One of the best things about modern industry is the ability to adapt and change to meet new demands placed on it. Unfortunately this has made it a real struggle for governments, who have tried and failed for many years to place workable controls in place to restrict bad business practices.
From May 2018 (next year), they are taking a new tack. A government body, the ICO, is being given new powers to force companies to take responsibility for their actions, to self-regulate and to monitor their own data protection practices. The primary driver for this change is the sharp increase in the techniques criminals use to steal personal information from unsecured locations.
If businesses do not take significantly more care over how they collect and hold data, so that it is harder for criminals to reach, they will face big fines, potentially running to millions of pounds. This follows the governing body, the ICO, getting new powers to audit businesses and hold them accountable for not taking the proper steps.
How GDPR will push the Cloud forward
Moving to the Cloud has, until this point, been seen as a bit of a pain for most companies. While managing IT infrastructure and devices in-house has its own challenges, companies often prefer that route: the hardware is owned by the company (and retained as an asset) and the purchase cost is more predictable (and more understandable to older business owners).
Data Protection by Design: Encryption
One of the main requirements of the GDPR, which you will no doubt be unable to get away from over the next six months, is encryption. All devices that leave company premises must be encrypted so that, if they are stolen, individuals' information is not at risk. Similarly, data on servers needs to be encrypted while stored and protected in transit, to stop cyber criminals obtaining customer information.
Data Protection Policies or Cloud Management
New GDPR compliance demands leave companies with two ways forward, depending on their size.
The first option, which may be preferable for smaller businesses, is to stay as they are and update all of their processes and policies. This means having an internal data controller manage every database holding personal information and review the security of how all data is accessed on business devices (servers, laptops, mobile devices and external storage).
From there the data controller needs to lay out the ways in which data is collected and how the new obligations are met, so that if an auditor came in tomorrow the business could be shown to be compliant and safe, whether data is on-site, off-site or in transit.
This must all be documented and updated regularly. To demonstrate that the documentation reflects reality, Endpoint Management can be used to audit devices and show that they have the proper software and policies in place.
The second option, more viable for larger organisations, is to migrate to Cloud services, or to use them more effectively and with greater controls. This means holding all company data in a single off-site location through a single provider and connecting through a secured process. Modern Private Cloud Servers are designed with data protection in mind, and the setup can be built with detailed access permissions and fully secure integration with other servers as required.
Auditing in a single environment, with clear marketing policies and end-to-end encryption, ensures that the key points of the GDPR can be followed quickly. Coupled with two-factor authentication, this will most likely become the default safe position for larger companies to show their data protection compliance.
Of course this still requires a review of the data itself, but in terms of security, migrating to the Cloud with two-factor authentication processes is the quickest and easiest way for companies to demonstrate data protection compliance.
Which process will become the standard?
While both are possible, it seems likely that, from an efficiency standpoint, the second option (the Cloud-based option) will win out in the end. Not only does this approach mean less internal management, it shifts responsibility to hosting providers. It also means that security effort will focus more on sign-on access.
While two-factor authentication is becoming more and more prevalent, it will likely see far greater deployment if companies do adopt this approach for GDPR. Entry to the central system will form the core of security for businesses, rather than securing complex network routing.
This will have the effect of making devices cheaper (because they require fewer resources) and making the Cloud (as a service) more secure and more regulated.
Key questions: How will your company manage encryption and password protection to ensure secure access to your personal information once the GDPR takes effect?
The GDPR and BIG DATA
Consent is the buzzword for the GDPR. From May 2018, any collection of personal data must have explicit consent for whatever the company plans to do with it.
This may include receiving marketing materials directly, being informed of any changes to their account, being notified of particular events which may affect them, selling data to third parties for targeted advertising, or using personal data (such as voice recordings and other communications) for training and quality control purposes.
While many companies may offer some kind of notice when data is being processed, companies must begin documenting and recording each active step and put in place a robust consent-gathering process covering customer communication and data collection. This means not just internal documentation and user confirmation but updating customers any time the way their data is used changes.
Any time a company holds data which identifies an individual data subject (as opposed to a business), it needs to think about how it obtained the consent, how it is storing that consent and how it plans to contact the individual to get new consent if the way their data is used changes. This includes who the data is sold to, if it is being sold to a third party.
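To make the consent points above concrete, here is a small per-purpose consent register, written for this page as an added illustration and not code from the original post or any real product. Consent is stored per purpose with evidence of how it was obtained and the version of the terms agreed to; re-defining a purpose (a change in how data is used) invalidates earlier consent, and the register can list who must be asked again. All identifiers and sample values are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class ConsentRecord:
    purpose: str           # e.g. "marketing_email", "third_party_advertising"
    granted: bool          # explicit yes/no; absence of a record is NOT consent
    obtained_via: str      # evidence of how consent was gathered (form id, call ref)
    terms_version: str     # wording the person actually agreed to
    timestamp: datetime

@dataclass
class DataSubject:
    subject_id: str
    consents: dict = field(default_factory=dict)  # purpose -> latest ConsentRecord
    history: list = field(default_factory=list)   # audit trail, never pruned

class ConsentRegister:
    def __init__(self):
        self.current_terms = {}  # purpose -> current terms_version
        self.subjects = {}       # subject_id -> DataSubject

    def define_purpose(self, purpose, terms_version):
        """Register a purpose. Re-defining it with a new version invalidates old consent."""
        self.current_terms[purpose] = terms_version

    def record_consent(self, subject_id, purpose, granted, obtained_via):
        if purpose not in self.current_terms:
            raise ValueError(f"unknown purpose {purpose!r}")
        subj = self.subjects.setdefault(subject_id, DataSubject(subject_id))
        rec = ConsentRecord(purpose, granted, obtained_via,
                            self.current_terms[purpose], datetime.now(timezone.utc))
        subj.consents[purpose] = rec
        subj.history.append(rec)

    def may_process(self, subject_id, purpose):
        """True only with explicit, still-current consent for this exact purpose."""
        subj = self.subjects.get(subject_id)
        rec = subj.consents.get(purpose) if subj else None
        if rec is None or not rec.granted:
            return False
        return rec.terms_version == self.current_terms.get(purpose)

    def subjects_needing_reconsent(self, purpose):
        """Who must be asked again after the use of their data for a purpose changes."""
        return sorted(sid for sid, s in self.subjects.items()
                      if s.consents.get(purpose) is not None
                      and s.consents[purpose].granted
                      and not self.may_process(sid, purpose))
```

Consent given for one purpose never carries over to another, and a declined consent is kept in the history as evidence that the question was asked.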
For the purposes of the GDPR it may be a better idea for a company to hold less data about its consumers and to streamline its marketing processes toward quality and away from quantity.
Key questions: How much of the data which you gather as a business, such as lead generation data, analytics data and quality management data, do you actually need?