The European Union’s (EU) General Data Protection Regulation (GDPR) is certainly strict and controversial, essentially forcing anyone with a website that collects data from EU residents to comply.
For those organizations managing customer data (besides offering website visitors the option to opt out of data collection), the implications can be vast. An organization in breach, for example, faces fines totaling up to 4% of annual revenues or €20 million ($22.5 million). A U.S.-based cloud provider must thus be vigilant about how it stores data for customers that have collected data from individuals and organizations within the EU.
However, as strict and far-reaching as the GDPR is, the mandate is also seen as a major attempt to provide guidelines and governance about how consumer data is collected and stored. While far from comprehensive and seen as lacking in many ways, GDPR also serves as a blueprint for applying concepts of data sovereignty as different nations and states grapple with creating data privacy mandates and protections.
Data sovereignty and the implications of GDPR were the themes of a panel discussion held during the recent ContainerDays in Hamburg, a conference organized by software developer Loodse.
Hosted by this writer, the panel participants were:
- Travis Jeppson, Director of Engineering at Nav Technologies;
- Oren Penso, a cloud native staff systems engineer at VMware;
- Marc Korthaus, CEO at SysEleven;
- Erik Lau, Solutions Engineer at NetApp.
Among the panel participants at least, the consensus was that comprehensive data sovereignty laws and regulations are woefully inadequate at this time. GDPR is often seen as a first attempt to address data privacy concerns within borders, yet, as described below, it has its flaws.
What is lacking is a shared set of regulations that serve as a coherent structure for data governance across borders. The issue, Penso said, is that the tools and the methodologies required for “a common ground” for data laws and protections applicable worldwide are missing. “That’s the baseline: we need something to get [there], and we don’t have it right now,” Penso said.
Jeppson agreed. “I think that creating that common ground and the ability for us to come to a consensus across the entire world is really the best way to be able to solve it,” Jeppson said.
But as a first step at a universal data protection regulation, the GDPR represents a solid first attempt, Lau said. “I think that something like GDPR is very valuable… and is the first move in the right direction to protect sensitive personal data,” Lau said.
While acknowledging GDPR “might be really annoying for some,” Lau said, “it’s a first step.” “Legislation should empower innovation and make sure that companies aren’t getting blocked because of that,” Lau said. “This is pretty difficult to apply, obviously, but to achieve a common ground GDPR is a step in the right direction to govern data properly, so you know where it resides.”
Since data regulations can only be enforced, by definition, by governmental bodies, individual nations, as well as states, need to play a strong role in data protection enforcement. “I think that being able to have some regulations [requires] some countries being strong enough or willing enough to be able to say, ‘hey, maybe we do need to step in and help everyone else figure out what makes sense. We need to represent our citizens and what rights they have with where their data is, and how companies are treating their data,’” Jeppson said. “And when things like that happen, with other nations starting to catch on to start to see that and others should follow suit. And I think the GDPR is a good example of that.”
But GDPR is not perfect, Korthaus said. “I guess we have some problems with the actual ruleset of GDPR. But the mindset is good, because who owns the data? You do,” Korthaus said. “So, I guess that’s the right approach.”
Korthaus said he thought the GDPR’s regulations were “not written very well.” “I have the impression that they really did not know what to write about and they did not understand IT. So, I think it is a good start, but it’s just a start,” Korthaus said.
NetApp and VMware are sponsors of The New Stack.