Here we are, one year out. Just 365 days separate us from the enforcement of the General Data Protection Regulation (GDPR), one of the biggest changes to how personal data is handled and managed in the last 20 years. If you’re reading this blog, you’re likely affected by it, either as an employee of a business with customers in the EU, as an EU citizen yourself, or perhaps both.
At Veeam, we believe in rules that protect the rights of consumers, and have welcomed GDPR since it was adopted by the European Council some 14 months ago.
What is it all about, and why now?
In short, GDPR strengthens and gives new rights to individuals over their personal data, such as who can access it, where it can reside, guidelines and response times if the data is accessed during a security breach, the right to be forgotten by a business and the retrieval of information, to name just a few areas.
This is a necessary law. We are living in a society where breaches are coordinated and cost businesses upwards of $100 million, and share prices drop an average of 1.8% post-breach. Since 2013, more than 200 breaches were publicly disclosed on seven global stock exchanges, with 65 considered to be severe and catastrophic. And the information obtained is frequently that of a business’s users. This can lead to fraud and more sophisticated targeting, all of which leaves a consumer with a low opinion of a brand that allowed it to happen.
More importantly, this regulation is designed to create new rights for individuals and to strengthen their existing rights. This includes fundamental principles such as the right to be informed, the right of access, the right of rectification, the right of erasure and the right of data portability. Personal privacy will become increasingly important as digital life and data become more valuable to the industry.
Recently, we’ve welcomed to the workplace a generation that has only ever lived a digital life. Their expectation is that the internet and Internet-based services just work, and that digital experiences must be seamless and Always-On. Similarly, a willingness to share and trade information in exchange for a service has brought about issues around data privacy and ownership.
A necessary change
A decade ago, smartphones didn't exist. Three decades earlier, no one owned a home computer. In fact, when the Data Protection Directive (DPD) was created in 1995, the internet as we know it today did not exist. The world around us continues to change, and with those advancements must come changes in regulation to ensure we can use technology in a safe, secure and responsible way.
We believe GDPR is a positive regulation. It reinforces the weight of responsibility businesses have when they collect our data (as users), where they store it, and how they protect it. If a heavy fine and penalty helps restore the ethical and moral responsibilities of organizations, and increases their desire to better manage data, so be it.
The road to compliance
As a business based in Switzerland with a global customer base, we must address GDPR, too. I sit on a team that manages our compliance with the regulation. While we’re in good shape, we understand that not everyone is.
What we’ve seen and heard from our customers varies a lot. For some, the realization is that this is not just a case of documenting what they already do; it will require a fundamental shift in how they operate, handle risk and manage data. Others, in industries more familiar with heavy regulation, are well-set and need to make only small changes.
While the previous DPD regulation was very similar, the difference with GDPR is that it’s mandatory and supported by a range of fines for noncompliance — some up to 20 million euros or 4% of a business’s worldwide group turnover.
No one-size-fits-all software exists
A critical thing to remember when reviewing GDPR within your business is that this is not merely a technology issue. Certainly, technology plays a part in helping discover, track and notify, but this is very much a legal and compliance issue and will relate to a lot of offline conversations, decisions and strategies.
Be skeptical of vendors saying their software is GDPR compliant when there is no certification to support this claim, and no single piece of software can ensure all aspects of GDPR are met. For example, how does a piece of software ensure you have appointed a Data Protection Officer (DPO)? Some of what I’ve seen is clever marketing, while other vendors are just plain misleading. Assess products with the strictest of review. Don’t buy into a solution because you think it’s going to save the day and insure you against a fine. News flash — it won’t.
How can Veeam help with GDPR?
Where Veeam can assist centers on very specific aspects of your GDPR compliance. Veeam already has great dashboards and reports that can assist in proving compliance for certain articles in GDPR, and our ability to restore access and availability to data in an expedited way following an unplanned outage is commonly understood to be market leading. Similarly, our backup verification testing ensures your organization can assess and evaluate the effectiveness of data saved for restore, answering yet another demand of GDPR.
Right now, we’re encouraging the organizations we work with to do a GDPR gap analysis to assess where they are in terms of compliance with the regulation. This should begin with data flow mapping. This will provide you with the locations of all personally identifiable information (PII), and begin the process of determining who has access, where efficiencies can be made and where data needs to move.
Over the next 12 months, we’ll provide you with more information on how Veeam can assist in your GDPR compliance plans. In the meantime, do not delay in beginning your GDPR gap assessment, for the resultant fines and fallout will be significant.
Failure to comply with GDPR comes with heavy fines and, as with the business challenge of Availability, heavier costs around consumer confidence and loyalty.