Andrew Davidson, Head of Marketing, Cyber Security EMEIA at Fujitsu shares his seasoned opinion on the EU’s new General Data Protection Regulation (GDPR) and reveals that the devil is in the data
A recent joint article chose a revealing headline: ‘GDPR: the new data-protection law giving watchdogs a mega-bite.’ Much of the coverage of the EU’s new General Data Protection Regulation (GDPR) has been focused on the possibility of huge fines being levied on companies that fail to comply with the provisions of GDPR. But at Fujitsu, we prefer to accentuate the positive.
The new regulation is an opportunity. EU statutory regulators agree. They have indicated that companies which distinguish their products and services by data privacy standards will win more business.
This is not only an obligation but an opportunity. With compliance comes competitive advantage, as organisations can better utilise the data at their disposal, gain critical insights and build trusted relationships.
By approaching GDPR from the perspective of people, process and technology as well as enabling digital transformation, you can make the most of the opportunity.
GDPR is not about technology
GDPR is about protecting the personal data of individuals. Technology will help you to do that, but the emphasis needs to be on achieving a holistic view of all the data that you hold and process. To do that you need good policies and governance. Your processes, systems and technologies then need to be aligned with those policies.
In that way, everything you do can be linked back to the basic principles outlined in GDPR and you will be able to not only comply with the regulation, but achieve significant benefits for your business, your people and your stakeholders.
That’s what we mean by the ‘devil is in the data’ – look closely at the demands of GDPR, understand what you need to do at all levels of your organisation. That’s important because every enterprise is complex and there’s always a risk of data getting lost or duplicated across functions and within them.
Achieving better visibility can deliver a lot of benefits to the way you operate and the information you can leverage.
Focus on people
The principles behind GDPR are founded in the EU Charter of Fundamental Human Rights. Regulation is a positive step forward for the rights of citizens to have more control of their personal data and to engage with organisations which hold and process it in positive ways.
We believe that this human-centric view of GDPR should be the foundation for how organisations comply with GDPR. It’s not just another regulatory burden, but a means by which better-managed quality information can directly contribute to business improvements and efficiencies with the needs and rights of peoples placed firmly at the heart of the entire exercise.
It is often hard for businesses to create a true sense of ownership when it comes to dealing with privacy issues around personal data. It’s been seen as an issue for lawyers or compliance specialists. It’s not considered a core part of the business. That also used to be the case for cybersecurity, but the recurrence of high-profile breaches which have affected the reputations of global organisations has transformed that mindset. It is now well understood that investment in cybersecurity not only delivers higher levels of protection, but also engenders trust. This is what we are seeing with GDPR which aims to give individuals more ownership and control over what’s happening to their personal data, even if most people won’t notice the difference in their daily lives.
Your focus needs to be on the interests of data subjects – people – employees, customers and all stakeholders. Everyone you come into contact with. Their interests are the principal focus, not just technology.
Data is at the core of all businesses
You need to build a culture of exemplary data governance. Know what data you have, where it is, what it’s for and who has access to it. Organisations need to own the responsibility for protecting the privacy of their customers and employees by designing compliant business processes, based on appropriate technology, to collect and processes personal data.
Effective data governance and management need to be considered holistically, rather than in silos. In an era of cheap storage, many organisations have just stored data without really understanding whether that data is still required. This goes against the GDPR concept of data minimisation – which is to only hold the minimum amount of data required and only for legitimate purposes.
Understand your data, make it visible
In a world replete with threats, a lack of visibility and understanding represents the biggest danger for organisations, not just in terms of GDPR, but across but for organisational effectiveness too.
Hackers know that personal data can be profitable, so they will attempt to steal it. And, it’s not just cyber that counts: data can be lost in many other ways. Poor practices can see data lost through using unsecured Wi-Fi in public places or printing out documents and then not shredding them. Good lifecycle management of data in all its forms is vital.
As digitalisation projects gather pace and the Internet of Things (IoT) devices like wearable or remote sensors gather increasing volumes of data (from video to numbers to sound and biometrics), you must get ahead of the data curve.
It’s all part of your digital transformation
At Fujitsu, we believe that your approach to GDPR should be based not just on compliance, but also on contributing to your digital transformation. Data, as we’ve stressed, is at the heart of any modern enterprise. You need to embark on a journey that ensures you know where and how to invest in locating, managing and protecting and utilising your data to its maximum potential. Complying with GDPR can kick-start this.
And it’s not just about personal data. We’re arguing for a holistic approach to ALL data. Make it the core of your digital future. Achieving high-quality information and data management can be a differentiator in a dynamic marketplace. Seeing it in this way will help you make the investment case for a robust and creative approach to your data management and governance.
People, policy and processes and technology that deliver ‘privacy by nature.’
GDPR calls for organisations to achieve its principles ‘by design’ which means that when they are developing, designing, selecting and using applications, services and products which are based on the processing of personal data or do so to fulfil their task, then the protection of that data must be designed into them from the start. Our approach extends that principle to everything you do to achieve what we call ‘privacy by nature’.
People, policy and process are key to the former. Technical controls consist of applications, infrastructure and security. It sounds obvious, but the key is to ensure that it’s all done logically and in the right way. You need to understand the needs and expectations of all stakeholders as well as understand the rights and freedoms of data subjects (as defined by GDPR).
You need to understand all the categories of data you hold – and all the sensitivities associated with them. That will enable you to ensure you have categorised the data correctly and then understand what needs to be done to protect its integrity. This helps you define policies and processes. Once they’re locked down, you can understand the technology you need to deploy to locate, manage and protect the data. So, for instance, you have to ensure that your systems make it possible to find personal data, extract it and, if necessary, amend or delete it. Ideally, that needs to happen at the application level and filter through to the underpinning infrastructure.
The end game is to ensure ‘privacy by nature’ – it’s fundamental to what you do and who you are. That’s why people are the priority. To achieve that balance of people, policies and processes and then achieve the right level of sophistication at the application, infrastructure and security levels takes work. For many, it’s not something they want to do alone. Which is where a co-creation partner comes in as well as an ecosystem.
Talk to Fujitsu about how you can make the most of the GDPR opportunity.
Please note: this is a commercial profile
Head of Marketing,
Cyber Security EMEIA