In five questions or less, an industry expert defines and explains a technology, term or trend in CBR’s Tech Express – with this installment seeing Jes Breslaw, EMEA director of strategy at Delphix, explain GDPR.
CBR: What is GDPR?
JB: The General Data Protection Regulation (GDPR) is a new set of rules coming into force May 25th 2018 that governs how businesses collect, use, and share data from European citizens. It asserts that companies -EU-based or otherwise – must build data protection into their system design and infrastructure, or risk severe penalties. Businesses will face fines of up to 4% of global turnover for non-compliance, which is enough to jeopardise ongoing European operations.
CBR: How will GDPR impact data privacy and data protection?
JB: In a GDPR world, there will simply be nowhere to hide for a business that suffers a breach. The regulation punishes businesses that fail to leverage appropriate protection measures – such as data masking technologies—as a part of their overall security posture. Data masking enables companies to fulfill GDPR requirements to pseudonymise sensitive data that otherwise could directly or even indirectly identify a specific individual. Worryingly, our research indicates that over a fifth (21 per cent) of UK business have no understanding of the impending legislation, with a further 42 per unaware of the data masking tools that the legislation recommends.
CBR: What does GDPR mean for UK businesses?
JB: For many businesses, the GDPR will not only force them to ensure compliance and reduce the risk fines, but it will also help to usher in a new wave of IT innovation. As businesses look at how they manage, secure and deliver data as part of compliance demands they can also see agility and quality benefits in other areas. By combining data masking with data virtualisation, it will create opportunities for the business, improving the availability of on-demand secure data that can be used to accelerate IT initiatives and support innovation.
CBR: Does GDPR ensure data protection/data privacy?
JB: Only if robust security measures are adopted. Article 30 of the GDPR sets out the security requirements that businesses are expected to satisfy. It requires that businesses must implement “appropriate” technical and organisational measures to secure personal data, taking account of the risk presented to individuals if the security of that data were to be breached. In this regard, the GDPR expressly says that businesses should consider implementing “as appropriate … the pseudonymisation and encryption of personal data.” While the law stops short of telling businesses they must implement pseudonymisation, the express reference to in the security provisions of the GDPR is highly significant, as regulators will take its implementation into consideration when considering compliance.
CBR: Will Brexit affect GDPR in the UK?
JB: For the immediate future, the UK will continue to be subject to the same data protection regime as the rest of the EU. It may even be longer, depending on how long exit negotiations take. It’s also important to remember that the GDPR will still apply to every business that offers goods and services to EU citizens or that monitors EU citizens’ behaviour, regardless of whether it sits within the EU or not. Organisations still need to focus on getting their GDPR preparations underway.