VMblog's Expert Interviews: IDA Ireland Explains What Companies Need to Know About GDPR

With just a few days to go before the most significant new data protection and security laws to appear in decades in the European Union go into effect, a worrying percentage of American companies either aren't aware, aren't prepared or mistakenly think these laws don't impact their business.  IDA Ireland works every day with U.S. firms involved in virtualization, cloud computing and many other product areas and they see that many American partners are looking at the General Data Protection Regulation (GDPR) and wondering what it means for them. These rules, which come into force on May 25, represent sweeping changes in consumer privacy, with non-compliance possibly resulting in fines of up to 4% of global annual revenues.  We ask Paraic Hayes, head of the Western U.S. region at IDA Ireland, what companies need to know about GDPR.

VMblog:  What is GDPR?   

Paraic Hayes:  The General Data Protection Regulation governs the privacy, protection and reporting of personal data and applies to all companies processing and holding data on people living in the European Union, regardless of the company's location.  GDPR gives EU citizens the right to access data held about them, the right to request correction or removal of data -- also called the right to be forgotten -- and the right to restrict processing of that data.

GDPR involves a broader definition of consumer data than here in the United States and includes not only personally identifiable information but also covers a person's digital footprint, including cookies, IP addresses, information stored on messaging platforms or devices, or other unstructured data within an inbox. In short, it covers any information that relates to an identifiable, living individual stored anywhere, on paper or digitally. One of the biggest implications of GDPR is that companies must now request consent before they can continue to store or use personal data.

VMblog:  What does GDPR mean for American companies?   

Hayes:  Before this new ruling, U.S. companies with European customers but without an actual office or presence in Europe weren't affected by European data legislation. That changes with GDPR. Companies also have security requirements under the ruling. For example, if a company has a data breach, it must notify those people impacted within 72 hours.

VMblog:  How does someone know whether GDPR impacts their company?

Hayes:  Any U.S. company that has data related to an EU citizen is impacted, even if it's just one person. That includes personal data on e-commerce sites, media sites, messaging platforms or in files, anywhere it might be stored, electronically or on paper. Storing European customer data in the United States doesn't inoculate companies from GDPR oversight, even those firms without a sizeable number of European customers. An EU customer database, regardless of its size, must comply wherever or however it resides.  Those firms with a UK office that think Brexit will make them immune in the future should be aware that GDPR covers the entire region, regardless of Brexit.

VMblog:  What steps should a company take to comply with GDPR?

Hayes:  At a high level, the areas of focus are discovery, training and process development.  Companies need to perform a data audit to find out what European customer data exists in order to be better able to put comprehensive measures in place to protect it. Also, companies must know whether consent has been given to use that data, which is a major task in itself.

Training staff is also critical, along with developing processes related to current and future personal data. A wise move is to appoint an internal data protection officer or some dedicated person responsible for plans and implementation.

With reports that up to 50% of U.S. companies affected are unprepared for GDPR, it remains to be seen how quickly regulators will begin enforcement for noncompliance. At the very least, companies should be able to demonstrate that they are making the right moves toward ensuring that they're adhering to the rules.

Some good news for companies is that they should no longer have to deal with specific regulators within each of the EU's 28 different member states. GDPR introduces a "one-stop-shop" compliance framework that allows companies to have their cases managed by one lead regulator in their country of "main establishment."  For example, the Irish regulator has been particularly prominent and deals with many U.S. tech firms, having built up a lot of experience in some of the most complex cases. The approach there is certainly firm, but also fair, favoring engagement with companies in the process so they have a clear expectation of their obligations.    

VMblog:  Will GDPR be bad for business in the EU?

Hayes:  Overall, GDPR will be good for customers; they will feel more comfortable engaging and interacting online and with product or service providers. And whenever customers are happy and engaged, companies benefit.  There will definitely be a period of adjustment, but if we look a year or two down the line, customers will still be purchasing and going online and companies will have acclimatized to the new rules.

The European market is still a very large, very mature, very attractive market that is targeted by most fast-growing U.S. tech companies, who, in our experience, need to be global from day one.  In order to navigate the ins and outs, it might make sense for companies to manage and store customer data within the EU.


Published Wednesday, May 23, 2018 8:31 AM by David Marshall