Don't you forget about me


During a recent NetApp roundtable on the incoming EU data protection rules, the conversation soon homed in on how new rules around the 'right to be forgotten' will affect how enterprises must handle data

At a recent NetApp roundtable on upcoming EU data protection regulation reform, talk among the resellers present quickly turned to one controversial aspect that could have far-reaching consequences for their customers: the right to be forgotten.

It was announced on 15 June that all 28 members of the EU's council had agreed to introduce a single set of data protection laws that cover the whole of Europe, with the aim of implementing the new regulation by early 2018.

The European Commission said that with the regulation as it is, "internet companies and start-ups cannot take full advantage of growth opportunities online", and just seven per cent of SMEs currently sell cross-border.

The commission continued: "A fully functional digital single market could contribute €415bn (£289bn) per year to our economy and create hundreds of thousands of new jobs."

But the roundtable - attended by NetApp partners including Node4 and Q Associates - was largely dominated by the right-to-be-forgotten legislation, which is set to be strengthened under the new regime.

This could be a challenging prospect for enterprises because, if removal were requested, most aren't set up to prove that all data related to a single person has been excised from their systems. In addition, many don't think it applies to them, participants in the roundtable agreed.


From the channel's point of view, this opens the door for resellers to offer assistance to their enterprise customers, preparing a strategy not just for the right to be forgotten, but for the reforms as a whole.

Adam Ryan, head of cloud services at NetApp partner Q Associates, said: "At the moment it is all about getting sound knowledge about what it means and what the ramifications are. When I look around our client base, there is a varying degree of awareness and how applicable the regulation is to them."

Node4's head of sales south, Steve Denby, warns that "the right to be forgotten is a terrifying prospect for enterprise", and that clearing out every trace of an individual's data is a near-impossible task. "Nobody can undertake that, it will bankrupt them," he said.

"Unless someone pulls the plug, then data will never disappear completely," he added. "I think services and products need to be reviewed and altered to take the new law into consideration. So solutions need to be designed around the consumer so that you can slice and dice the data and remove it in such a fashion. I think it is going to be a challenge for the channel to deliver solutions that allow the enterprise and SME market to do that easily."

Businesses that are not au fait with the legislation perhaps think it is of more concern to IT players such as Google or Facebook, and don't fully understand that the scope is considerably wider, according to Ryan.

"The migration of data into archives and frontline data, plus the split of where that is all held - to have the ability to show through all that, that certain data is completely gone? Good luck with that," he added.

In context, this is a big ask of enterprises, but one that should be taken seriously, attendees said. If a business does not abide by these rules, no matter how complex they may seem, there will be a price to pay: in some cases, a fine of two per cent of a company's yearly global turnover or €1m, whichever is greater.

NetApp's director of technology and strategy, Matt Watts, voiced his concerns, saying: "I think of a datacentre as a kind of city where the apps are shops that you go into. Every time you work within a datacentre, you are leaving traces of yourself wherever you go. How do you consolidate that when someone says, 'I want all of it gone'?"

Data world

But the reforms will have the benefit of making conducting business within the EU a far more attractive prospect due to the increased protection and ease of operating under one authority, Watts added. However, he insisted that companies must be careful with the data they are holding. "Information about people is a product, so we need to be treating that information as something with significant value. You don't want someone outside Europe tapping into our data and generating revenue from it," he said.

"This legislation could make us more competitive on the world scene. It will attract customers because of the protection we are offering."

Watts advises companies to be more aware of what data they are collecting about someone as well as what it is being used for. If it is contractual (for example, records of transaction in a retail environment need to be kept for six years in the UK, as stated on the government website), the regulation decrees that you do not have the right to be forgotten.

In fact, the rule says this is not an absolute right, and in cases where there is reason to retain such data, the right to be forgotten does not apply. It also includes the provision that it does not, whatsoever, encroach on the freedom of expression and information, such as in the press.


To help enterprises prepare for any upcoming changes, Q Associates is running a number of operational readiness and alignment programmes, Ryan said. In these programmes customers will be told what they need to be aware of, and how to set up protocols to deal with it.

Denby ended on a positive note, saying: "Moving forward, I think it is a good idea. I wouldn't say it is a terrifying prospect in terms of the point of doing it; it is executing it that is terrifying."

What the law is now

The data protection regulation as it stands is based on the 1980 OECD (Organisation for Economic Co-operation and Development) "recommendations for the Council concerning guidelines governing the protection of privacy and trans-border flows of personal data".

These recommendations are based on seven principles inscribed in the directive 95/46/EC, on the "protection of individuals with regard to the processing of personal data and on the free movement of such data" penned by the European Parliament in 1995.

The seven principles

- Notice: The subjects whose data is being collected should be notified.

- Purpose: The data collected should be used only for the stated purpose(s) and for no other.

- Consent: Personal data should not be disclosed or shared with third parties without consent from its subjects.

- Security: Once collected, personal data must be kept safe and secure from potential abuse, theft or loss.

- Disclosure: Subjects whose personal data is being collected should be informed as to the party or parties collecting such data.

- Access: Subjects should be granted access to their personal data and allowed to correct any inaccuracies.

- Accountability: Subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.

What is changing

The reform first came about in January 2012 with the European Commission publishing two proposals for a new data protection regulation. The drafts contained the commission's desires to update the current framework, which aimed to give users more control over their data, and introduce one set of rules for the whole of Europe.

The framework will also be extended to include a guide to protect a person's data used by the police or in criminal justice organisations, and it has been proposed that a data protection officer is to be appointed by the EU to ensure the new rules are being adhered to.

What the reform means for businesses

- One continent, one law: The revised regulation will act as one rule book for the whole of Europe, meaning companies have to deal with only one law, as opposed to 28, regardless of where they are established.

- One authority: Companies will have to deal with only one authoritative body, with the aim of making it easier and cheaper to do business in the EU.

- Less red tape: Notifications to supervisory authorities, which represent a yearly cost of €130m for businesses, will be scrapped.

- Rule breakers: Companies will be fined two per cent of global annual turnover, or €1m (whichever is greater), if they do not abide by the new rules.

Data protection reform timeline

Jan 2012 - Publication
March 2014 - EU position
June 2015 - Council position 
First half 2016 - Adoption
First half 2018 - In force
