Enterprises around the world are preparing to comply with GDPR, one of the strictest data privacy regulations in the world, when it comes into play on May 25th, 2018. Businesses throughout Europe should be aware that GDPR applies to companies worldwide, wherever they may be based, as long as they are handling data concerning European citizens. Those organisations collecting data or employing third parties to do so on their behalf will need to demonstrate their compliance with GDPR in regard to how they are exercising the requirements.
GDPR also requires public authorities and businesses who process personal data to appoint a data protection officer to monitor its use. The regulations will require compulsory PIAs (Privacy Impact Assessments) to take place where there may be a high risk of a data breach, and it is also a requirement to report data breaches to the local data protection authority within 72 hours of discovery.
All software and systems will need to deal with stringent audit requirements, meaning they are required to amend and permanently delete data if requested by the data subject.
Finally, data cannot be used for any purpose other than the one for which explicit (not implied) consent was obtained. Technology companies such as Commvault are helping businesses comply with GDPR regulations. For instance, Commvault have announced a new analytics portfolio of applications, capabilities, solutions and services for GDPR. This new portfolio includes applications and an application framework, new capabilities, solutions, and packaged service offerings created to help customers obtain improved data insights for compliance.
Commvault’s analytics portfolio will empower its customers to simplify management of growing data amounts, and activate this data to reduce risk and improve business outcomes. The first application in the portfolio is for information governance and data privacy, and was demonstrated at Commvault GO 2017. Fully integrated into the Commvault Data Platform, the new application offers customers the ability to identify, manage and reduce data privacy risks in compliance with the European Union’s General Data Protection Regulation (GDPR).
Commvault’s new data privacy application can address many GDPR compliance challenges, enabling enterprises to better understand what personal data they have, respond to customer requests and meet GDPR obligations regarding the collection, storage and handling of personal data.
“Transforming enterprise data into a strategic asset that can be used to cut costs, improve customer service, reduce risk exposure and otherwise increase stakeholder value is no longer a nice competitive advantage. It’s a requirement of success for today’s digital businesses,” said N. Robert Hammer, chairman, president and CEO of Commvault. “With the introduction of the new Commvault Data Analytics Portfolio and its first application, we are delivering on our vision to push Commvault further into the analytics space whilst providing customers with the mission critical data capabilities needed to solve their real-world business challenges.” The general release of Commvault’s information governance for data privacy is expected to be available by the end of December.
Intelligent CIO spoke to Dr Jacqui Taylor, founder of flyingbinary.com about the challenges European businesses might face in complying with GDPR.
How will countries in Europe manage to adopt the principles of GDPR?
Each of the European nation states has been preparing for GDPR legislation since the regulation was ratified by the European Parliament. This two-year window, which closes on 24th May, 2018, has been used across Europe by regulators to provide guidance on what to expect and how to prepare. From 25th May, 2018, GDPR will be mandated for the management of personal data of all European citizens. Based on my involvement in the preparations of both organisations and the Information Commissioner’s Office, the readiness varies across the European countries. From a UK perspective, Brexit will have no impact on this transition as the UK is preparing to adopt and even reinforce the protections for citizens provided by GDPR.
Do European businesses understand the link between complying with the GDPR regulations and leveraging for IoT?
I believe that the predominant focus on GDPR has been on the reach this regulation has across the data value chain and of course, the size of the fines. My company, FlyingBinary, are Internet of Things (IoT) specialists and have been deploying our IoT technology in the UK since 2012, and worldwide since April 2014. Based on the challenges we have responded to for organisations, we have seen an additional opportunity as a result of GDPR.
The IoT requires a new approach to data management, particularly in the security space where we work. The GDPR work for our clients has required us to provide fully managed private cloud services, the same base services required for IoT. A number of those clients have used these GDPR capabilities to start their IoT journey. IoT is an engineering challenge which means few companies supply secured accredited private cloud services in this domain. From a CIO viewpoint, we have been able to demonstrate between two and sixty times return on that investment. This has unlocked a new style of IT provision and a strategic opportunity for the CIO to reorganise an innovation-led agenda.
Are European countries likely to take advantage of RegTech solutions?
As we approach the implementation of GDPR, organisations are faced with a serious challenge. In order to comply with GDPR, an organisation will need to demonstrate compliance to a regulator and meet the stringent audit requirements. This means that businesses must be aware of where their data is stored and how to index it.
FlyingBinary’s answer to meet this challenge is a RegTech service which does not take a transaction-based approach but is focused on indexing all data wherever it might be, and providing state-of-the-art analytics to manage that data, including personal data. This self-service approach to GDPR creates a European citizen centric view of the indexed data that can securely manage not just personal data, but all data. Importantly, the RegTech service can be demonstrated to an auditor and used to meet the stringent audit requirements of GDPR.
RegTech solutions are not focused on the date the regulation is mandated, but rather the next 20 years as we move to leveraging IoT. Regarding take up of RegTech services, we are seeing traction across Europe which has accelerated as CIOs understand the opportunity in their hands.
What do you think the likelihood is of businesses complying with the GDPR requirements and regulations?
FlyingBinary have particularly focused on Europe over the last 18 months and we have launched a GDPR compliance service specifically to address the health and smart city sectors. At a landscape level, there is a real focus on compliance in each nation state. From our work, we see that GDPR readiness varies across individual sectors, so compliance is likely to be patchy.
One interesting change we are seeing as we approach the mandating of GDPR is the interest from outside of Europe. GDPR gives individual citizens more of a say over how their data is used and why. At the same time, it expands the definitions of “data” and “processing”, so if you store any data anywhere, you are almost certainly a data controller or processor and subject to the regulation.
Companies outside of Europe are now looking closely at the data value chain which may make them a data processor under the new regulation. We have organisations in Asia and America working to prepare for the changes GDPR brings to their use of European personal data.
One key area of GDPR compliance that I would like to signal is the need for companies to transform their use of social web data. Companies are using European citizens’ data exhaust from social platforms such as Twitter, Facebook, etc., often as part of customer engagement strategies. In the European Commission, we have not used this data in any projects since early 2017. FlyingBinary has informed consent services which we deploy for clients, to replace the use of social web data for a GDPR regulated market. This is an area that seems to have received little focus as part of the compliance preparations.