Compliance with the European GDPR regulation means a total revision of procedures within the organisation that affects the entire working of the departments.
Regardless of the status of digital transformation of businesses (which supposes the existence of a increasing percentage of digitalised information), Information Technologies play an essential role in the preparation for GDPR because they are, at the end of the day, responsible for the handling of data.
According to the study by IDC Research Spain regarding the impact of GDPR on Spanish businesses, they are not complying with the regulation, mainly due to a conflict of priorities (56%), because they have limited resources available (49%), or because of the absence of a budget (46%). It is certain that this was unexpected by many organisations, and this is reflected in the incremental spend in IT destined towards compliance. In 2016 it was €35.2m, it multiplied by almost three times (€97.4m) in 2017 and will reach €140.7M in 2018, decreasing slightly in the next few years.
What are the main areas of investment in order to comply with GDPR?
The study by IDC Research Spain shows us that today, only 35% of companies will comply with GDPR. To tackle or strengthen compliance, the five most relevant areas of our companies that will receive investment will be the management of identities (70%), the identification of applications which use private data (66%), training (61%), documentation of processes (58%) and backup services (52%). Other tasks to tackle are the reporting of incidents, risk management, anonymised data for Big Data and analytics and the discovery and classification of data.
Leadership in compliance is shared between various business areas. The IT department will take 35%, followed by corporate management (32%), the legal department (27%), and finally, the finance department (6%).
What role does the cloud play in this scenario?
Picking out more details from the study, for 53% of businesses, investments in the cloud will not have an impact as they will continue counting on the same provider as they have up until now, although it is true that we don’t all offer the same regulatory compliance guarantees. This gives you an idea of the maturity and trustworthiness offered by certain business cloud services. Another 33% are thinking about migrating to minimise risks. In this context… What is the current situation of your organisation? What actions are you going to take to ensure compliance?
Simplifying the options, there are two possible paths: invest in local installations to update them or trust in cloud services and their certifications of regulatory compliance to avoid precisely this spending on local hardware and software. On the other hand, consider that cloud services are thought of as a step from CAPEX (capital expenditure) to OPEX (operating expenditure) from the finance point of view, and it is these technologies on the cloud that, in the longer term, most IT providers will concentrate their maximum innovation on.
In this respect, for 2019, according to the consultancy Gartner, 30% of new investments by most software providers will go from cloud-first to cloud-only, shifting software design and planning gradually from one scenario to the other. They also indicate that, for 2020, a corporate “no cloud” policy will be as rare as a “no internet” policy is today.
Even so, the decision shouldn’t be judicious: it is about making the most of this circumstance of compliance to establish a roadmap where the organisation feels comfortable with a transition to the cloud without stops or risks, at the speed which best suits their own needs, in a hybrid IT environment. And from all of it, to draw a competitive advantage.
To meet this challenge, 90% of organisations will resort to outside help, counting on the collaboration of local and global IT services organisations, as well as management consultants, financial and legal firms.
At Microsoft we have done our homework and certainly, monitoring the security and privacy of our customer’s data is nothing new for us. We have technologies which are secure by design which cover the servers, communications, storage and the workplace.
We will discuss this in more detail in our next entry.