GDPR: It's IT's job to understand it, and explain it to the business
With business leaders desperate to understand the implications of the impending EU regulation, it's up to IT to understand it and translate its requirements into language they understand
One of the long-term aims of IT departments should be to understand the impending EU General Data Protection Regulation (GDPR), and find a way to translate its requirements into language business leaders can understand.
That's the opinion of Ray Bricknell, managing director of consultancy Behind Every Cloud, speaking as part of a recent Computing web seminar 'Cloud mix and match, getting the balance right'.
"What's the role of IT in the long-term?" asked Bricknell, referencing widespread fears that the rise of both automation and cloud will see many functions disappear. "Business managers are desperate to know the impact of GDPR on IT. If you can make your own assessment of that you will be a useful resource, and that's your job going forward," he added.
The GDPR is set to come into force in the UK in May 2018, although some leading experts have pointed out that it is already technically in force, and that the data protection regulator, the Information Commissioner's Office (ICO), could potentially store up current breaches and then punish them once the GDPR comes into force, using its larger fines.
Bricknell referred to the increased fines possible under GDPR, saying that Managed Service Providers (MSPs) don't yet appear to have understood the implications, but that their minds will be focused by the scale of the possible financial punishments.
"So much of GDPR is not about technology, it's about process; things like data categorisation, understanding which data is in scope and how you manage it. The question around cloud is I see no evidence that MSPs are seriously discussing what the implications for them are, and where the line of demarcation [of data responsibility] is. But the motivation is there, with fines of up to four per cent of global turnover for a breach of the GDPR," he said.
Bricknell added that this could push more organisations towards using a hybrid cloud model, with sensitive data kept on-premises.
"This weighs down the scale between public or private cloud, and moves you slightly more to the hybrid model. At least then you know where your data is and that you're controlling it. Having control could be important for customer data under GDPR," he added.
Also speaking on the panel was Trevor Kelly, systems engineer director, western Europe for Nutanix. "The ability to have secure infrastructure, have control of your data and the ability to scale and respond to business requirements, that's also important from an IT infrastructure perspective," he said.
Jon Forster, global programme director at Fitness First, explained that he was working for the NHS in a previous role, and that his patient data had to be kept in the UK.
"My sensitive data had to be held on-premises in the UK," said Forster. "It could be run by a third party, so I outsourced it, but it had to stay in the UK."
He added that in his opinion, the NHS isn't ready to make full use of the public cloud, due to security and privacy concerns.
"Is the NHS ready to go for cloud? Yes, for certain areas. But it would have to be non-patient identifiable data. They couldn't go full public cloud for that, because they have to be so wary of data protection."
Forster explained that he believes the NHS needs to move to a private cloud model.
"The NHS needs to go to a private cloud model, and get away from the need to run physical tin, with each application on its own box. They need to move away from that to be able to flex more. Even around email, they can't really push that out to the cloud as there's too much sensitive data going through it. So the NHS can't go fully public cloud," he concluded.