The future for data protection – Why GDPR will matter even when the UK leaves the EU

Ever since the UK held its vote on whether to leave the European Union in June 2016, there has been a huge amount of debate around what the impact will be on business operations and the IT that underpins them.

One of the main issues that will affect businesses of all sizes is around data protection with the EU's General Data Protection Regulation or GDPR. GDPR will cover how companies handle data on any customer that is based in the European Union and will come into force on the 25th of May 2018.

Since the vote, IT teams at UK companies have been concerned around whether they will have to implement GDPR-compliant data protection policies. The UK is due to leave the EU, but the process for this is not yet confirmed. The UK Government will have to invoke Article 50 of the Treaty of European Union, which provides a two year window for going through the proves of leaving the EU. The earliest that this will take place is reckoned to be in early 2017, so GDPR will be in force before this date.

Alongside this political aspect, there is the practical one as well. Even if GDPR itself is no longer required for companies hosting UK-only data, many companies will have customers within the EU. All EU customer data will have to be held in a manner that complies with GDPR. So companies will ultimately have two choices: comply with the rules and retain access to that customer base, or ignore GDPR and wave goodbye to the business opportunities there.

For smaller companies, the second option might perceived as a way to reduce costs, but there will be an equivalent set of regulations brought in for data protection in the future alongside the current rules in the Data Protection Act. Similarly, any company looking to grow can’t ignore Europe as a market, so compliance with the stipulations in GDPR will be required. However, GDPR compliance should not be seen solely as a cost. Instead, GDPR can support the development of a more wide-ranging business case for examining how data protection strategies are functioning today. For a company to be successful at aligning with GDPR requires more than understanding what current DR strategy is in place, as this refers to how companies react to a breach or exposure event.    

This is often based on “known data” where IT can track instances of data and ensure they are protected. This approach only works when firms have a complete overview of where all their data is. In order to keep up, IT must consider what it would take to build up and maintain that deeper understanding of what company data really is in practice, who has access to it and how it moves across the organisation.

For example, a company may have a database containing its customer data that is saved centrally and covered by the appropriate data protection requirements. However, this database can be copied and used for remote working by being stored on a laptop or as part of a cloud application. Any additional copies of data should be covered by the same security, encryption and data protection steps as the file saved centrally. However, would IT even know someone has created their own copy of that file?

At best, files containing sensitive data can be created and stored on mobile devices without the right levels of security due to ignorance. At worst, people can hive off that important data for their own ends and leave the company open to potential risk. It’s therefore important for IT to think about the wider processes that exist around information and data, as well as how this can be automated. IT can communicate policies and educate users as much as possible, but if any data is mishandled or exposed then the business would still have a significant problem. This wider information management challenge is just as important as protecting the data itself, so looking at GDPR can help improve the overall process for managing data within the business.

Preparing for GDPR

As IT moves towards mobile and cloud-based services, data will get spread more widely across the organisation. This shift from central IT to more ‘edge computing’ represents a big challenge when it comes to protecting data and meeting the requirements of GDPR. Preparing for this shift can help ensure that everyone’s data is protected across the business. Here are four steps to take in meeting GDPR:

  1. Audit your existing DR strategy and map this against the rules in the GDPR regulation. This process should show up any existing gaps that have to be filled in order to become compliant. This is the start for the project of being compliant around customer data, so it’s important to know what requirements will have to be met and where investment might be needed.
  2. Look at distributed data requirements, not just central storage. There are several ways to get more insight into how much data is stored away from the central systems. This could start initially with informal discussions for IT with groups of users around how they use and store data when they are outside the office; getting away from the department and touring the building can help open up conversations. Following this, IT can look at conducting more formal data discovery sessions if those are required. The aim here with these discussions is to increase the availability of data to users over time as well as making sure it gets adequately protected.
  3. Consolidate data storage where possible. One of the biggest challenges for compliance activities is to make sure that everything that should be included is in scope. Reducing the scope for data protection can therefore help make it possible to hit timescales for being compliant, as well as reducing the costs involved. Disaster recovery, backup and archiving services can all create multiple copies of files, each of which can contain customer data that are covered by GDPR. Reducing the overall number of copies of files can therefore help make compliance easier; however, this should not be at the expense of each use requirement. Migrating secondary storage over to public cloud platforms can assist in this deduplication of data while also ensuring that the data itself can be used for backup, recovery and archiving purposes.
  4. Take a more proactive approach to data compliance. Rather than looking to spot files that would be covered by GDPR after they are created, look at using more automated approaches to discovering and tracking use of data across the business. If IT can spot sensitive information as it is created, updated or altered across the organisation, then the appropriate steps can be put in place automatically. For example, a common type of sensitive data in the public sector would be a patient identifier. These identifiers would follow a standard format; if data matching this format is created within a file, whether this is on a corporate PC or as part of a cloud application, the file can be flagged at containing sensitive data and then the right backup and security rules put into action. For private companies, financial information would be the most common kind of data to protect, and similar rules can be created and enforced. 

This proactive approach to compliance should help companies improve their standing when it comes to ensuring that GDPR compliance requirements are met across the whole business, not just within central IT. This can also help IT stop negligence by users from inadvertently breaking compliance processes. 

The example of individual users running their own copies of customer databases is a common one, so tracking for specific data formats within user activity and then automatically applying the right data protection and security rules can help companies improve their compliance standing.

For companies in the UK, dealing with Brexit may be a simple task or a huge undertaking. However, making the data protection problem simpler can help reduce the potential pain around this, particularly where there are overlapping regulations or industry requirements in place. Managing multiple compliance regulations on new and existing data sets will require more use of automation that can subsequently enforce the right data protection. At the same time, this can also help IT adapt to changes in the regulatory environments over time. In general, companies should use GDPR as a spur to improve their approaches to data protection across all the data that their employees and business processes create, wherever they happen to be and whatever happens around Brexit. Getting more visibility into how data is created, copied and used within the business can ensure that there are no issues in the future.

The rules within GDPR provide a useful guide for protecting customer data and records across the whole organisation, particularly as more data is being held within cloud applications or on mobile devices rather than on central IT assets.

Rick Powles, Regional Vice President, EMEA, Druva

Image Credit: Yuri Samoilov / Flickr