
PART 3 - Calligo: “...great things and have great policies, but inadvertently repeatedly breach their own rules by storing, scraping or using data without any concept of data minimisation”

EBOOK

The GDPR Interview Series, Part 3


Introduction

Calligo’s GDPR Interview Series is a unique collection of interviews with expert commentators on GDPR. Our experts discuss GDPR’s origins and motivations, its implications, and where and why businesses are struggling and succeeding with preparing for the 25th May deadline.

This third instalment in our four-part series features a data privacy legal expert and a cybersecurity specialist, both with remarkable experience. Despite coming from different areas of business, they share consistent views on various topics, including where businesses should focus their attention to be confident of adherence, and the role of IT security.

Sheila FitzPatrick is a world-renowned expert in data privacy and sovereignty and a consultant Chief Privacy Officer. Ian Thornton-Trump has more than 20 years of experience in IT and cybersecurity, including Canadian Military Intelligence and some of the largest enterprise brands.


For more information visit: www.calligo.cloud/gdpr


Sheila FitzPatrick: “What the lawyer thinks”
Expert privacy counsel

Sheila FitzPatrick is a worldwide expert in Data Privacy and Sovereignty Laws, especially GDPR, a consultant Chief Privacy Officer for all industries, including the technology industry, and a regular speaker at national and international privacy conferences.

Sheila and our GDPR Global Lead, Sophie Chase-Borthwick, discussed the confusion that reigns amongst businesses over how to adhere to GDPR, what has created it and how businesses can combat it.

Sophie Chase-Borthwick: How did GDPR come about?

Sheila FitzPatrick: GDPR arose in part because of the need for harmonisation of multiple privacy legislative frameworks across Europe, but also because of the emergence of new technologies.

In terms of technology, it was a question of the EU keeping pace. There were too many privacy directives and national laws founded on outdated technology environments. This means that regulators were not sufficiently empowered to address the new digital age, especially fields such as the Internet of Things (IoT), artificial intelligence (AI) and mass cloud adoption.

The rapid development of IoT means we have sensors, cameras and wearable devices generating big data inherently based largely on personal information, while AI has given companies the ability to monetise it. Data is almost more important to companies than their employees now.

As a result, the EU realised it had to change the regulations and start guaranteeing a standard of privacy and protection that 99.9 per cent of companies around the world currently fail to meet. Companies often say great things and have great policies, but inadvertently repeatedly breach their own rules by storing, scraping or using data without any concept of data minimisation or a focus on the law. This is what the GDPR seeks to address.

SCB: With now very little time until GDPR goes live, have you noticed an increasing urgency around GDPR and its obligations in the last few months?

SF: I work with multi-national companies and I’m seeing not only a greater recognition that GDPR is coming, but also a realisation that they have been focusing on the wrong areas in the last 18 months.


Organisations are now putting in the effort to genuinely understand GDPR requirements for themselves, rather than relying on vendors’ messages, many of which have been found to be misleading.

“Businesses have now realised that relying on hyperscale providers saying ‘Put your data into our German data centre to be compliant’ is insufficient for compliance.”

Equally, they are starting to see through the misleading claims from the likes of security companies who purport to make businesses compliant just through using their encryption tools.

SCB: It sounds like a corner has been turned in businesses’ understanding of GDPR.

SF: To a degree, yes. But the key question that organisations still don’t ask themselves is how they gathered their data in the first place and whether they should have it. If you are not legally entitled to hold or process it, then encrypting it or putting it in a particular country will not make you compliant. These companies need to trace back the source of their data and make sure they are permitted to keep it – and if not, they have to act.

I have also seen more companies aiming to rely on “legitimate interest” post-May. I find myself often warning them that there is a higher bar now to defend that legitimate interest.

“Too many are stretching legitimate interest almost to breaking point, and are frankly setting themselves up for a fall.”

SCB: All things considered therefore, what is your prediction for the proportion of businesses that will go into 25th May rightfully confident in their GDPR approach?

SF: I just laugh when anyone claims to be 100 per cent compliant, especially in relation to the right to be forgotten and rights of erasure.

I estimate 40 per cent of companies have a strong programme in place. That’s not the same as being fully compliant, but they are in a good position. They are defining what they need in terms of managing relationships or providing services and are drawing up the right policies to identify where the data resides. They have thought to ask questions of their cloud providers about their compliance and risks, and found out where and how other third-party providers are storing data.


Then there will be the remaining 60 per cent that believe they have cracked compliance because they have invested in technology and a cloud environment in the EU.

“But this is to start building a house on the second floor – mad and impossible.”

Since they have not first established what data they can continue to hold, they will sooner or later find themselves in deep trouble.

If organisations don’t have a GDPR programme in place, or assume that adhering to the EU-US Privacy Shield is enough, then they will face big problems. In contrast, businesses that can show they have embarked on the required compliance programme will be better positioned – especially compared with those spending millions on technology with no roadmap.

SCB: For that proportion that will not be fulfilling their obligations from day one, what are the key reasons for their complacency?

SF: Complacency is mainly coming from having invested in the “right” technology and put their data in the “right” geography without understanding what the privacy laws really mean. I often tell companies that if you steal money and lock it in a fortress so nobody can touch it, you are still a thief. So only encrypting or putting data in an EU country will not make you GDPR compliant.

“Many companies also believe GDPR is primarily an IT or security issue. It is not.”

Privacy is a business issue, yet they never think about it in these terms, largely because they still mistake privacy for security. Security and privacy are not the same and being secure doesn’t make you compliant. Organisations must start thinking about their lawful right to hold and process data, instead of focusing solely on protecting it, which is not the only foundation of compliance.

Of course complacency can be more naivety than arrogance. Organisations are constantly bombarded with webcasts and marketing which totally confuse them, with the result that they simply do what the big names with great technology say.

SCB: Are there common themes or categories of mistake that people are making in their understanding of GDPR? And what’s causing them?

SF: Unfortunately, many companies have their heads buried in the sand and believe that as long as they have security covered, they will be fine for GDPR.


To compound the problem, a lot of cloud and technology providers are claiming to be GDPR experts and jumping on the bandwagon, offering services such as Data Protection-as-a-Service (DPOaaS) despite never having worked in the privacy space. Some spread false information, leading clients down a rat hole and into this confusion between privacy and security.

Organisations must build privacy programmes that outline the data they genuinely need and the legal justification for collecting it. Businesses need to realise they are just stewards of the data.

“The subject owns the data – no one else. This is a concept that organisations have a hard time coming to terms with.”


Ian Thornton-Trump: “What IT security thinks”
Cybersecurity expert

Ian Thornton-Trump has more than 20 years of experience in IT security and IT. He served in the Canadian Military Intelligence and Military Police, speaks at numerous cybersecurity events and is a regular contributor to European and North American industry press and national media on information security topics.

Ian and our GDPR Global Lead, Sophie Chase-Borthwick, discussed how GDPR will be enforced, the mindset shift required in business regarding how they hold data, and the role of IT security in GDPR.

Sophie Chase-Borthwick: Is the arrival of GDPR a sign that collection, storage and use of personal data had reached such disrespectful levels that regulation was required, or is it a safeguard for a potential future?

Ian Thornton-Trump: Neither. Let’s not forget we have had privacy regulations in place long before GDPR arrived. In my opinion, GDPR is an attempt to codify UK/EU societal values when it comes to personal data and establish some protectionism of EU/UK industries and further differentiate UK/EU business from North American business. The implementation will be problematic to say the least, but EU/UK anti-trust law has paved the way for GDPR.

“GDPR is an evolution of the fact we are living in a society where data about us goes through a whole variety of systems that most of us don’t even know exist.”

Many British people finding out about the Equifax data breach were surprised that an American company had such an impact on the lives of people in the UK.

SCB: How do you think GDPR will be enforced?

IT: This is the million-dollar question!

There is a sense that crippling fines will be used where they can be justified. However, I would suggest that in the early stages, GDPR doesn’t want to be perceived as a business-killer because that will give it a deeply political overtone that supervisory authorities will want to avoid. I see most authorities becoming increasingly aggressive a year or so after it comes into play.

“In effect, the authorities will be corrective at first, and then punitive after a considerable amount of precedent is built up.”


I can’t see them wanting to do much damage to businesses early on.

That said, GDPR will set arguably the highest data protection standard ever seen and it’s quite possible that someone will bring an action, causing a company to be fined for how data has been used and confirming that Privacy Shield adherence isn’t up to the task of GDPR. I think US businesses have a giant target on their backs – many have been siphoning data away on European businesses and citizens and failing to be good custodians of it.

I would also not be surprised if in 2018 we see world trade organisations wanting to take action against countries that use GDPR to protect their own industries. This is why the supervisory authorities will have to step lightly – if it becomes political or a barrier to trade, it could spell the end of it.

SCB: Most businesses view their data as an asset, especially personal data. They rarely consider holding data to be a risk. Will GDPR finally bring home the need for such a mindset shift?

IT: I think it will. Some businesses are holding huge treasure troves of data that aren’t essential to the running of the business function. For example, if you look inside many companies’ CRM systems, you will find personal data such as birth dates. What is the business value here? If you can justify it, for example if you are in the insurance industry, then you have no issue, but in other industries it is difficult to argue you require dates of birth!

Also, after a certain point, data becomes irrelevant. For instance, the Christmas client party invite list from seven years ago that is still live on a business’ system. Today, there is no value in this. It doesn’t matter if this is outdated – it is personal information and its wrongful retention is still punishable under GDPR.

The only way this mindset of data as an asset changes to data as a risk is by empowering Data Protection Officers. As the precedent of supervisory authorities’ interventions builds up, a DPO’s internal influence should grow, allowing him/her to (amongst plenty of other things) wage war on the holding of unnecessary data.

“The sign that the tide is turning will be when businesses start finitely defining the minimum amount of personal data they need to retain in order to function, and how they will justify holding it.”

SCB: How else do you think DPOs will be able to prove their value?

IT: The technical role that DPOs will play must not be underestimated. They will not only act as the voice of the data subject, but also navigate businesses through the various overlapping, and at times seemingly contradictory, pieces of legislation. For example, GDPR requires old personal data that has no practical use to be removed. But this needs to be balanced with the need to archive old data, as required by HMRC and even industry-specific regulations. A good DPO will know and be able to apply all the applicable regulatory frameworks beyond just GDPR, while also making sure the business’ practical needs are met.

SCB: What should IT security personnel be doing now in order to prepare for GDPR?

IT: The IT security industry needs to move away from the idea that its role is, in simplest terms, endpoint defence and instead towards data management. If you can reduce or remove the personal information the business holds by identifying what is not needed, and implement a robust layered defence, you are in fine shape for GDPR.

“Whether many in the industry realise or not, IT security has moved from an era of protection to assurance.”

IT security’s role is now about being able to go to the business and state confidently that we know where our data is, we know who has access to it and we have the necessary protection mechanisms in place.

SCB: There is plenty of rhetoric from within the IT security industry claiming that GDPR adherence is best led by them, given their experience in data protection. Meanwhile, those outside IT security claim they should manage it on the basis that building walls around data you shouldn’t even have in the first place is hopeless. What do you think? Where does IT security responsibility regarding GDPR begin and end?

IT: Regardless of GDPR, IT security’s frequent failures to tackle general cybercrime have shown it needs to evolve to be an exercise in due diligence and documentation of risk. My opinion is that part of IT security’s new ‘assurance’ role is to amass a considerable amount of evidence to prove the effort the business is taking to protect personal data – obviously, the more the better.

If you can identify the data that isn’t necessary for the functioning of the business, you are in a situation where you need to start re-architecting your processes so you can get rid of that data. The more personal data you have, the more risk you attract.

I tend to look at IT security as the frontline troops, as it were, protecting the network. Whereas I see the DPO as understanding what data is necessary, understanding how long it can be held for and working with IT security to ensure there are as many obstacles to cybercriminals as possible. Although I see the two in alliance, they have different missions.


Final Thoughts

Sophie Chase-Borthwick, Global Lead - GDPR Services, Calligo

One of the most interesting discussion points from these interviews is the role of IT security. Both agree – quite rightly – that to make GDPR a solely IT or security issue is foolish. GDPR cannot be solved by technology or cybersecurity alone.

Those that make this mistake seem to fall into two camps. The first group have been naïve, mistaking security for privacy and assuming that their defences guarantee their ongoing compliance. The second group on the other hand have misunderstood their obligations and, instead of considering whether they are legitimately entitled to hold personal data, have simply built walls around it.

“No one would deny the role of IT security in GDPR. But even a major role is not the same as ownership.”

As Ian stated, an IT security team’s responsibility is to assure the business that its data is secure, held in sensible locations and that access is appropriately controlled.

What IT security cannot be responsible for is the legitimacy of the data. In fact, both our interviewees made interesting points about the real GDPR battleground being whether the business has made the effort to identify the appropriate reason why personal data is held, and acting if not.

For this, the business must turn to the Data Protection Officer. And crucially, if there are boundaries to IT and security’s GDPR capabilities, then businesses must appoint DPOs that have skills and expertise beyond just technology. Ian makes a good point over the complexity of the legal technicalities involved in personal data, which would be beyond most with a solely IT engineering background.

As Sheila said, a DPO that only understands technology will only compound the problem.


Data Protection Officers “as a Service”

IT security is not the silver bullet to GDPR adherence. And nor is legal knowledge. The two must operate hand-in-hand. The appointed DPO therefore needs to be qualified to bridge the gap between technology, processes and regulations. A failing in any of those three leaves the business open to scrutiny.

It is not only a rare internal combination, but it’s also complex and can at times entail internal political issues. As such, many businesses decide that they need external support.

This is why Calligo has designed its Data Protection Officer as a Service offering. Calligo has a dedicated GDPR team with the legal, compliance and technical expertise to identify shortcomings in your current ability to observe the regulations, make recommendations to rectify them, and monitor ongoing adherence. Your team will also represent your organisation to data subjects and the Supervising Authority, while also navigating the internal structures in order to smooth the ongoing observance of obligations.

To find out more about Data Protection Officers as a Service:

www.calligo.cloud/gdpr

[email protected]


Who is Calligo?

Calligo is a data optimization and privacy specialist

We believe that data privacy is the starting point to any interaction with data. Our unique collection of innovative cloud-based services covers the entire data journey, from capture and storage to analysis, monetisation and archival - with data privacy embedded at every step.

These services include public & hybrid cloud, data analytics, artificial intelligence and archival & erasure services, all supported by ‘privacy-first’ data management consultancy and specific assistance with national, international and industry-specific data protection obligations.

Cloud Infrastructure: Our public & hybrid cloud platforms come with market-leading performance guarantees and were first to be designed with data privacy & sovereignty at their core.

Data Privacy Services: Our services instil international, national and industry-specific data privacy requirements into the core of your IT infrastructure and wider processes.

Data Insights: A portfolio of analytics and artificial intelligence services that help you extract the fullest possible value from your data, underpinned by a ‘privacy by design’ ethos.

IT Managed Services: A strategic service that supports your day-to-day operations, security, helpdesk and network, while also tackling your regulatory compliance and data privacy obligations.