One year on since the infamous General Data Protection Regulation (GDPR) was implemented, how much has the regulation actually changed how data protection is viewed and regarded when it comes to businesses? It’s no secret that data is the lifeblood of an organisation, but with the threat of heavy fines, strict guidelines, and meticulous compliance regulations, the implementation of GDPR made businesses step up and think about their data in a more stringent way than before.
With this in mind, 13 IT experts have shared their thoughts and advice with ITProPortal, as to the different ways companies can ensure they are compliant with GDPR, and how they can continue to be in the years to come.
The C-Suite now has more responsibility for customer data protection
“Amid much fanfare GDPR came marching over the horizon with bundles of confusion, poor interpretation and the usual “silver bullets” from the technology world,” commented Steve Armstrong, Regional Director, UK, Ireland & South Africa at Bitglass. “Outside of many technology companies extolling “the” solution to make organisations GDPR compliant (which frankly is a pure figment of their marketing team’s imaginations) there have been some interesting consequences of GDPR.
“From a technology perspective, organisations are being far more diligent on contracting terms and getting a clear understanding how their data is being handled by their tech partners and ultimately what jurisdiction the data is being processed in.
“The C-suite has now much more responsibility for customer data protection. This likely caught many organisations off guard; but on the plus side it has broadened the conversation about data security from something the guys in the basement did, to a board level addressable issue.”
Organisations are still actively trying to comply
“With the one-year anniversary of GDPR approaching, the regulation has made an impact in data protection around the world this century,” said Alan Conboy, Office of the CTO at Scale Computing. “One year later with the high standards from GDPR, organisations are still actively working to manage and maintain data compliance, ensuring it’s made private and protected to comply with the regulation. With the fast pace of technology innovation, one way IT professionals have been meeting compliance is by designing solutions with data security in mind. Employing IT infrastructure that is stable and secure, with data simplicity and ease-of-use is vital for maintaining GDPR compliance now and in the future.”
GDPR is replacing VPN technology
“The introduction of the GDPR has impacted an unprecedented number of business processes, and security and risk teams are struggling to meet all these simultaneous demands,” believes Hubert Da Costa, SVP and GM, EMEA at Cybera. “On a more positive note, it has also brought an opportunity for companies to leverage new or additional technology solutions. Take the network edge as an example. This is one of the primary areas where personal data is at risk. In the past 12 months we’ve seen many organisations using GDPR as an opportunity to replace traditional VPN technology at the edge with SD-WAN technology. Due to its multiple data security capabilities, and levels of visibility and auditability, SD-WAN enables organisations to better meet GDPR guidelines. With Gartner predicting that before the end of 2021, more than one billion euros in sanctions for GDPR non-compliance will have been issued, we’ll continue to see security and risk teams under pressure to protect user data and privacy.”
Companies should not avoid punishment for poor data handling
“The key to every new regulation is the punishment and their ability to enforce it,” says Naaman Hart, Cloud Services Security Architect at Digital Guardian. “Ultimately without the plausible threat of punishment the regulations will fail to impact wide sweeping change.
“So far the ICO of the UK hasn’t fined anyone under the GDPR, which is evidenced by the ongoing minuscule fines dished out to offenders. Facebook as an example was fined a measly £500,000 for the Cambridge Analytica scandal, the maximum under the old Data Protection Regulation which GDPR replaces. Were that case brought under the era of the GDPR then they could’ve been looking at substantially more and it might’ve served as a necessary warning to companies with similarly dim views of privacy.
“As we enter the second year of the GDPR we can but hope that cases and fines continue to paint a picture that companies cannot avoid punishment for poor data handling. If the risk outweighs the reward then we should see a societal shift towards better privacy which benefits everyone.”
GDPR is cutting teeth and shifting attitudes
“As the GDPR celebrates its first birthday, there are some parallels to be drawn between the regulation and that of a human reaching a similar milestone,” comments Samantha Humphries, senior product marketing manager at Exabeam. “It’s cut some teeth: to the tune of over €55 million – mainly at the expense of Google, who received the largest fine to date. It is still finding its feet: the European Data Protection Board are regularly posting, and requesting public feedback on, new guidance. It’s created a lot of noise: for EU data subjects, our web experience has arguably taken a turn for the worse with some sites blocking all access to EU IP addresses and many more opting to bombard us with multiple questions before we can get anywhere near their content (although at least the barrage of emails requesting us to re-subscribe has died down). And it has definitely kept its parents busy: in the first nine months, over 200,000 cases were logged with supervisory authorities, of which ~65,000 were related to data breaches.”
“As well as making businesses more accountable, GDPR has certainly had a hand in shifting attitudes towards data privacy, which is significant given that everything we do today centres around data,” adds Eltjo Hofstee, managing director at Leaseweb UK. “Considering GDPR’s impact specifically in a data centre context, from our perspective, customers as the data controllers carry the main responsibility of ensuring compliance, however owners and operators also have a role to play as the data processors.
“Being able to demonstrate that our systems and infrastructure meet the technical and organisational requirements to support GDPR compliance is good business practice, and meaningful to customers. We therefore ensure that in our agreements we are clear where critical data is located, from geographic location to devices, servers, and/or networks. Cementing this type of information at contract level also serves to clearly define the roles and levels of responsibility for GDPR between data centre operators and customers.”
Backup is key
“Since the implementation of the infamous GDPR last May – a date that’s likely engrained on every IT team’s mind for all eternity – meeting data protection regulations has never been so important,” says Steve Blow, Tech Evangelist at Zerto. “Yet despite the day coming and going without a bang, we still see many companies living in a compliance no man’s land – not fully confident in their compliance, but also aware of the regulation and the implications of rogue data.
“Although there have been significantly fewer fines than we all predicted, no business should become lax about compliance. My advice to those still in a grey area is to make sure their business is IT resilient by building an overall, comprehensive compliance program.
“A key component of this program should be backup. Backup that is continuously protecting data, making it easily searchable for long periods of time and ultimately, also, preventing lasting damage from any data breach you have to report. Peace of mind is a top priority for all IT teams and GDPR has definitely led to some sleepless nights, but with an IT resilience solution that has your back, you can rest easy.”
The right to be forgotten
“Over the past 12 months, GDPR has provided the perfect opportunity for organisations to reassess whether their IT infrastructure can safeguard critical data, or if it needs to be upgraded to meet the new regulations,” says Rod Harrison, CTO of Nexsan, a StorCentric Company. “Coupled with the increasing threat of cyber attacks, one of the main challenges businesses have to contend with is the right to be forgotten – and this is where most have been falling short.
“Any EU customers can request that companies delete all of the data that is held about them, permanently. The difficulty here lies in being able to comprehensively trace all of it, and this has given the storage industry an opportunity to expand its scope of influence within an IT infrastructure. Archive storage can not only support secure data storage in accordance with GDPR, but also enable businesses to accurately identify all of the data about a customer, allowing it to be quickly removed from all records. And when, not if, your business suffers a data breach, you can rest assured that customers who have asked you to delete data won’t suddenly discover that it has been compromised.”
“One year on from the implementation of GDPR, the bruising barrage of fines and thousands of ‘Right to be Forgotten’ requests have – broadly speaking – been avoided,” says Nigel Tozer, Solutions Marketing Director, EMEA at Commvault. “In the lead up to and over the past year, there has been a raft of new ‘solutions’ flooding the market, often claiming to be the silver bullet for GDPR.
“The fact of the matter remains, however, that there is ‘no one size fits all’ solution that you can plug in and simply press ‘go’, to solve all the regulatory requirements. There are, however, solutions available that allow the more effective identification, indexing, sorting and management of data in ways that enable organisations to more easily meet ‘Right to be Forgotten’ requests or provide notifications and visibility around data breaches – all of which are key components of GDPR.
“As we approach the first anniversary of the inauguration of GDPR and review the present state of the regulatory landscapes, the key takeaway for us all should be this: regardless of shape or size, it remains of vital importance that organisations continue to take stock of how GDPR is evolving; reflect on how far they have come in their own compliance efforts over the last 12 months; and seriously consider how far they may still have to go.”
Look towards the ISO27001
“Before GDPR came to be law, most people were confused as to what it actually was, as well as what they needed to do to fully comply,” states Graham Marcroft, operations and compliance director at Hyve Managed Hosting. “Now we are a year on, and it would seem that, aside from the jargon and scaremongering, GDPR has acted as more of a proactive force, ensuring all businesses take a good long look at their data compliance and cyber security strategies.
“The introduction of GDPR a year ago has certainly shed more light on where some companies have been going wrong, and has also meant that customers look more critically when choosing where to store and process their data. When it comes to choosing an MSP, customers are now more likely to look for somewhere that abides by guidelines over and above what is expected by GDPR, such as independent accreditations like ISO27001.”
“The new regulations might not have changed the processes for data centres that already followed their own, and independently audited, stringent data regulations,” agrees Vicky Withey, Compliance Manager at Node4. “But, having these specific guidelines in place across the board has meant that both data owners and data processors are fully aligned when it comes to strategies that ensure data is properly secure. Since GDPR, we have seen an increase in the amount of customer audits, as data owners have begun to align their practices with the regulations that reliable data centres, like ourselves, will have already had in place.
“One year on from GDPR’s introduction, and we now see that efficient cyber defences have become a big differentiator for customers when choosing where to store and process their valuable data. While there is this increasing focus on cybersecurity measures, there has also been a growing number of customers choosing to use data centres that offer stringent and robust physical security measures onsite. On top of this, customers have started looking to data processors that hold certifications which have been independently assessed, such as ISO27001, because these provide the assurance that their data will be handled correctly, and in line with strict regulations.”
Create a ‘fit for purpose’ process
“As part of our consultancy work in helping clients make data-driven decisions, we also advise them in best practice around securing their personal data when their processes may not be fit for purpose,” believes Matt Aldridge, Co-founder and CEO at Mango Solutions. “By creating and supporting ‘fit for purpose’ processes, our clients can operate effectively and consistently without needing to ever worry about whether they are GDPR compliant. This means that, as we approach the first year anniversary of GDPR coming into force, none of our clients have had to worry about this at all and any data required for ‘know your customer’ projects is always anonymised in order to meet regulatory compliance.”
Other countries are taking note
“Last year, the California Consumer Privacy Act (CCPA) was signed into law, which aims to provide consumers with specific rights over their personal data held by companies,” states Wendy Foote, Senior Contracts Manager, WhiteHat Security. “These rights are very similar to those given to EU-based individuals by GDPR one year ago. The CCPA, set for Jan. 1, 2020, is the first of its kind in the U.S., and while good for consumers, affected companies will have to make a significant effort to implement the cybersecurity requirements. Plus, it will add yet another variance in the patchwork of divergent US data protection laws that companies already struggle to reconcile.
“If GDPR can be implemented to protect all of the EU, could the CCPA be indicative of the potential for a cohesive US federal privacy law? This idea has strong bipartisan congressional support, and several large companies have come out in favour of it. There are draft bills in circulation, and with a new class of representatives recently sworn into Congress and the CCPA effectively putting a deadline on the debate, there may finally be a national resolution to the US consumer data privacy problem. However, the likelihood of it passing in 2019 is slim.
“A single privacy framework must include flexibility and scalability to accommodate differences in size, complexity, and data needs of companies that will be subject to the law. It will take several months of negotiation to agree on the approach. But we are excited to see what the future brings for data privacy in our country and have GDPR to look to as a strong example.”