TechRepublic’s Dan Patterson talked with Crispen Maung, the VP of compliance at cloud content management and file sharing service Box, about doing business after GDPR.
Patterson: We now live in a post-GDPR world, but what does this mean for the day-to-day reality of business technology professionals… Let’s start with what companies need to be thinking about in terms of compliance and making sure that their internal policies match external regulations.
Maung: Well Dan, most companies should have actually gone through this already, but in regards to what companies need to do if they’ve not done it, then they need to really think about how they manage data and control data, and whether they actually have the right controls and processes in place to secure the data. In addition, there are other articles in GDPR that require some operational processes to be put in place. Things like the right to be forgotten and deletion and erasure of data, and those types of things. In addition though, I think companies also need to take a look at how they’re processing data or how they use data and information. I think that’s going to be one of the questions that regulators are going to start asking in the future. Not only is the data secure, not only how we actually address some of the process articles within the requirements, but also have you, and can you, show how you’re actually controlling the data in regards to how the data’s used within your organization.
Patterson: What about working with vendors? Often, well in almost all cases, whether an SMB, startup or enterprise company, you have to work with vendors at some level or another. How do you ensure not just that they’re compliant, but that your goals are aligned in terms of compliance and data management?
Maung: Right. Once again, the obligation for you, if you’re the data controller or processor or sub-processor, is to make sure that any of those suppliers or vendors that you might leverage, where data may be moving to those organizations, are also under control. Ultimately, at the end of the day, you have responsibility for making sure those controls are in place, making sure that you actually have the legal mechanisms for that movement of data to those other locations, and really you should actually have a fiduciary responsibility for making sure that, as I mentioned earlier, the controls that a sub-processor may have in place truly are in place and really that they meet your bar in regards to information security and data privacy. At the end of the day, everything should be at the same level. So you’re obliged, or obligated I think, to actually make sure that whatever you do as an organization is transferred in equal or similar controls to any sub-supplier that you may use.
Patterson: So what about those companies that may have been, or have put a good effort into becoming compliant, but might have missed the deadline? Is there anything that they should do, other than the points you’ve already enumerated? Is there anything that they should do to make sure that they get their house in order quickly and perhaps communicate with regulators that, “Hey, we’re on the case. We may be a little behind the times”?
Maung: I think I would not necessarily reach out to the regulator. I think when you look at GDPR …
Patterson: Fair point.
Maung: … the regulator, well the requirement to be compliant by May 25th, 2018, was really a timeline by which you should have a program in place. And obviously, I think we need to recognize that there are some companies that have difficulties putting those programs in place because they’re so large, or they’ve not really paid too much attention until it became a serious issue. In which case I think having a program in place is important, and actually having a project in place to put a program in place is probably even more important for those companies that haven’t started, or have started but are not quite finished. At the end of the day I don’t think any company’s finished. I think what you have to be able to show to any regulator is the fact that you do have a program in place for effective data protection. And that program is going to evolve and develop and improve over time. And I think as long as you can show a regulator that that’s what you’re doing and that’s the kind of program you have in place, and you have the right mechanisms in place in terms of addressing some of the articles, like right to be forgotten and those types of things, then I think you’re fairly sound in your approach.
Maung: For those companies that have done absolutely nothing, I think they’re probably in a worse position, if not a really bad position to be quite honest, because you never really know when a regulator might start knocking on the door. But if you’ve got a partial program in place, and you can show an effective program or an effective project plan for putting that program in place, I think most regulators would understand that this is an evolving thing for most organizations, and as long as you’re in business, you’re going to have data, you’re going to have to come up against new challenges with the data, and as your business moves and changes and modifies, you’re going to have to change your data protection profile. So it’s going to be an evolution.
Maung: To me, I think, the date last Friday was really the beginning of the end. Or the end of the beginning, sorry. In regards to putting an effective program in place for data management and data protection.
Patterson: I’m so glad that you emphasized a few times there that this is an evolving process and it really is perhaps the end of the Wild West era and the beginning of a new era. So what can companies anticipate in terms of regulation and in terms of just managing consumer data or business data going forward? Things have changed and we’re not going back to what was the status quo before the 25th of May.
Maung: Right. I think, looking forward, if you’ve got an effective program in place that’s absolutely fantastic. But nine times out of 10, what organizations did was focus on their internal controls from an information security perspective, and then over the last few months a lot of them have focused on the supplier relationships that we mentioned a moment ago. But I think what I can see in the future is more discussions from the regulator about how they want to determine if companies can prove, organizations can prove, that they’re using the data appropriately. All right? And I think that’s one of the important areas that will start to surface with the regulators in regards to things they’re looking at. So the security question, check box done. Everyone might have an ISO 20000 certification or have controls in place for information security that are pinned to that standard, and in regards to managing the supply base, you can show evidence of that. But a lot of organizations aren’t really thinking about the operational processes they need to have in place to prove that they’re only using the data appropriately. And I think that’s where the challenge is going to be for most organizations.