Soon to be enacted across the European Union, the General Data Protection Regulation – better known as GDPR – has caused no end of concern among UK CIOs.
Although it represents good news for consumers, from a business perspective, things aren’t quite so simple. While the regulation will be helpful in making it easier and more cost effective for cloud providers to offer pan-EU solutions, as well as making customers feel safer in entrusting valuable data to third-parties, GDPR is likely to have serious implications for Europe’s approach to disaster recovery (DR) and business continuity (BC).
For a start, there is a significant difference between the current DR directives and the rules set out by GDPR. Its introduction will necessitate a hefty cultural shift, not only in the management of technology but in the way people operate and the processes put in place.
The regulation will impact any business, whether based in the EU or not, that holds the personal data of EU citizens. Moreover, the definition of ‘personal data’ is broad and could change as consumers continue to expand their online presence. Ultimately, it means that not only must organisations intensify their data protectionefforts, they must do so for a large volume of data. In turn, organisations will need to extend their BC/DR efforts to cover this greater remit.
And, as the pressure rises, so too do the stakes. GDPR is driven by two serious threats: reputational damage and monetary fines. Although you could argue that the former has always existed – with plenty of organisations having endured serious backlash from consumers following a data breach – the idea of financial penalties is new. Organisations who fail to properly protect customer data can be fined up to a maximum of €20m or four per cent of their total worldwide annual turnover, whichever is higher. A high price to pay for ennui or delay!
To manage these changes, it will be mandatory for businesses of over 250 employees to appoint a Data Protection Officer (DPO). From training staff on how to handle customer data through to keeping track of all data within the organisation, the DPO role will need to take a granular approach to the backup and archiving of critical data. Furthermore, to comply with GDPR rules such as ‘the right to be forgotten’, DPOs will be expected to know, with pinpoint accuracy, where any set of customer data is at any given time; an exceptionally difficult task when you consider that a lot of customer data doesn’t even make it onto the organisation’s central server.
As a DPO, it would be your job to root out this data, ensure it is adequately protected, suitably encrypted, and included in all BC/DR initiatives.
With less than 19 months before the rule is enforced, the clock is well and truly ticking. With today’s complex IT environments and cloud deployments, BC/DR processes are already challenging and the GDPR ruling means that complexity will only become more acute and the need to test all processes well in advance is a must. Organisations need to be certain that in the event of an issue, they will be able to remain complaint with the regulation – even when operating with diminished resources. Having everything in place is likely to require multiple invocation tests as well as serious investment – in time and planning not just funds. All in all, preparation is likely to take over a year – meaning there is little room for error when it comes to laying the groundwork for GDPR compliance.
Attaining GDPR will not be easy. It will not be quick. However, with the risk of such severe financial, operational – and likely reputational – penalties, it is an issue to which organisations must begin to direct their full attention. Today!
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.