Enterprises should not be fooled into thinking General Data Protection Regulation (GDPR) compliance can be bought through investments in information management technologies, third-party consultancy or new hires.
Speaking at the inaugural Datacloud Ireland conference in Dublin on 21 September, NetApp chief privacy officer Sheila FitzPatrick set out to separate the fact from fiction during a presentation about the “ripple effects” of GDPR.
In advance of GDPR coming into force on 25 May 2018, she said “every company and their mother” is claiming to have in-house expertise or specific technologies that enterprises can buy to ensure compliance with the new-look data protection regime.
“There is a lot of misinformation out there and a lot of that is because of companies jumping on the bandwagon, either trying to scare companies into becoming compliant or providing misleading information to buy technology that is certainly going to be important, but you don’t start there,” she said.
“If you’re just buying data lineage tools, data discovery tools or data eraser tools – they’re going to be important later on, but they’re not going to help you obtain compliance.”
Enterprises need to tread carefully and learn to appreciate that, for many tech suppliers, GDPR is seen as little more than a new source of revenue generation.
“Organisations that don’t even know how to define privacy already have GDPR expertise on their websites. All of a sudden, companies are GDPR experts and they honestly do not know anything about GDPR,” said FitzPatrick.
She likened the push to get companies to invest in technologies to protect themselves to the sales hype surrounding Y2K (also known as the Millennium Bug) in the late 1990s, and said it amounts to little more than scare tactics.
“There is a lot of scaremongering going on, where organisations are coming in and saying, ‘You need to buy our tools and technologies to be compliant with GDPR.’ Well tools and technologies are not going to make you compliant with GDPR,” she said.
“They will help you on the GDPR journey, but you need to have that legal foundation and a privacy programme in place before you start investing in tools and technology.
“I am not anti-cloud by any means – I’m a big supporter of cloud and having datacentres in-country, but those alone are not going to solve your GDPR problem,” she said.
Check before you hire
The final version of the GDPR states that European public authorities and organisations engaging in data profiling need to hire, appoint or contract a data protection officer.
According to FitzPatrick, this requirement has prompted a rush of people to remarket themselves and their skill sets as a good fit for this role, when very few of them truly are.
“There is no approved certification for data protection officers, even though a lot of companies are saying ‘take our training – we will certify you’,” she said.
“The EU Data Protection Article 29 Working Party have not [identified] any approved certification programmes to date. This is a very rare expertise and they [data protection officers] are few and far between.”
FitzPatrick also shared some common misconceptions about GDPR that she encounters among enterprises in her day job, chief among them a failure to appreciate that data security and data privacy are two very different things.
“My pet peeve is when people say we have world-class security, so we’re good when it comes to privacy,” she said.
On this front, she said it is common to hear organisations state that, just because their data is encrypted, their data privacy obligations to their customers have now been met.
“For those of you who operate with companies that are headquartered in the US, if you try to talk about privacy, they want to talk about security. ‘We’re all good. We encrypt your data,’ they say. Just encrypting data is not going to make you privacy compliant,” she said.
While one of the core aims of GDPR is to harmonise the data protection laws across the EU, it would be wrong for enterprises to assume – once it comes into force – that each country has interpreted the regulations in the same way.
“We’re seeing in the 28 member states – soon to be 27 – that there is a fundamental difference in the way they handle personal data and the way they enforce it. So we’re still going to have to juggle not only the EU regulation, but also the national laws,” she warned.
To back this point, she shared examples of a couple of European countries that are adding supplementary regulations over and above what GDPR calls for.
“Germany and Austria have already implemented new national laws to meet the requirements under GDPR, and they’ve actually gone further. They’ve added more requirements in addition to what you see in GDPR,” she said.
“So that entire idea of a harmonisation of the data protection regulation is still changing and there is still going to be country-specific laws that you’re going to have to look at in addition to GDPR.”