GDPR & the Cloud: New opportunities
In conversation with Microsoft’s Ramez Dandan and Joanne Fischlin on how organisations can leverage cloud technology to effectively comply with the impending EU data protection regulations.
The General Data Protection Regulation (GDPR) will change how companies process, store and secure EU residents’ data. With enforcement beginning in May 2018, GDPR is expected to set a new standard for data protection rights; however, it does place a challenge on companies to introduce, realign or reinvent systems and processes to comply with specific requirements, especially when it comes to their IT infrastructure. Microsoft’s Ramez Dandan, regional chief technology officer, and Joanne Fischlin, head of corporate, external and corporate affairs for the Gulf region, talk about how GDPR compliance presents an opportunity for businesses in the region and how cloud technology can act as a bridge to compliance.
The Middle East – ahead of the curve
The European countries have had a directive on the subject matter of GDPR for the last two decades; hence an evolution has taken place over the years in terms of adopting and introducing systems to comply. In last month’s edition of the Oath, we focused on the new law’s requirements, impact and reach in the Middle East. “To be honest, it is going to be difficult for businesses here to understand whether or not the regulations apply to them. I think it is important for companies to consider the opportunity with adopting GDPR. It is not feasible for a company to segregate between what part of its business should be compliant and non-compliant. This is where Microsoft can help with systems that are GDPR compliant and talk to each other, helping companies identify data, manage data and report breaches in accordance with stringent GDPR regulations,” said Fischlin. Further, as trade between the EU and the UAE exceeded AED32 billion in the first half of 2016¹, Fischlin opined that GDPR-compliant EU-based companies will seek partners here who are GDPR-compliant as well and, if not, consider the privacy framework here. “The privacy legal framework of the region is still evolving. Driving GDPR compliance will give a company a competitive edge and a level of assurance to their partners in Europe. It is important for companies to assess and determine the approach to take it to the next level. In all fairness, the region is stepping up and adopting robust privacy laws. Hence, it is important to implement a progressive compliance approach now instead of potentially losing part of the business with Europe.”
Dandan also views the compliance effort as an opportunity and not a burden: “The beauty of it is that companies don’t have to reinvent the wheel. They can adopt a part or all of what has been done elsewhere. As part of the GDPR exercise, companies will be forced to understand their data structure, set and controls and thereby, derive more business value and insights out of the data they possess.” He is certain that by the end of the GDPR compliance journey, companies will be left with much stronger control over their most valuable asset, i.e. data.
Internal policies, a solution?
With the existence of evident legislative gaps, is it up to companies to develop their own data protection policies? Fischlin commented, “I am confident that the legal framework of the region will evolve to match the changing requirements. Most medium and large organisations have developed internal privacy policies; however, these policies will be ineffective if the company itself is not aware of where the data is stored and who has access to it. This poses a significant challenge as it is impossible to take action in case of a breach. In today’s world, having a policy is not enough. It requires a business-wide effort involving collaboration between the IT department and other units, helping the organisation understand all aspects of data protection in terms of storage, access and purpose.”
At the outset, it is critical for organisations to audit and assess data, as mentioned above; however, once the technical aspects have been implemented, Dandan and Fischlin stressed the need for training employees on the GDPR requirements. Fischlin said, “At Microsoft, we offer great tools to enable companies to make their GDPR journey but it is the responsibility of the organisation to ensure their personnel are trained to understand the value of the data and the risks attached to it.”
How can cloud technology help with GDPR?
Whilst there are several recommendations on how companies can comply by the deadline, adopting a cloud technology that provides sophisticated, built-in controls can make companies’ journey to GDPR compliance easier. Organisations can be GDPR-compliant by using traditional technologies instead of adopting a cloud platform; however, this process can be expensive and time-consuming. Dandan said, “By utilising the latest technology of cloud services, companies are in effect driving IT modernisation efforts as well – an assured path to compliance and the associated benefits of data protection.”
Though Microsoft is not the sole cloud platform in the market, it is the only service provider that has announced that its cloud services, ‘Microsoft Cloud’, will comply with GDPR by the deadline. In this way, customers can be certain that by associating with Microsoft’s services, they can be compliant as well. The tech giant has a strong legacy in cloud technology, establishing its ‘Trusted Cloud Principles’ almost a decade ago with a focus on security, privacy, compliance and transparency.
“In line with the global digital transformation paradigm, cloud technology is central to changes we are witnessing at an individual, organisational and governmental level. Hence when it comes to cloud services, we have an unwavering commitment of building and maintaining trust with our customers. How do we establish trust? By being the most compliant cloud service provider in the market. We are truly a role model for the industry when it comes to trust, compliance and code of conduct. Hence, we can weigh in on this whole discussion about data protection, privacy and the rights of individuals in the context of GDPR,” said Dandan. The cloud in effect will act as an enabler by detecting, managing and reporting breaches with its built-in controls that leverage the power of Big Data and AI.
Fischlin believes that the GDPR is also a massive opportunity for in-house legal counsel to rise as thought-leaders within their own organisations. “To in-house counsel, I would recommend them to partner with their IT departments to work out effective data management systems and reporting tools, and consider the costs and benefits of moving to a cloud provider as part of compliance efforts. This is a business opportunity down the line and a massive risk mitigation exercise – ticks the boxes of what an in-house counsel should be bringing to the table,” shared Fischlin.
Microsoft is committed to driving awareness in the region on how cloud can assist GDPR compliance. As Microsoft is also undergoing the whole process of complying with GDPR, Dandan shared that the company is discovering the right approach in its journey and is open to sharing learnings with customers. Fischlin added, “As an organisation, we want to be leaders in compliance and the trusted cloud. To be honest, I don’t think we have all the answers. We are still on the journey ourselves and I am proud to see my organisation sharing lessons learned and failures along the way. We are systems specialists, capable of taking away that headache from our customers; however, there is a whole other side to the process which we are very happy to assist with as well.”