GDPR one year countdown - the industry reacts

With a year to go until the new GDPR regulation comes into force, ITProPortal finds out what some of the technology industry’s biggest names have to say.

Robert Coleman, CTO UK&I at CA Technologies

“One year from today the GDPR will come into force and any organisation, anywhere in the world, that processes EU citizens’ personal data must comply with it. Compliance will be no mean feat for anyone, no matter their size, requiring vast amounts of time and resource. The first step to getting ready in time is to create a cross-functional programme of work containing representatives from Legal, IT, HR, Business Units. This is not just an IT problem!

“The regulatory approach taken by the EU is all “stick” and no “carrot” and the penalty provisions for not fulfilling the detailed requirements are much more punitive than the currently active legislation. It remains to be seen how hard organisations that fall foul of GDPR regulations will be hit. But we can be sure that come May 2018, few excuses will be accepted for not having robust processes, technology and organisational structures for managing and securing personal or private data in place.” 

Ashley Winton, partner at law firm Paul Hastings and Chairman of the UK Data Protection Forum 

 “With a year to go before the GDPR is implemented, it is a good time for businesses to pause and check that they will get to the finish line in time. Many companies are undertaking a detailed GDPR gap analysis or sophisticated data mapping, and whilst they can be useful tasks in themselves, it is worth re-examining them to see if they can be simplified in order to bring forward key remediation tasks. 

“For many companies, GDPR compliance will be greatly assisted by alterations to existing databases and technologies, and so in the GDPR compliance triage, an immediate focus on technology could be a lifesaver. In the UK there will be no grace period for compliance with the GDPR so with 365 days to go and counting, now is the time for businesses to re-assess their approach to becoming compliant.”

 Guy Marson, Managing Director, Profusion

 “Two things that all companies need to be fully aware of in relation to the EU’s General Data Protection Regulation (GDPR) is its sheer scope and the punitive fines for breaching it. Nearly every company will be touched by GDPR as it impacts the management of data and the communication with customers and other businesses. It practically makes data management infrastructure a legal requirement and radically changes how companies market themselves – particularly via email.

“What is striking about GDPR is how few companies are aware of its implications or erroneously believe issues such as Brexit mean it will not apply. One year may seem like a long time to get your house in order, however, given that fines could be in the region of €20 million or 4 per cent of global turnover, together with how much work needs to be done to become compliant, time is running out. If you run any business that deals with EU citizens’ data you need to start getting a plan in place.

“There are a lot of companies now offering software solutions to help companies become GDPR compliant, however, I believe that most companies would actually benefit from tailored more holistic solutions. 

Regardless of GDPR, proper data management infrastructure and systems can create excellent cost and time efficiencies and, via analysis, uncover profound insights into how a business operates and the behaviour and needs of customers. Put simply, even if you are under the misapprehension that GDPR is not a big deal, your business should have up-to-date data management in place.” 

 Richard Lack, Managing Director - EMEA, Gigya

 “With just one year to go until the General Data Protection Regulation (GDPR) comes into force, the countdown to the death of third-party data has begun.

“GDPR, love it or hate it, is the EU’s attempt to put consumers back in control of their online data and compel businesses to keep that data safe from hackers. No more obscure service agreements that we all accept with a single click and never read. Consumers know they’re being mistreated and aren’t happy about it; a recent survey by Gigya found 68 per cent of consumers don’t trust brands to respect their privacy. How many will accept the terms to give away their data, given they have no obligation to do so? My prediction is zero.

“It’s also important to understand GDPR doesn’t just apply to organisations in Europe. Any organisation, anywhere in the world, collecting personal information from EU residents must comply. The result: Existing third-party data in the EU is gone, and no new data will flow to data brokers as a replacement.

“Businesses must, therefore, ensure that they have compliant systems in place to prevent a mass consumer ‘opt-out’ when the new regulations are enforced or even worse, face hefty penalties for non-compliance, with fines as large as four per cent of annual revenue. 

“For many, this will mean reviewing what structures need to be implemented to remain compliant while ensuring the optimisation of customer needs and the associated need for transparency surrounding the use of their data.

“Despite this, all hope is not lost. Businesses have a year to wean themselves from third-party data and refocus on engaging directly with their audience to obtain first-party data. This might not be the easiest path, but it’s the best way to build committed and long-lasting customer relationships.” 

 Ross Brewer, vice president and managing director at LogRhythm

 "As the saying goes ‘knowledge is power’ and this couldn’t be more accurate than when discussing EU GDPR. With just one year to go until the regulations are enforced, it’s crunch time for businesses. 

“As a result of EU GDPR, we will see monitoring, detection and response become a much more fundamental component of a company’s cyber security strategy.  Indeed, businesses will require a more coordinated and efficient approach to threat detection that goes far beyond simply deploying firewalls or anti-virus. 

“Having an end-to-end threat lifecycle management process that gives businesses the insight and full facts of a compromise from the offset will be vital, and businesses need to make sure they are adapting their strategies now so that they are fully prepared this time next year.” 

Richard Henderson, global security strategist, Absolute

 “As we mark the one year countdown to EU GDPR, it’s never been more important for businesses to start taking greater responsibility for their data. With stricter notification windows and greater levels of data accountability, organisations must have a complete understanding of how they collect data, where it’s stored and how it’s managed in order to remain compliant. 

“To describe the new rules as an update or a refinement in the data protection regime is not accurate – this is not a fine-tuning of the law. A far more fundamental change is taking place. Under EU GDPR, businesses will not be able to get away without having complete visibility into endpoint assets at all times so they can identify suspicious activity and take action – whether a device is connected to the corporate network or not. In this hyper-connected world, businesses cannot afford devices to ‘go dark.’ 

They need to maintain a constant connection, and have the ability to remotely control data stored on endpoint devices to stop them becoming the gateway to a damaging breach, and subsequently protecting themselves from the repercussions of lax security.” 

 Mike Ferris, CEO of Abacode

 “Many organisations have refrained from reporting cyber-attacks or data breaches in order to safeguard their brand reputation. But with only a year to become compliant with the GDPR, it’s essential that businesses leaders are aware of the organisational and technological changes needed to ensure compliance. 

Companies must have the appropriate governance policies in place. Around 90 per cent of companies have inadequate governance structures regarding cybersecurity, and frequently IT departments are left with the responsibility of evaluating and governing their own systems. Unless these policies are reviewed and appropriate organisational changes implemented, UK businesses leave themselves open not only to cyber-attacks, but also to non-compliance fines.

The stipulation that companies must report breaches within 72 hours, also means CTOs need to change the way they monitor and remediate breaches. Companies stand no chance of being compliant unless suitable systems are in place to constantly monitor for attempted, or indeed, successful breaches. Currently, only 3 per cent of UK business have these kind of monitoring systems, which can be likened to ‘burglar alarms’, in place at present – a worryingly low number. 

With the GDPR-compliance deadline fast approaching, and fines associated with non-compliance more substantial than ever before, companies need to ensure they are prepared. A new, holistic approach to cybersecurity is not a ‘nice to have’ but a commercial necessity. In reality, managed security service providers are the only option to ensure this holistic and strategic approach while at the same time removing the huge complexity and cost that would follow if the company attempted a DIY approach.” 

Sheila Fitzpatrick, Worldwide Data Governance & Privacy Counsel/Chief Privacy Officer, NetApp

 “Businesses need to act now to ensure they are compliant in this timeframe, or be at risk of fines of up to €20m, or 4 per cent of global annual turnover, whichever is higher.

“Brexit and the outcome of elections will have little to no impact on whether UK businesses need to comply with GDPR. It applies to any businesses that come into contact with data on an EU citizen. As such, companies of all sizes need to take an active look at what data they hold, what they use it for, and where it’s stored. They can then use this insight to conduct a comprehensive review of data privacy policies, consents, processes and so on to ensure they are meeting the minimum legal requirements.

“GDPR isn’t a “nice to have”, it’s a legal requirement. Companies have 365 days to become compliant, or face the potentially grave consequences when GDPR comes into effect.”