In a global economy, changes in one region can have far-reaching impacts. Failing market indicators on one side of the planet tend to have a domino-like effect on other markets, highlighting the connected nature of world economies and global business markets.
The General Data Protection Regulation (GDPR) is a great example of change taking place in one part of the world — the European Union — that will have global impact. GDPR goes into effect in May 2018, and yet most companies that will likely be impacted by this European Commission regulatory change are not yet taking action.
The Domino Effect of Regulatory Changes
What is it? GDPR is a new EU regulation created to strengthen data protection for individuals within the European Union, including how that data is used outside of the EU. It will affect not only those businesses with a physical presence in the EU, but also any business offering goods or services (including online services and goods) to citizens of the EU.
In a recent #CollabTalk tweetjam on the topic of GDPR (summary available here), participants discussed many of the issues and concerns surrounding preparation for, and enforcement of, changes to data privacy regulatory changes such as GDPR — and the likelihood of other similar regulatory changes in other regions of the world due to the increasingly porous nature of our digital world.
Following the tweetjam, I asked several of the experts panelists to share some of their experiences working with customers to prepare for GDPR implementation, including:
- Dana Simberkoff (@danalousie), Chief Risk, Privacy and Information Security Officer at AvePoint, Inc.
- Tobiasz Koprowski (@koprowskit), Microsoft MVP and Founder of Shadowland Consulting
- Seb Matthews (@sebmatthews), Consultant, Technology Advisor, and Chief Executive Officer of extaCloud
- Nick Brattoli (@byrdttoli), Founder and Lead Consultant at Byrdttoli Enterprise Consulting
- John White (@diverdown1964), Microsoft MVP and Chief Technical Officer for UnlimitedViz and tyGraph
Preparing for the GDPR
I asked each of them to expand on the questions asked during the tweetjam, and share additional insights into their conversations with customers around GDPR impact and overall readiness.
1. Are companies underestimating the potential impact of the EU’s General Data Protection Regulation (GDPR) coming in 2018?
Dana Simberkoff: According to a global survey and benchmark report conducted by AvePoint and the Centre for Information Policy Leadership, companies around the world are working hard to prepare.
Tobiasz Koprowski: Yes. And no. It really depends on the country, industry, position in the market and the people you speak with.
In general, I can say that many of the companies heard about it and think about it, but honestly very few have started to do something in this direction — to making GDPR understandable. Many have no idea what it is.
When I start the discussion with customers, we spend two hours just talking about the fact that this change is coming, and what it means. Most really underestimate the potential problems with GDPR, and the differences between GDPR and ISO/PCI, which is a voluntary practice, versus the enforcement of GDPR.
Seb Matthews: What we’re seeing is companies broadly falling into four pots: the Ostriches, the Swans, the Tree Frogs and the Lions.
The Ostriches are simply burying their heads and hoping the entire regulation simply does not apply to them — this seems to be true of many organizations based outside of the EU — they’re convinced there is ‘nothing to see here’ and are carrying on regardless.
The Swans are putting on a brave face whilst madly scrambling behind the scenes to pay the information ‘taxes’ they have not been paying as they go along. They’re trying to gather, audit, classify and generally get a grip on the information they have, why they have it and where it is. They’re the most engaged but they’ve got a sweat on behind closed doors.
The Tree Frogs are calm. They sit there on their branch just chirping ‘compliant!’ every few minutes. In some cases they do genuinely get it, they’ve been through the process to understand their compliance/risk position and they’re pretty chilled. In other cases, they just have not understood the obligations (and the risks) and think they’re all good — in many cases this belief has been driven by what they’re being told by IT partners and vendors, who are actually Ostriches ….
The final group — the Lions — are the ones that are just backed into a corner and are lashing out at anybody within paws reach. They hate the EU, they hate information, they hate consultants trying to help them — they’re lashing out while secretly hoping the whole thing will just go away.
Nick Brattoli: In the US, I rarely even hear it get mentioned (it's typically people from the EU/UK mentioning it). Many US companies will be affected, and I don't believe they are putting enough effort into it. I have seen a lot of companies that have little to no data governance in place (even international ones). The amount of effort required to get up to regulation could be staggering.
2. Where should an organization start in terms of getting ready for GDPR, and what are the budget/timing implications?
Simberkoff: Start by understand the data that you hold. Global companies are allocating significant budget and headcount to prepare. If you’ve not already started this work, you may already be too late.
Brattoli: If your organization is not already familiar with the GDPR, I'd hand somebody smart inside your organization a copy of the book, "EU GDPR: A Pocket Guide" and have them read over it. If they understand it, make them your new compliance officer and pay them accordingly.
After that, perform an audit on all of your data, PII, policies and procedures, which you can then inventory and create Benchmarks from the GDPR (Look at this: https://www.avepoint.com/gdpr) to see your level of readiness and the effort required to get you there. Budget is going to vary based on the size of your company and the current state of your data.
As for timeline, there's no time like the present!
3. How should organizations benchmark their readiness for GDPR — and measure their progress?
Koprowski: Everything began around 2012. It’s not a new subject. On the portal for Smart Insight, you can see a roadmap for preparing for implementation. The steps they recommend include:
- Information you hold
- Communicating privacy information
- Individual rights
- Subject access requests
- Legal basis for processing personal data
- Data breaches
- Data protection by design and data protection impact assessments
- Data protection officers
If an organization follows something similar and builds their plan based on this example, they should be in great shape.
Matthews: For me, readiness in the context of the GDPR is broadly broken into steps that have a striking resemblance to a number of the famous 12 steps of AA.
It’s about acceptance of the issue, analysis of the current position, understanding the work involved to right-shift the position, working with partners to understand the multi-party implications, delivering the right-shift and then accepting the ongoing nature of the challenge.
When working with customers, we like to give them context by walking them through ‘The Six P’s’ — Placement, Process, People, Products, Privacy and Protection. We’ve designed a framework that allows us to help them map out their readiness position (and progress) by understanding how PII within their organisation sits into the 6 P’s.
Simberkoff: Not knowing is never better. Understanding where you are today creates an opportunity for measurable improvement. Look to the AvePoint/CIPL benchmark report for key indicators to rate your readiness.
4. What is the role of PII within Office 365 workloads and other Microsoft solutions?
Simberkoff: Because Office 365 workloads and Microsoft’s solutions are used for communication, collaboration and productivity, they are likely to hold both PII and Sensitive PII as defined under GDPR. This means you must take extra measures to assess and protect those systems.
Koprowski: PII is everywhere. Managing this kind of data is hard. First, we need to know what PII is, then what we need to do to secure and manage those data. You need to consider data in Office 365 as well as data that you own and manage within your on-premises environment. The role of this data is important, and feedback to Microsoft will be important to help drive Microsoft to improve services and deliver new functions.
5. What is Microsoft doing to help partners and customers prepare for GDPR?
John White: I think Microsoft is better positioned than anyone to handle the implications of GDPR. Recent security and data privacy enhancements to Azure and Office 365 demonstrate that fairly clearly. While some other cloud vendors seem to have their heads in the sand in this area, preferring to tackle the low hanging fruit in North America, Microsoft is addressing it head on. The German data center opening is a perfect example.
Koprowski: Microsoft is a secure, well-prepared, global service provider, as well as a very good advisor for business around GDPR. Material published on various Microsoft sites, including the Safety and Security Center in Office (especially labeling, categorizing, classification, compliance) and Security in Azure (compliance, classification), are very helpful.
We — the customers — just need to imagine what kind of data we have and need to secure. We — as specialists and consultants — can easily suggest solutions and demonstrate capabilities. Microsoft is adding additional documents, materials, and workshops every week to help customers better prepare for GDPR using their solutions.
Simberkoff: Microsoft is doing a lot of work to educated customers and partners in advance of GDPR and is providing guidance on what to expect from Microsoft. Microsoft is also aligning with key partners, like AvePoint, that specialize in data protection, security and privacy to support other customers and partners.
6. How will GDPR impact data privacy and portability, and the rate of innovation for collaboration technology?
Simberkoff: GDPR is all about data flows: understanding data as you create it or collect it, use it, share it and ultimately end of life it. This means that data (which flows like water within and between businesses) must now be measured and monitored. Privacy and security are the “dams” that keep us from drowning, and allow for safe data movement.
White: One impact of GDPR may be that European customers won't be in the first release wave for some new features.
7. What practical guidance would you give organizations just starting to plan for GDPR?
Brattoli: Three steps:
- Get a compliance officer
- Perform an audit and benchmark everything
- Create appropriate policies and procedures and disseminate them everywhere
Bonus: create quick reference sheets or find some on the internet.
Simberkoff: Start by understanding the data you hold. Evaluate your 'as is' environment while you think about where you need to be. Then you can create reasonable and measurable steps that let you demonstrate progress.
Don’t try to boil the ocean and do everything at once. Instead, think about tying your GDPR work to an IT transformation project. For example, if you are moving a legacy system to the cloud, that is a great time to do that data cleansing and build a compliant migration. This is an area that AvePoint works on with our customers around the world.
Even if you are keeping your data on premises, data is the new currency that fuels most businesses today. Take care of it and you will be able to use it. Good GDPR compliance means you are able to make data available to people who should have it and protect it from people who should not.
White: Where possible, leverage the Microsoft platforms. They're investing heavily in this space, and if they clear the way, then you may not have to. You can benefit from their investment.
Matthews: For organizations just starting out on the GDPR planning highway we would, in the first instance, give them some really simple advice:
- Wrap your heads around the Regulation. By legal standards, although there is plenty of opportunity for ‘grey-area interpretation’ many of the definitions are surprisingly clear and are not, therefore, too mired in ambiguity.
- Look everywhere. Many organizations have been stacking up information debt — the manifestation of not really knowing what is where and why they have it. Some of the greatest concerns we have for our customers revolve around their ability to be absolutely certain that when asked, they can provide, update or remove all of the information pertaining to a given individual. Failure to be demonstrably compliant will be the battleground for breeches in my view.
- Work with a partner, especially in the early phases. Sure, I have a vested interested in this advice but, as with so many ‘minefield challenges’ you can gain velocity if you don’t stumble over issues that others have already been through. It’s worth noting that in this context ‘partner’ does not necessarily mean ‘pay a consulting company.’ It could be seeking out peer groups, industry working groups or user groups and joining in the conversations they are having to benefit from the collective experience.