To GDPR, or not to GDPR
Samantha Wright looks into what the channel thinks customers should be doing to prepare for GDPR in the wake of Brexit uncertainty
The UK was plunged into uncertain waters on 23 June 2016, when the nation voted to leave the EU. Amid the confusion, the EU's General Data Protection Regulation (GDPR) is set to come into force on 25 May 2018. While the UK waits to see when it will leave the EU, companies are unclear as to whether they should apply the regulation or wait it out.
Elle Todd, partner and head of digital and data at law firm Olswang, said that regardless of what happens with the UK's stance in Europe, UK organisations should be applying GDPR compliance now, to avoid running out of time.
"They should absolutely be worried about [GDPR]. We don't know what is going to happen with Brexit, and if it's a two-year process then this would have come into force by then," she explained. "Even when we leave, the [Information Commissioner's Office] has made it very clear the UK would need to amend its existing data protection laws to have equivalent or increased protections akin to GDPR. For international trade, if the UK was seen as having lesser data protection laws, it would be harder to effect the transfer of personal data within the European bloc, and that could be a barrier for trade."
The regulations
The main difference separating GDPR from previous data protection laws is that third-party companies hired to process customer data will now be held liable for any breaches of personal data that occur while the data is in their possession.
Previously only the company which entered into the agreement with the customer - known as the data controller - would have been liable for data breaches.
Paula Barrett, partner at law firm Eversheds, said this change in the regulations will affect the technology sector the most, and data processors could now be subject to large fines.
"Whereas before [data processors] didn't have direct data protection responsibilities in the UK, GDPR brings with it direct responsibility. They pick up potentially direct liability to individuals if there are breaches to data security. The risk profile for data handling goes up significantly. My recommendation is to start preparing for GDPR. The clock is already ticking," she said.
MSP Sungard focuses on recovery managed services, including creating recovery plans, executing those plans and providing office space for people to move into if they cannot access their equipment.
Sungard's senior director of global proposition strategy, Chris Ducker, said that under the new regulations, it would be considered as a data processor and as such would be liable in areas in which it previously was not.
"I think we are going to see, as a service provider, we fall more and more into the regulations," he explained. "We would be a data processor, so we then have to conform to the regulatory aspects of that. If you think about the timelines, Brexit won't come into force until 2019 so GDPR will come in before that. We don't see a massive change happening because we need to conform to GDPR before Brexit, and the likelihood is we will stick with it after."
Under the current Data Protection Act, data controllers can be fined up to £500,000 for serious breaches. When GDPR comes into force, both data controllers and data processors can be fined up to a maximum of €20m (£1.7m) or four per cent of their total worldwide annual turnover, whichever is higher. Most breaches will see fines of €10m or two per cent of total worldwide annual turnover.
Nicola Fulford, partner and head of data protection and privacy at Kemp Little law firm, agreed that tech companies will have to pay more attention to the new regulations to avoid being fined. She added that GDPR compliance is not a "one-step exercise" so companies need to prepare now to be ready in time.
"[Applying GDPR] requires a review of current processes," she said. "It requires data mapping to work out what data you have and what you are doing with it. A lot of the compliance exercises have good, sound business reasons for doing them as well."
"You can't just turn it on with the flick of a switch; you need to be doing something now. Most businesses need to be thinking about preparing for and moving towards that kind of compliance."
Channel advice
Amid their own preparations for the change in regulations, resellers also play a large part in advising their customers on how to be prepared. Despite the apparent certainty that UK companies will have to apply GDPR regardless of what happens with the EU, a recent study of 300 companies across the UK, France and Germany by Delphix found that 21 per cent of UK organisations have no understanding of GDPR.
Jes Breslaw, director of marketing and strategy EMEA for Delphix, said that the lack of knowledge about the regulations could stem from the much lower fines that accompany the current Data Protection Act.
"Before GDPR came around, each country had the same data protection rules," he said. "The rules within them had very low fines, so people just thought 'well if I have a breach I'll take the slap on the wrist and move on'. But GDPR clearly has significant fees, and as a result they are going to have to pay attention. It's far more comprehensive than the Data Protection Act before."
However, according to Mark Taylor, managing consultant at global IT services provider NTT, a large number of organisations have expressed interest in GDPR and becoming compliant.
"A lot of organisations are aware that the regulations coming into force bring [with them] a unique situation," he said. "One of the things we are seeing is organisations are taking very seriously the opportunity to widen their knowledge of what information security should look like. GDPR is actually giving people the opportunity to have those conversations again."
Taylor said the VAR has been going through "high-level" planning with its customers, focusing mainly on data discovery and recording of data.
"It is probably one of the longest pieces of work, especially in large enterprises where they have legacy systems and a variety of interfaces where they are capturing this information," he said. "Incident response [companies must now alert authorities within 72 hours] will provide some organisations with a challenge. These incidents, when they do occur, don't always happen between nine and five when everyone is in the office. So getting organisations ready for those changes is key to us at the minute."
Computacenter's chief technologist Bill McGloin said that many of its customers in the finance industry are already covered for GDPR because of that industry's strict regulations, but that some of its industrial clients will find compliance more challenging, although there is still time to achieve it.
"There is still time; it just depends how aggressively they want to do it," he said. "Our advice is certainly don't leave it any longer. You have to start preparing for it now. The first and possibly most important point is starting to understand the data you have, now. Understand the sources of the data and understand the value of the data; what are the crown jewels of the data. I think it is very difficult for customers to do the big-bang approach, which is why we are identifying several steps to help them on the journey."
Taylor added: "It's like throwing a stone in the ocean. The longer you leave it, the bigger the stone is and the more waves you are going to get in the organisation. Until eventually the fines come in, and then it's tsunami time rather than a ripple."