GDPR: General Data Protection Regulation

A huge number of words have been written (on paper and in digital form) on the subject of GDPR and the changes it will enforce in the way organisations need to think and behave when they are the controllers of Personally Identifiable Information (PII).

We at amatis agree the arrival of GDPR is a defining moment in the way businesses need to think about data protection.

Our business has been built around this standard, and it underpins the founders’ personal philosophy that data protection for our customers is paramount. The culture of our business is perfectly aligned with the demands of GDPR, because it provides the Auditable Assurance that all organisations will need to demonstrate when controlling or processing Personally Identifiable Information (PII).

Architecture

Achieving complete compliance with the GDPR is difficult if you don’t have visibility of the entire flow of data. There is no point in using the “cloud” if you have to rely on insecure connectivity to reach the place where your data is stored. That’s why amatis not only owns the network but also owns the data centre. This allows a truly “Private Cloud” and “Private Network”.

Compliance

The real question is: how will organisations know if they are compliant? The regulation doesn’t come into force until 2018, but there are major challenges in establishing a single standard for the entire EU.

  • The requirement to have a Data Protection Officer (DPO) is new for many EU countries and criticised by some for its administrative burden.
  • The GDPR was developed with a focus on social networks and cloud providers but did not consider requirements for handling employee data sufficiently.
  • Data Portability is not seen as a key aspect of data protection, but more a functional requirement for social networks and cloud providers.
  • Language and staffing challenges for the Data Protection Authorities (DPA):
    • Non-European companies might prefer the UK/Irish DPA because of the English language. This will require extensive resources in those countries.
    • EU citizens no longer have a single DPA to contact for their concerns but have to deal with the DPA chosen by the company involved. Communication problems due to foreign languages have to be expected.
  • The new regulation conflicts with non-European laws, regulations and practices (e.g. surveillance by governments). Companies in such countries should no longer be considered acceptable for processing EU personal data. See the EU-US Privacy Shield.
  • The biggest challenge might be the implementation of the GDPR in practice:
    • The implementation of the EU GDPR will require comprehensive changes of business practices for companies that had not implemented a comparable level of privacy before the regulation entered into force (especially non-European companies handling EU personal data).
    • There is already a lack of privacy experts and knowledge today, and the new requirements might worsen the situation. Therefore, education in data protection and privacy will be a critical factor in the success of the GDPR.
    • The European Commission and the DPAs have to provide sufficient resources and power to enforce the implementation, and a uniform level of data protection has to be agreed upon by all European DPAs, since differing interpretations of the regulation might still lead to different levels of privacy.

ISO 27001 as a Business Tool

We at amatis already run our business in a fundamentally different way to most organisations. We use the international security standard ISO 27001 not just as an Information Security Management System but as our business management ecosystem.

Everything that we do, all our processes and, most importantly, our culture are built around this approach. For example, we are constantly looking at capacity planning to make sure that there is enough capacity (network bandwidth, data centre power and cooling, etc.). All of this means we are already supporting organisations in the way that the standards require, now and in the future. The Auditable Assurance that we provide to our 200+ customers is now a requirement for anyone who handles PII.

On behalf of our clients, we are regularly audited by many outside agencies. We are used to working with auditors and understand their language. This is a huge benefit to our customers, as they get compliance and audit coverage automatically, providing reassurance to their own end customers. This certainly helps contribute to business success.