By Paul Flannery, Senior Director, EMEA Business Development, Oracle
Organisations are currently faced with the question of how to approach the General Data Protection Regulation (GDPR), the new legislation coming into force in May 2018 which sets out to harmonise data protection across the European Union. Rather than be seen as a compliance burden, GDPR should be seen as one of the best opportunities to deploy long term technology investment to unlock true digital transformation.
Whilst the regulation itself is limited to the processing of personal data, the EU’s interpretation of what that actually constitutes is broad. Essentially, any data that relates to an identifiable living human, including something as indirect as an IP address that can identify a specific user’s device, is regarded as within scope.
The extended scope of the legislation doesn’t end there. For example, organisations are obliged to take into account the “state of the art” in cybersecurity—yet specific technologies, controls or processes beyond that phrase remain unmentioned, leaving a high degree of risk assessment and subsequent judgement to be applied by the organisation itself.
The timescale for addressing compliance is tight too, and any organisation of sizable scale will find it difficult to even understand what data they have in the first place and assess its sensitivity.
The cost of non-compliance is what has brought GDPR to the attention of boardrooms not just in the EU, but globally. The potential magnitude of fines is significant (4% of an organisation’s global revenue, or €20 million, whichever is greater), as is the potential reputational damage that may result from non-compliance with the new mandatory breach notification requirements.
The cloud, whether it’s public or private, Software-, Infrastructure- or Platform-as-a-Service, can mean different things to different people. The overall understanding across the majority of industries is somewhat immature, specifically with regards to compliance and security. Yet the journey to the cloud is happening regardless, and without proper security in place, that inevitable shift will arrive in the form of shadow IT, bringing with it unnecessary risk exposure.
Generally speaking, there are substantial benefits in moving to the cloud, such as enhanced security capabilities that go beyond what would be affordable for most organisations in an on-premises environment. However, any move to the cloud needs to be carefully planned and properly architected; with the new legislation approaching, the consequences of getting it wrong are significantly increasing.
GDPR compliance is a long term commitment, and investment in implementing a cost-effective supporting infrastructure will prove to be valuable in the years ahead. It might even represent one of the biggest opportunities to accelerate digital transformation in recent years.
It places focus on good data management, with benefits to organisations ranging from increased security and operational efficiency, to improved customer service and corporate reputation. For example, one of the key legislative requirements is to be able to provide any individual with every piece of data an organisation holds on them, including all data records and any activity logs that may be stored.
On the one hand, this imposes significant technology requirements that can only be met through the simplification and standardisation of complex IT environments. On the other, the potential value of converged data of that quality from a business or marketing perspective is substantial, and brings with it a wealth of possibilities.
Earlier this year, IDC gathered CIOs and CISOs from enterprises across EMEA to gain insight into how they are approaching GDPR in light of current cloud adoption and security requirements. Their resulting report, "Does Cloud Help or Hinder GDPR Compliance?", summarises discussions from events in France, Italy, Morocco, Spain, South Africa, Sweden and Switzerland. It not only flags the many potential benefits of compliance, but also sets out IDC’s simple but effective technology framework to help organisations focus on the particular requirements of GDPR and select the right technology for the job.