
GDPR and the future of data security: All you need to know

The role of IT within British businesses is changing fairly dramatically right now, with the forthcoming General Data Protection Regulation (GDPR) set to introduce far more stringent rules to help IT managers control, manage and secure their organisation’s data.

While IT guys used to look after ‘stuff’ – hardware that was clearly identifiable and stored in a computer room or data centre – their role has shifted to one in which they have become managers of third-party services. If you’re interested in keeping your data a little safer, check out this data centre, or maybe a colocation centre would suit you more in the age of GDPR.


The rate of the acceleration of change in the IT sector continues to increase and as businesses increasingly rely on cloud services, IT, in the words of Gartner’s research vice-president, David Cappuccio, “becomes a broker and a facilitator of services that deliver lines of business applications and functionality.”

Hyper-convergence, the cloud and the end of the discrete data centre

Back in the early days, IT used to be about big white boxes that took up an entire computer room. The IT Manager could walk into a computer room and immediately see where all of his or her data and platforms were.

We then moved across to a ‘converged infrastructure’, where we took all of that metal and converged it into a smaller stack of hardware. Next came what we call ‘hyper-convergence’, in which every single layer of IT and the things that we need to function (such as networks, storage and computers as a service) are wrapped up into a ‘white box’.

Then, most recently, of course, we have the emergence of cloud computing, with many of today’s organisations using cloud-based software for day-to-day operations.

Gartner’s Cappuccio notes that software-defined infrastructures (SDIs) are “the tipping point in how I&O looks at overall IT strategy, moving away from a model where performance, support and availability of a discrete data centre was the objective, to a role where applications and data will reside and execute wherever it’s most appropriate for the business – whether that’s on the premises, in a hosting or colocation site, or even provided by a cloud service.”

So what you end up with as an organisation is a bunch of apps and platforms that service the business that drop data into ‘silos’ (or ‘data islands’). Gone are the days when IT could walk into a room and physically see a company’s ticketing platform, or payroll data storage or whatever else it may have been…

The boom in the use of disruptive productivity apps

IT no longer has the luxury of geographically-limited data control and management, because all of these data repositories now reside in very diverse locations. All of which means that it’s getting very, very difficult at a technical level for organisations to manage data, because we’ve created these silos or islands of data through disruptive and emerging technologies.

What makes this worse, in terms of data control – and something that is every CIO’s worst nightmare – is the sheer number and diversity of employees using disruptive productivity applications such as Dropbox, which gives the user a data repository on their mobile device yet, crucially, is also outside the field of vision for IT.

This means that these repositories are outside the field of vision for the organisation. And when you bear in mind that 75% of the workforce is now mobile, 81% of employees access work documents on the go and 1.3 million mobile devices are stolen each year, the dangers of potential data breaches and data farming to business become clear.

And if that wasn’t enough, a few more recent headache-inducing statistics for CIOs include the fact that 72% of employees are using unauthorised file-sharing services at work, while business mobile tablet usage is set to triple in three years.

Finally, with one in ten laptops still stolen or lost, it’s no real surprise that only 28% of CIOs believe their practices would meet legislative compliance requirements, as they don’t feel they have the appropriate mechanisms and systems to control their organisation’s data.

So where is this data going?

By data, we are referring to pretty much any information, covering everything that includes personally identifiable information, from your personal tax information through to your confidential medical records.

The real data growth is in cloud and end-points (i.e. mobile devices) – most of which is not within IT’s scope of vision – and the knock-on impacts for business are clear.

Companies have tons of silos of data, yet no unified platform or means of controlling and managing this data (as it is sat in and across multiple different locations). The legislation at the top level doesn’t change, yet how does the organisation apply it to all of these new and different data repositories? Or to put this in different terms: how does an IT team apply an organisation’s policy and legislative compliance to all these various silos of data?

Complicated systems integration and multiple fragmented systems that don’t talk to one another mean poor insight and reporting, a heightened risk of non-compliance and increased management overheads.

It’s a classic catch-22 situation. Either organisations risk being non-compliant OR they have a team purely hired to manage their increasingly complicated legislative or compliance obligations.

GDPR and best organisational practice for the data revolution

The only way to really address this emerging market and this data revolution is to apply a logical layer – or, if you like, ‘an all-seeing eye’ – over the top. One that has the ability to overlay all of the silos, all of the repositories, and can manage that data and apply company policy and can ensure you manage all your assets with minimal overheads.

The forthcoming GDPR, which comes into effect on May 25, 2018, is by far one of the most important pieces of European legislation ever to come out, because the breadth of application is just phenomenal.

Which is why the high number of CIOs and CEOs we speak to for whom GDPR is still not even on their radar is both surprising and alarming. The point of this new regulation is to aggressively push organisations to take appropriate steps to protect the data they hold for a subject.

GDPR’s key message is that companies must look at the best ways of building privacy by design into their systems and infrastructure.

These days, even a typical SME is using Office 365, Salesforce and Skype for Business. Each of these is an application that can potentially hold and transmit data, so they are all in scope.

The importance of opt-ins and data transparency

IT departments need to completely change the way they approach data collection. GDPR means that it becomes vital for organisations to explain why they need to collect the data and to have greater transparency for data handling and data collection.

Any subject then gets the ability to either opt in or out, as well as ‘the right to be forgotten’. Plus, entities above the 250-employee threshold will soon need to appoint a nominated Data Protection Officer, another move which shows the seriousness and breadth of GDPR.

Overall, GDPR is about readying business for modern data protection governance. It is about accepting that data breaches are going to happen, and that they are an unfortunate problem which modern IT departments need the right strategies to detect, control, monitor and investigate as necessary.

Gaining visibility of your organisation’s data is a really good place to start, because once you understand your estate then you know what you are protecting.

“Your data, your problem,” as the T&Cs of most major cloud-based apps and services have it. And unfortunately, information governance is very low on the agenda right now for too many organisations.

GDPR is going to change all of that, which is why it’s time to take back control of your business’s data. Get visibility, because it is not good to have organisational information out there in the wild that you know nothing about.