The EU is revolutionising its data protection legislation to cater for the privacy and security risks posed by today’s powerful communication technologies. But what is GDPR? And why does it matter to you and your business?
In 1995, the last time Europe legislated to protect data privacy and security, we were living in a very different world. The World Wide Web had only just begun to make an impact, and popular communications technologies included dial-up modems, wireless pagers and fax machines. Yet the EU’s 1995 Data Protection Directive, drawn up in that era of old technology, still governs the data protection framework in Europe to this day.
But not for much longer.
In May 2018, a new chunk of EU legislation, the General Data Protection Regulation (GDPR), comes into force across the European Union. The GDPR brings data protection laws into the 21st century, taking into consideration the data privacy and security threats presented by today’s technology.
‘We need the GDPR’s new conceptual framework to reflect the many technological, societal and business developments that have happened since 1995’
– SHIRLEY FINNERTY, MICROSOFT
Deep impact, digital fuel
“The conceptual model of the 1995 Data Protection Directive came from a period well before the web made its impact,” said Shirley Finnerty, Windows and devices business group lead for Microsoft in Ireland. “We need the GDPR’s new conceptual framework to reflect the many technological, societal and business developments that have happened since 1995.”
In addition, she said, the GDPR will further fuel Europe’s digital single market, by giving firms a more harmonised approach to data protection in all the markets they operate in.
The overarching aim of the GDPR is to protect EU citizens from losing control over which companies and organisations can store and process their personal data. It addresses this in several ways, because people can lose control of their data in several ways: to those who take it without proper permission, for instance, or through data theft from companies that fail to properly defend their computing infrastructure.
The GDPR provides legal deterrents to both these risks, and allows people to check the data that’s held on them – and potentially have it erased, too.
No free lunch
The GDPR’s new protection won’t come for free, however. Businesses and organisations are going to have to make important changes to their technical infrastructure to comply with the GDPR. On the other hand, compliance also offers firms an opportunity to digitally transform their operations in the cloud.
Some firms may have to appoint a whole new type of employee – a data protection officer – to ensure GDPR rules are properly and transparently complied with. While the costs of that will doubtless provoke criticism, the status quo can hardly be seen as an option – tens of millions of personal records are regularly lost to data breaches.
‘GDPR orders that organisations can no longer confuse customers with what the EU calls “long illegible terms and conditions full of legalese”’
The first target of the GDPR is not technology per se, but the language of the terms and conditions (Ts&Cs) attached to software and services. It orders that organisations can no longer confuse customers with what the EU calls “long illegible terms and conditions full of legalese”; those that lead them into giving up their personal data simply because they can’t decipher what those Ts&Cs mean.
Instead, the GDPR says Ts&Cs must be concisely summarised, with the reason the data is taken explained clearly. People will also be able to withdraw consent if they are unhappy with the way their data is used. That means companies and organisations are going to have to monitor permissions, using technology that produces auditable reports.
People also have a ‘right to access’ under GDPR, allowing them to delve into a firm’s databases if they suspect the company holds data on them, perhaps because they have begun receiving digital advertising about subjects they haven’t knowingly given away data on.
To exercise this right, they contact a company’s data protection officer, who must investigate on their behalf. If the firm does indeed hold their data, it must explain why it holds the data and where it obtained it, and give the petitioner – free of charge – a copy of the information held on them. People can either correct that data or – under what has become known as ‘the right to be forgotten’ – have it erased.
The GDPR aims both to significantly reduce the number of data breaches and to give victims of breaches as early notice as possible of data theft, so they can change their passwords, for instance, and warn their banks of possible identity theft. With companies in previous breaches having taken weeks, months and sometimes years to notify victims, the GDPR will mandate that organisations qualifying as data controllers have just 72 hours after becoming aware of personal data being compromised to inform their victims.
The GDPR packs some bank-balance-bending incentives to prevent data breaches, too. It will give the EU the power to fine companies and organisations up to 4pc of their annual global turnover, or €20m (whichever is the greater). For lesser infringements, such as not keeping auditable records of personal data permissions, withdrawals of consent and re-permissions, the fine could be 2pc of annual global turnover.
Those stiff penalties will apply both to the firms that obtain personal information, known as data controllers, and those that use it, the data processors. Those firms must now decide what kind of IT architecture will best let them guard citizens’ privacy by securing their personal data economically and at scale, servicing requests by them to see that data, and allowing for modification and erasure if necessary.
“By next May, some 26m European organisations are going to need to make not only their IT systems but also their business processes compliant. That will not be easy because someone requesting their data might have information used across many tens of software applications in an organisation,” warned Finnerty.
For instance, the human resources, email and customer relationship management systems may contain some of the data being sought. “But even the app that people order their lunch on might have personally identifiable information on it,” Finnerty said – and that will have to be extracted, too.
The logistics and economics of performing such data retrieval from on-premise servers around a company’s various sites could present a nightmare. “For instance, you could have 20 different applications that you want to make secure for data compliance, perhaps running on five different platforms. Your people must be sufficiently knowledgeable to do that,” said Finnerty.
GDPR, according to Finnerty, may be an opportunity for businesses to adopt a hyper-scale cloud solution, whereby data centres, rather than on-premise servers, create a pool of remote computing power and data storage that is shared securely with other organisations. By making the transition, said Finnerty, firms can meet GDPR compliance and digitally transform their business in the cloud.
By Art Coughlan
Art Coughlan is business group lead for cloud and enterprise at Microsoft Ireland. He is a senior professional with extensive experience across both technical and commercial disciplines, having sold, designed, delivered and supported solutions across many industries over 20 years.
Click here (PDF) to download Microsoft’s white paper on ‘Supporting Your EU GDPR Compliance Journey’.