In just a few weeks, a new EU law will be approved which will heavily impact the regulatory landscape far beyond Europe’s borders. Aiming to protect consumers’ sensitive information, the EU General Data Protection Regulation (GDPR) will harmonise current legislation across the EU, obligating all businesses that handle personal data to comply with new rules regarding penalties, privacy and risk. Wimpie van Rensburg, country manager for sub-Saharan Africa at Riverbed Technology, talks about how to prepare for it.
Among other areas, the GDPR will regulate where personal data is to reside and how it is to be transferred to countries outside the EU. This means businesses across the EU will have to take a long, hard look at their security measures and adapt to the new law. This could be particularly tricky for companies with branch offices located worldwide, who will have to move data to geographically compliant locations while continuing to operate seamlessly.
Changes to data protection
Organisations operating within the European Union are already making provisions to comply with the new norm, which will include key changes to the ways personal data can be used and stored. By the time the law begins to be enforced in 2018, businesses will be expected to have compliant processes in place; otherwise, they could face huge fines. While the exact details on specific infringements haven’t been finalised, the agreed penalties are steep: up to €1 million or 2% of global turnover, whichever is greater.
In practice, the first step toward compliance will be for businesses to have a full understanding of where their information resides and where it’s being accessed from. For companies with branch office locations, the challenge will be working out which part of the data these changes apply to and determining which information currently residing in branches will have to be centralised to a geographical location compliant with the law. Additionally, businesses will look to place that data as close to the users as possible, in order to avoid network performance issues and ensure seamless access to the information they need to do their jobs.
New business challenges
As an additional challenge, the new regulation also brings added costs for businesses, which must comply with the expanded privacy requirements attached to the GDPR. The right to erasure—frequently referred to in the context of search engines as “the right to be forgotten”—will apply to databases, which will now be a potential liability to businesses. Individuals will have the right to have their data removed from databases unless businesses are required to keep it for legal reasons. Companies must also notify authorities within 72 hours of any data breach.
To comply with the GDPR, EU businesses will have to strike the right balance between protecting customer information and making sure users of that data can continue to operate the way they need to. This is easier said than done, especially when considering that, up until recently, businesses collected employee and customer information often with only a vague sense of how the data might eventually be stored and used.
As more and more organisations move to the cloud for day-to-day operations, visibility across the public, private and hybrid clouds will become critical. A dramatic increase in network complexity, virtualisation, and new, highly distributed application architectures demands a radical new approach to how IT operations look at their network and application performance infrastructure.
The road to compliance
While some companies are still scrambling to catch up with the GDPR, many are already in line with the new regulation. Having realised the importance of building their IT strategy based not just on what is dictated by the law, but also on what they need from an operational standpoint, they are using the latest technology to centralise their data and eliminate the risk of managing it across remote locations (known in IT as “edge”). New tools are helping organisations in Europe and beyond to secure edge data at the centre, and to protect against, detect, understand and report on data breaches.
Large enterprises with consolidated data centres often have branch offices in remote locations that are difficult to support and protect. Today’s technologies, however, remove that pain by storing and protecting sensitive data in a centralised location, where physical access is strictly controlled and backup and replication policies and procedures are stringent. Through specialised applications, these same tools support operational agility: businesses retain easy access to that information and can deploy new services, applications, or entirely new branch sites while keeping branch staff fully productive. New technologies also enable real-time, continuous data capture and analysis, so that companies can see network delays as they occur, giving them speed, insight and control no matter where data is stored.
The real value of these technologies emerges over time. As the law changes, the businesses using these tools have the flexibility to change where their data is stored without disrupting business processes. This translates into increased visibility, performance, and security for networks and applications, and a better experience for end users. In turn, improved collaboration among silos in the business can create greater cost efficiencies, improve control, expand reach, and accelerate data centre operations.
The GDPR is good for consumer privacy but certainly creates challenges for businesses. While in the past a future-proofed IT strategy may have been a “nice to have”, going forward, it is a “must have”. Fortunately, large organisations, and the decision-makers behind them, have the time and tools needed to get ready and be in compliance when the new rules take effect in 2018.
Five keys to the new EU Data Protection Regulation:
* What does the new regulation cover? The aim of the new European General Data Protection Regulation (GDPR) is to harmonise a single set of rules across all countries in the European Union, governing the security and management of personal data, both of customers and employees.
* What does the new law mean for businesses? By 2018, EU companies will have to ensure that personal data moved outside of EU data centres or the cloud complies with the GDPR, and will have to report data breaches within 72 hours. There are key changes to the way in which personal data can be used and stored. Placing data far away from users, however, could mean network and operational challenges for branch offices.
* What companies will be affected? Initially, businesses with more than 250 employees processing over 5,000 personal records per year. In time, the law will extend to all businesses, including small and medium-sized enterprises, regardless of their size or the number of records they process.
* What consequences do businesses face if they do not comply? In addition to the reputational damage that has always been a consequence of data breaches, businesses could now also face penalties of up to €1 million or 2% of global turnover, whichever is greater.
* How can companies prepare for compliance? Businesses should consider the GDPR and their operational needs when developing their IT strategy. New technology tools can help them centralise data, eliminate the risk of managing it across remote locations, monitor network performance, report breaches, and improve employee productivity both at the edge and in the centre.