The European Union’s new privacy law, the General Data Protection Regulation (GDPR), will come into force in a year’s time on May 25, 2018. This is more than just a privacy law for Europe – it affects any company with more than 250 employees anywhere in the world who handle data for anyone residing within the EU, not just EU citizens.
Disruptive.Asia talked to Chris Bridgland, CTO and Technology Practice lead for Emerging Region in EMEA at Veritas, who highlighted some of the results of Veritas’ 2017 GDPR survey and the challenges companies face in achieving compliance.
Complying with the GDPR rules means being able to see into all of the organization’s data, which will help adopt a holistic approach with processes adopted across all industries, geographies and business units, and provide a clear strategy on access and classification, Bridgland said. Organizations need to know where personal data is stored, in what form it is found, and keep track of who is authorized to access it. This can be difficult, given today’s fragmented computer systems and networks.
When a data breach happens, GDPR rules stipulate that enterprises have provide notification within 72 hours. But a bigger issue for companies is data access and the right to be forgotten, Bridgland says.
Any EU resident can say to any organization, “Give me any data you have on me.” If the request is valid, the organization has to search, process, redact and present that information within 30 days.
While a key benefit of the GDPR is that it brings consistency to the EU’s data privacy regulation landscape, that consistency does come at a cost – literally. The maximum fine for non-compliance under GDPR is 4% of global turnover or $22 million (20 million euros), whichever is greater.
To give an idea of the difference this makes, Bridgland spoke of the case of a telco in the UK that was recently fined $513,000 (400,000 pounds) for a data breach. Under GDPR, the same company would have been fined $90 million (70 million pound), which could be potentially business-ending.
Are you ready?
The Veritas survey exposed marked differences in GDPR readiness across the globe. For example, 35% of US companies surveyed said they were already GDPR compliant. In Asia, those percentages were lower, albeit varied – in Singapore, just 18% of respondents said they were compliant, compared to 19% in Japan and 31% in Korea.
Asked why Korea was more ready than Japan and Singapore, Bridgland explained that this was a survey asking C-level executives if they felt their companies were ready for GDPR rather than a consultancy study of how ready they really are. “It’s unique to their appreciation to what GDPR means,” he said.
More important was a number that was roughly equal throughout the various regions – the question of whether companies were worried about not meeting the GDPR deadline. Here’s how many said yes: US 87%, Singapore 92%, Japan 72% and Korea 93%.
“A lot of organizations, including more than 50% in Europe, do not think they are ready for GDPR deadlines. That almost negates the statement ‘I’m GDPR ready’,” he said. “[It’s more like] ‘Am I GDPR compliant? I probably have good privacy processes I can build on. But can I get it ready for next year?’ Suddenly customers are having to look at their agreements with cloud providers and third parties.”
That’s because the company is effectively a GDPR data controller, which is still responsible for the data when it is given to data processors. Data processors are in turn bound by GDPR rules, and they have to be able to report on data losses, or be able to respond to data access requests.
GDPR is a very different animal compared to Sarbanes-Oxley or BASEL in that much of the data that the company is expected to handle in compliance with GDPR is unstructured data in email, not just financial transactions. In the world of GDPR, you cannot simply say that you have had a pretty good look at the data – you have to prove that you have done an audit and gone through all your data stores, Bridgland explained. That is a massive change from previous regulations.
Traditional compliance is about finding anomalies, security logging and reporting on things that are out of character. In a world of unstructured data, the company needs to go through PowerPoint presentations, Word Documents and image files.
Yes, even photographs. Bridgland said he has spoken to legal counsel and confirmed that photographs come under GDPR regulations. There needs to be the ability to search within an employee’s home directory and look at the content of those photographs.
“Going to find someone’s face in a photograph is going to create a real challenge,” he said.
That’s not the worst of it. Some organizations, especially those in Germany, are saying that IP addresses are personally identifiable data elements that are protected under GDPR.
Keep your data clean
Bridgland’s advice to any business is to always question why they need to hold that data and what is the business case for it. That is how you get into the issue of proactive cleaning of data.
Apart from data breaches, companies also have to protect themselves against class-action and subject-access requests – for instance 2,000 ex-employees taking their employers to court and demanding all their personal data under the GDPR.
“Six months ago when we started asking the question, the interesting thing was that IT departments were almost but not quite oblivious to the massive need to build up security and searchability in every data source. The CFO and the CEO and that new role, the Chief Digital Officer, were aware but somehow assumed that IT would simply sort it out. Suddenly they are realizing that they have neither the investment nor the time,” he said.
The scale of investment needed is staggering. Even with an information governance solution that can return results immediately, a query that results in 30,000 documents means that each day the company has to audit, redact and have a lawyer approve 1,000 documents just from that one query to meet the 30-day deadline.
What about encryption? Bridgland says it depends on who holds the key. If the company holds the key then yes, they should be able to search through the data that is under their control, but if an ex-employee leaves encrypted files on a company server and, perhaps maliciously, throws a GDPR data request at the company, then that is a very defendable position under GDPR.
Asked if the huge amount of data logs by telcos was particularly challenging, Bridgland disagreed. Telcos and the banking world are very mature when it comes to searching and mapping data – it is more the unstructured data that is the challenge.
The Veritas 2017 GDPR report can be downloaded here [PDF].