
Lee Wade

Chief executive officer, Exponential-e

As GDPR approaches, network providers must view themselves as data controllers

Data is the new gold. In centuries past, intrepid explorers ventured to uninhabited corners of the earth to mine the land. Today, rich, deep veins of information, like those of its shinier predecessor, exist in great swathes across the planet – and they are rising in value.

The fundamental difference between the two, however, lies in the fact that data starts its life as the property of someone – be that a person, or an employer they work for.

As with any precious commodity, there can only be so much time before some form of control needs to be implemented. Data’s value continues to rise, so it is inevitable – and highly necessary – that new regulations are implemented to manage it and protect those who rightfully own it.

Here in the UK, this very 21st-century ‘gold’ has been regulated by the 1998 Data Protection Act (DPA). But so rapid and complex has the growth, ownership and importance of data become that a far greater, modern regulation has long been needed.

Enter the General Data Protection Regulation (GDPR), which is set to come into force in just under 12 months’ time, on the 25th of May 2018. Designed to harmonise the rules under which EU citizens’ data can be accessed by any organisation, anywhere in the world, it promises to bring about fundamental change – with lawmakers promising to be much stricter with businesses that disobey the rules.

 

Beware all that glitters

Here in the UK, warning shots have already been fired. The Information Commissioner’s Office (ICO) handed out fines totalling £43,000 to the RSPCA and the British Heart Foundation last year. This related to the ways in which the charities breached the DPA in their handling of donors’ personal data. Both cases included ‘wealth screening’, whereby the financial status of supporters was analysed to estimate how much more money they might be prepared to give.

They also traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And they traded personal details with other charities, creating a massive pool of donor data for sale.

In laying down the fines, Information Commissioner Elizabeth Denham said the monetary amount could have been as much as ten times greater. It was a statement designed to rattle the cages ahead of GDPR’s implementation, when a maximum fine could total either four per cent of an organisation’s annual revenue or €20 million – whichever is higher.

Changing the game

The changes that will come into force as a result of GDPR are nothing short of monumental. In today’s world, everything is digital. As the RSPCA and British Heart Foundation show, if an organisation is in operation, then these changes affect it, as it will always be in some form of control of customers’ personal data – from email and physical addresses to personal details such as medical and financial information.

It also doesn’t matter if that organisation is located in the EU or not. If it has a presence on the internet, then it potentially has a worldwide customer base. Unless it blocks traffic and transactions from the whole of the EU, then GDPR implicates and impacts both it and its customers, regardless of whether it operates out of Ghana or Germany.

Such is the nature of modern data that it almost always travels over a network connection and will likely be stored in a datacentre at some point in its life. As such, just as cars travel on complex roads that are regulated by a sophisticated network of CCTV and traffic police, or aeroplanes fly across different international air spaces and must report into numerous air traffic controllers, data must be monitored and controlled in the same way.

Always be prepared for anything

As GDPR approaches, it’s highly important that network and cloud providers are fully aware of the duty of care they must provide to their customers and have a clear view of the data they transport and store. This is because, ultimately, when it is under their control, they have a responsibility to ensure that the data they are being paid to transport remains safe and secure and does not end up in the wrong hands.

In a world where cyber criminals are increasingly sophisticated, networks are becoming a prime target – much in the same way the ships that transported gold on the high seas were sought out by pirates. Security of data whilst in transit is now of more fundamental importance than ever before.

With GDPR implemented, there would have been far greater consequences for any business affected by the recent WannaCry attack, as ultimately, people’s personal data was put at risk. Had this happened in 12 months’ time, the maximum fine companies would have faced would have been astronomical, bearing in mind that hundreds of thousands of people’s personal information was affected. It was a pretty big heads-up to network providers to ensure that state-of-the-art security programmes with the ability to protect and encrypt the valuable data they transport are firmly in place by the time GDPR becomes standard practice.

Ultimately, it’s important that those companies that provide network and storage take their positions as data guardians seriously; they must be prepared for every situation that could potentially put the data in their care at risk of theft, damage or abuse and cause them to fall foul of GDPR regulations in the process.

Data, like gold, will retain its value for generations to come, and even become more valuable in time, as the world continues to learn how to harness and even trade it for tremendous profit. Data controllers – as they are referred to in official EU terms – must view themselves as more than just transporters.

The need to provide insight, advice and clarity to the customers they serve will make them experts and consultants on what this brave, new and highly vital, GDPR-led world entails.

Lee Wade is chief executive of Exponential-e