Our website makes use of cookies like most of the websites. In order to deliver a personalised, responsive and improved experience, we remember and store information about how you use it. This is done using simple text files called cookies which sit on your computer. These cookies are completely safe and secure and will never contain any sensitive information. By clicking continue here, you give your consent to the use of cookies by our website.

Tuesday, 18 April 2017 17:48

General Data Protection Regulation: The BC/DR Impact

Posted By 

Soon to be enacted across the European Union, the General Data Protection Regulation – better known as GDPR – has caused no end of concern among UK CIOs.

Although it represents good news for consumers, from a business perspective, things aren’t quite so simple. While the regulation will be helpful in making it easier and more cost effective for cloud providers to offer pan-EU solutions, as well as making customers feel safer in entrusting valuable data to third-parties, GDPR is likely to have serious implications for Europe’s approach to disaster recovery (DR) and business continuity (BC).

For a start, there is a significant difference between the current DR directives and the rules set out by GDPR. Its introduction will necessitate a hefty cultural shift, not only in the management of technology but in the way people operate and the processes put in place.

The regulation will impact any business, whether based in the EU or not, that holds the personal data of EU citizens. Moreover, the definition of ‘personal data’ is broad and could change as consumers continue to expand their online presence. Ultimately, it means that not only must organisations intensify their data protection efforts, they must do so for a large volume of data. In turn, organisations will need to extend their BC/DR efforts to cover this greater remit.

And, as the pressure rises, so too do the stakes. GDPR is driven by two serious threats: reputational damage and monetary fines. Although you could argue that the former has always existed – with plenty of organisations having endured serious backlash from consumers following a data breach – the idea of financial penalties is new. Organisations who fail to properly protect customer data can be fined up to a maximum of €20m or four per cent of their total worldwide annual turnover, whichever is higher.  A high price to pay for ennui or delay!

To manage these changes, it will be mandatory for businesses of over 250 employees to appoint a Data Protection Officer (DPO). From training staff on how to handle customer data through to keeping track of all data within the organisation, the DPO role will need to take a granular approach to the backup and archiving of critical data. Furthermore, to comply with GDPR rules such as ‘the right to be forgotten’, DPOs will be expected to know, with pinpoint accuracy, where any set of customer data is at any given time; an exceptionally difficult task when you consider that a lot of customer data doesn’t even make it onto the organisation’s central server.

As a DPO, it would be your job to root out this data, ensure it is adequately protected, suitably encrypted, and included in all BC/DR initiatives.

With less than 19 months before the rule is enforced, the clock is well and truly ticking. With today’s complex IT environments and cloud deployments, BC/DR processes are already challenging and the GDPR ruling means that complexity will only become more acute and the need to test all processes well in advance is a must. Organisations need to be certain that in the event of an issue, they will be able to remain complaint with the regulation – even when operating with diminished resources. Having everything in place is likely to require multiple invocation tests as well as serious investment – in time and planning not just funds. All in all, preparation is likely to take over a year – meaning there is little room for error when it comes to laying the groundwork for GDPR compliance.

Attaining GDPR will not be easy.  It will not be quick. However, with the risk of such severe financial, operational – and likely reputational – penalties, it is an issue to which organisations must begin to direct their full attention. Today!

Leave a comment

Make sure you enter the (*) required information where indicated. HTML code is not allowed.



255x635 banner2-compressed