Bobsguide’s exclusive interview with Perivan Technology MD Nick Roi
When considering GDPR, is Brexit going to have an impact on how firms can utilise SaaS data storage technology?
No, I don’t think so. What is of importance is taking into account data that is considered commercially sensitive and/or personally identifiable user content. User profiles needed to use the system, including email addresses and phone numbers, are examples of data that might be held in the application that would meet these criteria. And that’s really what GDPR would affect from a B2B type of software application.
Is Brexit making your partners think differently about GDPR?
GDPR will be in play from May 2018, and Brexit will not have an effect until 2019 or 2020, so GDPR will come into force and must be recognised before Brexit occurs.
Post-Brexit, in order to ensure that financial services in the UK can compete with the rest of Europe, the UK Government is going to have to confirm that the UK will continue to use GDPR as its standard, and that the UK will write its own laws that are as stringent as or more so than those laid down in GDPR to keep everybody happy.
Or the UK Government won’t do that, but at the moment the government seems to be saying that it will; the only component that is of concern is how the laws will be arbitrated or governed. Because even if the UK does state that it will follow GDPR and write its own laws, an aspect of GDPR is that it is ultimately governed by the EDPB. If the UK is not going to submit to EDPB rule, then how it is going to be enforced is seemingly a big question currently.
Are firms already approaching you to discuss GDPR and the implications of Brexit? How will GDPR affect you as a SaaS?
Not in relation to Brexit, but we are starting to see organisations coming to us asking about GDPR and what that means for them: whether we are going to be updating now, and what the potential new terms and conditions would be. Essentially financial services want to know what the regulation means for their data, and how we can work with them to be compliant moving forward.
A number of the large banks and fund managers are particularly concerned about GDPR. We are fortunate in the sense that the data privacy legislation is concentrated on individuals and the volume of individual content that we hold in our systems, just as is the case with most B2B systems, is quite small. And it’s very easy to get the consent required through your contracts and consent of your commercial customers.
We already have a security director established, but the biggest difference for us is that we have to go through the process of naming an individual as a data security director, which is one of the requirements of GDPR. And we have to notify our customers who that individual is, and then there is a requirement on us, should there be an event that could cause a loss of private data or information, to inform one of the regulated bodies. We know who that regulated body is for the next two years, but beyond that it isn’t yet known.
So the overarching message is that Brexit is not going to affect GDPR compliance, but the governing body overseeing the regulation is still not clear?
In essence. One of the problems with financial services is the amount of regulation that has been applied to them in the past few years; financial services are trying to catch up and ensure that they’re compliant with the next set of regulations, and the next set of regulations is going to be GDPR, but they don’t want to get ahead of themselves and guess what is going to happen beyond that.
These are huge issues that affect companies with a lot of people and a lot of systems all over the world. That’s the other component of this that makes compliance so much more complex.
If you’re the type of organisation that only supplies software applications and services to the UK market then this doesn’t really affect you greatly post-Brexit. The unfortunate problem we have now is that if you do supply customers in Europe, regardless of the country you are supplying the service from, the second that you are storing data of any European citizen you have to submit to these rules.
Do you expect companies to make the deadline for GDPR compliance?
To be honest these regulations are getting quite onerous in regards to what is required. However, from a software vendor’s perspective, really what we have got to do is nominate an individual, and ensure that we report any event in a specific way to a specific body. The other obvious difference is that you can get fined very heavily, which is different from the way it was before.
But from a B2B perspective the concept of consent and the sheer amount of data classified under these regulations is very different to say Facebook or Twitter.
Ultimately we’re a SaaS business, and most SaaS businesses have been dealing with the issue of security for years. It’s just a slightly different format of governance for us.
We have been going so far beyond what was required to secure people’s data in the first place to make people and organisations feel comfortable that we were storing their data securely and making IT departments feel that they could allow us to store their data offsite outside of their direct control.
In terms of the actual data protection and the security measures we have to put in place, to be frank they’re already in place and have been for years because we’ve gone so far beyond regulatory standards that are currently in place. It’s the same with banks, you’ll find most financial services have data security to the nth degree.
Is the industry in general already meeting the standards in data security that GDPR sets?
The major differences between how the industry currently operates and how it will have to comply with GDPR are the way you gain consent from someone, which is more a legality than an actual protection, and that GDPR is formalising the penalties should you breach the directive. Up to this point it has been very discretionary and dealt with on a case-by-case basis.
Are there any difficulties you can foresee with GDPR?
The only thing that might be slightly complex and contentious is the right to be forgotten.
If you’re a company or application with a record of past, present or potential future customers and one of these companies says it wants to be removed from your system, it may be difficult, because a lot of these applications have never been built that way because there was never a requirement. So you have to build a way into the application to be able to delete this data wholly and completely. Some vendors might struggle with that initially.
There are some conflicting obligations; the directive says that you’ve got the right to be forgotten, but as a business you also have a right to keep records for audit purposes. It will be interesting to see which one wins out.
If we have a customer that asks us to delete an account, that’s not just deletion from live servers; you’ve got to go through backups and remove the data from there as well until it is all gone and there is no record anywhere.
I would say that right to be forgotten isn’t particularly clear and I don’t know how feasible it is in practice, even if it is a good idea in theory. Practically you’ve got to build functionality into an application to allow it to do that in the first place and then there’s the practicality of whether there is a necessity to store that information should a company be audited. A lot of the financial institutions are required to keep their records for up to seven years, so that seems to be conflicting.
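The two practical problems raised above (erasure has to reach backups as well as live servers, and erasure can conflict with a retention obligation) have a standard engineering answer that the interview does not describe: encrypt every record under a key that belongs to the data subject, let backups copy only ciphertext, and satisfy an erasure request by destroying the key, so every copy anywhere becomes unreadable at once ("crypto-shredding"); a retention hold is then a check that blocks key destruction until the hold expires. The example below is added by the editor and is not Perivan's code or a description of how its product works. It uses only the Python standard library, so the cipher is an HMAC-SHA256 keystream with an HMAC tag, an assumption standing in for AES-GCM; the class, method and field names (`SubjectStore`, `erase`, `place_hold`, and so on) are hypothetical, and the sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date

# Illustrative cipher built from the standard library only. In production use
# an AEAD such as AES-GCM from a vetted library; the key-handling logic below
# is what matters for erasure, not this particular construction.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class ErasureBlocked(Exception):
    """Raised when a retention hold forbids destroying the subject's key."""

@dataclass
class SubjectStore:
    # Hypothetical store: one key per data subject, kept ONLY here (in a real
    # system: an HSM or KMS that is itself excluded from ordinary backups).
    keys: dict = field(default_factory=dict)      # subject_id -> key bytes
    records: dict = field(default_factory=dict)   # subject_id -> [ciphertext blobs]
    holds: dict = field(default_factory=dict)     # subject_id -> retention end date
    backups: list = field(default_factory=list)   # snapshots of ciphertext only

    def put(self, subject_id: str, plaintext: bytes) -> None:
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        self.records.setdefault(subject_id, []).append(encrypt(key, plaintext))

    def get(self, subject_id: str) -> list:
        key = self.keys.get(subject_id)
        if key is None:
            raise KeyError("subject unknown or erased")
        return [decrypt(key, blob) for blob in self.records.get(subject_id, [])]

    def snapshot_backup(self) -> None:
        # Backups copy records as stored, i.e. ciphertext; they never see keys.
        self.backups.append({s: list(blobs) for s, blobs in self.records.items()})

    def place_hold(self, subject_id: str, until: date) -> None:
        # e.g. a seven-year audit retention requirement on a financial record
        self.holds[subject_id] = until

    def erase(self, subject_id: str, today: date) -> None:
        until = self.holds.get(subject_id)
        if until is not None and today <= until:
            raise ErasureBlocked(f"retention hold on {subject_id} until {until}")
        # Crypto-shred: destroying the only key makes every live and backup
        # copy of this subject's ciphertext permanently unreadable.
        self.keys.pop(subject_id)
        self.records.pop(subject_id, None)
        self.holds.pop(subject_id, None)

    def backup_copies(self, subject_id: str) -> int:
        """How many ciphertext blobs for the subject survive in backups."""
        return sum(len(b.get(subject_id, [])) for b in self.backups)

def demo() -> dict:
    """Walk a subject through storage, backup, a blocked erasure and a real one."""
    store = SubjectStore()
    store.put("user-42", b"alice@example.com,+44 20 7946 0000")  # constructed sample
    store.snapshot_backup()
    store.place_hold("user-42", date(2025, 1, 1))
    blocked = False
    try:
        store.erase("user-42", today=date(2024, 6, 1))
    except ErasureBlocked:
        blocked = True
    store.erase("user-42", today=date(2025, 1, 2))
    return {"blocked_during_hold": blocked,
            "key_present": "user-42" in store.keys,
            "backup_copies": store.backup_copies("user-42")}
```

The point the test makes is that the backup copy is still physically present after erasure (`backup_copies` is 1) but cannot be decrypted by anyone, because the only key is gone; the "go through every backup tape" step in the interview is replaced by a single key deletion. The hold check shows one way to reconcile erasure with the seven-year record-keeping duty mentioned above: the request is refused, with a reason, until the retention period ends, rather than silently ignored.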