4 Questions, All The Answers. What You Need to Know About GDPR

GDPR seems to be on everyone’s lips at the moment. While the regulation doesn’t come into force until 2018, preparation has already begun for many organisations. For some, however, GDPR still raises a number of questions and queries.

We asked the former Head of Fraud, Risk and Security for Vodafone UK and now Exonar’s Chief Operating Officer, Julie Evans, what GDPR means for Exonar, what we will be doing about it and what the potential implications for other UK businesses are.

What does GDPR Mean to Us and Our Clients?

GDPR significantly increases the level of proactive management required for Personally Identifiable Information (PII). It increases the requirements on any organisation that deals with the personal information of customers or employees who are EU citizens. The fact is that no-one is clear on what the post-Brexit world of GDPR will look like in the UK, but it will still impact most UK organisations.

The UK exit from the EU will not be complete before GDPR is implemented. There will be a significant period of overlap following the triggering of article 50 and, even after Brexit, there is a strong possibility that similar regulations will be sought by the ICO and demanded by international companies who will look for ‘adequacy’ in UK law to ensure that the UK can compete and operate seamlessly across Europe and the world. Further, GDPR requires adequate privacy protection in states outside the EU, if EU companies are to store their data there. In all, it seems nearly inconceivable that privacy of personal information will not be a significant factor in the coming years.

As well as increasing privacy requirements, GDPR introduces significant penalties for non-compliance and also broadens the scope of what is considered PII. Although the wording is not absolutely clear, the Regulation defines PII as information that enables the identification of a person.

What does GDPR mean for Exonar?

As a relatively new company, Exonar is not burdened by a legacy of old IT infrastructure, although we must ensure the way we hold data is compliant with GDPR. For us, this is primarily employee and shareholder data. In common with most organisations, the first task is to find and create a register of the data. Even a relatively small organisation like Exonar uses multiple different platforms to store information: documents, spreadsheets, PDFs and presentations, located across file shares, email and cloud drives. It’s not an insignificant issue; however, we do at least have our own Exonar software at our fingertips to enable us to map where this information is being stored.

As well as identifying where all of our PII is, we’ll also need to designate the role of Data Protection Officer (DPO): an individual within our organisation directly tasked with identifying and protecting individuals’ information. It does not need to be a full-time role, but there must be clarity of accountability, and we are re-apportioning our job roles to accommodate this requirement.

How can We and Other Organisations get Ready for GDPR?

Understanding the key changes proposed by GDPR is the first step in understanding how to be compliant with the regulations. The table below (courtesy of consulting firm EY) highlights the key areas that need addressing:

Depending on the level of organisational maturity, the new regulations could therefore demand changes to resourcing, training, process definition, applications as well as how the data is handled. The requirements could be significant.

How Is Exonar Going About GDPR Compliance?

I am confident that the leadership team of any organisation would tell you that they would love to have insight into their customer journey from a customer perspective. GDPR for us is a fantastic opportunity to use our own product and to experience the output. We have set up the ‘discover’ phase of the Exonar journey to crawl all of our data stores. Given that we only hold a couple of terabytes of data, we achieved this in our first afternoon.

Our next phase is to ‘understand’ what we ‘discovered’, determining what PII was where, who put it there and why. We’re able to do this through the use of our software’s querying function, its “Find More Like This” capability for identifying all data relevant to a topic, and the results graphs and charts that show me what information we have, what format it’s in and in which application or filestore it’s been put.

Now that I know what I’ve got, I can act upon it, so our next phase in GDPR readiness is to review our policy and process, as well as our use of applications, and communicate our recommendations clearly to the whole team. It does take time, so it’s perhaps a good thing that we are not leaving compliance with GDPR until the last minute…

What We’ve Been Reading And Writing This Month

Data Protection

Data Exposure, Protection Law and Passwords

Brexit: Implications for Data Protection Law
Dan Tench, Partner at Olswang LLP, here reflects on the implications of the recent Brexit vote in the UK on data protection law. For months, data protection lawyers have been warning…

WhatsApp Privacy Fears as Deleted Chats Are Recovered
WhatsApp chats can still be retrieved even if users think they’ve completely deleted or cleared them, according to new research. Security researcher, Jonathan Zdziarski, claimed that even…

Wolverhampton Council Blunder Exposes Data
Wolverhampton council is the latest local authority to have its knuckles rapped by the Information Commissioner’s Office (ICO) after a data handling blunder led to it exposing the…

The Data Protection Dustbin: Safely Disposing of Personal Data
A recent article by Kevin Townsend picks up on a report by Blancco Technology Group suggesting that ‘78% of second-hand hard drives purchased from eBay and Craigslist now contain…

Defensible Disposal: You Can't Keep All Your Data Forever
Guest post written by Deidre Paknad. Deidre Paknad is founder of the Compliance, Governance and Oversight Counsel and Director of Information Lifecycle Governance Solutions at IBM. Deidre…

Yes, the passwords to many of your systems ARE stored in...
The Interview – the cause of the Sony hack in 2014? At organisations ranging from small governmental bodies to large Fortune 500 companies we’ve found dozens through to tens of thousands of…

Start a meetup, you might be surprised what happens - Exonar
Exonar ended up in Newbury, Berkshire, for carefully considered, statistically sound, scientific reasons. Company legend has it that the early employees sat round a dining table, used…

At the End – Know Anyone We Can Recruit?

Think you’ve got what it takes? Exonar are hiring – Professional Services Lead wanted.
Professional Services Lead. Reporting to: Julie Evans, Chief Operating Officer. Job Purpose: With support from the leadership team, accountable for client outcomes post sale, through programme…

Have a flair for development? Exonar are hiring – Junior Dev Ops Engineer wanted.
Exonar is looking for talented individuals to join our dynamic team. JUNIOR DEV OPS ENGINEER POSITION. Why Exonar? Exonar recognises that the key to information security in an organisation…

Another Day, Another Event – This Time, Privacy

With another day comes another event for Exonar; this time it was Privacy: The Competitive Advantage. Hosted in Microsoft’s Paddington office, the event was conceived to highlight the state of play in data protection and the safeguards put in place. As John Taysom, Senior ALI fellow at Harvard University, reminded all in attendance: ‘Big Data is a euphemism for data about you.’ With this in mind, we are reminded that it has now become cheaper to store data permanently than to actually find personal data and delete it. With potential fines of up to 4% of global revenue under GDPR if companies disregard data privacy and are found to have negligently lost personal data on EU citizens, solutions are needed.

Silicon Valley companies realised early on that data is the new capital and, in response, cornered the market in a relatively short period of time. With this in mind, the EU is fighting back and could create a serious challenge to the current data ‘land grab’. It states that no data is allowed to leave the EU and be targeted by third parties without consent. It is in light of this that data management now requires a change of culture and mindset; companies who hold personal data may be liable to huge fines should the regulators deem them to be complicit in abusing that personal information.

One of the main themes of the day considered how the individual can leverage their data value when their data is only valuable in aggregate, compared with a significant volume of other data. ARM’s Ian Ferguson shed light on the fact that personal data is owned by the individual and needs to be shared only with their consent, while the industry needs to gain trust and secure the data. Highlighting the fact that hackers will find a backdoor and that data leaks are a problem, Ferguson went on to reiterate that the industry needs to earn the right to hold your data and should lose that right if it cannot secure it. Amit Pau from Ariadne Capital sees opportunity in data privacy and a change of world order. Millennials are deemed much more savvy and able to recognise that they, the consumers, are in control of their personal data. If they get value from apps, then they will expect companies to exploit that.

Steve Wood, Head of Policy Delivery at the ICO, presented the facts: the new fines represent a significant increase on the previous maximum fine of £500K. Data controllers need to demonstrate how they comply with the law and have an implementation plan for data privacy. With this in mind, the event illustrated the fact that legislation is catching up with the market for data and is trying to redress the balance between exploitation for benefit and the protection of the European public. We should hope that in a post-Brexit world the data of British citizens is equally well looked after.
By Jason Phelps