The EU GDPR (General Data Protection Regulation) may appear to be just another round of legislation that falls into the GRC (Governance, Risk and Compliance) bucket for organisations to wrestle with. However, I invite you to dig a little deeper and recognise the seismic impact that its unification and standardisation of European Union (EU) data privacy and security obligations has for ANY organisation delivering services into or from the EU that involve the personal data (Personally Identifiable Information, PII) of EU data subjects. Add to which, this will include the UK post-Brexit, as the UK government has said it will adopt the same regulation.
There is perhaps only one technology vendor with the ability to think globally and act locally that could truly leverage the timing of GDPR to magnify, ahead of the rest of the industry, such a commercial opportunity with significant customer benefits. It will require an attitude change from running with the pack to breaking clear into a visionary leadership motion: Blue Sky versus Red Ocean thinking (yes, I know the book by W. Chan Kim and Renée Mauborgne is called Blue Ocean Strategy, but for me the sky is the limit, whereas the oceans are bounded). That potential is lying dormant in the Microsoft Partner Network (MPN), the gold standard in partner channels and the envy of the IT industry and beyond. Gavriella Schuster, Microsoft Corporate Vice President for the Worldwide Partner Group, hinted at this in her article ‘How You Can Monetize New Privacy Regulation GDPR’.
Firstly, it is important to really understand why GDPR is so very different in nature to the procession of information standards and data regulations that have gone before. To start with, it is useful to reflect on its predecessor, the EU Data Protection Directive 95/46/EC. The Directive was little understood in many parts of the EU, let alone globally, and it was poorly enforced. Part of this was due to the nature of the EU process itself. A Directive is not directly applicable law: it binds member states to an outcome and leaves each of them to legislate for it at national level. The almost inevitable result was each member state implementing its own, inconsistent form of local data protection legislation. Couple those divergent implementations with limited sanctions for non-compliance and history repeats itself: regulation without teeth ends up being treated as optional rather than mandatory by those who should be implementing it. Consequently, it was poorly adopted and enforced. The bottom line was years of global abuse of EU data subjects’ personal data and a lot of bad data custodial habits becoming ingrained in corporate culture.
The EU GDPR echoes much of what was instigated under the former Directive, but because it is a Regulation at EU level it applies directly and consistently as law across all member states. In so doing, it addresses the weaknesses of the earlier national implementations in some fundamental ways that organisations can no longer ignore:
- It has real teeth: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, that organisations will want to avoid proactively. (A lower tier of up to €10 million or 2% applies to lesser infringements, such as failures in record-keeping or breach notification.)
- Legal liability for breach. In the UK, this is likely to be made personal at board level for directors if suggested comments from the UK Information Commissioner come to pass. Yes, the UK will be adopting the EU GDPR; after all, we contributed significantly to its drafting and will still be in the EU when it comes into force.
- Mandatory notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them (unless the breach is unlikely to result in a risk to individuals), and to the affected individuals without undue delay where that risk is high. This alone will challenge any company that does not have a proper breach response plan in place. Non-compliance will likely guarantee a fine, or a lengthy and costly dispute with the supervisory authority (in the UK, the Information Commissioner’s Office).
- Its extraterritorial reach has big implications for SaaS and social network providers, many core web service providers and most ISPs (Internet Service Providers).
- Expanded scope: the size of an organisation is irrelevant. Any organisation that processes the personal data of data subjects in the EU in connection with offering them goods or services, or monitoring their behaviour, must comply, no matter where in the world it is located or the data is stored.
- Expanded definition of personal data: it now explicitly includes online identifiers such as IP addresses, cookie identifiers and RFID tags, and by extension the identifiers used by other digital beaconing such as ultrasonic cross-device tracking (UxDT). The special categories of sensitive personal data are also expanded to include genetic and biometric data.
Most importantly, non-compliance will be very visible, as companies cannot avoid showing obvious signs in plain view such as:
- Website opt-in, NOT opt-out: consent must be an unambiguous, affirmative act, so pre-ticked boxes and silence no longer count. This extends to the right to object to profiling for direct marketing purposes. This means companies may still be able to retain data BUT must stop subjecting that data, or certain records in those data sets, to such automated processing once the individual objects.
- If users do not start to receive requests to refresh their consent or to justify continued retention of their data, the likelihood is that those companies are not compliant and could be abusing citizens’ data. GDPR sets no fixed re-consent interval, but consent must be as easy to withdraw as it was to give and data may be kept no longer than is necessary for its purpose, so organisations will need to revisit consent and retention on a regular cycle rather than treating them as one-off events.
- Receiving unsolicited marketing emails will be a sign that a company is perhaps not compliant.
- Published privacy policies will need to reflect an organisation’s GDPR posture.
What starts to emerge is that this is not just another run-of-the-mill piece of data compliance regulation to be ducked, dodged or reluctantly adhered to. It is an opportunity for leading vendors in the IT industry to address some outstanding housekeeping issues in their relationship with customers and the public at large, and to set a new tone in their treatment of individuals’ data and the example this sets. A posture change is required for these IT behemoths to communicate clearly and acknowledge their role and responsibility. They should be setting the example and raising the bar to new heights in earning the trust of customers and consumers in an increasingly hostile digital landscape.
This article’s message is not so much intended as a sounding board to raise urgently needed awareness of the GDPR implementation deadline of May 2018, but to highlight the wider strategic potential that GDPR could herald. The attention it is grabbing is creating a captive commercial audience encompassing every organisation, and cornering budgets looking for guidance. Most significantly for the IT industry, GDPR represents a pivot point in many organisations’ decision making, whether they know it yet or not. Call it Digital Transformation or simply facing realities: given the right type of guidance, they are open to addressing some real transformative needs across a broad spectrum of organisational issues such as cyber security, business process efficiency and compliance, amongst others.
“Cometh the hour, cometh the MPN!“
Microsoft, through its MPN, has the potential to be the brand that can deliver what customers need and, in so doing, take chunks out of competitors’ market share by establishing a depth and breadth of TRUST in digital life. For trust in secure IT and IT security is a class of collateral that is in short supply in a marketplace riddled with security solution over-selling and under-performance. Imagine how compelling it would be for customers to be able to reach out to a trusted global network at a local level and intimately tap the pulse of innovation from a world leader in technology.
There are no other vendors with the global reach and local touch Microsoft has with the MPN. Yes, the IBMs, Oracles, Googles and their ilk compete in that space, but they all lack the uniqueness of the MPN because of the cross-competing nature of their own partner relationships. With the MPN, Microsoft has unrivalled experience and capacity to land an intimacy of consistent service locally, from SMEs through to large enterprises. That is something even the alphabet soup of the consulting world cannot compete with. If the truth be told, all channel models pale into insignificance when placed alongside the MPN. It is not perfect, but it has never rested on its laurels, which is why it is continuously evolving, challenging its partners as well as Microsoft itself for the betterment of all customers.
The opportunity for Microsoft is an MPN genesis that harnesses the commercial potential of GDPR readiness by supporting its partners to lead by example and, in so doing, be in pole position to capitalise on the guidance customers so badly need. If grasped, this opportunity could be reflected on as a milestone moment, raising the cyber hygiene and compliance of a global ecosystem. In so doing, the gauntlet is thrown down and the pace for a whole industry could be set: a new tone of trust for generations, releasing waves of wealth creation for customers. Or will we reflect on a missed opportunity with more of the same old, same old, where the only winners will be a continually burgeoning cyber security ‘snake oil’ trade and a feeding frenzy of hackers?
Microsoft has already led the pack with its proactive public stance on GDPR in its statements at the RSA Conference 2017 last week, reinforcing its commitment to be EU GDPR compliant by the 25 May 2018 deadline. There is one piece of the puzzle I was hoping to hear drop into place, and its absence so far is deafening when you consider the implications for the Microsoft brand, given the trust it places in the hands of its partners to front up its crown jewels. A core tenet of Microsoft’s partner relationships has been to deliver over 95% of its revenues through its partner channel, the bedrock of trusted interplay between Microsoft the leviathan and its partners, the majority of which are Small and Medium Enterprises (SMEs) numbering in the hundreds of thousands globally.
The question to Microsoft is: how can you continue giving your seal of approval and certifying an organisation as a Microsoft Partner if it is effectively operating outside the law? GDPR is law, unlike the standards-based world partners have been familiar operating in, where standards are guidelines only. The game has changed significantly. Can Microsoft afford to have ‘Partners’ unprepared for GDPR representing its brand and leading with its crown jewels, where exposure for non-compliance is almost guaranteed?
A final point to note: the EU GDPR has its milestone date in May 2018, when it starts to apply. It has in fact already become law (it entered into force in May 2016), but this is about more than technology; 80% of the effort will need to go into people and process, which will take organisations many months to address. So, ‘the game’s afoot’!