Independent competence platform
for integrated security in Switzerland.

01.04.2017
by: David Kemp - HPE

De-mystifying GDPR for Swiss corporations and other entities

Real challenges of GDPR – Expert interview with David Kemp

A lawyer by profession, David Kemp is an EMEA Specialist Business Consultant for the Hewlett Packard Enterprise Software Division, creating business outcome solutions in the areas of Information Management and Governance. His delivery is assisted by his unique variety of experience, namely 5 years as external counsel, 10 years in the insurance industry with the Aon Group and Bank of America, 19 years at ABN AMRO Bank / RBS as Corporate Banker and Legal / Compliance Manager, and 6 years with HPE.

David Kemp, you are the EMEA Specialist Business Consultant for Hewlett Packard Enterprise Software Division, specialized in the areas of Information Management and Governance. As a lawyer and expert for the General Data Protection Regulation (GDPR) subject, you advise companies on how to comply with this EU regulation and actually benefit from it. The EU regulation applies in Switzerland and other non-EU countries. What is the relevance of this regulation to the Swiss Market and why should Swiss companies care?
The key importance of GDPR is that it applies rules in relation to anyone dealing with the Personal Data of any EU Citizen. As the EU is the largest and nearest trading bloc for Switzerland, hence involving major volumes of business with EU nationals, it is essential that Switzerland adopts a parallel regime of respect for data privacy and protection. If one takes the example of investment banking standards, Switzerland has similarly initiated law which mirrors that of the European Union to ensure a level playing field with EU countries.

How can a business logic for GDPR effectiveness be created, what are your recommendations?
GDPR is not simply a compliance issue. The real impact is firstly one of records management and secondly of security. There are 3 major drivers which are evidenced in Europe as a whole for GDPR compliance, namely:
a. Defensive compliance to avoid the fine of 4% of annual revenues or EUR 20 million, whichever is higher. But more importantly, the reputational damage of ineffective data security, e.g. the Sony 2012 hacking incident which resulted apparently in a 30% fall in their share price, or the security breach at the UK's Talk Talk in 2015 which resulted in a fine of GBP 400,000, but more importantly in a remediation cost in excess of GBP 42 million. Furthermore, with some EU countries now having GDPR compliance as a pre-requisite for Government Contract bidding, non-compliance can be critical to businesses which depend on governmental clients.
b. Operational efficiency. In order to identify Personal Data and then to take action to protect / move / edit / anonymize it, it is essential for Chief Information Officers initially even to be able to find it. Most large corporations are faced with an immense task of having to isolate personal data in, say, 25 years of "dark data". However, a secret to GDPR effectiveness will be the actual reduction of the mass data and elimination of the "redundant, obsolete and trivial". So the surprising effect is that CIOs are using GDPR as a catalyst for wholesale Information Life Cycle Management. By reducing their mass data, they can even be generating Return on Investment as they may need less storage, less power for their servers, less back-up and recovery facilities.
c. Revenue! Surprisingly, a variety of different industries are identifying even money-making opportunities from GDPR. For example:
i) Being able to stamp "GDPR effective" on their web site enables media companies to improve customer loyalty and attract new clients.
ii) Being required by GDPR to provide masking of personal data actually legitimizes the mining of data for new products and services.
iii) By acquiring technology to achieve GDPR effectiveness, "Hub" entities such as airports and major transportation centres can actually provide a managed service to the multitude of entities who operate in their environment e.g. an airport serving all the airlines that fly in as well as all the shops and facilities that inhabit the airport. And an additional benefit! Not only is the airport creating a new revenue source through hosting GDPR effectiveness, but it naturally can reduce the cost of the technology it acquired to achieve it!

Is there a programme that can be established for GDPR and if yes, what are the steps?
The demands of the GDPR require a measured approach which can satisfy not only regulators but also customers, investors and employees. From observation of the EMEA market-place activity on GDPR over the last 12 months, a usual programme sequence is evolving in the form of:

  • Obtaining Main Board / Senior Management endorsement of the criticality of the GDPR issue and appointing a steering committee with set objectives
  • Appointing a Data Protection Officer to manage the internal effectiveness in close co-operation with Legal / Compliance / Risk / Audit / Security etc.
  • Carrying out a Data Discovery to identify the parameters of the Personal data held by the company
  • Execution of a full Risk Assessment to justify a formal Programme of engagement and delivery – in the area of policy, procedure, training etc. as well as technology solutioning.
  • Gap analysis as to the extent that GDPR Risk assessment priorities can be met by existing facilities, and hence where new resources may be needed.
  • Implementation of new risk mitigation tasks – both legal and procedural, as well as from an IT standpoint.

How can risk be assessed for a gap analysis?
Risk can be approached by having a thorough break-down of the legal implications of GDPR – both from an EU regulatory point of view, but also national Swiss law. With a suitable Legal Opinion, one can then work out the deliverables and functionalities to be addressed. With this achieved, one can then consider a range of options on each point based on the vulnerability of the organization. By creating a logical set of priorities for action, one can by definition generate a road map for GDPR effectiveness.

What are the opportunities for technology to complement corporate policy and human intervention?
The real implications of GDPR are that organizations will need to have a total overview of their data in every format, location, language and structure – ranging from structured data through to social media and even call centre traffic and video information. This involves a volume of data needing to be analyzed at speed, e.g. 4 weeks in which to locate and move the data of a private customer who wishes to have their data transferred to another company. This is beyond human intervention and management due to the volume and speed. As such, technology can assist in terms of data identification and classification, the enforcement of policy against such data, and the provision of audit trails to show that a customer's wishes regarding their personal data are respected.

What does "good" look like?
An effective GDPR Programme will ensure firstly that both the external & internal security of the organization is enabled. Then, that the company has sufficient records management facilities to identify and process personal data. But as described above, also to take advantage of GDPR to achieve larger operational efficiency goals which GDPR accelerates, and even make the most of increased revenue opportunities.

David Kemp will be speaking at the 15th Fraud & Corruption Forum taking place in Geneva on April 24th-25th. Further information and registration can be found here.