Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe's GDPR already

Are you ready for 2018's privacy rules?


Comment Europe's General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying "buy our stuff or risk fines up to four per cent of your annual revenues." If you haven't done any preparation yet, is it really that bad and what should you do?

If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR, which comes into force on May 25, 2018, and will likely increase your costs.

What is GDPR? It is meant to hand control of personal data back to the people it describes, giving them, for example, a right to be forgotten. Personal information can include a name, home address, photo, email address, bank details, social networking website posts, medical information, and even a computer's IP address.

Your business needs to be GDPR-compliant but – and this is the bleedin' EU – it isn't as simple as that; there isn't a single GDPR compliance test. At an A3 GDPR session, lawyer Renzo Marchini – a partner covering privacy, security and information at Fieldfisher – said the regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It's fuzzy. You can't verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR.

Suppose you just want the GDPR issue dealt with, and order an SKU or contract with somebody to make it all happen. Tough luck. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don't exist. Ricky Patel, UK and Ireland channel sales director at Wasabi Technologies, said there is no uniform GDPR kit. Every vendor has their own implementation of the rules, every organization is different, and thus there is no one-size fits-all solution.


Reputable suppliers will sell you products that point you in the right direction to GDPR compliance, setting you on the correct path to avoid any fines. Joe Garber, global head of information management at Micro Focus, said his company has eight such pre-packaged GDPR starter kits. Similarly, Mimecast offers gear with GDPR email capabilities, ditto Quantum with its data protection products.

Garber said organizations in less-regulated industries are being pulled full tilt into GDPR. Does that mean GDPR will increase the addressable market for data protection and governance suppliers? "You're bringing in new use cases, and also investigation and e-discovery," Garber answered.

That's a big boon for e-discovery and legal hold storage system sellers. E-discovery, or data discovery, is important because a business needs an accurate inventory of all the personally identifiable information it holds so it can ensure said info is not mishandled under the new regulations.

The flip side is organizations' costs will go up if they are enveloped by GDPR.

Suppose you think to yourself it's a storm in a teacup, and it'll be easy to implement any necessary changes? Bob Plumridge, director and treasurer for SNIA Europe and a former Hitachi Data Systems CTO, estimated: "That'll be the case for the vast majority, but for 20 per cent or so it will involve fines."

The fines may be relatively small, unless a national watchdog decides to make an example of somebody. Ultimately, any penalties will be proportionate. The UK's data watchdog, the ICO, has ruled out issuing fat fines.

You can buy GDPR consultancy services, such as this one from Jawbone. We have no idea how good it is.

But, before doing that, check to see if your country's data protection regulator has readiness-checking services. In the UK, there are self-service checklists from the ICO, such as this one.

If you find out there's more to be done, note that you're just six months away from the deadline, and should probably assign a senior bod to get you ready. Consultancies such as Quocirca, Freeform Dynamics, and the 451 Group may be able to offer help to that lucky person. Another route for getting help is with a GDPR-skilled legal eagle.

The basic message here is to take the self-checking test and then, if you need to act, prepare to assign people and time, and therefore money, to appease the priests at your nearest GDPR temple, because there's no way out. GDPR is, one way or another, a tax you are going to have to pay. ®

Editor's note: This story was updated after publication to clarify that the GDPR covers not just EU citizens, as well as tidy up the language used.

Biting the hand that feeds IT © 1998–2022