GDPR Mastered: Preparing for history’s biggest data privacy revolution
Where does the right to be erased and forgotten sit in the GDPR?
SF: This is the biggest challenge certainly in terms of GDPR from where the technology comes into play. I do not think there is going to be a single solitary company that is going to be compliant with the right to erase come May 2018.
The right to erasure is extremely difficult. Not from a main system perspective, such as data from an HR system. The problem becomes about the historical data that has been backed up, the replications.
What about the third parties that provide a service on someone’s behalf? There needs to be an understanding that it is virtually impossible to 100% erase that data if we do not know where every instance of that data is.
With GDPR coming into force, is incautious use of cloud a burden to compliance?
SF: Absolutely. When cloud first came out, everyone was jumping on the bandwagon because it was flexible, scalable and manageable. The problem is, they did not think of the data privacy compliance aspects.
And there have been a number of companies, especially financial services companies, that embarked early on the cloud without doing the privacy diligence.
When they tried to get the data back, they found out that it was either cost prohibitive and they could not get it back, or they did not know all the places where the data resided including where it was replicated and backed up.
That goes down to the fact that just by having a data centre, that does not guarantee that is the only place where your data resides.
Cloud adoption will not slow down, but companies will have to do a better job at choosing their cloud providers from a data privacy perspective, and ask the right questions about performing backup assessments, asking privacy-diligent questions before they even start looking at security.
What questions are the most important to ask?
SF: First and foremost, they need to ask how does the cloud provider comply with all of the data privacy laws, how does the cloud provider comply with GDPR, and what obligations does the cloud provider accept as a data processor.
Often the answer is that they will accept responsibility for compliance with data privacy laws where they process the data.
That is not acceptable because if data is processed in the US, does that mean it is only going to comply with data privacy laws in the US and not EU privacy laws?
The question has to be: how do they comply with laws in every jurisdiction in which their customers operate or where the data originates? That is a totally different and extremely important question. The other question that I ask is how we get the data back once there is no longer a business relationship.
Another big one is: what happens if there is a legal loophole on the data and the cloud provider receives an order from the court? How does the customer even know that the data is now in a legal loophole?
None of these questions that should be asked have anything to do with technology or security; they have to do with the foundation of data privacy and the right to have that data.
How is GDPR going to change the boardroom?
SF: The boardroom is going to be concerned about all these issues and the conversations are going to change. They are going to start by looking at the full lifecycle of the data they collect. They are going to be asking the company what data do you actually need in order to manage the customer relationship or the employee relationship.
Do we have a handle on why we are collecting data and what we are doing? Risk mitigation is becoming extremely important in those conversations, and this is going to become much more aggressive within the boardroom.
Traditionally, the boardroom has talked about profits, revenues, performance, products. That is still going to be important, but now the conversation is going to start with data governance and data privacy.
In the end, are boardrooms educated enough to discuss this?
SF: No, but they are slowly coming at speed. The conversations are just starting, and part of that is because of the misinformation that is out there.
This article originally appeared in the Data Economy magazine.