Last week marks a year since the European Union’s (EU) General Data Protection Regulation (GDPR) came into full effect. And, for the most part, it has been well received across Europe and far beyond. However, concern remains among multiple stakeholders within businesses – particularly with regards to data responsibility and legal vs. technical grey areas.
Lost in translation
After six months of GDPR, I spoke with AWS’ Cybersecurity & Compliance Regional Leader for EMEA, Tim Rains, about the challenges that businesses are experiencing in translating legal topics into technical implementation. A further six months on, business stakeholders, particularly CIOs, are still concerned about this topic.
GDPR is largely considered more of a legal issue than a technological one – and this is exactly where boundaries become blurred and complexities arise. In truth, a chasm exists between the legal language used and the IT implementation needed to support it. The set-up of our current legal system means that regulations, like GDPR, include only vague, high-level requirements. The implementation of these regulations, however, is open to a wide range of interpretations.
Unfortunately, some vendors – IT, legal and management consulting services – have abused the grey area between legal language and technical implementation, selling services of dubious value to their customers. As a result, these customers acquire ‘solutions’ that they don’t really need just to prove their due diligence. This can, in some instances, mean that customers fail to meet the data protection standards that this regulation promotes. While this chasm exists, the regulation will continue to be misunderstood and abuse of this grey area will remain.
Regulators can help to ease these concerns and misfortunes. They should focus on providing pragmatic and clear guidance at a technical level, without discriminating against future technologies or alternative approaches to meeting the requirements.
However, in today’s world, the reality is that businesses need to be able to protect their data even without having GDPR requirements fall upon them.
Who is responsible?
Another concern plaguing stakeholders is responsibility and ownership for the compliance of this regulation.
Compliance and regulation challenges, like GDPR, are typically owned by an organisation’s legal team. However, as touched on above, the technical implementation is the other part of the GDPR puzzle. IT teams are responsible for the devices, services and systems that generate and process the data. As such, the IT team has a strong role to play in ensuring a business not only complies with GDPR but practises data protection in general. In fact, under the regulation, CIOs and their teams are usually considered “data processors” – and so already carry a level of responsibility as stated within the agreement.
And yet, in truth, the ultimate responsibility lies with the CEO and business owners – and not everyone is aware of this. As the central figure of the organisation, it is only right that this same person is responsible for protecting the rights of the data subject. Under GDPR, these persons would be considered the data controller. Therefore, the business’ owners – all the way up to the CEO – should be held accountable for the protection of information of any kind, including personal data.
At HeleCloud, we have a multidisciplinary team including four consultants with expertise in data protection and GDPR. And as experts, we believe regulators should focus over the next twelve months on providing pragmatic and clear guidance at a technical level, without discriminating against current or future technologies.