GDPR: A year in the life

GDPR: A year in the life

To mark the GDPR’s first anniversary, Data Centre Review spoke with seven data technology experts to get their opinion on GDPR – one year on.

On 25th May 2018 the General Data Protection Regulation (GDPR) came into force meaning organisations that do not comply could now face heavy fines.

The GDPR replaced the Data Protection Act (1998), which was outdated in terms of many things but importantly in terms of our technology advancements and how integrated technology is in both business and personal lives.

Designed to protect and empower all EU citizens’ data privacy and redefine the way any and all organisations across Europe tackle data privacy, GDPR has had an impactful first year – or has it?

High standards, accountability, and enforceability

Eltjo Hofstee, managing directorat Leaseweb said, “As well as making businesses more accountable, GDPR has certainly had a hand in shifting attitudes towards data privacy, which is significant given that everything we do today centres around data.

“Considering GDPR’s impact specifically in a data centre context, from our perspective, customers as the data controllers carry the main responsibility of ensuring compliance, however owners and operators also have a role to play as the data processors.

“Being able to demonstrate that our systems and infrastructure meet the technical and organisational requirements to support GDPR compliance is good business practice, and meaningful to customers. We therefore ensure that in our agreements we are clear where critical data is located, from geographic location to devices, servers, and/or networks.

“Cementing this type of information at contract level also serves to clearly define the roles and levels of responsibility for GDPR between data centre operators and customers”.

Alan Conboy, office of the CTO at Scale Computing commented, “The regulation has made an impact in data protection around the world this century. One year with the high standards from GDPR, organisations are still actively working to manage and maintain data compliance, ensuring it’s made private and protected to comply with the regulation.

“With the fast pace of technology innovation, one way IT professionals have been meeting compliance is by designing solutions with data security in mind. Employing IT infrastructure that is stable and secure, with data simplicity and ease-of-use is vital for maintaining GDPR compliance now and in the future”.

Naaman Hart, cloud services security architect at Digital Guardian said, “Ultimately without the plausible threat of punishment the regulations will fail to impact wide sweeping change.

“While awareness is definitely up and companies have taken steps to address the criteria of the regulation, or minimise their risks from it, I don’t see evidence in recent breaches that the regulation is being followed.

“We’re at a turning point of sorts. If test cases start to emerge with significant fines, then companies will start to take more notice and we should see some positive impact from the regulation.

“As we enter the second year of the GDPR we can but hope that cases and fines continue to paint a picture that companies cannot avoid punishment for poor data handling. If the risk outweighs the reward, then we should see a societal shift towards better privacy which benefits everyone.”

Right to erasure

CTO of Nexsan, a StorCentric Company, Rod Harrison said he thought that, “GDPR has provided the perfect opportunity for organisations to reassess whether their IT infrastructure can safeguard critical data, or if it needs to be upgraded to meet the new regulations.

“Coupled with the increasing threat of cyber-attacks, one of the main challenges businesses have to contend with is the right to be forgotten – and this is where most have been falling short.

“Any EU customers can request that companies delete all of the data that is held about them, permanently. The difficulty here lies in being able to comprehensively trace all of it, and this has given the storage industry an opportunity to expand its scope of influence within an IT infrastructure.

“Archive storage can not only support secure data storage in accordance with GDPR, but also enable businesses to accurately identify all of the data about a customer, allowing it to be quickly removed from all records. And when, not if, your business suffers a data breach, you can rest assured that customers who have asked you to delete data won’t suddenly discover that it has been compromised”.

On the subject of the right to erasure Nigel Tozer, solutions marketing director EMEA at Commvault told us, “One year on from the implementation of GDPR, the bruising barrage of fines and thousands of ‘Right to be Forgotten’ requests have – broadly speaking – been avoided.

“In the lead up to and over the past year, there has been a raft of new ‘solutions’ flooding the market, often claiming to be the silver bullet for GDPR.

“The fact of the matter remains however, that there is ‘no one size fits all’ solution that you can plug in and simply press ‘go’, to solve all the regulatory requirements. There are, however, solutions available that allow the more effective identification, indexing, sorting and management of data in ways that enable organisations to more easily meet ‘Right to be Forgotten’ requests or provide notifications and visibility around data breaches – all of which are key components of GDPR.

“As we approach the first anniversary of the inauguration of GDPR and review the present state of the regulatory landscapes, the key take-away for us all should be this: regardless of shape or size, it remains of vital importance that organisations continue to take stock of how GDPR is evolving; reflect on how far they have come in their own compliance efforts over the last 12 months; and seriously consider how far they may still have to go”.

Clarity in guidelines

Operations and compliance director at Hyve, Graham Marcroft, said, “Before GDPR came to be law, most people were confused as to what it actually was, as well as what they needed to do to fully comply.

“Now we are a year on, and it would seem that – aside from the jargon and scaremongering – GDPR has acted as more of a proactive force, ensuring all businesses take a good long look at their data compliance and cybersecurity strategies.

“The introduction of GDPR a year ago has certainly shed more light on where some companies have been going wrong, and has also meant that customers look more critically when choosing where to store and process their data.

“When it comes to choosing an MSP, customers are now more likely to look for somewhere that abides by guidelines over and above what is expected by GDPR, such as independent accreditations like ISO27001”.

Vicky Withey, compliance manager at Node 4 commented, “The new regulations might not have changed the processes for data centres that already followed their own, and independently audited, stringent data regulations.

“But, having these specific guidelines in place across the board has meant that both data owners and data processors are fully aligned when it comes to strategies that ensure data is properly secure. Since GDPR, we have seen an increase in the amount of customer audits, as data owners have begun to align their practices with the regulations that reliable data centres, like ourselves, will have already had in place.

“One year on from GDPR’s introduction, and we now see that efficient cyber defences have become a big differentiator for customers when choosing where to store and process their valuable data. While there is this increasing focus on cybersecurity measures, there has also been a growing number of customers choosing to use data centres that offer stringent and robust physical security measures onsite.

“On top of this, customers have started looking to data processors that hold certifications which have been independently assessed, such as ISO27001, because these provide the assurance that their data will be handled correctly, and in line with strict regulations”.

A ‘fit for purpose’ approach

Matt Aldridge, co-founder and CEO, Mango Solutions added, “As part of our consultancy work in helping clients make data-driven decisions, we also advise them in best practice around securing their personal data when their processes may not be fit for purpose.

“By creating and supporting ‘fit for purpose’ processes, our clients can operate effectively and consistently without needing to ever worry about whether they are GDPR compliant. This means that, as we approach the first-year anniversary of GDPR coming into force, none of our clients have had to worry about this at all, and any data required for ‘know your customer’ projects is always anonymised in order to meet regulatory compliance”.