GDPR challenges remain salient for technology leaders as they continue to collect data from customers in Europe, while businesses in California are navigating the new California Consumer Privacy Act. Alongside security compliance, leaders must focus on the finer details of how they manage consumer information or face the prospect of steep fines and litigation.
At the very core of security and compliance is design, a topic close to Stuart Felstead and Ben Lidell, who respectively head Oracle's security practices and its customer center of excellence to ensure innovation is constantly being met. Both are based in the United Kingdom and sat down with Frank Cowell of Cloud Talk Radio to discuss the ongoing issues surrounding both pieces of legislation and what customers should be aware of.
My first question is to Stuart. GDPR has been in force for the last 12 months; isn't this old news now?
SF: I think the simple answer is yes and no. I think everybody's aware of GDPR, and I think a lot of organizations put a lot of effort into meeting the bare minimum requirements of compliance about 12 months ago. At Oracle, we did a great job of helping our customers achieve that with the implementation and execution of projects in the technology space, enabling them to encrypt data to meet compliance. But I think it's only now that organizations are having to live with GDPR as a day-to-day process, where their organizations evolve over time and applications are enhanced, improved, and often retired and replaced. The real challenge of maintaining that GDPR compliance position, improving on it and removing any risks from their estate is really starting to be recognized as an ongoing activity that is going to take many years.
Okay, great. So Ben, could you elaborate for our listeners on what that means?
BL: Well, it's really a question of what you do first. The focus is to get through the first audit with the minimum amount of noncompliance, and that's often done by taking a snapshot of the state of the business in readiness for the audit and then supporting the auditor as they trawl through the reams of data and systems to validate that evidence. Organizations have been through this before with other compliance frameworks, such as PCI DSS, Sarbanes-Oxley, and Basel II.
So it sounds like there's still quite a lot to be done. How would you go about making those next steps, and do you have some advice for our listeners?
SF: I do. I think everyone's aware of the three major tenets of GDPR (and the California Consumer Privacy Act). The first is consent management, where we make sure that when we capture and process data, the end user understands how it will be used. The second one is the right to disclosure, where users can ask any organization what information they hold, how they use it, why they've got it, where it came from, and whether it's valid, along with the organization's intentions to use it.
The third one is the right to be forgotten. I can ask any organization to remove my data at any point in time, and organizations must be able to respond to that request. Now, just because I say I want you to delete my data doesn't mean that the organization can legally do so. I might have some kind of contractual agreement with them, or a financial agreement with them, and legislation mandates that the data therefore needs to be held for a period of time, often beyond the time that the contract is in place. So, for example, financial regulation requires, for anti-money-laundering purposes, that you retain data for an extended period. But I can still raise the request today, and when that legislative period has expired, the organization has to act on my request and remove it. So being able to track right-to-be-forgotten requests and process them is a pretty big challenge for most organizations.
Okay, great. So Ben, a question for you. How would you recommend organizations and data protection officers tackle this task?
BL: Well, that's the million-dollar question, isn't it? It's not hopeless, though. I mean, there are some basic foundations that DPOs can start to put in place to address this. The first of those is policies. Any organization will have policies, whether these are business policies or HR policies, recruitment, expenses, operational policies, infosec, IT, what people can do with their laptops or their mobile devices. Really, they need to start ensuring that these policies adhere to the requirements of GDPR and the California Consumer Privacy Act. The second foundation is the controls that are put in place around these policies. They need to make sure that these controls enable them to operate in line with both pieces of legislation: anything that the company mandates to ensure that PII data is properly captured, handled, shared, and destroyed.
Don’t get lost in the adventure of data compliance. Let Oracle help as you manage the data of your employees and beyond. Be sure to catch the rest of this podcast here to see how we’re helping customers with their GDPR strategy and contact us if you’d like to discuss your needs.