GDPR is a game-changer for the processing of personal data, but it also has substantial impact on IT operations more generally. This blog is the first in a short series that will explore some of the key areas where GDPR will have an impact on IT operations.
GDPR is the biggest shakeup in data protection legislation for three decades. What is more, with GDPR adopted by the EU in April 2016, the two-year transition period during which the regulation comes into force has already begun. Much of the discussion on GDPR so far has been around the security implications, often with a focus on encryption, but the scope of GDPR is much broader than security. For example, the regulation mandates the "ability to restore the availability and access to personal data ... in the event of a physical or technical incident".
Much has also been made of the punitive fines to be levied on non-compliance with GDPR. There are some important subtleties in the administration of fines. For example, a data breach due to a security failure attracts a fine of 2% of global revenue or €10 million (whichever is the higher). But non-compliance with the rules around consent, basic data subjects' rights, and the transfer of personal data to "third countries" (for example, in a cloud environment) attract double that fine. In other words, failure to comply with the principles of GDPR is considered to be much more severe than individual instances of data breaches.
What this means is that there are wider and more general implications for IT operations as a whole than just breach prevention. These include a rigorous and auditable tracking of personal data and IT assets, because IT assets are where personal data is most likely held: firms must therefore know what data and assets they have, where they are (physically) and their risk profile. GDPR also mandates a formal and audited schedule of data backup and recovery, and it even covers issues such as data formats ("structured, commonly used and machine-readable format"), to facilitate the new data portability requirements.
Arguably, the most important role introduced in GDPR is that of the data protection officer (DPO). The relationship between the DPO and IT operations will be one of the most important in the execution of GDPR compliance. In a nutshell, the DPO role is to:
- Monitor compliance with GDPR within an enterprise
- Advise on the applicability of data protection impact assessments (DPIA)
- Liaise with the national data protection supervisory authority
The monitoring role of a DPO is critical: in GDPR, data protection audits and reporting are key and, although not specified in the regulation text, this is likely to be carried out via IT systems. Other IT controls that facilitate best practice, such as provisioning of users and related permissions, are also essential. IT operations therefore find themselves as the facilitators of much of the compliance – and compliance monitoring – inherent in GDPR, and are a key part of an organisation's GDPR compliance strategy and implementation.
DPIAs are an interesting innovation in the data protection regime. The regulation requires that where processing of personal data is "likely to result in a high risk" to compliance, then the data controller must assess the impact on the protection of personal data. The DPO advises on the DPIA: importantly, the introduction of "new technology" in data processing is a key indicator of whether a DPIA is required. Again, the DPO and IT operations need to collaborate on DPIAs.
The next blog in this series will examine the direct requirements for IT operations, from both a tactical compliance perspective and a longer-term strategic viewpoint.
External Publication of IDC Information and Data — Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason. Copyright 2016 IDC. Reproduction without written permission is completely forbidden.