoT) because the changes that we will experience as part of the compliance will actually be very similar to the changes that you will need to leverage IoT.
So the European Commission has given me leave to explain what the RegTech opportunity is in Europe. When you add this to an IoT offering this can be a two times multiplier in terms of investment. If you can show three times on the dollar for IoT you can access venture funding and from a territorial point of view that’s an inward investment opportunity that the Middle East is not looking at.
You can think about the threat of a fine of 4% of global turnover but actually what you are not understanding is that this is the next layer. This regulation can be used to move from DT (Digital Transformation) to IoT if you’re smart about it so they are passing up that opportunity to do that – so if the rest of the world are looking at this I would say the Middle East are a smart bunch and I wouldn’t think they would want to be the second or last to do it. Just to view GDPR’s threat landscape, which is what people are talking about, is missing the point. It’s an opportunity to leverage IoT.
Can you explain the link between complying with the GDPR regulations and leveraging for IoT?
A RegTech solution for GDPR, such as FlyingBinary’s industry leading cloud service incorporating Commvault technology, has already architected the foundation for the move from DT to IoT. This is because it has democratised the data beyond the IT department and has delivered a self service model for non data specialists to demonstrate compliance of a complex and onerous regulation as a cloud service provision. IoT services can only be provided using cloud technology in order to provide the scale required. To move from this DT approach to IoT does not need a new cloud service to be purchased, merely extended to include the additional data from IoT and additional security controls for the IoT data to be streamed into the RegTech service.
Can you explain what RegTech is?
RegTech is technology specifically built to demonstrate compliance to regulatory or legislative change. The technology design considers what will be required for auditors to be satisfied that compliance has been achieved.
How would you persuade companies in the Middle East to comply?
The first thing I would use is the threat landscape because it’s the one that resonates with boards, and particularly CFOs. The fines are 4% of global turnover or 100,000 Euros for an SME.
If you are processing any European data you are already liable. Under the old legislation if you were data controller what the data processing was doing was not your problem – it is under GDPR whether you like it or not.
If you are relying on European data you are already involved. To be unsighted on this I would say is a risk you can’t take.
Number two. In order to meet this regulation, to prove what is quite an onerous audit requirement, you actually have to take an IoT approach. IoT only works on cloud, you can’t do it any other way so you would take a cloud first approach, you would implement the requirements of the regulation – that’s the beginnings of your IoT leverage. The opportunities are the two times to 60 times multiplier – would you turn that down?
So I would say focus on the threat landscape – as a CIO your job probably depends on it – but I would focus on the fact it is an opportunity to create a technical landscape that is IoT driven and then the leverage from that is beyond.
How would people demonstrate compliance?
I don’t believe you can do this piece of work without technology, it’s a technical lever you are going to pull and one of the core components we have is a compliance engine to know whether you are compliant or not but then that has to be surfaced to an auditor by an analytic service so it’s a cloud stack that is purpose built in order to meet the 12 areas of compliance that needs technology.
The existing software in Europe is focused on a transaction – this is about personal data so a transaction does not cut it. How do you respond to an auditor who walks through the door saying ‘we believe you have a data breach and we want to see what you’re doing’? You’ve got to be able to put this together from a people point of view.
When you look at the audit requirement a European citizen can disagree with what you are doing with their data and want it changed. So now you have to know from cradle to grave everything that has happened to that data for that citizen and you have to know it for 365 days a year, seven days a week, 24 hours a day – that is a real problem.
It’s mandated from May 25 2018 but what I say to CXOs is ‘this is a 20 year proposition’, this is not a day this is forever. But if you take this RegTech approach to this regulation you’ve effectively created your base IoT service.
I think the misunderstanding that it’s not something we have to bother with is the thing I’d question first. Do you know that? Because if someone knocks on your door as a data processor, you might not be the originator of the data but you are using it.
My other question to Middle East companies would be: ‘Are you using any social web data?’ If you are you don’t necessarily know that’s European. What would you use instead of social web data? What are you going to use for insight and contextualising what you are doing as a web company?
Where does the jurisdiction come from for the EU to fine companies outside of Europe?
Because it is predicated on what we call the data value chain, it doesn’t matter at what point in that value chain that the breach is known – the information commissioners have the mechanisms to follow that through with a full audit.
My worry with Middle Eastern companies is they will be unsighted and the knock on the door comes completely out of the blue because before if you were the data controller you didn’t need to know what all the data processes were doing – downstream was not your concern, it is now.
So if that European data is in any way finding itself into Middle Eastern organisations they are going to be even more unsighted because it is going to be as part of a breach or a set of changes that ICO (Information Commissioner’s Office) wants when it finds itself at the door of a Middle Eastern country that didn’t even know that they were involved.
As a territory the Middle East might think ‘it’s one of those European things’ but the awareness of this is really important.
Is GDPR effectively the first data protection law?
I think from a European point of view we have taken the view that our laws and regulations just can’t keep up. The web is outstripping our national jurisdictions and legal frameworks. The Privacy by Design principles which these regulations were born from are more web centric rather than from a territorial point of view.
I see this as a new governance model for the web – the way in which privacy should exist on the web. This is about our web world legislation and regulation, not really being a tool that we can put in place quickly or flexibly. I think it’s the new governance model for privacy which is why I don’t think it’s just a European thing.
As I’ve travelled around the world I’ve had discussions where people have been saying ‘actually this is doing the right thing’ and saying ‘this is a governance model that we should consider because isn’t this going to be what our citizens expect’.