Many organisations have only approached GDPR from a legal perspective, but this only deals with a fraction of the task at hand.
GDPR is now lumbering into view on the 2018 horizon, and many organisations have left themselves tied to the train tracks. The major EU regulation is arriving amidst a hive of innovative activity, with enterprises pursuing the business benefits promised by digital transformation, a process that generates vast quantities of data.
CBR had the opportunity to talk to Jason Tooley, the Vice President for Northern Europe at the data management specialist, Veritas, about the impending regulation. It is clear that many are far from achieving compliance and some are beginning to make preparations, but there is only one way that GDPR compliance can be achieved while striding ahead toward digital transformation.
Mr Tooley said: “There are lots that are not ready, that is fair to say. Gartner recently said that GDPR had created 50,000 new jobs in EMEA in the last 12 months, however most organisations are not close to being compliant.
“What you have tended to see is organisations starting with what we would probably view as legal compliance – so what does my contract between myself and my supplier look like? Because what you should be looking for is if you are a supplier to me, those contracts should reflect consistent, appropriate use of information.”
The Veritas VP recognises that the enterprise reaction to GDPR began from the top down, with a focus on legality first and foremost, before entering into dialogue with IT executives. While this is a vital aspect of the approach to GDPR, it does not answer the pressing issue of how to harness and monitor the explosion of data coming from innovative ventures like migrating to the cloud.
“Most customers started thinking about GDPR in that respect, starting with their legal teams. What they have also got to do is automate the process of becoming compliant, and that is where technologies like ours come in, because there is so much data being generated, especially by digital transformation, that you cannot take a manual approach to it,” Mr Tooley said.
The frightening prospect of facing a fine that could match four per cent of your organisation’s annual turnover, a very dangerous eventuality for many, has ruled the conversation on GDPR so far. While this holds an important message in terms of prodding organisations into action, it is not the whole story.
“You still see a lot of people talking about GDPR from the penalties perspective; twelve months ago we talked a little bit about that, but not now. We are now talking about it as an opportunity if it is done right.
“We have got customers already that are saying they can use GDPR in their annual report to build trust with their customers in terms of the services that they offer, and then they can use that to create new information-centric services to offer to their clients. That is where you start to be in the opportunity space rather than the penalty space.”
In terms of riding the wave of digital transformation alongside achieving GDPR compliance, there is an area Mr Tooley identified as one factor that is essential for organisations to understand. Responsibility is at the core of GDPR compliance, and this is potentially a major and widespread grey area.
Mr Tooley said: “A lot of customers have it in mind that it is the cloud service provider’s responsibility for governance or compliance, it is not. What you need is organisations to think ‘I have a cloud-first mentality, I am going to be looking at services that I need to bring to market, I need to be agile, I might want to create those services in the cloud, the information that those services are generating is my responsibility’”.
While managing GDPR compliance alongside digital transformation is a challenge, the Veritas VP ultimately believes that the two cannot be disassociated. This is because digital transformation, and innovation more generally, is reliant on collaboration and openness in terms of sharing data. With customers being trained to withhold their data, this could easily become challenging. With GDPR in place, customers can be reassured regarding the safety of their data.
“So you started off with a piece of regulation where people were asking how to deal with it, but we very quickly started to see that digital transformation, digital compliance and cloud are so closely interrelated in both creating value and also in maintaining compliance – you cannot really disassociate them.”
Commenting on cybersecurity, Mr Tooley said: “The only visible measurement of an organisation’s information governance historically has been when an organisation has been breached. GDPR is now going to create the second highly visible measurement of an enterprise’s information governance, disciplines, strategies and how they approach it. For most organisations, that is where that link between cybersecurity, data breaches, compliance and risk come together.”
In light of this, when companies take both a legal and a technological approach to achieving GDPR compliance, the subsequent environment could prove very conducive to innovation. Summing this up, the Veritas VP spoke about the effect of data breaches on trust.
He said: “The next part of this is cybersecurity, part of GDPR relates to data breaches, but if you really want to build trust with your customers so that they share their information more effectively, the easiest way to lose that is to have a data breach. GDPR means those data breaches will have to be shared in a more visible way than ever before. All of these things are very interrelated, data protection, cloud, digital compliance, all really under the banner of digital transformation.”