The General Data Protection Regulation (GDPR) comes into full force in May next year - but confusion is still widespread, and awareness is low. At one of Computing's free events for IT CIOs this month, we heard some of the top concerns the industry has about the new law.
The right to be forgotten topped Computing's research into GDPR worries among IT leaders; once such a request has been made, companies will have 72 (business) hours to locate all of a user's personal data in their system. Clearly, that is easier said than done.
Several attendees thought that the system could be simplified by technology. One said, "My hope is that, from a technology point of view, we can apply something that will help us discover where data is and identify it… The onus is on IT for that bit of the GDPR." However, none of the group knew of any technology that would adequately fulfil this function.
Others supported the idea of driving data discovery with a process: having a clear system in place for what to do with personal data that is received (although it was acknowledged that that wouldn't help with existing archived data).
No attendees felt comfortable with the level of data discovery that they currently had.
Another recognised problem was BYOD: firms have no control over the data on their employees' own devices, even if it is personal information about their clients. One CIO expressed a reluctance to stop staff from using their own devices to take notes and pictures, saying, "One of the reasons we're a successful firm is because of that maverick nature." If devices are used in this way - and some attendees admitted that even they were guilty of doing so - then that data could be stored in the cloud.
Under the GDPR, the personal data of European citizens must be kept within Europe, and can only be transferred out under certain conditions - but with the cloud, that suddenly becomes a very sticky issue. Who can say where a specific byte of data is kept when it's on Google Drive or Dropbox?
One CIO's company has already implemented a complete block on the public cloud: "There's no way I want anyone to be able to sit at home and log in from their home PC to their work OneDrive account and download the information [that] they want, willy-nilly. We've been paranoid about that for years." He added, "It's a shame because we moved to Office 365 and I look at all of the features of OneDrive that I want to embrace as much as I can, but I have to be really careful about how I do it."
Another attendee said that his company takes it on "a data-centric approach," allowing the use of the public cloud but blocking all personal data.
There was a shared hope that, like Microsoft with OneDrive, more companies would open dedicated European data centres.
It will help the European Commission to draft new Digital Services Act
A panel of judges and a previous winner explain how to give yourself the best chance of winning big in the 'Oscars of IT'
Computing and the BCS, the Chartered Institute for IT, give the hottest tips for your UK IT Industry Awards entries - register to maximise your potential to walk away with one of the most coveted gongs in the industry!
'We've seen more innovation in six weeks than in the past 10 years,' says one CIO, as Computing speaks to some of the UK’s top IT leaders to find out what they’ll be bringing from the COVID-19 pandemic into the post-lockdown world
Computing's Women in Tech Awards are on track for a big year in 2020, with dozens of prestigious awards to be won by women at all levels, and at every stage of their career