
GDPR a "phenomenally powerful" opportunity if done right

17 May 2018

There’s little doubt you’ve been drowning in GDPR content over the past months with the deadline just around the corner.

Businesses around the world have been scrambling to get their data protection practices in line with the imminent regulation, as the consequences are steep – fines of up to 20 million euros or 4 percent of total worldwide annual turnover, whichever is higher – and there is a general belief that the European Union will seek to make early examples of non-compliant companies to prove the GDPR has ‘teeth’.

But how can you sift through all the content and get a simple straight answer? Fortunately I was able to catch up with Henley Business School GDPR Programme executive fellow and director Ardi Kolah at the recent SolarWinds MSP Empower MSP event held in Amsterdam.

“One of the things that we have to focus on is that this isn't the end of a journey. In many respects the 25th of May is the start of a journey. Up to that point there has been a transitional period,” says Kolah.

“The GDPR is in fact active now and was adopted by the European Commission back in April 2016. Because it touches the deep tissue of all organisations regardless of sector, the European Commission gave those organisations and member states time to get ready - two years - for what this new landscape would look like.”

Kolah says the headlines reporting that a significant number of businesses are not ready for the deadline are true in some respects, as there are a lot of organisations that haven’t taken that opportunity and are now concerned about what's going to happen to them.

“In short, the sky won't fall in and the sun will still rise and set. What will happen though is that we are now working in a different landscape where we are processing people's data to a much higher standard than has been the case for the past 20 years,” Kolah says.

“That's a journey which we will continue to be on forever. Once we've reached those standards that we're expected to attain, we have to maintain them. It's about continuous improvement. If you're a global company, there shouldn't be a struggle, you shouldn't be panicking, and it should fit within existing policies, processes and procedures that you're doing anyway in order to maintain world class standards.”

Kolah says there is a lot of confusion about what the 25th of May will actually bring.

“It's the end of the transition period. You've been expected to change your policies, processes and procedures to be in alignment with these higher standards and effectively in very simple terms you're expected to identify what you're doing in terms of processing personal data of either high or very high risk,” says Kolah.

“You're then expected to have identified the relevant data to reduce it to a residual risk which doesn't cause harm and damage. Effectively, if you've recorded what you've done to reduce it from a very high risk to a residual risk by putting in appropriate organisational measures and recorded what you've done, should you have a data breach post the 25th of May you will have a narrative that you can put before the supervisory authority (and the regulator if you're in a regulated market) to demonstrate that you've taken all the steps necessary in order to mitigate risk. That in a nutshell is what you and I as individuals expect an organisation to do.”

Kolah stresses that it’s not just about reaching GDPR compliance, but growing and maintaining it – with the secret behind it being a rebooting of how you’re thinking about data protection, privacy and security.

“What you may have done in the past may have been a bit of a tickbox exercise where you've done lots of stuff and data protection was an item on the list that you could tick when complete. Those days have gone. Everything that you now need to do in terms of products and services regardless of whether that's to be on a paid-for basis or even a free basis has to have data protection baked into it,” says Kolah.

“It's an approach that has been around for a very long time and it's called data protection by design and by default. That is now hardwired into GDPR as Article 25, which is not a very long article but we describe that as being GDPR in a box because if you can comply with data protection by design and by default you're effectively going to be compliant with GDPR.”

Kolah says the introduction of GDPR is well overdue as it is replacing 20 years of data protection laws and regulations that have essentially been a ‘patchwork quilt’ across the whole European Union.

“That created confusion, uncertainty, and an increase in cost - all things that are very detrimental from a business point of view. It's also not good from an individual's point of view because you weren't sure how your rights would be protected in Dublin vs London vs Athens vs Paris etc. That just doesn’t work anymore,” says Kolah.

“As technology has accelerated with the pace of change, the legal framework has been dragged and in a lot of cases stretched behind it. What the GDPR is trying to do is to actually update and create a framework that is not trying to stifle innovation but simply provide data protection alongside it.”

Despite this, there are a lot of organisations that say it’s a tradeoff between innovation on one hand and data protection and privacy on the other – something that Kolah says is incorrect.

“It's about doing more, not less, with personal data. And that depends on us deepening digital trust with those people that we're trying to involve with in a sense of products and services. That's really important because if we can build digital trust then we can do more with personal data, which is a real opportunity. The way we can do that is so simple but it does require a reboot in our personal thinking,” says Kolah.

“And it's this - we need to be transparent, accountable, and constantly think about putting control back in the hands of the individual. If we're able to do that and do it in a way that doesn't cause harm or damage when we're processing personal data, we will not only survive but thrive, because from a commercial point of view so many organisations are not currently doing this. If we're able to pick this up and see it as the opportunity that it really is then it will be phenomenally powerful.”

Kolah is releasing a book in early June titled The GDPR Handbook that is based on his programme at Henley Business School and draws on practical experience built up over 20 years to present a solution in colloquial English - the only book to be officially endorsed by both the European Commission and the Information Commissioner's Office in the UK.
