Ardi Kolah, executive fellow and director of the GDPR programme at Henley Business School, opened his presentation with a quote from Bill Gates:
“We overestimate the amount of change that will happen in the next one to two years, but underestimate the huge change that will happen in the subsequent three to ten. The future is exponential, non-linear, and unpredictable.”
“That sums up where we are now,” said Ardi. “The clock is ticking on GDPR and there is a lot of change going on, but that change means opportunity. What we need to do is not panic, but instead reboot our thinking. That means not assuming how we did things in the past will carry over to how we do things today. Given where MSPs sit in the continuum of knowledge and guidance when it comes to technology, it’s really important you reboot your thinking to support your customers in a much more meaningful way.”
Ardi pointed out that GDPR is about identifying risk and then mitigating it. “This means understanding what you and your customers are doing in terms of processing personal data,” he said. “If it’s high or very high risk, it’s about working to reduce that to a residual risk. We can do that through organizational and technical means, and we need to think about how we deliver this in a meaningful and cost-effective way.”
Ardi also went on to say that GDPR is not just about regulation; it goes much deeper than that and is about an organization’s—and even a country’s—reputation. To illustrate this, he quoted the UK’s Information Commissioner, Elizabeth Denham, who has explained the need to deepen digital trust.
“The starting point isn’t the horror stories,” said Ardi. “You need to think about the opportunities for yourself. Start by rebooting your thinking and looking at how you connect the dots on three things: business continuity, risk, and technology.”
One of the most important things that Ardi said needed to be rebooted was thinking about GDPR as a tick-box exercise. “This is about stronger controls for people—you and me. The driving force behind GDPR is simple: transparency; accountability; and control for end users,” he said. “It’s a principles-driven regulation. It doesn’t tell you what to do in most cases. Companies are expected to understand their own business and clients and then apply what is appropriate in that context.”
As Ardi explained, this is where MSPs have the opportunity to offer guidance, advice, and consultancy.
“What’s the business case for this? Why divert huge amounts of time, effort, and resources into GDPR compliance when an MSP can help take that pain away?” said Ardi. “However, remember, it’s more than just providing a technology solution at a price point; it’s about supporting people in their journey towards understanding and explaining what you can do to help their business. As you’ve heard many times, this is about moving away from being a supplier to being a trusted partner.”
After spending some time focused on the Facebook and Cambridge Analytica case, Ardi said, “I like to think about GDPR in human language. Does it feel creepy or cool? If something feels creepy then it’s unlikely to be lawful. How you feel about how data is handled is important.”
Ardi reinforced the point that GDPR is about transparency and accountability. “The hope of the EU is that GDPR will become a global standard,” said Ardi. “Data protection, privacy, and security should be at the heart of our thinking, and GDPR focuses our attention on this. As Elizabeth Denham says, the need to build a culture of data confidence sits above all the stuff about regulation.
“Data ethics is a big issue,” he continued. “We’re moving to a place where this is becoming a point of differentiation for brands and is a key element of helping us decide who we want to do business with. This is about reputation and data integrity.”
Ardi also went on to look at the new British Standard BS 10012:2017, which applies globally. “This is important because while GDPR does have Marks and Seals, they have not yet been activated, so this is a way to separate out the good guys from the cowboys,” he said. “The British Standards Institute created this standard in the wake of GDPR, and while it doesn’t mean you are guaranteed to be compliant with GDPR, it does guarantee you have a culture of compliance.”
After talking about the new standard, Ardi went on to discuss accountability within GDPR. “So who is accountable? You, SolarWinds, everyone you employ, and everyone your customers employ. This means everyone touching personal data must be trained,” he said. “Whose door will be knocked on first in the event of a breach? The HR director’s, as they will want to see the training logs. If you’re processing personal data, and if the people doing that aren’t trained, it’s an immediate aggravating factor if you have a breach, even before they discover what has gone wrong. It’s critical that everyone thinks about accountability. It’s about a whole organizational approach with individual accountability at board level.”
He also pointed out companies will be expected to learn from near-misses and introduce measures to stop things from happening again, which is where he believes MSPs come in.
After looking at the territorial reach of GDPR, Ardi went on to outline the seven principles of data protection:
“The reality is lots of organizations are struggling,” concluded Ardi. “HR and sales have a lot of legacy data. If they don’t have a legal reason to be holding that, they should shed this data. MSPs need to be having conversations with their customers to uncover where they are along their journey. Equally, there is a crucial point for MSPs to consider, and that is continuous improvement—to keep customers improving their position. With the knowledge you have, you can conduct that conversation with them. Get them to think about their reputation and the fact they’re doing the right thing, as it’s the right thing to do.”
Find more on GDPR in our GDPR Resource Center
Ardi Kolah LL.M is executive fellow and director, GDPR Transition Programme, Henley Business School (UK).
© 2018 SolarWinds MSP UK Ltd. All rights reserved.