Ever wanted to read a post on GDPR with a Star Wars reference? Well look no further, these are the droids you’re looking for.
Yesterday I attended Microsoft Airlift on Security. All in all, it was a great event with a mix of general discussion around privacy, information management and security solutions. Even though there was a natural bias toward looking at all these issues from a provider perspective, most of my take-aways came from the more general discussions around GDPR.
As most know by now, and as soon everyone will be aware, GDPR will have a huge impact on both technology and process management for just about every single business operating within the EU to any capacity. No doubt, GDPR compliance will spawn a whole new business segment within data management and security.
Before we start discussing further, let’s take a look at what the GDPR actually is. (Note, I am not a legal professional, and the information contained in this post should in no way be interpreted as legal guidance, this is simply my understanding and interpretation as a layman)
GDPR in a nutshell
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU (source: http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf)
Simply put, the scope of GDPR is humongous. GDPR regulates all use of personal data in some way linked to an EU citizen by any organization in the world. All users will have the right to understand how, why and where their personal data is stored, as well as the right to have their personal data completely erased.
What is personal data? Essentially, it’s anything that can be linked to that person, private or public. This ranges from data that we would already classify as sensitive, like banking details, address, credit card details and medical history, to anything from name and photos to even social media posts. So in theory, even if I send something as insignificant as a restaurant recommendation to a member of your organization, you are responsible for complying with GDPR in dealing with my personal data. Also, if that member of your organization prints out my email and then deletes it, you will still be responsible for the data contained on the print-out. And you need to have the processes in place to handle this data according to GDPR in terms of retention time, privacy, right to be erased etc. Freaked out yet? (if not, maybe you should be)
I could go on for pages just talking about the GDPR, but for the sake of this post, let’s just agree that the GDPR is like a little speck on the horizon slowly approaching, and as it comes closer you realize: “That’s no moon… it’s a space station!” And depending on how prepared you are, you might, just like Luke Skywalker, “have a very bad feeling about this”.
(if you want to know more and get a quick overview of GDPR I recommend starting on Wikipedia: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation)
So, back to my original idea for this post. Will the implementation of GDPR and its rigorous security and data management demands drive cloud adoption? An interesting part of the GDPR is the idea of “privacy by design”, which requires data protection to be built into all technologies and business processes. Ok, so what does that mean in terms of tangible policy? The way I interpret it (and some smarter people than me), it means that if you do not have processes in place to deal with the above-mentioned example of restaurant recommendations (and frankly more important matters) you are liable to be sanctioned in any way from a written warning up to 20,000,000 EUR or up to 4% of your annual worldwide turnover. Now, I’m sure we’ll have to wait and see what kind of precedents are set in the EU courts, but the risks are very real indeed.
Now, what options do we have? Disable e-mail? Stop using social media? Pull the plug on all printers? Ask customers not to contact us because we do not want to be burdened by handling their data? Well, even though feasible, I don’t really see these as great options for sustaining a business…
Any other options? The way I see it, the only way to sustainably deal with GDPR is to proactively build the required processes into your organization. And I would argue that a key part of this is to embrace the cloud solutions that are already designed with the GDPR principles in mind, where “privacy by design” has already been implemented (this is a conversation all service providers should be part of). And if you are using services built on GDPR-compliant technology but developed by a third party, you need to make sure the third party is also compliant with GDPR requirements. This is an integral part of your “privacy by design” business process design.
Leaving the seminar yesterday I had a thought I could not shake. In the near future, will organizations be able to trust on-premises IT? Ironically, security and privacy have long been objections when it comes to adopting a cloud IT strategy. Today, organizations may feel that they are in better control of their customer data when it sits on their own server. I believe that the GDPR will change this radically. Not only will the GDPR put enormous pressure on all cloud providers to secure data, but moving to cloud-based solutions will also allow organizations to “pass the buck” of GDPR non-compliance to their cloud solution provider. If you don’t handle data, you side-step the potential blame if there’s a breach. So now, all of a sudden, cloud-first becomes a risk-mitigation strategy!
Now, how will the cloud solution providers deal with this? I think we will see a lot of movement on the market, and it will become very clear which providers take customer and data privacy seriously. Of course, I wouldn’t be doing my job if I didn’t mention that basing your cloud offerings on Microsoft’s CSP stack is one way to ensure that your offerings are built on the principles of “privacy by design”, and that this will no doubt be an expanding business as more and more organizations start looking into GDPR compliance.
If you want to know more about reselling GDPR-proof Online Services, let’s connect and we can get into the details.