Sharing our GDPR journey: changing the definition of personal data

2018 is here and, as we leave the Christmas festivities behind us, a regulation six years in the making is about to become a reality…

The year of GDPR is finally upon us. By now, we’re all well aware of its aim: to transform the way that European businesses view data in terms of both protection and privacy. And, let’s face it, given that 2017 was a year in which cybercrime thrived - with attacks such as WannaCry and NotPetya making the headlines - maybe it’s just the thing that’s required to bring about a much needed change in attitude.

As Chief Technology Officer at a cybersecurity company, over the last few months GDPR has never been far from my mind. Not because I’m ‘productising’ it to make money out of our customers, but because we’re faced with the same compliance challenge as any other European organisation. It’s played a part in all decisions, whether they’re about changes to our infrastructure or updates to our product. The journey to ensure that all of our systems and technologies are as compliant as they can be is an ongoing one.

A change in mindset

One of my main considerations within this journey has, of course, been around personal data. The emphasis on protecting it is nothing new - that’s something that has always been important - even if the potential consequences for failing to do so threaten to be higher than ever before.

However, under the new regulation, ‘personal data’ as a concept is set to be redefined. Article 4(1) defines it as “any information relating to an identified or identifiable natural person” and, for the first time, explicitly names online identifiers, such as IP addresses, cookie IDs and device identifiers, as things that can make a person identifiable. In practice that means a web server log or an email gateway log full of client addresses is a store of personal data and has to be treated as one. It’s a bit of a mindset change to say the least, and something that over the last few months we’ve been working on embedding into our offering and services.

My main focus? Well, so far it’s been geared towards analysing the databases and systems within our current infrastructure, especially those that we use to process email and web or cloud application requests from our customers.

Like the majority of organisations preparing for GDPR, during the review process we’ve chosen to make some changes to our offering, many of which have been around the management of our core databases and the regionalisation of the data that we store within our global network of data centres. This network has been designed with speed of response in mind, so all of our data centres are based in strategic locations. Although users have always been able to select a home region for their data, historically copies of core databases could be made and stored in each data centre. This meant that, no matter where our customers were based, our response times were fast and efficient.

Under GDPR, moving personal data outside the EEA is restricted, so replicating core databases to every data centre by default is no longer something we can do. For us, this means that our customers will be able to specify which region – and even which individual data centres – they want their core information to reside in. So, if a customer chooses to use only European data centres then none of their core database information will be replicated anywhere else. Regions are opted in to rather than assumed, which is the spirit of the regulation. It shouldn’t affect the service - that will stay exactly the same… well, until users travel abroad.

When users are physically further away from the core database information then response times could suffer. Users might even see a delay when it comes to accessing cloud applications or trying to browse a web page. Unfortunately this is an unavoidable consequence of compliance at this stage. It’s a challenge that many companies are facing and another aspect of the regulation that we’ll need to adapt to in due course.
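The two paragraphs above describe a single mechanism: a per-tenant residency policy that decides where a copy of the core database may live, and a request path that falls back to the home region when a travelling user is outside every permitted region. The following is an added worked example of that mechanism in Python; it is not the author’s or their company’s code, and the data-centre identifiers, regions and tenant policies in it are constructed for illustration.

```python
"""Region-pinned replication policy for per-tenant core databases.

Added illustration, not the blog author's or their company's code: the
data-centre identifiers, regions and tenant policies are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple

# Hypothetical inventory of data centres: identifier -> region (constructed).
DATA_CENTRES = {
    "lon1": "eu", "fra1": "eu", "dub1": "eu",
    "nyc1": "us", "sjc1": "us",
    "syd1": "apac", "sin1": "apac",
}


@dataclass(frozen=True)
class ResidencyPolicy:
    """What a tenant has opted in to: a home region, the regions that may
    hold a copy of their core database and, optionally, the exact data
    centres within those regions."""
    home_region: str
    allowed_regions: FrozenSet[str]
    pinned_dcs: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        unknown = self.allowed_regions - set(DATA_CENTRES.values())
        if unknown:
            raise ValueError(f"unknown regions: {sorted(unknown)}")
        if self.home_region not in self.allowed_regions:
            raise ValueError("home region must be one of the allowed regions")
        for dc in self.pinned_dcs:
            if DATA_CENTRES.get(dc) not in self.allowed_regions:
                raise ValueError(f"pinned data centre {dc} is outside the allowed regions")
        # The home region must always be able to serve the tenant.
        if self.pinned_dcs and not any(
            DATA_CENTRES[dc] == self.home_region for dc in self.pinned_dcs
        ):
            raise ValueError("at least one pinned data centre must be in the home region")

    def permits(self, dc: str) -> bool:
        """True if this data centre may hold a copy of the tenant's core data."""
        region = DATA_CENTRES[dc]  # KeyError for an unknown data centre is deliberate
        if self.pinned_dcs:
            return dc in self.pinned_dcs
        return region in self.allowed_regions


def replica_targets(policy: ResidencyPolicy) -> Set[str]:
    """Every data centre the replication job is allowed to push a copy to."""
    return {dc for dc in DATA_CENTRES if policy.permits(dc)}


def audit_replicas(policy: ResidencyPolicy, current_replicas: Iterable[str]) -> List[str]:
    """Data centres that currently hold a copy but should not: drift from the policy
    that a periodic compliance check would have to report and clean up."""
    return sorted(dc for dc in current_replicas if not policy.permits(dc))


def serving_dc(policy: ResidencyPolicy, user_region: str) -> Tuple[str, bool]:
    """Pick the data centre that serves a user currently in `user_region`.

    Returns (data_centre, served_locally). When the user's region holds no
    permitted copy (the 'user travelling abroad' case) the request goes back
    to the home region and served_locally is False, which is where the extra
    latency comes from."""
    permitted = replica_targets(policy)
    local = sorted(dc for dc in permitted if DATA_CENTRES[dc] == user_region)
    if local:
        return local[0], True
    home = sorted(dc for dc in permitted if DATA_CENTRES[dc] == policy.home_region)
    return home[0], False


if __name__ == "__main__":
    eu_only = ResidencyPolicy(home_region="eu", allowed_regions=frozenset({"eu"}))
    print("replicate to:", sorted(replica_targets(eu_only)))
    print("out-of-policy copies:", audit_replicas(eu_only, {"lon1", "nyc1", "syd1"}))
    print("user visiting the US is served by:", serving_dc(eu_only, "us"))
```

The point of `audit_replicas` is that opting a tenant in to a region is only half the job: copies made before the policy changed are still sitting in the other data centres, so the policy has to be enforced against the current replica set as well as future replication jobs.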

Looking forward

Preparing for GDPR has actually given us the opportunity to review our services. It’s been a time for reflecting and for making positive changes to improve our offering. We’ve been able to strengthen the alerting, logging and monitoring systems that we have in place and, wherever there’s been the scope to, we’ve encrypted data, even where that wouldn’t necessarily affect our own GDPR compliance. So the regulation has injected a new perspective into our decision making, alongside the new definition of personal data.

From my point of view, although we’ve made huge strides in terms of analysing our various services and systems to better understand what data is stored where, we’re still only part of the way through our GDPR journey.

As CTO, my next big focus will be on reviewing our processes around gaining consent and our ability to report any data breaches, given that the regulation expects a breach to be notified to the supervisory authority within 72 hours of our becoming aware of it, to ensure that we are as close to compliance as possible in those areas as well. Needless to say, there’s still a lot of work to do.

And there’s nothing wrong with that. We may have reached 2018, but the ‘Complete Guide to GDPR’ still doesn’t exist. There’s no checklist and you can’t complete one area of compliance, tick it off and then forget about it as you move onto the next. It’s a continuous journey and a learning curve for all those on it.