Q&A

GDPR Insights From A Software CEO

A conversation with Mark Stephens, CEO, IDRsolutions


IDRsolutions CEO Mark Stephens recently wrote about GDPR compliance on the company’s blog to outline the legislation going into effect in May 2018 and to reassure customers that the company is taking additional data security measures. In addition to sharing the full text of his post below, Stephens sat down with Software Executive and ISVinsights to provide insights on his software company’s approach to GDPR.

Many software companies will not be GDPR compliant by the time the May 2018 deadline rolls around. How long has IDRsolutions been preparing for GDPR?

We have had it on our radar since it was announced in 2016 and started looking at how we would implement it in 2017. An added complication for us as a UK company is that this is EU legislation and the UK’s ongoing long-term relationship with the EU and EU law is still very unclear. Our working assumption is that it will transfer into UK law in March 2019 but may subsequently be modified in how it works in the UK.

The number of high-profile data security breaches reported in the press has raised general awareness, but I think it is still regarded as something which affects other people, not us as software providers. In many ways it is an opportunity to have a proper strategic review of how you handle data in your organization and engage your customers and key stakeholders.

What advice do you have for other software companies who are trying to determine how long the process takes?

Start now! It may well involve technical, contractual, and workplace practice changes in your organization. You need to figure out your direct and third-party liabilities (both agencies you use and customers using your software). I would also recommend a thorough review to ensure you are only retaining data if you really need to have it.

Be aware that this legislation has teeth with serious financial fines for non-compliance. This is not a law you want to be found in breach of with potential fines up to 20 million pounds or 4% of your turnover (if higher).

What resources did you rely on to determine the company’s strategy for GDPR? Were there any particular web articles, vendors, government resources, consultants, etc. that were particularly helpful in forming your game plan?

The portal at https://www.eugdpr.org is very useful and has an excellent FAQ.

Several vendors have produced online guides for their customers and as a marketing activity (there are nice examples at https://info.sugarcrm.com/GDPR-Guide.html and https://www.microsoft.com/en-us/trustcenter/privacy/gdpr/get-started).

Many of the trade bodies have been putting out information as well. The IOD has a nice, non-technical description at https://www.iod.com/news/news/articles/GDPR-for-employers.

What remaining questions do you still have about GDPR?

It is still not clear how this will all work in practice. There is still no clear definition of what is “reasonable.”

Have you come across any misconceptions from clients, service providers, partners etc. related to GDPR that you’d like to clear up?

We have found our customers in the financial sector to be most self-aware and concerned with the issue. They are most used to this type of oversight and legislation in their sector.

---

Mark Stephens, CEO, IDRsolutions

The following is the original version of the post Stephens wrote for the IDRsolutions blog.

2018 sees the introduction of a new law after a 2-year transition period. The General Data Protection Regulation will have an impact on any company selling into any European Union country (regardless of its location). These rules have teeth and the full weight of the European Court of Justice behind them. Failure to comply could result in fines of 4% of global turnover or €20 million.

Given the size of the EU market (and the undesirability of having different versions of a product for different regions), many companies will make it their default as well.

A key aim of the new rules is to establish a common standard across all EU markets, and the focus is on how companies obtain and store data and what they can do with it. The EU says it is about giving consumers control over their data. This has lots of profound implications but I would like to highlight 3 specific items in this post.

Where your software is physically located will matter far more in 2018.

Many products and services now run in the cloud or in data centers. The exact location is going to matter far more as companies show they are complying with these rules by keeping data in the EU, or avoid being impacted by these rules if they are otherwise not linked to the EU markets. Location is already becoming a politically complex issue, with several governments seeking potentially more power over their access to data while seeking to reduce the potential of other states to access data.

You can make far more limited assumptions about permission in 2018.

Websites already need to ask far more permissions to use cookies and track users. This is going to make developing software much trickier as there will be a conflict between the desire to extract and mine as much data as possible versus the need to comply with these new laws. We will doubtless see some court cases before it is clear what the laws actually mean.

Client data security is going to be much more important.

A key requirement of the new laws is to ensure data is kept securely, so that even if main systems are hacked, the data is not easily obtained. There have been too many embarrassing cases where hackers broke into systems and took easily accessible information which was not secured. So more and more systems are going to use strong encryption as standard to ensure all data is secure.

This is actually the reason behind the theme of this month’s blog post on security and encryption.

The PDF file specification already offers the option to encrypt PDF files using AES encryption. At IDRsolutions we are extending this to ensure that any local data our software creates (cached copies of images from PDF files, etc.) will be heavily encrypted by default if the user gives us a password. Without the password (which we never store and the user provides), any local data will be encrypted garbage. This will help our customers to ensure they are meeting the new requirements.