You might have heard. GDPR is coming. Of course we know that you know about the impending General Data Protection Regulation, but how do you feel about the May 25 go-live date? Anxious, confident, confused, or ambivalent?
A month before the launch date, we thought we would go behind the scenes at HighQ and share our approach and thoughts about GDPR—what we’ve been doing to get ourselves ready and how the change impacts what we do.
As Global Head of Information Security for HighQ, I've been fielding questions around the new regulation from clients and colleagues. I recently sat down with HighQ’s Chief Product and Strategy Officer, Stuart Barr, and General Counsel, Xavier Langlois, to discuss several of these questions and get their input.
Question: When did HighQ start to get ready for the enforcement of GDPR?
MH: I first undertook investigations within a few days of joining the firm in February last year.
XL: We had a number of different initiatives, as we tried to accomplish different things. A consultant visited us last year to audit us, and he put together a report that set out recommendations for what we needed to do to become GDPR-ready. Luckily for us, it wasn’t too much, thanks to security and data protection being at the heart of our business model already.
Question: GDPR is widely considered to have some of the most significant impact of recent regulatory initiatives. From a business and risk governance point of view, what have been the key challenges that you’ve faced and addressed?
XL: We’ve tried to be as pragmatic as possible, by ensuring that we’re following what the regulation requires, and by making sure we know what that means for HighQ.
MH: We were already in a good position, so this hasn’t meant making significant changes for us. Previously, we had focused heavily on regulations including the Health Insurance Portability and Accountability Act of 1996 (US) and the Federal Data Protection Act (Germany) and worked hard to ensure we were compliant with those laws. We also wanted to ensure that our clients could be GDPR-compliant well in advance of the 25th May deadline, so we wanted to improve and release updates to our platform to help them achieve this.
SB: As well as being ready for GDPR as a company, our products also need to be compliant, including the way we store data and how we allow users to interrogate and use the data in accordance with the regulations. We have the necessary tools and mechanisms to comply with the various requirements under GDPR, including the Right to Erasure (right to be forgotten), and Subject Access Requests.
Question: As a SaaS technology vendor, in what way has GDPR impacted your global business model?
SB: We were already very well placed to handle GDPR requirements, because we’re not a typical SaaS platform with a multi-tenanted application hosted in the public cloud. The way we deploy our product is within HighQ’s private cloud, which is regionalised into seven different jurisdictions, and each customer gets their own dedicated instance of our platform in whichever jurisdiction they choose. The benefit of this is that we’ll never transfer data out of the specific jurisdiction of their choice, which is obviously an important consideration for GDPR.
We also give clients a huge amount of control over securing their content within our platform, and preventing it from leaving the system. For example, we can allow users to share files securely with "view only" permissions and prevent users from permanently saving or printing them using our Digital Rights Management (DRM) capabilities, so there's a high degree of control over what happens to your data if it leaves the system as well.
MH: What we’ve seen over the past few months are more questions around what HighQ as a company are doing with clients’ data, what safeguards we have, and so on. This has driven us to make changes to software, as well as boosting what we do internally, such as training, which ensures that security and personal data are at the forefront of every employee’s mind.
Question: Does ongoing GDPR compliance require significant change in the operating processes you currently have in place for risk management?
SB: No, given the nature of our business and the markets in which we operate, we already have tight controls over our data and robust information security policies.
MH: GDPR is driving a shift in focus in the area of risk management. We already undertake Data Protection Impact Assessments (DPIA), which help organisations identify, assess and mitigate or minimise privacy risks with data processing activities. We use a high-tech solution for managing our risks, and we can do impact assessments for our information assets. What we are also seeing is a focus on the risks within the supply chain, and this is driving our clients to audit us more frequently and in more detail, as well as requiring us to audit our suppliers more often. HighQ undertook a detailed compliance exercise with CSA Star, which we share with our clients to demonstrate some of the security measures we have in place to protect our clients’ data.
XL: It has added focus to ensuring that companies are changing their processes and doing whatever they need to do to comply with the protection of personal data. The UK has made a commitment that it will enshrine GDPR within UK law, in the Data Protection Bill, which means that even if Brexit goes ahead, and we leave the EU, GDPR will still stand.
Question: Does anything in the GDPR framework give you cause for concern in terms of meeting obligations, and are you confident that you have the right processes, skills and resources to meet your obligations?
SB: From a technical perspective, and the way we manage and deploy the applications for our customers, most of what we needed was already in place, and we start from a very strong position. Minimal refinement was required to bring us in line—it was more an evolution of what we already had, rather than a massive implementation exercise.
MH: We brought in external legal counsel. He looked at our processes and spoke to every manager and member of the executive team. He analysed our internal processes and platform, and was able to say with a high degree of confidence that what we’ve done so far is great, and puts us considerably ahead of other firms in terms of maturity and data privacy.
Question: Looking back at your GDPR programme, is there anything you would have done differently?
XL: We haven’t finished it yet! But in all seriousness, starting earlier would have been great, but as with all businesses, finding the time to fit everything in can be tricky. And because of the uncertainty, starting too early might not have been wise either. It will evolve over the next few years.
MH: The only real challenge has been the fact that no one has really known how to interpret some parts of the GDPR regulation. For example, we've had conflicting guidance on what constitutes a data transfer. I wish someone could tell us definitively! If I could go back to the Information Commissioner’s Office (ICO) and tell them that we need better guidance, that would be helpful.
Question: To what extent does technology play a role in helping firms to manage their GDPR compliance activities? And do you think Regulatory Technology (RegTech) as an emerging subsector is here to stay?
SB: Technology is so important, and our tool plays a big part in helping firms and companies become compliant. For example, our iSheets feature allows you to create compliance checklists, capture and store data, as well as create asset management databases and drive processes, so it’s easy to audit how and where data is held.
The RegTech space is something we’re very interested in—having technology to help you with processes is crucial to being able to deliver a reliable compliance solution that’s also comprehensive and efficient.
MH: RegTech has been here to stay for some time. The technology has really become de rigueur—it’s necessary for everyone now! Any firm that says they don’t need this technology probably doesn’t understand risk the way they should.
Question: GDPR has been some years in the making, and of course technology continues to change. With every new opportunity technology offers, we might ask ourselves if the regulations are still fit for purpose. With this in mind, do you expect the GDPR framework to evolve, and if so, what sort of issues do you think GDPR will need to deal with?
SB: All regulations evolve when they become out of date. The current data regulations are outdated, as they predate technology that’s available today, which is what has driven the new GDPR framework in the first place. It’ll need to continue evolving as technology changes, and as data capture and sharing changes.
XL: I agree. It has to evolve. The way people communicate with one another has changed dramatically in the past decade and will continue to do so, which means that our laws and regulations have to keep up and evolve. GDPR is however a huge step up from what it used to be for many countries in the EU in regards to the protection of personal data. It also ensures EU alignment of how personal data is treated. The hope is that it is flexible enough to deal with changes in behaviour in the coming years so that there isn't a need for a major overhaul anytime soon.
MH: Laws do change, often reactively in line with changes in technology. When the Data Protection Act was enforced in 1998, Facebook, Google and smartphones didn’t exist, so it was impossible to predict how that would change our lives. GDPR has come about in response to the changing landscape of technology. We now live digital lives, and the data that is captured from these lifestyles doesn’t just sit in one place, it’s a global entity. Although it’s hard to predict how GDPR will change, there will of course be further amendments needed as test cases emerge following the first data breaches, but also as the tech landscape evolves.
Question: Are you confident of HighQ achieving GDPR compliance in time?
XL: Of course! A lot of companies are taking a pragmatic view and not changing anything, but because of the service that we provide, and our clients, we want to make sure that we’re doing the right thing for our clients and also for our employees.
MH: We are already compliant. When our GDPR consultant audited us, he told us that we’re in the top 5 percent of organisations ready to go on 25th May. However, this is a project that doesn’t end. It’s a continued area of focus, and any firms that think they’ll just sit back and not do anything further have missed the point.
SB: Yes, of course!