Judging by the number of unsolicited calls I receive telling me that I’ve just had a car accident and can claim compensation (now we do all have moments in the car when we realise that we’ve done a mile or two and can’t remember anything about it, but I think I would remember a collision with another road user), or that I’m eligible for some kind of energy grant to double-glaze my already double-glazed home, or encouraging me to remember whether or not I took out PPI 20 or more years ago, the existing data protection laws don’t seem to be working very well. All the more so since I took the trouble to register with the Telephone Preference Service several years ago.
Furthermore, when one thinks of the coach and horses that various industry sectors have driven through the legal frameworks meant to govern their behaviour – the most obvious being the economic Armageddon brought about by the finance industry’s apparent disregard for both the letter and the spirit of the law – with apparently no one deemed guilty enough to be punished, one might be tempted to conclude that the imminent arrival of the General Data Protection Regulation (GDPR) will not change a great deal!
However, on the basis that the vast majority of organisations do take their legal and ethical responsibilities seriously, there’s no doubt that the GDPR is going to have a serious impact on the way companies do business and, crucially, how they treat the data that is the daily currency of virtually all business transactions.
Right now, as I think I’ve written before, we seem to be in the massive hype stage of the GDPR cycle. Put simply, companies are being frightened into believing that, if they do not throw plenty of people and money at complying with the GDPR legislation, then they are likely to have their businesses shut down, be locked up in a dank, dark cell, and be very, very lucky indeed if the key to their jail is not thrown away. The actual sanction is financial rather than custodial: administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements.
The reality is that those organisations that already keep good, clean data records are unlikely to fall foul of the new legislation. The caveat to this bold/foolhardy statement is that I suspect that nearly all organisations will have to improve their data logistics, in terms of both the level of granularity of their records and the speed with which they deal with any data record-related issue (requests from individuals must be answered without undue delay and, in any event, within one month). So, the GDPR gives individuals, in terms of the data an organisation might hold about them, the right to be informed (how/when/why do you have me on your database?), the right of access (I want to see what information you hold about me), the right to rectification (you need to correct some of the details you have), the right to erasure (delete me from your list), the right to restrict processing (you can hold a record on me, but not do anything with it), the right to data portability (give me my record, in a structured, machine-readable format, so I can give it to someone else to use as well), and the right to object (you can’t use my details for this marketing exercise). This list is not exhaustive (there are also rights relating to automated decision-making and profiling), but it gives some idea of the amount of work that could be involved, not so much in obtaining a data record on an individual as in how this record is subsequently used and maintained.
Alongside this data ‘micro-management’ requirement, there’s also the major issue of where and how data is stored. Data breaches will always occur, and the organisations suffering such an attack need to be able to demonstrate that they have done all that is reasonably possible to maintain the confidentiality, integrity and availability of their data resource. Two points are worth noting here. First, the GDPR’s definition of a personal data breach covers accidental or unlawful destruction, loss and alteration of personal data as well as unauthorised disclosure, so a ransomware outbreak that locks you out of your own records counts, even if nothing was stolen. Second, a breach that puts individuals at risk must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. The grey area is what constitutes ‘what’s reasonably possible’: the regulation asks for ‘appropriate technical and organisational measures’, taking into account the state of the art and the costs of implementation, and leaves it there. After all, the recent, major NHS security incident (the WannaCry ransomware outbreak) seemed to be a direct result of many hospital trusts failing to update their software – many of them claiming that they could not afford to. Good luck Mr GDPR regulator, and the legal sector, when it comes to deciding how much is reasonable or not when it comes to spending on IT security!
Much of the present GDPR hype cycle scaremongering centres on the location of your data – not so much in which data centre or other building, rather in which country or wider geographic region. Courtesy of several Cloud Industry Forum roundtable sessions that have discussed the issue of data sovereignty as part of larger debates around cloud security, service providers, hyperconvergence and the like, I am reliably informed by specialists in IT and the law that the GDPR has no specific requirement for data created in Country A to remain in Country A. So long as the place chosen to store data complies with the GDPR requirements as outlined above (a safe, secure, accessible location at a reasonable cost), then the data can, whisper it quietly, reside in all manner of locations. The one caveat is geographic scope: within the EU/EEA there is no restriction, but a transfer of personal data to a country outside it is only permitted where that country has an EU adequacy decision or where appropriate safeguards, such as standard contractual clauses or binding corporate rules, are in place.
As with the security breach idea, the legislation requires that due diligence has been carried out before deciding where to store and back up data. Bearing in mind the present hurricanes and floods devastating parts of the US and the Caribbean, it may well be the law courts that have to decide whether such diligence has been exercised if data is lost thanks to weather events, for example. (One could argue that, as hurricanes and floods happen rather frequently in this part of the world, keeping data in and around such locations is irresponsible!)
Whatever the letter of the GDPR law, more thought needs to be given to the public relations aspect of a data breach. For example, the GDPR may well allow your organisation to store its data somewhere in mainland Europe, but if the data stored is compromised, bearing in mind the furore surrounding Brexit, it’s not difficult to imagine the bad publicity you might suffer as various media outlets castigate you for having the ‘temerity’ to (disloyally) store your data outside the UK.
I hope that this blog has highlighted some of the issues that you need to consider when it comes to GDPR compliance, but there’s little doubt that you’ll have specific questions that need to be answered. I suspect that the legal sector, rather than the IT industry, could be a good place to start.
From a data centre industry perspective, we’re already seeing more ‘local’ facilities being opened across the European region (tallying with the idea that many organisations will not want to ‘export’ their data, no matter that the GDPR allows it). And I’m sure that, following on from this, all data centre facilities that fall under the GDPR’s jurisdiction will need to improve their data lifecycle management procedures – no small task. Accurate record keeping and safe data keeping are the foundation stones that need to be in place so that you can meet the GDPR legislation head-on with confidence.