Its purpose was long debated. Its arrival was highly anticipated. GDPR’s true effectiveness, however, is still to become clear.
May 25th, 2018 was a milestone date in the enterprise world as the European Union’s General Data Protection Regulation was finally implemented. A group of 99 articles welded together to deliver comprehensive data protection to EU individuals, GDPR’s resultant impact on the data management policies of businesses was inevitable.
The legislation came under an unprecedented amount of scrutiny from the point when root-and-branch overhaul of data protection rules was recommended by the European Commission in 2012. In the intervening six years, business leaders, EU officials and a broad spectrum of different voices argued and counter-argued about the virtues of this hugely significant regulatory step.
Over the past 12 months, the noise has steadily receded. Technology leaders are adapting to the new frameworks around which they’ve had to build their data practices. But are industry and GDPR now happy bedfellows? Fredrik Forslund, VP of Enterprise & Cloud Erasure Solutions at Blancco, is adamant that the relationships between businesses and their datasets are far too complex for a line to be drawn under this subject any time soon.
“We have just left the harbour! It’s a long journey,” Forslund tells Digital Bulletin. “I’d say that we are on one of those cruise ships that is never stopping; it is just going from port to port. It’s an ongoing journey that will be about increasing learnings and increasing guidance from the authorities on best practices. It has started yet it will remain with us.”
Blancco, as a multinational with market leadership in data erasure, has been a first-hand witness to GDPR’s implementation and the subsequent shifts around enterprise data. Erasure is one of the key doctrines of GDPR – in fact, the ‘right to be forgotten’ has generated more public debate than most parts of the legislation.
Businesses work with Blancco and its suite of services to guarantee the certified, secure and timely data erasure that GDPR demands. Referencing Blancco’s experiences with its own customers, Forslund believes that GDPR has helped to create more aligned data strategies that pinpoint to a brighter future.
“I would say there is a more focused approach,” he says. “You might have had [data] knowledge within an organisation previously but it had not held the same priority. So I think, what we have seen very clearly, is more concise organisational structures and responsibilities. Not only do we have a new title in many organisations – Data Protection Officer – but also people have, in their formal job descriptions, responsibilities that might have been more informal recently.
“I think we have also seen the enormous offerings of different courses, training and education. The whole industry has gone through an educational approach which has, of course, led to increased skill sets.”
There’s no hiding from it – GDPR has been good for Blancco’s bottom line. Recent financial reports back up the business opportunities presented by its expertise in data management. One specific area of growth sprouting from GDPR has been data gap analyses. Gap analysis by this definition is about an organisation investigating its compliance with the updated rules.
More and more companies have embarked on thorough gap analyses and the results have often led to the urgent need to cleanse their data.
“Say that you are launching, as a multinational company, a GDPR project – in that project, the natural start is to do some kind of gap analysis. That will focus on your data lifecycle; how data is being managed, located, stored, backed up and who has access,” explains Forslund.
“We have seen a lot of these gap analyses finding data where it shouldn’t sit. There have been several copies and locations of sensitive information that should be managed in one place rather than in many places. Once that has been identified, you need processes and the ability to prove that you have taken the measures. Data erasure then comes in as a solution.”
Similar examples have resulted in a proliferation of niche data companies able to offer a level of expertise that larger organisations simply can’t match. Big hitters now have no hesitation in collaborating with firms such as Blancco to ensure swift and continued compliance with legislation like GDPR.
This is a market trend that Forslund – who previously launched his own startup in the shape of encryption specialist SafeIT Security, eventually incorporated by Blancco – has observed with interest and he is predicting there to be specific opportunities in the field of data policy.
“There is a new breed of companies emerging that are focusing on providing the policy framework,” he says. “It could be the digital toolbox where you have, in a digital platform, templates or standard policies that are easy to roll out or organisational structures that make sure that you have a good chain of command. They are growing quite rapidly and getting good financing from venture capitalists.
“We also see an uptick for encryption technologies; in fact, a general uptick for anyone that works in network protection. In the end, it’s the data breach on one end that we want to prevent and the other end is that we want to prevent misuse from the organisations themselves, having access to customer data. Anyone that has a value proposition that relates to one of those two basic aspects will see a surge in their business.”
Forslund, closing in on 20 years at Blancco, is recognised as an industry voice on GDPR and his viewpoints have been repeatedly published over the course of a career that has transitioned in parallel with the digital technologies creating a completely new environment dominated by data.
Putting aside his interests with Blancco, Forslund has always tried to maintain a balanced opinion on the merits of GDPR. Its critics claim that the legislation has placed a harsh financial burden on companies and is unprepared for the scale of data that will be generated in a connected world.
“If you take a big step back and look at the process of how the legislation came into place, you will find several years of very strong debating, weighing up the pros and cons against each other, and very strong lobbying from industry against specific portions of GDPR. I’ve always tried to keep an objective mind and I could see both the pros and cons,” he comments.
“It will increase costs for some organisations, significant costs. There are some business initiatives that might be located elsewhere because of that, because it’s considered a burden. But on the other hand, if we look at the positive side, GDPR also kicked off a global discussion and legislation trend.”
Forslund expands on this point, highlighting other regions that have since followed the example set by the EU. Part of his role involves engaging with global clients and GDPR is more often than not on the agenda.
“As soon as GDPR actually came into place, you have actually seen very similar initiatives taken by very important IT hubs and countries like India,” he adds. “We’ve had Thailand and the Philippines launch their own data privacy legislation and you’ve seen California take a big step forward as a state within the US framework, which is then setting the standard for the entire US market.
“GDPR created a global trend, so I think we will actually see a harmonisation around the world with more mature economies living up to similar standards or even developing it further. Data privacy is here to stay and trust is definitely a key aspect of doing long-term business in the digital economy.”
In response to the doubts over the long-term adaptability of GDPR, Forslund believes that industry and government must work together to continually increase data expertise in a complex technology landscape.
Blancco’s role will only grow in importance in this regard and in relation to its customers, with Forslund concluding: “If I just look at our different educational and awareness initiatives over the last few years, I think we as a company have been a lot more active in this arena.
“It is of course something that relates to our normal business practices but also that there is a need. We’re moving towards a more complex environment; complex in technology and complex when it comes to compliance around rules and regulations. As complexity increases, you will see the end customers are leaning more heavily towards the suppliers and the partners that we use to get access to the market.”
