Verne Global


28 November 2017

GDPR, Seven Months and Counting...

Written by Tom Squirrell

Tom is Verne Global's Director of Customer Success, and is based at our London headquarters. You can follow Tom on Twitter: @SecretSq360

With General Data Protection Regulation (GDPR) enforcement set for May 2018, the clock is ticking. Everywhere you look now, advice and attention are being directed at the challenge of compliance.

The best and simplest explanation I have seen is this - to stay compliant under GDPR, businesses will need to ensure that all data is processed lawfully, transparently and for a specific purpose. Crucially, once this purpose has been concluded, the data cannot be held and needs to be deleted.

Step 1 for this challenge is to find yourself a DPO (Data Protection Officer). He or she will need to attend some form of briefing or training and take the lead on your compliance. Does this remind anyone else of the Millennium situation? And that all worked out OK, didn’t it?

A data center such as ours is classed as a “data processor”, a category that covers colocation and cloud providers and largely reduces our responsibilities to security, both physical and digital. For our customers, who are “data controllers”, the list of compliance needs demands rigour and documentation. Every process needs to be auditable, and all customer information should be anonymised. Customers have the right to request access to see what you have stored about them under the scheme.

Contracts with data processors will have to contain different or additional provisions to be compliant. This largely concerns companies processing or storing data on behalf of a client. Processors will have 72 hours to notify the nominated authority of any security breach; this is one example of an obligation that should be written into existing and new contracts.

GDPR rulings can be enforced inside and beyond the EU. Businesses will have to consider carefully whether their data transfers are legal, given the new and stringent sanctions, and given that the nominated authority will judge the level of data protection in the third country concerned.

GDPR has teeth! Fines are high (depending on the situation, up to EUR 20 million or 4% of annual global turnover, whichever is the higher), and enforcement is strengthened by the creation of national data protection authorities. No court case is necessary to impose these fines, so making sure you’re ready is a good plan.

I am the DPO for Verne Global and continue to read the documentation that comes through daily. Incidentally, I was responsible for the compliance sign-off for the Middle East and Africa region for the Millennium with a well-known airline, and I survived that to tell the tale. Good luck!
