Get talking to your third party cloud storage partners now, as GDPR is coming
2018 waits for nobody, and it's all going to be complicated
Computing reminded the enterprise of some of the stickier points of GDPR this week, after appearing on HelpSystems' web seminar Preparing for GDPR: The First Steps to GDPR Compliance.
As host Donnie MacColl, director of EMEA technical services at HelpSystems, worked his way through GDPR's "eight rights", Computing's Peter Gothard supplied commentary on the realities of complying with the regulations, which come into force on 25 May 2018.
MacColl reminded viewers that the "Right to be informed" covers 'first contact' details as specific as those made between firms and customers through phone calls or websites.
"You have to be notified either by the privacy policy - which will now need to be updated for GDPR - that has to be concise and intelligible, how it's going to be stored and how long it's going to be stored," said MacColl.
"[So] if you call an insurance company and they say they're going to record [the call], they'll have to give you their policy."
MacColl also cited the example on "Right to access" of his own mortgage application having his wife recorded as an "interested party".
"Under the new rules," explained MacColl, "that would have to be made clear."
As for the "Right to rectification" and the "Right to erasure" - i.e. the 'right to be forgotten' - Gothard had a warning:
"While [these two points] are common sense and all very good - because it just makes sense to have control over our own data - from CIOs and also lawyers I've spoken to over the past year or so, the real problem is how mired organisations are going to be in their old way of doing things, and how you're going to keep finding legacy processes in place that you'd never thought of, that may actually be blocking these processes from happening [beyond your direct control].
"So it might be that while a company understands it needs to rectify or remove data, it's held in a third party's servers or in a place you can't easily get to it."
Getting to this data will thus require impressing the requirements of GDPR on a number of business partners, a task "like untangling a ball of wool," observed Gothard.
"In such a short amount of time, it's the part of GDPR that's probably going to require the most thought really," concluded Gothard.