Is your Data Centre ready for new EU Data Privacy rules?
By Fiona Hughes
Businesses have two years to get their data in order now that the European Parliament has ratified the General Data Protection Regulation (GDPR), new rules that will have big implications for data privacy when they are applied in 2018.
It’s a long overdue shake-up. If reputational damage isn’t enough to encourage organisations to do everything possible to stay compliant and protect against breaches, there are hefty financial penalties: fines of up to €20,000,000 or 4 per cent of annual worldwide turnover for the previous year, whichever is greater.
Data privacy – new role and responsibility
So who’s responsible for enforcing the new rules? The GDPR says organisations that regularly and systematically gather data will have to appoint a data protection officer to oversee compliance. A big part of their remit will be keeping tabs on where company data resides and making sure it adheres to the regulations.
This is not as straightforward as it used to be when most of a company’s data was kept on premises or backed up at a co-location site. Replacing regulations that date back to 1995, GDPR is a response to a world that has seen huge technological changes affecting data privacy and the way data is collected, collated, stored and used.
Most large organisations now have public and private clouds that inevitably involve third-party data centres; many are running a hybrid combination of services, consuming IT from different platforms in different places. This inevitably has implications for where data resides and how it is managed.
Responding to a breach
Data protection is not just about prevention. In a world where cyber threats are constantly changing and increasingly sophisticated, it’s also about having the ability to respond if there is a breach. GDPR introduces a mandatory obligation to notify the supervisory authority within 72 hours, where feasible. When it’s high-risk data, the subject involved must also be notified “without undue delay”.
Similarly, the “right to be forgotten” in specific circumstances is now introduced in the regulations, allowing people to have their personal data removed from systems and online content.
Warren Deery, BT Ireland Data Centre & ICT Specialist, says: ‘Not only must you make sure your data centre mitigates security risks and guarantees compliance, you have to be able to quickly identify a breach and then inform everyone who needs to be told. A data centre with ISO 27001 is a must. The certification shows that an organisation has the systems and processes in place to protect against cyber threats – and not on a one-off basis.’
The certification is achieved through annual audits by an independent body that ensures continuous improvement.
Ensuring your data centre partner is ISO 27001 certified is certainly a crucial step. ISO 27001 is the international best practice standard for an ISMS (information security management system), ensuring companies can protect against technology-based threats as well as more practical security risks such as uninformed staff or the absence of suitable procedures.
BT was one of the first data centres in Ireland to be ISO 27001 certified. It has been inspected annually by Lloyds of London for so long that a security-first culture is now embedded in our day-to-day operations.
Having a choice of data centre locations around the globe also allows customers to keep their data where they want and move it between locations if necessary. Under the BT Compute portfolio, BT has over 48 data centres globally and 22 cloud compute platforms, giving customers their choice of data location. GDPR will, however, stipulate that processed data belonging to a subject in the EU remains the responsibility of the firm’s data controller or processor, regardless of where they or the data are located. So it’s up to organisations to ensure that every data centre they use, anywhere in the world, maintains a consistent and compliant approach.
Organisations also need to constantly assess whether they have the right risk management, security strategy and business continuity plan in place to protect their business now and for the future. As part of our BT Assure portfolio, we have access to a huge pool of security talent. With over 2500 security professionals around the world, of which 500 are security consultants, customers have access to specialists in cyber defence, risk and compliance, application and data security, and infrastructure.
The primary intention of all the GDPR changes is to push data privacy up the agenda and make sure organisations implement appropriate technical and business measures to protect people’s privacy. The changes may be two years away, but rest assured BT is ready and able to help.