In April 2016, the European Parliament approved the General Data Protection Regulation (GDPR), a comprehensive new data protection regulation that applies directly in every EU member state from 25 May 2018.
GDPR sets out to give individuals in the EU control of their personal data, and establishes a single standard for how organisations and businesses protect that data across the EU. In turn, this simplifies the regulatory environment for international business, which no longer has to reconcile differing national rules.
According to the European Commission, the personal data in question is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life. Anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Clearly, GDPR has major implications for businesses and their obligations regarding the protection and privacy of data. We caught up with Dee Richartz, Security Technology Director at Rackspace, to find out what they are and how to prepare for them.
Hello Dee — why is GDPR being introduced, and why is it important?
Hi! Well, GDPR is really about standardising the way businesses handle people’s personal data, and making consumers confident it’s in safe hands. Every time you commit to something online, like opening a bank account, joining a social networking website or booking a flight, you hand over vital personal information like your name, address and credit card number. This is sensitive information. With high-profile data breaches and hacking on the rise, GDPR looks to tighten security and keep things safe.
Anything that keeps data safe has to be a good thing, right?
Everyone has the right to demand personal data protection. Breaches are getting more complex and more common, so lawmakers and regulators around the world have to respond to protect citizens.
GDPR provides a consistent suite of compliance requirements, stronger definitions and clarity of responsibilities, tailored for an ever more digital and mobile world. There’s a lot more data being generated and transported across networks and stored in data centres and devices, by businesses, public authorities and individual citizens.
In the past, conflicting data protection rules in different EU countries did not offer the same levels of protection. GDPR establishes consistency and commonality between EU countries. Personal data will be better protected, everywhere, and will stay private. That said, of course, anyone has the right to complain if they feel their data is being misused.
It’s more obvious what GDPR means for consumers, but what does it mean for businesses?
Data protection will be a vital cornerstone to the success of any digital-led country, economy or business. Protecting the data and privacy of customers should be the number one operational priority for any business.
GDPR applies to any company that manages or processes customer data in the EU — regardless of where the company itself is based. So, companies with cloud-based services need to ensure they’re in line and compliant with GDPR.
Failure to comply has big consequences, including potential fines of up to 4 percent of a company’s global revenues or up to 20 million euros, whichever is higher.
Does Rackspace have advice for businesses about how to prepare for GDPR?
Several things. Most importantly, they must put appropriate data security in place, using processes like “pseudonymisation” and encryption. These processes must be regularly tested, assessed and evaluated to make sure all data is being secured effectively.
When a breach does occur, it’s vital they tell the relevant people and/or organisations involved immediately — especially if the consequences are likely to put them at high risk. If they don’t do this, they may suffer financial consequences.
GDPR might still be several months away, but the time will go quickly, so businesses need to plan their security strategies now and give themselves enough time to put the right technologies in place, iron out any flaws and stay ahead of the data privacy compliance curve.
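The answer above names pseudonymisation and encryption as the processes to put in place but does not show what pseudonymisation looks like in practice. The Python below is an added example written for this page, not code from Rackspace or the interviewee. It pseudonymises a constructed set of customer records with HMAC-SHA256 under a secret key, keeps the re-identification table separate from the dataset, and contrasts that with an unkeyed SHA-256 hash, which anyone holding a list of candidate e-mail addresses can reverse simply by recomputing it. The record fields, addresses and the attacker's candidate list are all made up for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example; these are invented subjects,
# not data from the article or from any real customer.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "gold", "country": "DE"},
    {"email": "bob@example.com", "plan": "basic", "country": "FR"},
    {"email": "carol@example.com", "plan": "gold", "country": "IE"},
]

# Hypothetical candidate list an attacker might hold (e.g. a leaked mailing
# list). Two of the three appear in the dataset; one does not.
ATTACKER_CANDIDATES = ["alice@example.com", "bob@example.com", "dave@example.com"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but it is a deterministic function of the
    input alone, so anyone who can guess candidate inputs can reverse it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    that GDPR Art. 4(5) requires to be kept separately: without it the token
    cannot be linked back to the person, with it the controller still can."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (pseudonymised_records, reidentification_table).

    The table maps token -> original identifier and, like the key, must live
    under separate access control from the pseudonymised dataset. Note that the
    dataset is still personal data under GDPR (Recital 26); pseudonymisation
    reduces risk, it does not make the data anonymous.
    """
    out, table = [], {}
    for rec in records:
        token = keyed_pseudonym(rec["email"], key)
        table[token] = rec["email"]
        pseudo = dict(rec)
        pseudo["email"] = token
        out.append(pseudo)
    return out, table


def reverse_by_guessing(tokens, candidates, pseudonym_fn):
    """Dictionary attack: recompute the pseudonym for every candidate and
    report which tokens in the dataset it matches."""
    lookup = {pseudonym_fn(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def demo():
    # Hypothetical per-dataset key; in production it would be generated and
    # held in a KMS/HSM, never stored beside the pseudonymised records.
    key = secrets.token_bytes(32)

    naive_tokens = [naive_pseudonym(r["email"]) for r in SAMPLE_RECORDS]
    pseudo_records, table = pseudonymise(SAMPLE_RECORDS, key)
    keyed_tokens = [r["email"] for r in pseudo_records]

    return {
        # Attacker with only a candidate list recovers the unkeyed hashes...
        "naive_hits": reverse_by_guessing(naive_tokens, ATTACKER_CANDIDATES, naive_pseudonym),
        # ...but gets nothing against the keyed tokens, because the pseudonym
        # depends on a key they do not hold.
        "keyed_hits_without_key": reverse_by_guessing(keyed_tokens, ATTACKER_CANDIDATES, naive_pseudonym),
        # The controller, holding the key, can still recompute and re-identify
        # (pseudonymisation is reversible by design, anonymisation is not).
        "keyed_hits_with_key": reverse_by_guessing(
            keyed_tokens, ATTACKER_CANDIDATES, lambda c: keyed_pseudonym(c, key)
        ),
        # Or use the separately stored table, without touching the key.
        "reidentified_first": table[pseudo_records[0]["email"]],
        # Same input gives the same token, so the dataset can still be joined
        # on the pseudonym, which is what distinguishes it from random tokens.
        "consistent": keyed_pseudonym("alice@example.com", key) == pseudo_records[0]["email"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point a practitioner should take from this is that "hashing the identifier" on its own is not pseudonymisation in the GDPR sense: e-mail addresses, phone numbers and national ID numbers come from small, guessable spaces, so an unkeyed hash is reversible by anyone who can enumerate candidates. A keyed construction moves the secret out of the data and into something you can actually control, rotate and audit.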
What common mistakes do organisations make?
Some UK companies and organisations think GDPR does not apply to them because of the Brexit referendum vote. That’s not the case. GDPR still has implications. As part of Brexit, the UK will negotiate which pieces of EU legislation it keeps and which bits it gives back.
Ultimately, there may be elements of GDPR that won’t need to be adopted, but for the time being, companies should act as if GDPR wholly applies to them, especially if any UK companies operate internationally across multiple EU countries, not just in the UK.
What’s your advice to customers?
GDPR is comprehensive. My advice to UK clients, especially those who are international, is to implement all GDPR by the end of 2017. Then you’ll be in a good place to adapt to any UK-specific changes as and when they arise in 2018. It pays to prepare.
Another piece of advice: always encrypt your data files, both in the data centre and also in transit. Encrypting your data will help ensure you are GDPR compliant. Most personal data for which organisations are legally responsible actually exists in unstructured and random formats, such as emails and user-created documents in Office 365 and so on.
These aren’t as organised as databases; IT departments don’t have the same control over files. And cloud apps and BYOD policies make things even more complicated. So, you need to prove you’re covered. Encryption policies are the best way to do this.
What questions are customers asking you about GDPR?
It’s really about the challenge of managing GDPR on an ongoing basis. Everyone’s rushing to prepare for it, and put policies and procedures in place. But it’s then about getting the right resources in place to stay on top of it, because it’s new and there has been no dedicated resource to look after it before.
So, customers ask about what kind of skills are needed, and who is the best person to allocate responsibility to. In fact, GDPR is resulting in the creation of an entirely new role — the Chief Privacy Officer or “CPO,” who will be tasked with making sure EU citizens’ data is compliant.
The CPO role is an interesting development in HR terms. Thousands of new positions will need to be filled within the next year or so, but who’s going to fill them? And we already have an IT skills gap!
What about non-EU companies? How does GDPR affect them and their dealings?
Many EU businesses have non-EU offices, or trade with non-EU companies. In fact, GDPR extends the scope of its EU data protection law to all foreign companies processing data of EU residents. In this way, things are actually made easier for non-EU companies. They will adhere to one set of standardised data protection regulations so they won’t need to wade through a minefield of differing rules depending on which country they’re working with.
How can Rackspace help customers?
Rackspace stores and transmits millions of data files on behalf of customers all over the world. Rackspace Managed Security (RMS) is a combination of Rackspace expertise, our technology, and a tenacious 24/7 Security Operations Centre team.
Together, they give customers the peace of mind that they’re talking to the industry’s most results-driven, passionate security experts. They’re in safe hands.
Thanks to Juliette Spenceley for conducting this interview.