• Encryption is at the heart pf GDPR and can protect enterprises from potential breaches and mitigate the problems if they occur.
• Enterprises cannot expect ICT providers now to simply accept the risks associated with data handling and should look to work collaboratively.
At its analyst day on June 29, Interoute set out its view on GDPR and how it is seeking to help customers prepare their own operations for when GDPR goes live. Most IT providers are now beginning to talk about GDPR, and some such as AWS have already launched services that pre-empt GDPR’s requirements.
GDPR is a serious business. The headline fines of EUR 20 million, or 4% of annual turnover, are designed to grab attention. In reality, the level of fines is likely to be much lower. In the UK, the Information Commissioner’s Office (ICO) has stated that it has never issued the maximum fine under the present guidelines and it does not anticipate that its approach will change under GDPR. However, enterprises should be aware that these fines are there to indicate the importance of these new rules. Factors that will determine how breaches are assessed in terms of fines include the swiftness with which the offending company reports the breach and also the measures in place to mitigate its impact.
In this light, Interoute has rightly highlighted the importance of encryption in responding to GDPR’s requirements. Indeed, enterprises should be aware that although GDPR does not necessarily specifically refer to encryption, encrypting data should increasingly be seen a best practice – if not standard practice when dealing with people’s data. An example would be that a stolen laptop that is encrypted may not be considered a breach. Encryption is also important in situations where data may be exposed to the public Internet. This is not to say that the Internet is not ok, but that it should be used in a way that acknowledges the risks. In a world where hybrid WAN has become the norm and SD-WAN is set to increase the use of the Internet versus traditional WAN services, enterprises need to engage with their providers to ensure that what they are doing is GDPR-compliant.