Information security across Europe just got a lot more serious. The General Data Protection Regulation (GDPR), announced at the end of 2015, overhauls existing data laws and will have a huge impact on both CIOs and the businesses they serve.
The GDPR aims to harmonise data protection laws across EU member states. The fact that it is a “regulation” rather than a “directive” means it will be directly applicable to all EU countries without requiring national implementing legislation.
Danielle Jacobs, director of Beltug, Belgium’s largest association of digital technology leaders, is investigating the likely effect of the regulation. She is working closely with CIOs across Europe, who have until mid-2018 to prepare for the changes.
Jacobs, who also chairs international telecoms association Intug, says the GDPR presents both challenges and opportunities for CIOs. The regulation might have been announced only recently, but the small print is already having an impact on the people running major European firms.
“It is a concern for executives in all organisations – it is a very hot topic,” says Jacobs. “Two years is not that long in business terms. IT leaders must create awareness of GDPR at board level. They need to get past some of the legal uncertainties and provide answers for the other people running their business.”
According to Jacobs, the good news is that CIOs are aware of the importance of the GDPR. She runs regular Beltug cabinet sessions, where 30 CIOs from across the region talk about key IT and business concerns, and says the GDPR is at the top of the CIO priority list.
“It’s very, very new,” she says. “Privacy is often not taken seriously enough at boardroom level. This regulation helps to put the importance of security into context. Executives can’t avoid the risk of a data loss for ever.”
The GDPR focuses on the potential financial and reputational damage of a security incident. The regulation enables data privacy authorities to impose fines of up to 2%, and possibly 4%, of a company’s annual worldwide turnover. Jacobs says the fine is a powerful instrument.
CIOs must help their businesses to recognise the importance of sanctions emanating from the GDPR. The regulation presents a new challenge, but the current situation regarding data protection is far from ideal, says Jacobs. A company operating across Europe might have to deal with as many as 28 different data privacy regimes.
CIOs should see the GDPR as an opportunity, she says. Rather than data protection being a complex puzzle, the regulation should help to provide legal consistency across Europe.
“The principle of creating a single regulation across many countries is a good idea,” she says. “But there have been many lobbies around the detail of the regulation and the exact text will not be known until later this year.”
Jacobs describes the current status of the GDPR as a “compromise” – specific elements of the regulation are unclear and CIOs will have to work with expert bodies to understand it. For example, companies have the ability under the GDPR to select their main privacy authority, she says.
One privacy authority
Rather than having to work with different information commissions in different countries, CIOs will have to work with only one privacy authority. This national authority will be selected according to the location of the main establishment of the business.
But this definition has many potential interpretations, says Jacobs. A firm could have its holding company in Luxembourg, its main office in Belgium and most of its customers in Germany. She also points to the GDPR’s requirement for organisations that work with sensitive data to appoint a data privacy officer.
Lack of clarity around these concerns means the current status of the GDPR is, at best, a compromise, says Jacobs. “It’s a starting point,” she adds. “We want to help organisations that need to work with the demands of this regulation on a daily basis.”
To this end, Beltug is preparing a checklist of the issues that need further clarification. This covers two key concerns: legal matters and best practice activities for IT leaders.
“We are trying to define the key questions for CIOs so we can bring all the information together,” she says. As regards legal concerns, the aim is to work out in detail where further clarity is required. Beltug is working with law firm Allen & Overy to draw up the questions.
When it comes to best practice, Beltug is running workshops with executives at major companies. Best practice is expected to focus on a number of key areas, including assessing suppliers for GDPR readiness and producing key questions for commissioners, such as what the “right to be forgotten” means in terms of data retention.
Beltug is exchanging evidence with sister organisations in other countries, with the aim of producing a single set of questions to help European IT leaders prepare for the GDPR, says Jacobs.
No magic formula
“We want to help CIOs, but we don’t have a magic formula for coping with the regulation,” she says. “We can give CIOs recommendations, but they must also do the right groundwork.
“IT leaders need to work with other organisations, such as independent bodies and specialist suppliers, to get the right kind of advice.”
IT suppliers can play a key role and smart CIOs will tap into their specialist advice, she adds. “Consultation is crucial. Remember that suppliers have many of the same questions about the implementation of the GDPR – they want to help their customers.”
Beltug is starting to help CIOs understand the potential impact of the new data protection legislation, says Jacobs. “Meeting the demands of the regulations by 2018 will be tough, but a strict deadline does help focus the minds of everyone involved,” she says.
“Smart CIOs will use the GDPR to their advantage and help the business to protect its data. But before that can happen, everyone involved needs answers to some of the legal uncertainties that still persist. Executives across Europe need concrete interpretations.”