In this ESG360 Video, ESG's Christophe Bertrand and Mark Peters discuss the impact of GDPR on IT organizations.
Read the related ESG Blog: Talking GDPR
Announcer: The following is an ESG 360 Video.
Mark: I'm spending some time recently talking with my colleagues about particular coverage areas. I've already talked to Christophe Bertrand who covers data protection for us. Something that's front and center right now is GDPR, the General Data Protection Regulation.
Christophe: That's right.
Mark: One of the first things I wanted to ask you is how does this jive, if I can use that term, with compliance, because you have a right to be forgotten, but you know, that doesn't seem to link.
Christophe: That's a very good question. So first of all, all these emails you've been receiving, it's just the tip of the iceberg. It's the part that says, "Do you agree again to our new rules and our new requirements to be doing business with you, on how we're going to use your data, etc.?" It's like the constant management piece of it. I would say that GDPR in and of itself is a new requirement from a compliance perspective. But it could also be in conflict with other types of compliance regulations.
So on the one hand, you have a rule that says, "You have the right to be forgotten as an individual or your personal data can be forgotten," more specifically. Yet, you may have other rules that say, "Well, we have to keep information about you for years and years."
Mark: Does anyone know the answer to this?
Christophe: Of course not.
Mark: Okay. It's a regulation, good.
Christophe: So we'll find out more, I think, in the next few years as case law evolves and as we see organizations really deal with what it means to be compliant with GDPR, but also compliant with other regulations and how it all plays out.
That's why there's a role, that Data Protection Office, that's gonna be critical in really ensuring that all of the requirements are met.
Mark: Do companies, organizations know what they've got?
Christophe: I would say very few probably do. My suspicion is that most of them do not. And it's not that they don't know what they have, they probably know what they have. They don't know how much of it they have or where it really is. So the reason why that's an issue is we're talking about what we call PII or personally identifiable information, that's personal data for lack of a better term. What it is, really, is anything that defines you as an individual, and it could be an IP address, for example, because that could be tied back to you. So you can see it's far-reaching. So where is that data about you that potentially you may want to get corrected or amended, which is one of your rights, or in some circumstances, deleted? That's the right to be forgotten. But if you can't find the data, what are you gonna do? How do you delete something that you don't really know where it is?
Mark: Is this something, sitting in America as we are, that's over there and we don't need to worry about it in America? I suspect the answer is no, but…
Christophe: The answer is no, unless you're a business that doesn't have any dealings with European Union residents, not just citizens, residents, in other words, people who are covered by the laws of the European Union where they live. And so a lot of businesses are global. You don't have to be a very, very big business to have a branch in London or Paris or whatever the case may be and you may have some data that, by definition, will fall under the GDPR rule. For this reason, you see this GDPR adoption or the efforts to deal with it becoming very global.
The other dimension to it is it's really about data privacy, which is a big topic. Some will say it's a political topic, even, and I will not disagree with that. However, what it also does is force not only the classification of data, as we were just talking about, to figure out what personal data there is that you need to protect and manage from a GDPR standpoint, but also the adoption of rules that were not created here but have become global. So that's a very interesting topic. It also changes how you're going to handle backup and recovery, because what do you do with years of backup, of data that may have to be forgotten?
Mark: Right. From the perspective of the industry that we function in, is it good for business, as in good for the vendors of data protection, good for the consumers of data protection tools, irrespective of how it eventually impacts consumers?
Christophe: Actually, if you think about it, it is a good thing, right? Because it's going to force, number 1, the classification of data or understanding what you have as a business, and that's not a bad thing, because now you can start adding value to that. And as a matter of fact, you may be headed towards data management at that point, which gives you the ability to better, again, create value with data and be compliant, avoid the fines. Also, as a consumer, I may like the fact that you're really, really good with data privacy. I may have more faith in you as an organization that deals with my data, and therefore maybe give you more business. So that's a big deal from that standpoint.
The other thing is yes, for data vendors, or data protection vendors, I should say, there's an opportunity: new features, better features, new partnerships. And I think those are gonna be needed.
Mark: Right. Well, thank you for the insight.
Christophe: Thank you, Mark.
Mark: I feel a little smarter. Thank you for watching.