January 15, 2018

GDPR: the new baseline for managing personal data

Quest’s Colin Truran talks compliance myths and reality, and argues that organisations shouldn’t rely on one or two technologies to address their regulatory needs.

By Ellie Burns

The EU General Data Protection Regulation (GDPR) will become the reference standard against which all organisations will assess their management of personal data across the world. That’s the view of Quest’s Principal Technology Strategist Colin Truran.

Talking to CBR TV, Truran pointed out that one of the major differences of the forthcoming regulation, due to come into effect in May 2018, compared to previous directives is the accountability it imposes on data processors. “It’s easy for the data controller – they know they own the data, responsibility lies with them,” he said. “It’s the question, ‘Are you a data processor?’ that is more of a quandary for organisations. [Is the organisation] actually participating in the lifecycle of the data? Do they have any responsibility during the journey of that data? If they do, then they are a data processor.”

“GDPR is the baseline. It’s what everyone should adhere to as a minimum. [And then] you’ve got to take into account all the legislation for all of the countries that that data resides in and passes through.”

Addressing the myths and confusion surrounding GDPR, Truran was asked whether it was really the case that organisations only have 72 hours to report a breach. “Not at all,” he said. “This is often a number quoted to scare organisations. You only have to notify the data protection authority of a breach within 72 hours if it poses a significant risk to the rights and freedoms of a data subject, an individual.” In other circumstances, the three-day deadline does not apply, Truran said.

On a related topic he was asked what responsibility an organisation had when it was in receipt of personal data sent in error. “It’s quite an interesting conversation to have because in essence you didn’t request that information and suddenly you’ve become a data processor or a data owner, a data controller,” noted Truran. “Therefore you have responsibilities for that data moving on. You can’t just … remove it. So you do need to notify the [originating] organisation and the authority that you’ve received this information in error.”

As for the technology organisations should adopt to help address the compliance issues thrown up by GDPR, Truran said firms should not expect to find a single cure-all. “I hear a lot about two typical technologies that are mentioned: encryption and personally identifiable data discovery,” he told CBR TV. “Two great technologies [but it’s] really important you don’t just rely on those technologies as your only form of bolstering your position.

“You need to make sure you have other technologies and other processes in place. For example, if you rely only on encryption, this only works when the account isn’t compromised. If the account is compromised you’ve lost the benefit of the encryption.”
