Interxion's Patrick Lastennet shared essential tips for SMBs that have not yet complied with the EU's new data protection regulation.
TechRepublic's Dan Patterson spoke with Patrick Lastennet, director of marketing and business development at Interxion, and asked for advice for companies which need to comply with GDPR.
Patterson: The GDPR, that is the General Data Protection Regulation, was a challenge for a number of companies to become compliant by the May 25th deadline. Well, now we live in a post-GDPR world. Patrick, what advice do you have for companies who are looking to enter European markets, they may have some data but aren't yet compliant? What are the best next steps for those companies to get up to speed?
Lastennet: Well, first of all, Dan, I think it might sound obvious, but it's something to really take very seriously. We've seen a little bit from the US, an attitude, "Well okay GDPR, we're going to leave it to CTO or legal officer to sort of handle on the side and you might want to tick a box and be compliant with privacy shield," but I think it's a lot more than this. It's actually putting across the organization the fact that privacy really matters.
The first step is to make sure that at your board level decision makers someone is really championing GDPR within the organization. Governance, that the step number one. Step number two, you need to very quickly establish whether you are data processor or data controller. Do you control the data of your customers, or are you more further down the value chain? Both cases you're potentially liable. But I think the attitude towards privacy will defer a little bit. And number three start thinking about where the data of your customers is processed. Do you take personal data and in turn ship it back to the U.S. or do you make sure that it actually stays within Europe and gets processed? And on that third point, I would say that there's a lot of choices today. Most of the big clam providers have all deployed their computes all across Europe. So do not think that it's necessarily a huge task to have European data stored in Europe.
Patterson: So for companies who are already established are there any best practices that you've seen that have worked well, and kind of the opposite of that have you noticed any road bumps or speed bumps that companies might want to avoid in their compliance journey?
Lastennet:Yeah, I think those, the most established companies, first of all they've looked at it more as an opportunity as a hindrance and they really utilize the concept of privacy by design. So this is really at the outset id. Whenever you start a new business process ensure that you handle sensitive data the right way. Make sure that you minimize the collection of it. Essentially the more established companies have been able to use GDPR as a playbook for digital transformation. This has really given them some really good guidelines as to how to structure their IT and general practices to handle personal data. Now on the opposite, I'm going back to the sigma approach. A lot of companies might want to treat this as another compliance exercise, and they might want to sort of say "We're going to put the minimum required, we might collect some fines, but hey that's the cost of doing business." And I think that attitude is very dangerous because the reputational risk is really quite significant when you deal with data privacy.
SEE: Big data in 2017: AI, machine learning, cloud, IoT, and more (TechRepublic)
Patterson: Patrick, I wonder if you could leave us with a forecast. If we look down the road, say 18 to 36 months, where are we with not just compliance, but how companies handle and interact with personal data at large scale?
Lastennet:Well I think it's interesting. It's very difficult to say which parts of GDPR are going to be more or less important. Everyone goes on about data breaches and security just ahead of the deadline. And then all of a sudden Facebook, Cambridge Analytics, and there was a completely different perspective on the whole issue, more to do with how you share data with other organizations and the user for a data privacy in different business models. Personally I think this is going to still be top of the agenda, consent, how we use data. And I will have thought within 12 to 18 months probably you're going to have one or two big hacks or data breaches which are going to put the limelight on data security. And there all of a sudden techniques like encryption, like Sudanization, and things like that are going to start to be front page I think.