alphaspirit - Fotolia
The EU’s General Data Protection Regulation (GDPR) is less than a year away from coming into force and companies are rushing to meet its demands for data privacy and protection.
Finnish shipping company Viking Line was one of the early starters and launched its GDPR project a year ago. But CIO René Engman believes there is still plenty to do.
“We know now what we have to do, we have done some things and we have a plan for the future,” he tells Computer Weekly. “We have our structured data well under control already, but next we have to think about unstructured data.”
By unstructured data, Engman is referring to personal information about employees and customers that is stored outside formal databases, for example written in emails, spreadsheets and word documents. It is the last leg of Viking Line’s review of where and what kind of personal data is stored across the company’s internal systems and by its external partners.
This is no small feat. In 2016, Viking Line transported more than 6.5 million passengers and 130,000 cargo units on its seven cruise ships, sailing between Finland, Sweden and Estonia. And the new regulation applies to all personal information collected, stored and processed in relation to EU citizens.
Engman became Viking Line’s CIO seven years ago after a long career at the company, beginning as an IT manager back in 1987. Over the years, he has seen and overseen many changes in the shipping company – but the biggest is the role of IT.
“IT has grown to be the most important part of our business due to digitalisation,” he says. “IT is more business-focused nowadays, when in the past it was technically driven.”
This also means GDPR is a company-wide issue. It was Engman who initiated the compliance project and started to map out how the company manages personal data on the system level, but today there are teams of lawyers and business people working with him. Their role is to define the legal grounds for collecting different kinds of personal data and how long the company is allowed to, or must, store it.
The IT team’s focus is to ensure that customers can easily consent – whether on Viking Line’s app, website or booking system – to their data being stored, and that no personal data exists past its legal “expiry date”.
“From IT’s point of view, cleaning up data older than one or two years is a big thing, to build those routines and processes,” says Engman.
GDPR will also introduce a 72-hour notification requirement. It stipulates that all companies handling personal data must notify the correct authorities of any data breach within three days, or face fines of up to €20m or 4% of the organisation's global annual revenue, whichever is greater.
“To enable this, we have centralised our login information from different systems to be able to analyse it in a smoother way than before and to find indications of a breach,” says Engman. “We have also changed our firewalls to more modern solutions with better intrusion protection systems.”
No one completely ready
Although Viking Line embarked on its GDPR preparations early, there is no such thing as being completely ready, says Engman. Instead, the compliance process will continue long after GDPR comes into force as companies’ data needs change.
“We will buy new systems, so will have to re-analyse how personal information should be handled,” he says. “Also, in future we will use customer and employee information in new ways compared with today.”
Another issue Engman points out is legacy systems, which are not always easily updated with new data processes and take time to renew. He stresses that companies need to be fairly pragmatic in their approach, do risk analysis and define what are the most important GDPR requirements for them.
“I believe the regulators will be practical about this,” says Engman. “Many companies are working on [GDPR], but no one will have everything under control. You can always find something that can be done better.”
His advice to anyone still procrastinating about GDPR compliance is to start now, get top management committed to the process and involve legal advisers early, preferably as the project leads. One of the decisions needed is whether a company aims to be among the best in class, in the middle or just above the fence in GDPR compliance.
This includes revisiting any outsourcing agreements, of which Viking Line has many. The company follows a multisourcing strategy in IT and outsources anything – such as most of its infrastructure – where it doesn’t gain a competitive advantage by doing it in-house.
“You need to identify everyone who is handling personal information on your behalf, whether it is in the cloud or outsourced, and have an agreement with them on what they are and are not allowed to do,” says Engman.
GDPR represents a huge workload for Viking Line, but there is a positive side, says Engman – the company now has significantly better documentation of personal information and data processes across all its systems.
“You get better control and better structure [over data] – and that is good for all companies,” he says.
This is vital for Viking Line as the role of data will continue to grow in the company. Next on the list is using the data from its various digital channels to gain a better understanding of customers’ behaviour, such as why a trip booking is not finalised. Engman believes the company will stay competitive by developing its data-driven marketing, sales and analytics.
“We are going more and more in a digital direction and we have to think about what that means to us,” he says. “We have a lot of ideas, but we always have to calculate what kind of return on investment we think we can get from them or if they are connected to the overall strategy. That is the biggest challenge.”