Michael Bird: Hello and welcome to Explain IT brought to you by Softcat. This is a show for IT professionals that aims to simplify the complex and often over complicated bits of Enterprise IT without compromising on detail. I’m host Michael Bird and over the next 20 or so minutes I'll be challenging our panel of experts to take a different area of the IT ecosystem and, of course, ‘Explain IT’. This week, we’re going to try and tackle the General Data Protection Regulation, also known as GDPR - a regulation which came into force on the 25th of May 2018. We’re going to try and explain what it is, probably more importantly, what it isn't and what organisations should or shouldn't be doing to comply. So to help us wade through GDPR is Katie Efde, Softcat’s data management business manager, Mark Overton who is Softcat’s information security officer and Graham Charlton who is Softcat’s CFO.
So Mark, I'm sure this is probably one of the most Googled questions in the world right now, but what actually is GDPR and how does it differ from data protection?
Mark Overton: GDPR is the General Data Protection Regulation and it's the new standard for data privacy across the EU. It's been brought in to standardise data protection across all of the European states and also to address changes in data privacy that have been brought about by the use of new technologies and the modern world in which people share data so freely through technologies like social networks.
Michael Bird: So what are the key components of GDPR?
Mark Overton: Well one of the biggest changes from the Data Protection Act or previous data protection legislation is going to be the fines. It’s the 4% of global turnover or the 20 million euros that has really grabbed headlines and forced this onto the agenda for pretty much every organisation. Previously the data protection legislation was always focused on the controller; so that's the company who would consider themself the owner of the data and who would decide on how to use that data. The GDPR means that enforcement action can now be taken against processers which are the companies or organisations who controllers might share data with to undertake certain tasks such as an online email archive being an obvious example in our industry.
Michael Bird: Now sorry to bring up Brexit, but do UK based organisations still need to worry about it once we leave the EU?
Mark Overton: So we’re currently in the process of enacting the data protection bill in the UK - that's passing through Parliament. It doesn't look like there’ll be any sign in that changing and that bill is based upon the GDPR. So yes, that's not going to stop its passage through Parliament due to Brexit and it's going to be really important to allow us to continue working in partnership with EU organisations; they’ll want to see equivalent data protection law in our country too.
Michael Bird: And so do you think the onus is on the organisation? Or on the people? Is this the regulation towards helping the individuals or providing more support for organisations?
Mark Overton: Absolutely, so the regulation is focused on data subjects, it's focused on individuals, but where it's created the workload is inside companies and organisations who are responsible for managing the data of those individuals, who hold the data of those individuals. This is a change in regulation designed to improve how companies look after individuals’ data. The benefit will be for people – that’s what we hope.
Graham Charlton: It's long overdue as well. It was last updated in the UK in 1995, data protection laws, so the internet was barely around when it was last done. And the question is whether other countries are going to follow suit now, as well. In the US, data protection laws are still woefully inadequate by comparison to GDPR. So it was time it happened and I guess, for consumers, it's a day to be very pleased about it, because they had very little protection until now and still do in a lot of countries.
Mark Overton: I was keen to ask those doing the podcast with me what they perceive by privacy - what does that mean to you?
Graham Charlton: To me it means that if I'm interacting with a company and therefore giving it my data in some way, that that data will only be used for the purposes that I'm giving tacit consent. So if I'm giving my address to Amazon because I want them to deliver something to me, that is the only thing they’ll use it for. So to me privacy is along those lines.
Mark Overton: Katie - I'm almost thinking of a core right; you know, you have a right to a fair trial, you have a right to privacy?
Katie Efde: Yes it's a human right, isn't it? It's a human right to have my information only accessed by people I wanted it accessed by.
Mark Overton: Yeah and that's really close to what people who talk about this say, they say it’s your right to control who you share information with. It's your right to choose what you're going to share with people.
Michael Bird: And I think, for me at least, that looks like companies not being quite so creepy with my data. I think that's the big thing - as technology and as everything has moved on in the last maybe five years or so, actually the way that my data is being used is just increasingly more creepy; i.e. adverts following me around the internet that are targeted on things that I looked on a different website, so clearly my personal data is being used in a way I’ve not explicitly said I want them to use it in, but it's just happened because that's just how the world has moved on. So I'm kind of, looking forward to just stuff being a bit less creepy, to be honest.
Graham Charlton: But this is the point, isn't it? Michael said he hopes the world gets less creepy, in terms of how it follows his movements, and as far as I can see, GDPR should bring that about because it's absolutely saying that companies cannot just share data that they have been given by individuals with other companies unless they've got explicit consent to do that.
Michael Bird: So there's a concept of ‘privacy by design’ within GDPR, what exactly does that mean?
Graham Charlton: You don't get privacy by accident. You've got to work out what you are allowed to do with data, then design systems that create privacy so that you are actively building the maintenance of privacy into the way you do business, rather than, kind of, working out what you want to do and doing your business and then somehow shoehorning privacy into it. It’s like a mobile first strategy, but for privacy sort of thing.
Mark Overton: Yeah we’ve seen a lot of companies struggling with this, with information security - that a company kicks off a project, gets it almost to the stage of completion and then involves the information security team who clearly should have been brought in at the beginning. It's exactly the same for data protection now, you need to bring those teams in early on, discuss what your aim is, what the desired outcome of the project is and ensure that that isn't going to infringe on data protection law.
Michael Bird: So we talked about individuals. What about organisations? What's been the effect on organisations?
Graham Charlton: I think it's put information security and privacy on board agendas when it wasn't before, so you’d get the odd thing in the news about ‘there's been a data breach here’ - the weight of those incidents, but then GDPR together I think, has made the corporate world and leadership in the corporate world take notice in a way that they hadn't done before. The consequences of getting this stuff wrong just went up a couple of levels in the last few years. And again I think that's a good thing because the internet has slowly crept up on us what companies are doing with data via the internet, has slowly crept up on us and there does need to be a pause and a reality check now, so I think boards are looking at it in a way they never have done before. That creates questions that flow down the chain and companies have then got to really interrogate their systems and processes and make sure that they are doing things with data that survive the common sense test.
Michael Bird: So Graham, if I can translate that to Softcat and, I suppose, to you personally, as well, how has the perception of data protection and GDPR changed since you've been at Softcat, or since you've been on a board? How has that changed?
Graham Charlton: Up until probably about 18 months ago I don't think I'd been in a board meeting or an exec leadership team meeting, whether at Softcat or elsewhere, where data security was discussed in any detail and Mark now, as our data protection manager, has been into a couple of board meetings now in the last 9 months. It's definitely moved the needle and I think it won't just be happening here. My old company, actually, which was an online marketplace company, we had a few debates, probably four or five years ago, when I was there, about levels of consent that we’d use for customers going through the website and we were almost using opt in consent as a way to differentiate, we were ahead of the curve and felt quite good about that and of course, now if you don't do that then you're simply non compliant.
Michael Bird: So Katie, what's stopping an organisation just doing nothing?
Katei Efde: It's mainly the fines is the most off putting element of GDPR. So under the current data protection was the fines were a lot smaller and the fines for GDPR are going to be proportionately dissuasive, depending on the size of your company and the nature of your business, so they’re going to be big for you.
Michael Bird: So what are the fines then?
Katie Efde: The upper limit is 4% of your group annual turnover or 20 million euros, whichever is higher of the two.
Michael Bird: So if you’re a little organisation with a one million pound turnover you could potentially get fined 20 million.
Katie Efde: Yeah, on paper.
Mark Overton: It's another one where it's really good to go and read the ICO website about this stuff. They have, numerous times, said they’re not looking to put companies out of business using this regulation, which it does feel like many companies are afraid of. But the fines will be proportionate, that's absolutely correct.
Graham Charlton: But it can and will put companies out of business. The reseller industry that Softcat operates in, the average net profit margin is less than 4%, so if you got hit with a maximum fine, that is your whole year’s profit gone in one fell swoop. And that's if you're making a profit, a lot of businesses, of course, don't, make a loss and adding 4% loss to a loss that's already there will be pretty cataclysmic for a lot of businesses. The combination of the financial and reputational damage that a serious GDPR breach could create is genuinely business ending, which is why I think it's got the attention of boards because you can't create a risk register now that doesn't recognise the risk of GDPR.
Katie Efde: I think, as well, GDPR’s already raised awareness of individuals’ rights across people who would never have had any experience of data protection laws or any awareness of what they're entitled to, so you get someone like my mum who knows what GDPR is, and will know now, as a consumer, what her rights are and have higher levels of expectations of organisations that she works with than she would have done in the past. So for us, we’re huge on customer experience, on building trust with our customers - there's a level of expectation within all of our customers for us to comply with the new laws.
Mark Overton: Yeah, the reputation damage, absolutely is going to be a huge impactful thing for organisations that trade on a quality of service like ourselves. The other one we’ve seen a lot of is supply chain diligence. That companies expect anyone who they're working with on their supply chain to take this stuff seriously and we see many companies, especially in the public sector, that will absolutely refuse to do business with companies who have had breaches or cases brought against them by the ICO.
Graham Charlton: And the thing I can't get my head around yet, which I think will be very interesting to see how this plays out, is when companies, big internet companies from outside of the EU, who have to comply with the GDPR when operating in the EU have breached the regulation somehow. How does the local country enforcement agency then bring the weight of the law to bear on, maybe a US massive internet company? How does that work through in practice? I don't think anybody probably has an answer to that yet.
Mark Overton: It's interesting, because we focused a lot on the fines, but there are other actions the supervisory authorities can take, such as not permitting organisations to process personal data. So they could try and restrict their operations inside the EU.
Michael Bird: So that could cut a social network off if, for example, that's an organisation that had a breach of some sort or had breached the regulations?
Mark Overton: Yeah it's going to be so interesting to see how this plays out because how do you cut a social network off? When they cut off WhatsApp in Brazil, the country essentially rioted. I'm exaggerating somewhat, but the citizens made their voices heard very very quickly.
Michael Bird: So what are the basic things that every organisation needs to do, if they haven't already done so?
Mark Overton: You've got to start with ensuring there's someone in your organisation who is responsible for data protection and that they have the time and the support of the business do that role properly.
Michael Bird: And what does that role entail then, day to day, because that's what you do, isn't it?
Mark Overton: It is, yes. One of the things I do, with the support of others around me in the company, and I think that's going to be critical because we see people in legal teams being put in charge of data protection, in security teams and sometimes in HR. The fact of the matter is that an effective data protection programme, for most companies, is going to need the support of people from all those roles. What does it entail? Well I think for most people when they're starting off with this, they need to go and understand how their company uses data, what data they use, where they collect it from, where they store it, what it's used for and how they put appropriate safeguards in place to secure it. And I think that's actually, Graham, it's an interesting one. What's your experience of companies when it comes to collecting and storing data? Because it's been very easy, thanks to the cheapness of technology in recent years, to collect and store hordes of data. You might not have actually had a purpose for it at the time, but have you seen businesses collecting data on the basis that they think they may have a use for it in the future?
Graham Charlton: Yeah absolutely. I remember seeing an article a couple of years ago in The Economist which talked about data as the new oil. So it simply was a valuable commodity and the more of it you could grab, the better and I've certainly worked in companies where we had that ethos which was, “I might not know what I'm going to do with it today, but as long as I can grab it and store it, I’ll work out how to use it in the future,” and of course, that's just been blown out of the water, that sort of approach, which again, as a consumer, is a great thing.
Mark Overton: And certainly one of the challenges which I saw in the early days of trying to get a handle on what this meant to Softcat is that people in roles where they are responsible for data are very protective over that data, they've been working to build up that data and manage it and when you start questioning them about whether they need it or when’s a sensible time start getting rid of it, you will certainly encounter some people who aren't happy with that line of conversation.
Michael Bird: So that's about understanding the data that you have and how long you need to hold on to it for?
Mark Overton: The people in the company who are responsible for that data, because although in a role in data protection you're taking protection for the data, you're unlikely to be the person looking after systems and the databases that it's stored in.
Michael Bird: Ok so the first two ones are, ensure there’s someone responsible for data protection; number two, understand your data. So what's next on the list?
Mark Overton: Once you've got a good feel for that you can then start to build an action plan and at this point you're going to need to understand the GDPR. I’d absolutely recommend sending people on training courses from organisations like the IAPP to get a firm grasp on it and ensure that they're comfortable. But yes, you're going to be looking to understand about what your company does with data and whether there are any conflicts with the regulation.
Michael Bird: And then once you've done that?
Mark Overton: Well you’ll be looking to work out what your project looks like. Every company is going to be building their own GDPR project and I guess at that point you’re going to be needing to engage with all sorts of stakeholders across the business to ensure you have their support. Trying to do this stuff in isolation is never going to work. You're going to have to work with all sorts of departments to succeed with those projects.
Michael Bird: Ok what's next on the list then?
Mark Overton: So the security is always going to be a key thing, and that's going to wrap into your action plan. Hopefully your company will already have an effective security program in place that understands the data that the company has and understands how it protects the data, not just worrying about things like malware, or the latest threats which are being posted on the news, but actually the company's assets. Very often these days that is the company's data and how have they put appropriate security controls in place? And this is another lovely grey area of the GDPR. The security needs to be appropriate to the risk of the data but you're not going to get much more than that out of the regulation. So it can be a tough one to know what you're aiming for.
Michael Bird: Ok so if you understand how you going to secure data, what do you do next?
Mark Overton: Well throughout this whole process you should be documenting everything that's going on here, building that paper trail is incredibly important. I've heard it said a number of times and repeated it myself, right now again with these grey areas it's not necessarily about having every answer 100% right, it's about ensuring that you've reasoned how you've got to those answers and you can you show a fair justification so by building that documentation, should you ever need it, you can show that you did take this stuff seriously and you can show the actions you took.
Michael Bird: And then what's the next thing that we look at?
Mark Overton: There’s a couple of final areas I’d say companies should take a look at as part of this. The lawful basis for their processing is really important, again, as we alluded to earlier. A lot of companies have gone out and sought to regain consent from the individuals they work with, but consent isn’t the only lawful basis for processing, it can be because you have contract in place with that person or that company, it can also be because there's a legitimate interest in you processing that data and I think that's a really interesting area which companies should go and read up on if they don't understand it already. And then you've got things like vital interests. If you're laying on a street in serious need of medical assistance, unable to speak, you could be unconscious, you don't need a paramedic to turn up and get you to sign a form and tick a box before they can help you, so if you're doing something that protects the vital interests of individuals, that’s again, another lawful basis for processing. So it's good for people to go and read up on those and understand what applies to their organisation. And finally, just a key thing that, it always winds me up when I see these done terribly because it should be such an easy thing for companies to do, is to create those privacy notices that show that transparency to the individuals they are working with. It's just an absolute cop out to do that badly because every company should know how they use data and they should be able to explain that openly to individuals. To me, it's an immediate red flag these days if you've got a company that's trying to take a load of data, but doesn't let you know clearly what they will be doing with it.
Michael Bird: From the sounds of this, GDPR is a lot of compliance, a lot of process and a lot of work for organisations. Is there any benefit to doing GDPR?
Graham Charlton: Yeah I think there should be. Companies for a long time now been trying to get more value from the data, so it's a bit of a fallacy, or a bit of a myth that companies think because they hold all this data they’ll get value from it. You've got to do a lot of work in order to actually make that come true and quite often, it seems to me - past experience, that the ability to analyse data is seriously compromised by poor storage and management of that data. So if companies get good at data management because of the need to comply with the GDPR, then their ability to analyse and use the data they hold should massively increase as well. So I think there's a genuine business benefit there, and so something of a silver lining.
Katie Efde: It could even be as simple as storage costs, so by reducing the amount you store, you’re naturally going to reduce the infrastructure costs that go with it. So that could be storing it, backing it up, protecting that data. So you're reducing the cost, but you're also reducing the risk by minimising the data that you keep. I suppose the flip side as well is the board awareness that this is raised around data protection and the onus on data security has just raised the status and the importance of keeping that data secure. So for the IT department, they've always understood the importance of data security, this is just elevating it for them and getting, maybe, projects and things improved that they've been wanting to do for a very long time.
Michael Bird: So what do we expect to see in the future? Look through your crystal balls, what do we see?
Mark Overton: I'm hoping to see some case law, some precedent come through. As much as we don't want to see people being stung by this regulation, hopefully it will provide a lot of clarity for people in the types of stuff which we can expect to see in the future.
Michael Bird: Do you think there are going to be organisations that will get fined fairly soon? Do you think it's going to happen or do you think there's going to be a bit of a waiting period, a bit of grace period?
Mark Overton: There seems to be a guarantee, from many years of looking after the security side of things, that data breaches will happen and that they will be headline grabbing. So it feels like it can only be a matter of time until we see that next headline grabbing data breach. TalkTalk got fined the maximum fine of 400,000 for their previous one, obviously that's all changed now.
Graham Charlton: Mark, do you think the enforcement agencies in the individual countries are going to be able to cope with the volume of complaints that it’s going to trigger?
Mark Overton: It's going to be really interesting because certainly all the law firms are advising everyone to over report. There's this statement in the regulation that if it's not going to impact the rights and freedoms of individuals, you don't need to report the breach, but no one understands where that line is right now, so what everyone's been told to do is report it. It's much better to report it and have the supervisory authority tick it off and say it’s ok, but the understanding is that the supervisory authorities have lost a lot of good talent to the private sector and I do think they're going to struggle in these early months to handle this new workload.
Graham Charlton: Customers presumably can raise a complaint to the ICO as well as companies reporting a breach, so there's two streams to that volume, is that right?
Mark Overton: Yeah I think anyone can raise a report to the ICO and they are looking to, if they’ve not done it already, to somewhat automate this by providing a website, form-based submission for these breaches and other notices.
Michael Bird: So, to summarise? Would anyone like to summarise?
Mark Overton: So ultimately it's the responsibility of every organisation to understand the regulation and how that applies to their company. Everything we’ve said today hopefully will be useful guidance for people, but please don't take it as gospel, it is our opinion.
Graham Charlton: So from my point of view, thinking about it in the round as both CFO of Softcat but also a consumer, I think it's a good thing. Now it's quite easy for me to say that because of everything we’ve said about how Softcat and its business operations aren’t at the more extreme end of the spectrum when it comes to compliance and the onerous nature of that and particularly the impact that that could have on strategy and how we go to market. So as a consumer I think it's great, as a parent actually as well I think it's great. We didn't talk an awful lot about the ‘what's in the GDPR relating to children’ but there's quite a lot of protection in there specifically aimed at children, so on balance I'm very positive about it. However how it gets enforced in practice we could still, I think, collectively drop the ball there, and if that becomes the point at which it's proven to be not pragmatic and not actually in the consumers’ best interests and also recognising the cost of compliance to companies then it could still become a really poor piece of legislation. But as we stand today I’d be very positive about it.
Mark Overton: Yeah I have to agree, it's definitely being done with the individual in mind. This was not about making life easier for organisations, it was about improving the rights of privacy for individuals that have been eroded significantly by the growth of technology in our lives. So from that side it's a really good thing. Another angle is it's created a small industry in itself over the last couple of years with GDPR compliance and it's driven companies’ security programs forward as well which are all good things.
Michael Bird: So Katie, Mark, Graham, thank you so much for your time, it's been really interesting talking to you all. Listeners, if there's anything in this show that has piqued your interest, or if you'd like to talk to someone at Softcat about anything we’ve talked about in this episode, please check out the show notes, we’ll include some links about some of the stuff that we've talked about today as well as some contact details. Also make sure you click subscribe wherever you get your podcasts and we'll deliver the next episode to you as soon as it lands. You’ve been listening to Explain IT from Softcat, thank you so much for listening and goodbye.