GDPR home and away.
Many people are under the impression that GDPR is just an “EU” thing: a legislative framework that applies to countries within the region and is not binding on anyone else. Yet IT is increasingly global by nature, and you may find that some of your data is being processed abroad, while companies wishing to operate within that trading zone may find their activities affected by the new regulatory regime.
At a recent conference I attended, we shared amongst ourselves the triggers for starting on our respective GDPR journeys. One participant gave the surprising response that the main driver came from his American vendor. The management of this company were so concerned that they insisted on a day’s remote session reviewing everything from database structures to data storage. This may be because the Americans have a far more litigious trading environment than we do here, but it does show the interdependence of our businesses via our IT structures, an interdependence that goes beyond borders.
Keeping information free flow while still being compliant.
Some organizations have set up their whole pricing model around the potential for some areas of work to be conducted in economic areas where the cost of labour is dramatically lower than in the Eurozone. With greater access to networks, this will undoubtedly mean information transfer beyond the EU. GDPR doesn’t prevent this style of working, but it does expect the same due care as if the data had remained in-house in Europe. This requires due diligence which takes into account distance, cultural differences, levels of technology and internal procedures. That implies explicit vendor agreements, review of data processes and even verification, which may require on-site visits. What most organizations are looking at is a way to “anonymise” the data so that personal data is not exposed in the process of moving it outside of Europe. A number of UK software companies outsource the bulk of their programming to companies in India. What they are now doing is giving potential suppliers dummy data using made-up names, so that the suppliers can reproduce the routines and test the scripts, but with raw data that is meaningless if leaked into the public domain. Others only give suppliers a small proportion of the overall process, so that any information gleaned would be incomplete and therefore of limited value outside of its normal context.
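The dummy-data approach described above, as an added example that is not from the original post or any named company: a constructed customer table and orders table are rewritten with made-up names and remapped ids so that a supplier's scripts and joins still run, and a release gate checks that no original name or e-mail survives. The keyed hash, the name pools and the `test.invalid` addresses are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample tables standing in for a real customer database.
CUSTOMERS = [
    {"customer_id": 101, "name": "Anne Example", "email": "anne@example.org", "country": "IE"},
    {"customer_id": 102, "name": "Bart Example", "email": "bart@example.org", "country": "FR"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 101, "amount": 42.50},
    {"order_id": 2, "customer_id": 102, "amount": 7.99},
    {"order_id": 3, "customer_id": 101, "amount": 13.00},
]
# Hypothetical pools of made-up names for the dummy records.
FIRST = ["Alex", "Sam", "Jo", "Kim", "Pat", "Chris", "Lee", "Max"]
LAST = ["Test", "Dummy", "Sample", "Mock", "Stub", "Demo", "Trial", "Spec"]


def pseudonym(key: bytes, value: str) -> int:
    """Keyed hash: the same input always yields the same dummy value, but the
    mapping cannot be reversed without the key, which stays in-house."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def build_test_dataset(customers, orders, key: bytes):
    """Return (dummy_customers, dummy_orders) with personal fields replaced.
    customer_id is remapped consistently so the supplier's joins and scripts
    still run, while amounts and other non-identifying fields are kept."""
    id_map = {c["customer_id"]: 100000 + pseudonym(key, str(c["customer_id"])) % 900000
              for c in customers}
    if len(set(id_map.values())) != len(id_map):
        raise ValueError("pseudonymous id collision; choose another key")
    dummy_customers = []
    for c in customers:
        h = pseudonym(key, c["name"])
        new_id = id_map[c["customer_id"]]
        dummy_customers.append({
            "customer_id": new_id,
            "name": f"{FIRST[h % len(FIRST)]} {LAST[(h >> 8) % len(LAST)]}",
            "email": f"user{new_id}@test.invalid",  # reserved TLD, never deliverable
            "country": c["country"],
        })
    dummy_orders = [dict(o, customer_id=id_map[o["customer_id"]]) for o in orders]
    return dummy_customers, dummy_orders


def leaks_personal_data(original, dummy) -> bool:
    """Release gate: no original name or e-mail may survive in the export."""
    secrets = {c["name"] for c in original} | {c["email"] for c in original}
    return any(v in secrets for row in dummy for v in row.values() if isinstance(v, str))
```

Run the gate on every export before it is handed over; the key used for the remapping should never travel with the data.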
Keeping it safe.
Either way, the principles of due care will apply no matter where the data is held. It is just that meeting them may be more difficult when the work is being conducted overseas, and allowances and extra effort may be needed in order to comply with both the letter and the spirit of the regulations.