GDPR will take away the hiding place
Stories about data being exposed unlawfully are all too common. Or are they not common enough? That might sound like an odd question, but not all significant data breaches are reported in the media. That is a relief to any IT professional who has the misfortune to have their data hacked, but it is not going to last. The safety net of burying a data loss in the books somewhere goes away with the transparency demanded by Europe’s forthcoming General Data Protection Regulation (GDPR), which applies from May 2018, almost a year before the UK is due to exit the European Union, so we are affected. Under GDPR a breach of personal data must be reported to the supervisory authority (in the UK, the Information Commissioner’s Office) within 72 hours of the organisation becoming aware of it, and to the affected individuals as well where it is likely to put their rights and freedoms at high risk.
It is worth considering what happens at the moment when data is exposed. The Information Commissioner’s Office fined Nottinghamshire County Council £70,000 for leaving vulnerable people’s data exposed online for five years. It was a basic matter of not having sufficient security, such as password protection, in front of the data. Nobody is saying this was anything other than regrettable, but the fact is that fines under GDPR can run to millions rather than thousands: the upper tier is €20 million or 4% of worldwide annual turnover, whichever is higher.
A Gartner report outlines some of the key areas of risk. The definition of personal data expands, and the rules on how it may be processed tighten, so what was “good enough” under existing legislation will not pass any longer. You will need to demonstrate accountability and compliance through extensive documentation (where ‘paperwork’ may well be electronic), including records of the processing activities you carry out and of the security measures behind them.
Individuals will be able to demand access to all the personal data you hold on them, and that may well include your own notes about any breach that affected them. This is where a secondary impact of GDPR could hit the public sector: an initial breach and fine are bad news, but if word gets around, as it can be expected to, and citizens lose faith in your technology, the damage compounds as they decline to self-manage online, restoring all the costs of human contact that you had aimed to eliminate through automation.
The answer is to be compliant on the day the regulation applies, 25 May 2018, and one core component of that compliance is getting the right technology in place. A good partner will be able to advise on this, and one key area is the storage systems you opt for. Robust encryption will be vital, as will efficient and verifiable erasure of data when someone exercises their right to be forgotten. The two are linked: GDPR names encryption as an appropriate security measure, and a breach of data that was rendered unintelligible to whoever obtained it, for instance by encryption whose keys were not also taken, need not be notified to the individuals concerned. Erasure is harder than it sounds on storage that snapshots, replicates and backs up, because an erasure request has to reach every copy, not just the live one.
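Encryption and erasure meet in one storage technique, crypto-shredding: encrypt each person’s records under a key that belongs to that person alone, and honour an erasure request by destroying the key, so every copy of the ciphertext, including the ones sitting in backups, becomes unreadable at once. The Go program below is an added example written for this page; it is not code from the page, from IBM or from S3. The Store type, the subject IDs and the sample record are constructed for the demonstration, and it keeps the per-subject keys in a plain map where a real system would wrap them under a master key held in a KMS or HSM (an assumption noted in the code).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrErased = errors.New("subject key destroyed: records unrecoverable")

// Store is a toy record store constructed for this example: one AES-256 key per
// data subject in a separate key table (in production that table would itself
// be wrapped under a master key in a KMS or HSM; assumed and omitted here).
type Store struct {
	keys    map[string][]byte   // subject ID -> data-encryption key
	records map[string][][]byte // subject ID -> AES-GCM blobs (nonce || ciphertext)
}

func NewStore() *Store { return &Store{keys: map[string][]byte{}, records: map[string][][]byte{}} }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and binds the subject ID as associated
// data, so a blob cannot be replayed under another subject's key.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on tampering, a wrong key or a truncated blob.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Put stores one record for a subject, generating the subject's key on first use.
func (s *Store) Put(subject string, plaintext []byte) error {
	key, ok := s.keys[subject]
	if !ok {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		s.keys[subject] = key
	}
	blob, err := seal(key, plaintext, []byte(subject))
	if err != nil {
		return err
	}
	s.records[subject] = append(s.records[subject], blob)
	return nil
}

// Get decrypts every record held for a subject, or reports ErrErased.
func (s *Store) Get(subject string) ([][]byte, error) {
	key, ok := s.keys[subject]
	if !ok {
		return nil, ErrErased
	}
	out := make([][]byte, 0, len(s.records[subject]))
	for _, blob := range s.records[subject] {
		pt, err := open(key, blob, []byte(subject))
		if err != nil {
			return nil, err
		}
		out = append(out, pt)
	}
	return out, nil
}

// Forget honours an erasure request by destroying only the subject's key; the
// ciphertext is deliberately left in place, as it would be in a backup.
func (s *Store) Forget(subject string) { delete(s.keys, subject) }

// BlobCount reports how many ciphertext blobs are still physically present.
func (s *Store) BlobCount(subject string) int { return len(s.records[subject]) }

func main() {
	st := NewStore()
	_ = st.Put("citizen-42", []byte("name=A. Example; case notes=...")) // constructed sample record
	st.Forget("citizen-42")
	_, err := st.Get("citizen-42")
	fmt.Printf("blobs still on disk: %d; read attempt: %v\n", st.BlobCount("citizen-42"), err)
}
```

Running it shows the point the paragraph makes: after Forget the blob is still on disk but Get fails with ErrErased, and other subjects are unaffected. The caveat to hold onto is that the guarantee is only as strong as the key table. If the keys themselves are replicated or backed up, erasure has to reach every copy of the key, which is a far smaller job than reaching every copy of the data, but still a job that needs to be designed and evidenced.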
Storage systems such as those from IBM, supplied by S3, have the robustness and the capacity to encrypt and erase as required, which is a foundation for complying with this legislation. Nobody is saying the hardware alone makes you compliant, it is more complex than that, but making sure your technology is up to it is an excellent start.
It can begin with a call to S3.