The EU-mandated General Data Protection Regulation (GDPR) is coming into force next May and it is the most ambitious piece of pan-European security and privacy regulation ever created. At a time when businesses are simultaneously dealing with potential disruption due to Brexit, companies have to ensure that their processes, data handling and communication systems are prepared for the change. If they fail, they could face severe consequences.
What has made GDPR such a wake-up call is the risk of being forced to pay up to 2% of global revenue in fines for serious breaches. Simply put, the regulation's rules create a set of guidelines that businesses must follow when dealing with European citizens' personal data. The rules apply to any company that interacts with European citizens, no matter which country it is based in.
Although notionally focused on data protection, the interconnected nature of technology means that GDPR can't just be considered an IT problem, as it can impact an entire business. It will determine which questions must be included on forms, which telephone calls must be recorded, where data is kept, who has access to which systems, and what information they can and must not see.
Whether it is the GDPR or the UK's post-Brexit Data Protection Act that becomes the main legislation on these shores, one thing is certain: the regulations will be non-prescriptive about how organisations enact controls. Instead they will focus on the end results. In other words, companies have to prove due diligence and ultimately provide redress when individuals want to ascertain the state of the personal data held by an organisation.
What can organisations do today to get ready for GDPR? To begin with they have to forget the notion that there is some magic software solution or fancy hardware device that can solve everything. There is no quick fix to solve a conundrum that mixes technology, policy, process and corporate governance. Still, there are plenty of things a company can do to get ready for the implementation of the GDPR.
Firstly, organisations need to start bringing together expert teams – both from internal stakeholders and potentially external experts – to enact new policies around how data is captured, stored and used. Companies must be ready for the change and this foundational step should form the basis of potential technology realignment.
Secondly, organisations should start conducting audits of which systems within their estates are likely to be impacted by GDPR. From this point, it is worth asking key technology suppliers across areas such as communications, storage, security and the critical line-of-business applications whether they have a position and guidance on how their particular element can fit into a plan to meet and retain GDPR compliance. Older, inflexible systems are likely to be the most troublesome, while platforms that have embraced the cloud and open APIs are probably going to be easier to adapt. With the deadline for compliance less than nine months away, simply ignoring the issue is the perfect way to court disaster.
If the US regulatory journey around digital data has taught us anything, it is the importance of being able to adapt to new circumstances. The regulatory framework there has continually shifted due to the American four-year cycle of presidential and state governor elections, plus rapid technological advancement. In Europe, with Brexit looming, it is always best to assume that today's law will have moved the goalposts within a few years. As such, building in flexibility is an essential philosophy when looking at a strategy for dealing with GDPR.
This article comes courtesy of Curtis Peterson, SVP of cloud operations at RingCentral, a provider of cloud unified communications and collaboration solutions.