By Mark Adams, Regional VP, UK&I at Veeam
When it comes to the General Data Protection Regulation (GDPR), many of you may be feeling a bit like Scrooge, the miserable character from Charles Dickens’ Christmas Carol, during the festive period.
You can’t get away from hearing about the regulation, with mentions of it appearing in every publication you read. The four letters may even be seeping into your dreams. It’s making you anxious and miserly. Surely, there are greater issues for your organisation to worry about – right?
Unfortunately, I have bad news for you. The end of May simply marks the beginning of a GDPR-compliant world. If anything, you’ll only be hearing more about the regulation in the next few months, as the first instances of fines start making headline news. Even today people are talking about it, with the Information Commissioner’s Office (ICO) having handed out £1.7 million in fines in January 2018, a figure which represents a staggering 312% increase on the average monthly figure for 2017. Demonstrating that the regulator is sharpening its claws before the launch of the GDPR and the increased attention data protection will gain from the media, governments and the public alike.
All of this is especially important when you consider how the first few cases of GDPR non-compliance will influence the responses of others down the line. Organisations worldwide will be looking to see who falls foul first, and how they can avoid making similar mistakes and suffering similar penalties. So expect a continued influx of GDPR-related articles, as best practice advice emerges in the coming months.
Yet this needn’t be a bad thing. At Veeam, we believe that the new GDPR should be treated as the starting block for more comprehensive personal data management in the modern age. As such, action on compliance shouldn’t be left to the last minute. It must be treated with the same gravitas as any other major strategic business decision, like expansion or wider digital transformation initiatives.
To do this (and avoid being caught out by the regulators), businesses need to go about protecting their processes with a ‘privacy by design’ approach. This can be done in a number of ways. All of which will ensure that yours is not the business the ICO turns its gaze on.
Remain transparent and secure
Thanks to a number of well-publicised data breaches in the last few years, the public are now more aware and concerned about their data security than ever before. Under the GDPR, consent for collecting data will be an active activity – users will need to opt in.
Similarly, people will soon be able to exercise a variety of rights over their personal data. They’ll be able to place limits on the use, collection and disclosure of their personal information against organisations. Data controllers will need to be able to fulfil these obligations – not just for compliance reasons, but for customer service and brand reputation reasons as well.
It’s important to have processes and resources in place that can support this significant change – being clear and transparent on your intentions should be key. But it’s also important to balance privacy and security. A recent article from CSO discussed the risk of allowing GDPR rules to overrule security standards. It’s vital to constantly have one eye on the safety and availability of data, as well as its privacy. There’s a very real possibility that the first GDPR fine could come as a result of this tension.
Consider end-to-end security
One of the first pieces of advice a Data Protection Officer or GDPR expert will offer is to put the time and energy into building a comprehensive data map. This should let you quickly see where data is entering your organisation, how it is being collected, and the type of infrastructure and storage solution that underpins its existence.
By now, every business should have done that. So the next step is to retain a proactive, rather than a reactive, approach to data management, availability and security.
What that looks like in practice will vary by business. But regardless of size or structure, every organisation will need to adopt an ongoing plan for data monitoring and protection, that includes strategies for availability and backup, should a breach occur. These plans must be flexible enough to take into account the continuously shifting data landscape. And will require involvement from all areas of the business – not just the IT department.
The new age of GDPR
The cost of non-compliance is steep. To remind you once again, serious violations could result in fines of up to €20 million or 4% of annual turnover – whichever is higher. But the question remains, who and what will the regulators be looking at? Will their attitude be lenient, or will they look to make examples of the first to fall?
Only time will tell. But we can speculate on the type of organisations that may get stung first. It’s safe to rule out the public sector, for fines could easily bankrupt many essential services. Yet other sectors may not be so lucky. To stay protected, all organisations need to treat GDPR as an ongoing project – not just a one-time event.