At TM Forum Live! (in Nice in May), Microsoft’s Karel Dekyvere will deliver a presentation on ‘Security & privacy standards and regulations – what is enough, is there ever too much?’. In this post, he takes a looks at the General Data Protection Regulation (GDPR) legislation.

The General Data Protection Regulation (GDPR) is becoming a new buzzword. It will affect all entities that handle information relating to any citizen in the European Union. In practice, this is nearly every organization doing business with EU citizens, wherever it may be located in the world. We should ask ourselves why this regulation is so important and how we can get prepared for it.

The main driver behind GDPR is privacy. And that is in essence all about freedom — freedom to control your personal information and freedom to be forgotten. For many people that sounds like serious overreacting against the big data era, another buzzword.

Now let’s go one step deeper on this. For sure, anyone older than 35 has memories of being a teenager. Some are great, some you prefer to forget. Luckily, only your mind has fragments of them. Today’s teens live in a world saturated with social media. There is a digital trace of everything, both smart and stupid.

The context of a millennial taking a job interview is likely to collide with a party picture taken in a completely different context. These context collisions are a recent phenomenon, and will only get more frequent. GDPR is there to assure that you, as an individual, can manage these context merges.

23 May 2018 is the deadline to become GDPR-compliant. That seems like a long time away. There is, however, a snag: GDPR compliancy boils down to the maturity of an organization’s ability to manage information. Information maintained by people. People working on any type of device. Devices running on many networks.

An organization will not be able to strictly manage its information streams if it has little view and control of the identities (people) that can govern it. Not to mention they fact they work from several devices.

There is another catch: the size of your organization is irrelevant to the actions you need to take to become compliant. The only thing that matters is the amount and type of Personally Identifiable Information (PII) you manage. There is, for example, an obligation that, in case of a data breach, data controllers must inform within 72 hours. Mature organizations with a well-established detection and response plan will beat this number but others will find it challenging. That could become a choking IT investment, especially for small companies.

The good news is that many vendors are preparing (cloud-based) service models that will help customers to move towards GDPR compliant businesses. Small and medium businesses in particular will find a cloud transition a cheaper and safer approach. Providers that offer black box solutions should be avoided — there is no such thing as a one size fits all.

Any given solution should always contain a protection, detection and response component. When data is thoroughly protected, when services are set up to detect anomalies and breaches, and when a solid response plan is in place to react, a company will be complaint with GDPR. Now is the time to start evaluating these three components. Assess where the gaps are in your organization, fill in these gaps and increase overall data protection maturity.

It’s still early days — there is a lot more to be said on this topic.


This article first appeared in TMForum