In this ESG360 Video, ESG's John McKnight and Christophe Bertrand discuss GDPR and the challenges for organizations to comply with its requirements.
Announcer: The following is an ESG 360 video.
John: I'm here today with Christophe Bertrand, Senior Analyst covering data protection and compliance issues for ESG. So, Christophe, this is a very interesting time as we sit here today, we're mere days away from a deadline that has had many regulators, end-user organizations, and technology vendors very interested, concerned, involved for many years now. And that is the compliance deadline for the EU GDPR, General Data Protection Regulation. So remind our viewers what is the GDPR and why does it matter.
Christophe: So, first of all, it's a regulation, meaning that it is far-reaching, it applies to every member state, and there is no local or national adoption phase, such as what you would have with a directive. So it's a big deal. Secondly, it is very global in its impact. If you do business in Europe, very likely you will be impacted by the GDPR, meaning you have to comply.
John: So if I am a multi-national organization anywhere in the world with business operations in Europe, or the ownership of personal data of EU citizens, I have to be worried about this?
Christophe: Absolutely. And it's gonna be quite a challenge. There are a number of articles in the regulation that apply to how you're supposed to manage the data, what are you supposed to do with it. And more importantly, the fundamental aspect of it is that the individuals, you and me, if we are European residents, own the data and have rights. So it goes really far beyond just what you can do with it. It's really about the fundamental ownership of personal and the identifiers that go with it.
John: Certainly an issue that's been in the news on this side of the pond in recent weeks.
Christophe: Exactly. Absolutely. So we'll see how this one plays out. It will be very interesting.
John: In general, what are your observations on the level of preparedness amongst those multi-national organizations or business that are gonna need to comply with this regulation?
Christophe: It's very scary. Based on the 2018 IT Spending Intentions that we just conducted, 82%, I believe, are either concerned or very concerned about GDPR. So, clearly, this level of concern turns into a level of preparedness, which is very, very, low, about 11% believe that they're ready.
John: So only about 1 out of 10 believe they're ready to go.
Christophe: One out of 10, meaning 9 out of 10 are not.
John: Correct, correct.
Christophe: The simple math applies here, but what it means also is because of the type of issues that it could bring to your business in terms of penalties, GDPR is getting people's attention.
John: Right. And remind us what some of those penalties may be.
Christophe: So depending on the size of the business, it will be percentage of your revenue. Clearly, there's a lot of stick here and not a lot of carrot, but I think the real intent here is to improve the level of data privacy and how data is managed. Which, of course, comes at a price, which is one of the concerns we we've also covered in the survey. Clearly, one of the top concerns is gonna be the cost of changing a number of processes, including those in data protection.
John: Right. Now, those are the concerns of those that will have to implement the necessary technology, process, workflow to make this happen, but certainly they're going to back to the teeth of this regulation in terms of potential financial penalties. That explains the level of executive concern we're seeing among the survey respondents in our research.
Christophe: Exactly, yeah. But what's interesting here is, you look at GDPR and, again, a number of articles, including some that clearly state you have to protect your data. You have to inform the users or your customers in case of a breach. It's a 72-hour time frame. You have the right to be forgotten, which is Article 17 where it says as an individual, I have the right to know, first of all, what you know about me, whether you're the controller of the data, meaning you're the creator of the data about me, or the processor, maybe you're a marketing firm that's using data and doing some additional value creation on top of data that's been created by somebody else. And I also have the right to be forgotten, under a certain circumstances, where I want you to delete my data. That's complicated because what if there's a backup?
John: Yes, exactly. Well, that's...let's go down that path for a second. So you mentioned Article 17, the right to be forgotten. You cover data protection technologies, and the whole point of data protection, and backup, and recovery, and replication, and technologies, and processes, like that is...I'm going to make multiple copies of that data in case for compliance, or even maybe for TestDev, and disaster recovery, and all kinds of use cases. How are companies going to be able to cope with this need to...if I have to forget your data, doing that across all my copies of that data?
Christophe: Well, so it's a very complex question and answer. Few things first. If the data is neatly organized and you know where the data that's affected by GDPR is, well, then it's not that difficult. Right? You can go and look at what the expiration dates should be, you can go manage that pretty neatly. The problem is, do you even know where that data is? And that's one of the top concerns we uncovered in the survey. Another concern is how do you manage that then? So the right to be forgotten is really gonna be complex from that perspective. The real question will be how do you manage the recoveries should data that's supposed to be forgotten still be there? How do you manage access control? There are a number of other dimensions to the regulation around encryption, around protecting the data from being breached, around the ability to just read the data or not. So the good news is, there are lots of great tools in backup and recovery that help. But I will say, data classification, it's probably gonna be one of the big ones.
John: One of the key things, sure.
Christophe: Yeah, moving forward.
John: Okay. So, Christophe, clearly there's a lot of work to be done here. A lot of work has been done in the preceding months or years, really. But for those organizations that aren't there yet, or still have work to do, what would be some of the recommendations and best practices that you would advise those firms to embrace?
Christophe: Yeah, I'll keep it very simple. First things first, make sure the board, the executives are ready to go, ready to fund the effort. It's a compliance effort, it should not be neglected. The larger enterprises probably do this all the time, have large teams, not a big deal for them necessarily. I think, in the mid-market, it's gonna be more of a challenge where you now have to do things that you were not quite ready for originally. I will say that go back and understand where your data is exactly located, classify your data, and revisit your backup processes.
John: Now, for the vendor community, the technology vendors that are providing the solutions to help organizations with those data classification challenges, for example, backup and recovery requirements. What advice do you have for those firms as well?
Christophe: So I think it's already started. My advice would be education. So we're seeing a lot of that going on in the market. But I think there are still some question marks around how every piece of technology really fits, especially when it comes to backup and recovery. As I said, there are some great things that backup and recovery solutions can do to support GDPR. But there are some things that are just not a good fit. So being clear about where you fit, what recommendations you have for your customers. And I think there will be some technology improvements that will be needed, or additional features that will be needed to combine backup and recovery, data classification, and just good management of that critical data for the compliance regulation.
John: Great. Great advice. Well, thank you. This was fantastic. For more information on GDPR and other compliance and data protection issues, visit esg-global.com.