The Cranky Admin

Stricter Data Regulation Is on the Way: Are You Ready?

The rules in Europe are very different from those in the U.S., so do your homework.

Research released by the U.K.-based DMA Group shows 15 percent of U.K. companies still have no plan in place to be ready for the General Data Protection Regulation (GDPR), or its U.K. equivalent: the Data Protection Bill. While it's only one sliver of insight into preparedness for the new regulatory regimes coming into force across Europe, any insight is welcome.

Interpretation of the data remains highly subjective. For some, 15 percent of companies having no plan to deal with new data protection rules sounds dire. Certainly, the penalties for non-compliance with the GDPR could be unpleasant, with fines of up to €20M, or "4% of the total worldwide annual turnover of the preceding financial year," whichever is higher.

Look at the stats from the opposite angle, however, and we have 58 percent of respondents who believe their business is ready for the coming changes, with the remaining 27 percent presumably mired somewhere in the process of getting there.

In terms of change management in organizations, that's not too shabby. In contrast, remember the end of support for Windows XP in 2015?

How Ready Is "Ready"?
Of course, there is the possibility that some of the 58 percent who say they're prepared for change have an incomplete understanding of what will be required to become GDPR-compliant. The GDPR is a vague piece of legislation, setting lofty goals for the protection of Personally Identifiable Information without providing specific guidance about how to achieve them.

The GDPR demands that companies take a new approach to dealing with data privacy. This approach applies not only to digital data, but to all data collected by an organization. From file folders to NetApp filers, the goal is to change how organizations think.

Some highlights of GDPR rules are a requirement to design for privacy by default. This includes putting effort into encryption and pseudonymisation. Knowing where (geographically) data is held, and whether or not it moves, is also important.

The GDPR includes the principle of least privilege when accessing data, and suggests using something like Role Based Access Controls (RBAC) to restrict access. There is a requirement to report data breaches promptly, and this in turn likely imposes a requirement to invest in proper IT monitoring and alerting.

The GDPR also implies a requirement for data portability. Organizations must be able to give a customer a copy of their data if they ask for it, so it needs to be in an easily extractable format.
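To make the three mechanisms named above concrete (pseudonymisation, least-privilege access via RBAC, and a portable export of a subject's data), here is a small added example; it is not from the original column or any GDPR guidance, and the record, the role table and the key are constructed placeholders:

```python
import hashlib
import hmac
import json

# Constructed sample record (not real data).
CUSTOMER = {
    "id": "c-1001",
    "name": "Example Person",
    "email": "person@example.invalid",
    "purchases": ["order-17", "order-42"],
}

# Hypothetical re-identification key; in practice kept in a separate
# store from the pseudonymised dataset so the two cannot be joined casually.
PSEUDONYM_KEY = b"demo-key-kept-in-separate-store"

# Role -> permitted actions: analysts never see direct identifiers,
# only the data protection officer may run a subject-access export.
ROLES = {
    "analyst": {"read_pseudonymised"},
    "dpo": {"read_pseudonymised", "export_subject_data"},
}


def pseudonymise(record: dict, key: bytes) -> dict:
    """Strip direct identifiers, replacing them with a keyed HMAC token.

    Same input + same key -> same token, so records stay linkable for
    analysis, but the token cannot be reversed without the key."""
    token = hmac.new(key, record["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
    return {"subject": token, "purchases": list(record["purchases"])}


def authorise(role: str, action: str) -> None:
    """Least privilege: deny anything the role is not explicitly granted."""
    if action not in ROLES.get(role, set()):
        raise PermissionError(f"role {role!r} may not {action}")


def export_subject_data(role: str, record: dict) -> str:
    """Data-portability export as plain JSON, gated by RBAC."""
    authorise(role, "export_subject_data")
    return json.dumps(record, indent=2, sort_keys=True)
```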

Complying with upcoming data protection regulatory regimes such as the GDPR will not be easy. There are a lot of companies selling tickbox compliance that is questionable at best. Until case law is established in court, there will remain a great many uncertainties about the exact implementation requirements and the scope of financial impact for various different offenses.

Worldwide Impact
The GDPR will impact all organizations operating on the data of European Union citizens. This means that not only are even the smallest of EU businesses required to comply, but any organization located elsewhere in the world which acts on an EU citizen's data is theoretically required to comply.

It is unlikely that anyone in the EU suing using these new data protection regimes will be able to enforce a judgment against a company, for example, based in the U.S. with assets and customers only in the U.S. That said, organizations that aren't headquartered within the EU but which have assets in the EU are in the firing line.

American cloud companies in particular will be in a tough spot. Political requirements in the U.S. are trending toward allowing law enforcement and government unfettered access to all data held in clouds, for any reason, with virtually no oversight. As politics becomes law, it will be increasingly normal for organizations using American cloud services to be legally required to divulge information in the U.S., and legally prohibited from divulging that same information in the EU.

Similarly, a showdown looks set to emerge over the right of end users to have their data deleted. Even within the EU there is potential for conflicts between laws requiring retention of data and data protection laws like the GDPR that give citizens control over their own data.

One thing's for sure: with less than eight months until the GDPR enters into force, there's not a lot of time left to get ready.

About the Author

Trevor Pott is a full-time nerd from Edmonton, Alberta, Canada. He splits his time between systems administration, technology writing, and consulting. As a consultant he helps Silicon Valley startups better understand systems administrators and how to sell to them.
