GDPR: Regulatory compliance is just the beginning

Joel Benavides, managing director of global legal services at Box, explains the policies enterprise companies can anticipate with cloud data management after the GDPR.

We have just a few months until the GDPR hits. The road map has now become a very short sprint. TechRepublic met with Joel Benavides, managing director of global legal services at Box, to discuss where the enterprise is now, are they prepared, and if not, what they can do. Below is a transcription of their interview.

Benavides: We are definitely coming down to the wire, as commonly said. I think that you'll find that there was a huge rush to get ready, and then right now, paradoxically, either people are, in fact, sort of wigging out, so to speak. Or they are just burying their head in the sand.

What I see, and I look at the statistics, I have seen that in a lot of ways it seems that companies outside of the EU seem to be a lot more concerned. I saw something, statistics, recently where it said that only about 45 percent of companies in EU felt that they would be prepared, they would be ready. And the number drops as you get to the smaller companies, the medium to smaller-sized business that obviously don't have the same resources as the larger corporations.

SEE: EU General Data Protection Regulation (GDPR) policy (Tech Pro Research)

They seem to be really unprepared. At this point, it will be an issue of ... almost like damage control and really making sure that you are showing best efforts, at this point, to achieve compliance and start by doing just your analysis of the five Ws: where, what, when, and so forth. And really try to get to a point where you understand at least where the customer data is and what it is that you're doing with it, and how can you ameliorate any use above and beyond what you have consent for.

Patterson: I'm glad you brought up amelioration as well the consequences. We know there will be fines but for companies who are unprepared for the GDPR, what can they anticipate after the deadline passes?

Benavides: Yes. That's a great question. And, frankly, we really don't know. We really don't know how aggressive the data protection authorities will be, and whether we're going to see more enforcement actions coming from Germany or from France via the CNIL or Ireland and such. The one thing that we do know for sure is that they have doubled or tripled their staff. So, for example, whereas the Irish DPA used to have, I believe, 10 people in their staff, now, all of a sudden, they have at least double that.

What we can surely expect is that there will be a rush of data subjects who will be making complaints and then it's gonna be very interesting to see how the DPAs are going to react to that, and what kind of enforcement actions they're going to take. I would imagine, frankly, that they will start taking a closer look and moving forward with investigations and such with social media companies, because anybody that is a consumer-based company certainly has a lot more exposure to getting requests from the data subjects. To the extent that they ... that such companies are not able to produce the data and explain to the customer what they're doing with it or they'll leak that data, right? Purge the data from their systems, from a customer's request, then you can definitely see some exposure there.

Patterson: That actually brings up a great point. Regulation itself doesn't necessarily protect consumers. The companies moving to enact to the regulation might. What does this mean for personal, identifiable information for companies who have not complied versus those that have. Is it more safe? Is it less? Does it matter?

Benavides: Yeah, no. That's a great question. I think that it depends on the type of company that it is, right? If you have a company that has been dealing with personal, identifiable information and that company is, for example, HIPAA compliant. They have a certain infrastructure in place, and processes and procedures, with retention policies and such for the data. Whereby a lot of the objectives and at least the protected measures, organizational and technical measures will be place as mandated by the GDPR, on the one hand, that will in a lot of ways be matched by the infrastructure that is required by HIPAA and such. Same thing with financial information under the FINRA requirements.

You can see where the infrastructure that has been in place, and really more particularly the policies and ensuring that those policies are adhered to within the service provider processes and the way they handle that data, it's going to be very important and ensuring that you are following those policies. I think that by doing that, it will get you very far along compliant with the GDPR, even if you have not finalized all of the steps necessary in ensuring that you will reach compliance by the deadline.

SEE: The General Data Protection Regulation (GDPR) (LogRhythm download)

Patterson: So, last question, Joel, for companies that have complied, and they are many, is this the end of the road? Do they rest easy and feel good? Or is this the beginning of another path and will require multiple configurations down the line?

Benavides: Yeah, absolutely, this is definitely the beginning. Compliance, it's an ongoing requirement. As long as you have the personal data of the data subjects, you have to comply with the GDPR and even if that relationship has ended, you have to delete the data. You have to dispose of that data in the proper manner and it's specified in the GDPR. But there are so many more modalities coming into play here. For example, you can see with IoT, a different Pandora's box can be opened, because we need to think about all of the policies that need to be in place, so the systems, the automated systems are collecting information in such a way that it is within the consent that has been obtained from the customers. For example, if you are in wearables or you are collecting the data in all of their devices, in various devices at home.

And I think these are areas that we really need to, as citizens, ourselves, as their subjects, we really need to involve ourselves with and ensure that we are interacting with the legislators, the regulators. So that their mission of protecting the consumer while allowing for technology to flourish so that the consumer can be better off, so the services can be provided to the consumer. So, that all the mechanism. It's working smoothly and you are, on the one hand, obtaining the benefits, the great benefits the technology brings to all of us, while respecting your privacy in such a way that is allowed while you're using that technology.

So, I think these are very important issues that we all need to be concerned with and make sure that we're involved in this discussion, and that we elect the legislators that understand this and are gonna be working to really allow technology to flourish while protecting the consumer.

Also see

Image: iStock/SBphotos

About Dan Patterson

Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.

Editor's Picks

Free Newsletters, In your Inbox