Don't outsource your GDPR compliance


There's less than a year to go until new data protection rules apply to UK organisations, with the EU's General Data Protection Regulation (GDPR) coming into force on 25 May 2018.

CIOs and chief executives are currently knuckling down to the task of bringing their data governance policies into line with the impending law, which gives EU citizens and residents more rights over how their data is stored and used, and requires organisations to seek explicit permissions for how they process and use that information.

While much of GDPR is similar to the current Data Protection Act 1998, it's still a lot of work to ensure you're compliant.

Unsurprisingly then, vendors have been quick to position their products and services as the perfect shortcut to avoid all that hard work.

Some are offering GDPR educational sessions, others hiring out their data protection expertise to help create a compliance plan, while others are marketing their wares as a way to avoid the bother of GDPR compliance entirely.

See Dell EMC's assertion that its customers will buy, not build, their way to being compliant by purchasing hyper-converged infrastructure to set up a GDPR-friendly cloud.

And of course, all the cloud companies are at it too: Microsoft promises to write GDPR compliance into all its cloud contracts, while Amazon Web Services has joined the Association of Cloud Infrastructure Services Providers in Europe (CISPE) to make sure anyone using its services complies with GDPR by default.

Then there's Box's recent claim that customers use its collaboration cloud "as a system of record and a system of engagement" because of the data protection policies it can apply to a broad set of file types.

The general message: don't bother your head about GDPR – just spend lots of money with us and we'll handle it for you. And if that doesn't convince you, firms are quick to bring up the fines for getting it wrong: up to 4% of your annual turnover or €20 million, whichever is greater.

However, this scare-mongering tactic is based on exaggeration – fines, while they must be "dissuasive", according to the legislation, must also be "proportionate", meaning it's unlikely that you'll find yourself saddled with a business-crippling fine unless the data breach is particularly egregious.

The UK's data watchdog has shown restraint when issuing penalties too, preferring to work with firms to improve their actions rather than move immediately to punish them: of 18,300 data protection cases it handled in 2016/17, it issued just 16 fines totalling £1.6 million for serious breaches, according to its annual report released in July.

This is, of course, not to say that the cost of getting it wrong is worth paying – fines will be larger, and it's hard to put a price on the resulting reputational damage. But putting your fate entirely into the hands of vendors is absolutely the wrong approach.

The methods data protection authorities will use to enforce GDPR remain fairly opaque, but it's clear that both data processors (firms handling the data, in this case a cloud provider) and data controllers (firms that decide how data will be processed, such as a customer of a cloud provider) will be held liable for breaches.

While plenty of companies rightly farm out their data security to cloud providers that have spent millions on upgrading their infrastructure, you don't mitigate reputational or financial risk by outsourcing compliance.

In fact, the only thing you do get rid of by doing this is the benefit of preparing for GDPR, a process that will not only leave you in good shape for attracting new customers impressed by the steps you've taken to safeguard their information, but also give you a much better idea of what's sitting on your infrastructure.

To ensure all your data's being held and used in a compliant way, you will likely be trawling through IT systems dating back through the decades.

As a result, your customer data will be accurate and your customers can keep it up to date for you – a new right under GDPR – by changing it via web portals.

Having accurate data means you can benefit far more from data analytics – accurate, reliable, relevant data will provide much more meaningful answers to questions asked of the information your GDPR-compliant company holds.

Of course, in a stricter data protection environment it's essential to know that the vendors you work with comply with the same laws that you must – otherwise the risk of outsourcing data storage or analytics is too great.

But that doesn't mean you should rely on third parties to handle GDPR compliance for you. By all means bring in experts and lawyers to ensure you're on the right track, but don't trust vendors' claims that you don't need to worry about compliance if you sign a contract with them.

For one thing, you will still feel the data protection authority's wrath if they're found to be at fault. For another, you will miss out on the many benefits of achieving compliance.

This article was originally published in May 2017, and was subsequently updated in July 2017 with information from the Information Commissioner's Office's annual report.