Resellers and MSPs gave a refreshingly brutal account of what impact the General Data Protection Regulation (GDPR) will have on both them and their customers at the recent CRN European Channel Leadership Forum.
The panel comprised Glen Williams, CEO of Damovo, Justin Harling, managing director of CAE Technology Services, Edel Creely Group managing director of Trilogy Technologies, Richard Lockey, UK country manager at Crayon and David McLeman, CEO of Ancoris.
Here are the edited highlights:
What is your understanding of GDPR, and how are you preparing for it?
Glen: Last year we rolled out an ISO 27001 accreditation, which was something our customers demanded. That's something that's prepared us really well for GDPR. GDPR is an EU-wide regulation; its data protection on steroids. But having worked in the German business for a long period of time it's not really a very big change for me. [Our first step] was ISO 27001, which gets you most of the way there in terms of information and security management systems. The next step was getting our head of group legal counsel involved, because he is a lawyer. It made a lot more sense to get him leading this rather than me or anyone else at this company, along with IT and my group COO. He's got a view of what we need to do and where the gaps are. But I have to say as an outsider looking in - I live in the UK but our business is based in Benelux and DACH primarily - there's a frenzy going on here I see it on Linked In every single day - and it's getting quite dull. It's a legal regulation and IT is an enabler to ensure you comply: that's it.
Justin: So far I think we are seeing the good, the bad and the ugly of this. The good is the focus that it's bringing to data security. I don't think there's anything wrong having a focus on that. The bad is the amount of time we are having to spend talking to lawyers. The ugly is the thing that we're not doing. And what we haven't done quite deliberately is go out with a marketing campaign that says ‘Oh my God, GDRP is coming: quick buy stuff otherwise you're going to be fined millions of pounds'. I really hate that stuff. I think it has no place. I think it's a really bad reflection of our industry. And we have seen it from manufacturers, distributors, other resellers. It's embarrassing. I just wish they'd stop it [applause from audience].
Edel: I very much agree with that. I think a lot of the introduction of GDPR to the market has been on a scaremongering basis. When I talk to customers and they ask what's it really about, I say where it's all coming from is actually about safeguarding the privacy rights of individuals and the data - how that data is processed by companies. So what you need to think about is what private, personal data you are processing as a business, how are you protecting that, and do you actually understand the implications of that for your business? Because it's not just about securing that data; it's very much about what that data is, how it flows through your organisation. And you need to be accountable for that as a business. So, yes, there's a lot of understanding of legal implications that has to come about, but I think there's a lot of very good information out there and a lot of great guidelines being produced by various governments, and companies are taking a very measured approach to looking at GDPR and how it impacts their business and what they need to do about it. Certainly, for some organisations the implications can be quite vast, but that's going to depend on the volumes of private data that your company is dealing with. So organisations must take it seriously. I think it's a very good thing. Why is it coming about? Because the amount of data that's now being processed in the world, due to the growth of digital, is absolutely phenomenal and it's really important that we do protect the privacy and safeguard that data for people.
Richard: I'm in a similar boat to Glen: we are headquartered in Oslo and have a large Nordic presence. An every time I engage with my CIO or my CEO they don't seem to be worried about it because in these countries data privacy seems to be taken a little more seriously and it's probably more of a given than it is in the UK. So there's a lot of hype around it in the UK. I think there's a lot of grey areas, which is going to make it really interesting. What is data privacy or individual private data? What defines that? What is public? What have you published yourself? From a technical side of things I'm led to believe that we're pretty much covered. I think it's going to change on an ongoing basis as we'll continue to review it. But the largest part is processes and procedural, so in the UK, I've employed a change management consultant to come up with the processes and procedures that we need to follow for data that is stored on people's personal devices - how do individuals use that data? Where does prosecution stop - does it stop at the company do you take it down to the employees? Do you have to manage that with your service providers from an IT perspective? There are quite a lot of grey areas coming up but if people proactively put in a change management process to try and address these issues, I think you're going to go a long way to avoiding the issues in future.
David: I agree with all the comments, particularly the ones around the hype. We've seen these feeding frenzies in the past and it doesn't do anyone any credit. I think this is mostly about the legal side of it more than anything. We've been working as a Google cloud partner for 10 years, so I think the tech side we all feel we've got that well covered. The challenges now come around some of the obligations to demonstrate compliance. I think we will take as much time reviewing what we're doing and documenting what we are doing so we can communicate it better to our clients to help them meet their own obligations - renewed privacy policies, renewed contracts. One of the other things that does change under GDPR is the responsibility of the data processor. Whereas previously as an AWS or a Google you could hide behind the catch-all of ‘we're a data processor you the customer are the data controller, it's all your problem', that's not the case under GDPR because as a data processor you have obligations as well. So we are seeing many of the organisations that are data processors having to start looking more tightly at what they doing. I don't think from a security standpoint it's going to change things very much as most of the big guys are good at security. But it's a contractual and legal challenge - that's 80 per cent of the issue here.
Have you had any customers come to you and say ‘we're worried'? Or is just hype from our industry?
David: I'm amazed that we've got 250 customers and just last week we had the first company ask specifically about GDPR. Clearly we get asked about data security and data privacy. We're eight months way and I'm sure the questions will go up thick and fast as we get closer to the date.
Richard: I think there are a lot of questions around GDRP around, but it's not specifically around technology. It's focused on the legal side of things, so a lot of the law firms we engage with have actually seen RFPs focused on GDPR.
Glen: The only companies we've done anything for are a couple of German banks - and our ISO 27001 accreditation was viewed as much more significant for them.
Edel: We are getting a lot of questions coming in from customers now which are being created by either their accounting or legal firms looking at us as a data processor in cases. It is an area certainly for MSPs that is being looked at more by our clients in relation to our own contracts. Contracts are being questioned and lawyers are being engaged because we in many cases are a data processor for those clients.
Justin: When we talked to our outside legal firm, they were quite clear: they said GDPR is 95 per cent a legal issue… and then there's some IT. And what's really important about this is the person who is actually owning GDPR inside an organisation - because it sure as hell isn't IT. They have a part to play, and we are seeing IT departments figuring out how they can support the rest of the customer, but they are not the owners for it. It's line of business that owns this.
The other part of that was also thinking about how we operate. We're used to finding solutions for things: here's a problem; here's a solution for it. We're a long way off that on GDPR. The ICO do have the option under the legislation to come up with this idea of certification around GDPR. They are miles away - years and years away - from going ‘here you go, here's something you can certify against'. What are we left with? Instead of that clarity we're used, what we're left with are the blood-sucking lawyers who will look at it in such a way that they will say: it's not about a solution it's about taking a defensible position. Wow: a defensible position. So effectively what it means is how little can you get away with, and, if it does go wrong, who can you blame? And if we're not looking at it in those types of terms, we could get burned. You've got to work really hard to be part of the solution and not part of the problem that gets you in a whole heap of trouble at the end of it.
Richard: Talking about a defensible position: who are the individuals out there that are actually going to be complaining and to whom, and for what reason? How many of us are actually going to be in trouble with this? There will be people who don't like the cold calling, I get that. But I think the public sector organisations are the ones that are actually potentially ripe for being in trouble with this, because of the sheer amount of data they hold. You've just got to look at recent events.
Should the government really be taking a ‘big stick' approach to data protection?
Glen: It's an EU directive; it's getting frenzied in the UK because it's the only regulation that's going to come in - that I'm aware of - in the Brexit discussions. That's why I think it's getting an awful lot of notice. I work in Germany a lot and data privacy and data protection is incredibly important. I'm used to the whole opt-in, rather than opt-out, process for marketing. It's not just Germany, it's most of mainland Europe - this isn't really anything new for the rest of mainland Europe. The fines are going to be bigger - that's the biggest change. But this is an EU initiative that's been driven. I would say it's very similar to what Germany has from a data privacy and data protection perspective, and being part of the EU and wanting to trade with the EU, we have to do it. Is it right or wrong? I don't know, but we don't have a choice.
David: I don't think any of us can question the need for data protection. I would echo the comments about the public sector. I think it's crazy that we've still got hospitals keeping data on servers that are 12 years old sitting on someone's desk. So if it clear up some of those practices that's probably a good thing. Again what are some of the things that will probably go away as a result of this? I'm sure we're all inundated with people cold calling us. Some of the consequences of GDPR as those practices get changed I'm all for it. I don't think it's going to affect most organisations that have good information security practices.
Edel: This is about protecting people against the unscrupulous or abusive use of data in a world where the volumes are absolutely phenomenal compared with what they were. I have a client in Ireland who we've just done a whole infrastructure refresh for, and the CEO said to me, ‘Edel, I don't want to be on the radio in the morning trying to defend a position where some very sensitive data has been compromised. In many cases I think organisations are now more aware of the reputational damage and the sensitivity of what they are holding, and don't want to be held to account in public, so the GDPR is will probably help to put some process and formality and protection around what organisations need to do. I think there's a lot of panic among some smaller businesses, but if they actually sit down and look through the guidelines, it will actually be in many cases be quite a simple process for companies to deal with.
Justin: I don't actually think it is a big stick, and I don't think our government is ready to use it as a big stick. The ICO, who own this and are responsible for all the enforcement around it, have a triennial review. That review was conducted in 2015 and published in 2016. One of the notes right at the beginning basically says ‘one of the things this doesn't take into account, because it didn't exist when we started this process, is GDPR. Brilliant. There isn't this great big GDPR police coming out of the ICO office that is going to be enforcing things from day one.
There's hysteria about GDPR in the UK. What's the European view - why don't they seem as bothered?
Glen: Germany has taken the lead on data privacy. The only enforcement from the ICO I can remember of any significance was the TalkTalk fine for £400,000, and the maximum it could be was £50,000. GDPR is €20m or four per cent of turnover. When I speak to my German MD, he's got responsibility to comply with a number of different things; this is just one of them. So when I said to him there's this big opportunity- people talk about a £1.5bn opportunity in the UK - he was completely nonplussed by it because he said this is what they are already doing. And it is very similar in other mainland European countries. The ICO has tried to gently persuade people to do things, whereas these things are enforced more in Germany, and I think the EU regulation is really coming out from Germany.
Edel: I would say in Ireland GDPR was being talked about before I noticed it being spoken about here. Part of the reason it's so important in Ireland is because nine out of the top ten global IT companies are headquartered in Ireland, and under GDPR they must decide in a European context in which country their data protection officer will be based - so for most of them it makes sense to be in Ireland. Therefore it's important that our data protection commissioner in Ireland is very much on top of GDPR, so there has been a big investment in that context in Ireland.
Richard: It depends on which country you talk to. If you talk to my German colleagues and my Norwegian colleagues they don't see it as an issue. But if you go to Denmark, there's actually quite a bit going on around GDPR. We've actually got a service that's delivered out of Denmark because there's a lot of demand for it out there, but again it's delivered from a legal standpoint not a technological standpoint. But most countries don't understand the frenzy [we're seeing in the UK].
So do you all feel that GDPR more of a legal/business assurance issue than an IT one?
Richard: We've all got a part to play in the execution of this. But if anyone thinks they're going to walk in and solve a GDPR problem for one of their clients, and sign a contract on the back of it that says you are now GDPR compliant, good luck.
Edel: There is so much hype. Who do customers then want answers from: it's us, as the trusted advisors. It all comes back to us, to have those conversations with clients, and certainly from GDPR perspective the security opportunity is just one small part that we can effect change in.
David: We clearly need to be informed about it. There are some things that I think do change. You need to document the lawful reason on which you are holding data - that's something I think is new. It's not just about consent by the way. There are six reasons on which you can lawfully hold data. Consent is one of them, but there is a catch-all of legitimate business interest at the end, and again we see the marketing agencies pleading with the ICO for guidance, and I don't think the ICO is really providing any leadership in the grey areas, and there are a lot of grey areas.
Has anyone hired a purpose-built DPO?
David: It's only mandatory if you are public authority, you carry out large-scale monitoring ie online paper tracking or large processing of special categories of data things like criminal records and so forth. I think most people aren't going to hire a DPO unless they are in a very special case.
Have any of you made any practical changes to your business around the way you do marketing, as consent is a huge part of this?
David: I personally don't believe in outbound cold calling mainly because I've been on the receiving end of it. So we have made changes, but we didn't do it because of GDPR. We did it because we felt that publishing content that's relevant about the stuff we're doing is a better way of drawing people to to us rather than doing mass outbound activity.
Richard: We are in the process of documenting what it needs to look like to make sure we are compliant, if there is such a thing as compliant.
Edel: No we haven't made any major changes as yet as a business we went down the ISO 27001 route and now that that's all in place we're looking now at the data we are holding and processing around that so that's underway. The other thing that we're changing - contracts where we are providing managed services to our customers we are bringing in the lawyers to work with us on those.
Justin: We've been through 27001 which has helped. We are conscious of it.
Can you summarise your thoughts on GDPR in five words or fewer?
Glen: Keep calm and carry on
Justin: Blood-sucking lawyers
Edel: Just get on with it
Richard: It's not going away
David: Just follow good practice
View pictures of all of last night's fights
Acquisitive comms provider swoops on Frontier Voice & Data and StoneHouse Logic
Cybersecurity firm rakes in £3.6m for unwanted unit
Results, reaction and pictures from last night's CRN Fight Night