Today, we saw the publication of the UK Government's Statement of Intent on its forthcoming Data Protection Bill — an interpretation of how the EU's General Data Protection Regulation (GDPR) will be delivered into UK law.
The materials accompanying the Statement of Intent focus on several key elements of GDPR including:
- The Right to be Forgotten/Right to Erasure
- The wide definition of personal data
- Free Subject Access Requests
- Data Protection Impact Assessments (DPIAs)
Based on the requirements of GDPR, which we wholeheartedly support, we believe it is important for businesses to be more accountable for their data processing and management, with data privacy being an obvious priority for all.
We have seen several vendor-backed research reports stating that businesses are a long way off from compliancy. Anecdotally, having spoken to our partners, customers and prospects, there is uncertainty from businesses about what to do, and how far technology can help resolve these issues. Some vendors perpetuate this uncertainty to say they are “GDPR compliant” when no certification has been issued. I think it's time we made something clear to anyone in doubt...
GDPR is not going to be solved by buying a piece of technology alone, be it hardware or software. It is about people and process. Technology can aid parts of this journey, but will not help mitigate against GDPR risk alone.
We believe the move by the UK government today — the first of its kind from a government around how GDPR should be implemented — should be applauded.
We hope UK businesses take this news to heart and begin if they haven't already, to prepare for GDPR. For other EU countries, we recommend that you take note of the news, as similar action will be taken within your countries. And, for those outside of the EU, remember GDPR is not just for Europe — if you have customers or prospective clients within the EU, or process/monitor data on EU citizens — it affects your business too.
Back in May we published advice on how businesses should go about assessing their needs, and we again reiterate these points, not simply to mitigate against the potential for severe fines, but rather to respect the rights of the individual.
A digital economy requires advanced security and Availability technologies to develop and grow, and to help manage data. But, at its very foundation, a digital economy must be grounded in positive moral principles such as ethics, respect and trust, to support data flows, something technology alone cannot do.
This is a milestone in the history of IT, and is in direct alignment with the long-term historical pillars of IT security: confidentiality, integrity and Availability. From Veeam's perspective, we feel a natural complement on the Availability side of that and look forward to enabling UK organizations to meet the GDPR standards where our technology allows.
In the coming weeks, we will be delivering materials that will help you understand the back-up and data protection requirements of GDPR (without scaring you into buying our products). Until then, begin your own DPIA and understand more about where your data resides, who has access, and who is using non-compliant data, because there are just over nine months left until GDPR becomes a reality.