Rudolph Bos, Head of Enterprise and Cyber Security Benelux at Fujitsu

In spite of what you might think, GDPR is not a recent phenomenon, nor should the general concerns come as a surprise. But if you consider the reach of the regulation and the impact of what you need to do (or of the consequences if you don’t even try) to become compliant, you may understand that the road ahead sometimes seems as long as GDPR’s history.

Long history

Let’s have a look at that history first. In 1970 the federal state of Hessen passed the first national data protection law in the world. This was meant to protect data mostly stored in mainframes about individuals. In 1983 the right to self-determination of personal data was added, and the verdict established that personal data are protected in Germany. In 2011 the European Union announced that it would work on a harmonized Data Protection and Data Security policy. This led, on the 15th December 2015, to an agreement on the European Data Protection Reform, reconfirmed by the 47 countries of the Council of Europe on 28th of January 2016. The GDPR was effected in all member states on 25th of May, 2016. As per 25th of May 2018 states will issue fines when a violation is observed.

Far reach

So the general principles of the regulation have gradually grown out of concerns that have existed for decades. But never before have they been bundled and laid down in laws so thoroughly as today. The regulation covers so many concerns around protection of data that can be linked to natural persons – responsibility and accountability, user-profiling, privacy by design and by default, data protection impact assessments, consent for data collection, notification breach, right to request erasure of data, to name but a few – that it is hard to comply with all aspects without a thorough rethinking and redesign of your infrastructure and your processes.

To name just two of the main concerns: do you know exactly which information to protect to be GDPR-compliant ? For management teams and IT teams in most companies it is difficult to create a complete inventory of the data at risk. A lot more difficult than for hackers to breach information security. Consequently, a requirement such as: “All IT systems handling sensitive information should be patched to the latest software versions” becomes a very difficult one. In a modern corporate financial environment, over 300 applications are used across the IT infrastructure. To keep those updated and functional takes months of testing, at which time the security operations centre needs to take extra caution.

Another concern: natural persons need to be able to request their data to be deleted. What seems easy at first, can be a daunting task, taking into consideration today’s IT infrastructure, which is a meshed and hybrid domain of SaaS, PaaS and IaaS solutions spread over insourced custom applications and outsourced corporate service departments. The requirement to remove someone’s data from your own systems is already very complex, but to guarantee that their data is also removed from every backup, snapshot, pdf-printout of every IT solution supplier of the company ? That’s a completely new level of complexity.  

Deep impact 

GDPR may seem to revolve merely round data protection, but very soon it becomes clear that about every business process and every part of the IT infrastructure either involve, transport, modify, transpose, or remove personal data.

In some cases GDPR compliancy is assigned to the IT and IT security department. But ultimately it will be the management team/CFO who are accountable, and the COO will suffer the biggest impact due to changes in the operations. Hence it makes sense to address compliancy with the GDPR as a good opportunity to thoroughly re-evaluate the entire infrastructure and all business processes. The new insight may lead to new or more effective and efficient business processes and with that optimizing the profitability of the company. And maybe this is also the moment to look for alternative outsourcing solutions where it makes sense.