By Mark Chillingworth
As the countdown begins, technology leaders discuss the implications of GDPR
In one year’s time the General Data Protection Regulation (GDPR) becomes enforceable. From 25 May 2018, organisations that handle personal data about individuals in the European Union will have to comply with the new information management rules. GDPR will be a major strategic focus for business technology leaders over the next 12 months, so Horizon brought together three leading experts on the subject to sift the data and discuss what organisations must be aware of.
Stephen Deakin has been a CTO with the Home Office, police agencies, Moneysupermarket.com and Barclays Bank. Simon Goldsmith is director of Altius Consulting, one of the UK’s fast-growing data intelligence organisations, while JC Gaillard heads Corix Partners, an information security advisory business.
“The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established,” the EU states on its GDPR website. “Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies.”
Goldsmith of Altius says there are three core points to GDPR that CIOs need to be aware of: “One is consent: you are now no longer able to assume consent, and it must be clear what you are going to use the data for. Secondly, notification: previously it was not necessary to inform the regulator of a breach; that is mandatory now, and there is a limit of 72 hours on informing the regulator. The third is use cases, the things you will have to do in relation to this data: people have the right to be forgotten, you may be asked to transfer data, and you must be able to answer requests from people on how their data is being used.”
“You have the right to be informed that information is being gathered, stored and processed,” adds CTO Deakin. “You have a right to access all the information that is identifiable to you, you have a right to rectify mistakes and, as we talked about with forgetting, you have the right to have the information erased. There is also an ability to restrict processing and the ability to share information, you have a right to restrict marketing and, finally, you have a right to prevent automated decision making: you can ask for humans to make decisions.”
Deakin says the right to be forgotten will be an area that causes CIOs the largest challenge: “The challenge is the data may be on tapes and in the situation of a crash and the following backup there is the risk that when the data is restored data may reappear.”
“A lot of organisations have such a disparate set of data and data warehouses that, in terms of the footprint of a customer, it can be in many different formats and mediums,” adds Goldsmith. Customer data can sit on tape archives, in rarely used databases and, often, in spreadsheets held by departments the CIO may not even be aware of.
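Deakin’s point about erased data reappearing after a restore is a concrete failure mode, and the usual engineering answer is to keep a record of erasure requests outside the backup set and re-apply it whenever a backup is restored. The following is an added example, not code from the article or from any of the speakers’ organisations; the store layout, the ledger salt and the sample records are constructed assumptions.

```python
"""Replaying an erasure ledger after a backup restore.

Added, constructed example (not from the article or its speakers): a tiny
in-memory store keeps an append-only ledger of erasure requests separately
from its data backups. After a restore from an older snapshot, the ledger
is replayed so that subjects erased after the snapshot was taken do not
quietly reappear. The store layout and field names are assumptions.
"""
import copy
import hashlib
from dataclasses import dataclass, field

# Hypothetical salt; a real deployment would keep this in a secret store.
LEDGER_SALT = b"example-ledger-salt"


def subject_key(subject_id: str) -> str:
    """Ledger entries hold a salted hash, so the list of 'people we erased'
    is not itself another copy of the identifiers we were asked to erase."""
    return hashlib.sha256(LEDGER_SALT + subject_id.encode("utf-8")).hexdigest()


@dataclass
class DataStore:
    records: dict = field(default_factory=dict)         # subject_id -> record
    erasure_ledger: list = field(default_factory=list)  # append-only, never overwritten by a restore

    def erase(self, subject_id: str) -> None:
        """Handle an erasure request: drop the live record and log the request."""
        self.records.pop(subject_id, None)
        self.erasure_ledger.append(subject_key(subject_id))

    def snapshot(self) -> dict:
        """Back up the records only. The ledger lives outside the backup set."""
        return copy.deepcopy(self.records)

    def replay_erasures(self) -> list:
        """Remove any record whose subject was erased; return who had reappeared."""
        erased = set(self.erasure_ledger)
        reappeared = sorted(sid for sid in self.records if subject_key(sid) in erased)
        for sid in reappeared:
            del self.records[sid]
        return reappeared

    def restore(self, snapshot: dict) -> list:
        """Restore records from a backup, then re-apply every erasure on file."""
        self.records = copy.deepcopy(snapshot)
        return self.replay_erasures()


def restore_scenario() -> dict:
    """Constructed sequence: nightly backup, erasure request, crash, restore."""
    store = DataStore()
    store.records = {
        "alice": {"email": "alice@example.invalid", "marketing": True},
        "bob": {"email": "bob@example.invalid", "marketing": False},
    }
    nightly_backup = store.snapshot()               # taken before the request arrives
    store.erase("alice")                            # right-to-erasure request honoured
    naive_restore = copy.deepcopy(nightly_backup)   # what a plain restore would bring back
    reappeared = store.restore(nightly_backup)      # crash, restore, replay the ledger
    return {
        "naive_restore_has_alice": "alice" in naive_restore,
        "after_replay": store.records,
        "reappeared": reappeared,
    }


if __name__ == "__main__":
    print(restore_scenario())
```

The ledger must be kept outside the backup set that gets restored, otherwise a restore also rolls back the list of erasures; the hashed key means the ledger itself does not become another store of identifiers to be erased.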
One of the reasons GDPR has attracted so much attention in the mainstream media is the size of the fines organisations can face. From next year, organisations found to be in breach of GDPR could face a fine of up to 4% of annual global turnover (or €20 million, whichever is higher).
“That is tremendously focusing for the boards,” says Deakin; the scale of the fines is helping organisations realise how important GDPR is. “They are looking at info-sec, but info-sec is really just table stakes.”
Gaillard agrees, but warns CIOs that there is a high level of opacity in the regulation. “There are no explicit definitions of what a major breach is and no explicit explanation of how turnover will be calculated.
“The regulation is open to interpretations for legal challenges,” he adds. Goldsmith says it is not only the fines that challenge business technology leaders: GDPR requires organisations to notify the authorities of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. For CIOs, Goldsmith says, that means they must understand their information environment clearly. “You need to look at it in terms of your third party partnerships. Most organisations are using a cloud provider, I know a lot of the providers, people like Microsoft, are bringing their contracts up to date, but that needs to be something to consider so you can be sure.”
GDPR also puts data management at the heart of corporate structures: the regulation stipulates that many organisations, including public authorities and those whose core activities involve large-scale or sensitive processing, must appoint a Data Protection Officer (DPO). Gaillard questions whether it should be the CIO who appoints and line-manages the DPO.
“For me the key is to appoint a DPO according to the real challenges your organisation faces,” he says, adding that the DPO is a role about ensuring an organisation’s culture is right on 25 May 2018 and beyond. “Many of the aspects of GDPR are not new. It goes back to the 1998 Act and a directive from 1995. You need a DPO that has the gravitas to make something happen, so the key thing is not to rush to appoint someone.”
“I think the DPO roles are separate to the CIO role,” says Deakin who sees the role as very similar to the CISO: “It is more about regulation and compliance and the CIO could unwittingly coerce the DPO and this law is very clear about the independence. So there is a legal accountability that is separate to the demands of the CIO who has to deliver the very best data platform and user experience they can.”
Goldsmith of Altius has seen organisations balance the tension over what to do with their data, and he says they will need to focus closely on consent to balance clarity for the customer with staying within the rules of the regulation. Preparing for data portability will also be a complex journey for many organisations, he says, and Deakin agrees.
Shadow information management
“There is no doubt that there is shadow information in enterprises and it is going to make GDPR programmes quite difficult and this is not the time to be complacent,” Gaillard says. “It is best handled softly, the CIO has to listen to the business and build channels and talk and help them through being an advisor and an influencer,” he says of how CIOs and DPOs will need to bring strong governance to organisations.
All three business technology leaders agree that compliance with GDPR is going to be complex, but that it is also an opportunity to rationalise information silos and improve business processes while meeting compliance demands. Goldsmith says organisations will need to address GDPR with agility, since they will not want to “sit behind a major change process, however with GDPR there needs to be a coming together of the business to look at how the agility can increase and the business understand how storing information in a spreadsheet is not appropriate,” he says.
Deakin says the adoption of cloud technology and in particular moving to cloud based productivity platforms like Office 365 help organisations break down silos and remove the need “to run things locally” as improved “discovery tools, chat, recording and information management” means teams can find productive ways to work and “the corporate body to retain governance”.
Gaillard adds that organisations will be able to bring information governance issues to the boardroom table. “I think it could be a real catalyst for action on security and privacy and it will force large organisations to work across silos,” he says.
“I think the good news is that there is a huge opportunity, as compliance is not an option and when you comply with regulations it is just a cost overhead, but look across the board of your data and how do you begin to drive benefit from that,” Goldsmith says of the opportunity for GDPR to drive digital transformation, the holy grail of information management at present.
GDPR is an opportunity for CIOs to put the information back into the chief information officer job title.
“The cloud is commoditising the traditional job of the CIO,” Deakin says of the operational technology focus that some CIO roles have taken on. The CTO and CIO says the role becomes about business strategy and data, and CIOs can climb the value chain of what the business can do with its data, so it will be more of a CDO role. Deakin believes a regulation like GDPR will ensure fewer CIOs report to the CFO.
Gaillard believes the CISO role will also change because of the vagueness in the GDPR regulations. With a year to go, the trio of information security experts advise CIOs and business technology leaders to “understand the entire scope of the regulations,” as Deakin puts it. Gaillard adds: “Don’t panic, quite a lot in the regulations is not new.”
Goldsmith of Altius says: “Do some upfront thinking about how you are going to comply, use it as an opportunity to get your data in a better place, the tech is there especially leveraging the cloud technology that is out there at the moment so that GDPR is a cost positive exercise.”