To Have a GDPR-Compliant House, You Need a Strong Foundation

DUBLIN, IRELAND — GDPR is already impacting practically everyone in the digital arena. And if nothing else, that means that the data center industry survived May 25th 2018. So CapRE invited Sheila M. FitzPatrick, President and Founder of FitzPatrick & Associates, to the Third Annual Ireland and Emerging Markets Data Center Summit in Dublin in July, to provide a keynote presentation titled The Impact of GDPR, Data Privacy and Protection Laws on Cloud Adoption and Role of the Data Processor. This is the fourth article in a series of CapRE Insider Reports covering her remarks, which offer a simple model for understanding success in the era of GDPR: building a house.

“When you’re thinking about building a compliance program and thinking about compliance to GDPR and other data protection laws, you have to start with a foundation. Or a blueprint,” began FitzPatrick. “You would never go out and build a house by building a roof first. Because there’s no foundation to sit on. So if you’re out there telling your customers, well, if you buy our data mapping tool, or if you buy our data privacy tool, then you put data in our Cloud and our data center which is located in Ireland, and you’re compliant with GDPR, that’s not exactly accurate.”

And why is that? According to FitzPatrick, it’s because it does nothing to address the foundation that the tools are sitting on. “What is your client’s program built on?” she asked the room, inquisitively. “You need to look at the ground floor first. The ground floor, the blueprint, is what your current data privacy program — what the foundation — is.”

For example, do you have rules in place? “Do you use model contractual clauses? How do you find your lawful basis for processing? How do you comply with the various regulations within the jurisdiction in which you operate?” asked FitzPatrick. “The first floor is all about the policy, the procedures, your consent, your notifications, your contractual agreement with your data processors. With your internal organizations that you’re sharing data with. With your notifications to your customers and your clients.”


“You have to build all of that first, before you then start looking at, what data do we have, where is that data located, how is it protected, what environment does it sit in, what country are we going to put our data center in?” she stressed. “Those are all extremely important questions, but you don’t start with those questions.”

FitzPatrick then shared some intel from the field. “I have had so many companies that come back to me and said, we immediately went out and started identifying where our data was, and started looking at our security infrastructure,” she revealed. “And again, that’s important, but the one question they never asked was, why are you collecting that data to begin with? Who did you collect that data from? Why do you even have that data? How long are you maintaining it? Who gave you the right to find that data?”

Therein lies the rub, in FitzPatrick’s eyes. “Those are the foundational questions that are rarely addressed, and that is really the foundation of GDPR,” she concluded. “It’s the data, it’s not the technology.”

For more from FitzPatrick, check out a previous CapRE Insider Report covering her earlier remarks: