How GDPR helps Oracle dominate the European cloud computing market
£122 billion is at risk for UK companies alone as of 25 May 2018, the date the regulation starts to apply. Tesco alone could face a £1.9 billion fine under the new rules. GDPR is coming and is mandatory for every company that wants to operate in any EU member state.
Never heard of GDPR?
Then you are probably in the US, Asia or another region. If you were in the UK or elsewhere in Europe, you would be well aware of the major risk it poses to any company that operates in an EU member state. The reason: you can be fined up to 4% of your global annual turnover (or €20 million, whichever is higher). Not much fun if you are a major retailer, manufacturer or bank.
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
What does GDPR mean for companies operating in Europe?
The challenge is that, no matter where your headquarters are, if you wish to operate in the European Union you must comply. Why? Because unlike the previous legislation (the 1995 Data Protection Directive, which each member state transposed into its own national law), GDPR is a Regulation: it applies directly in every member state, with no action required by national parliaments. Even the UK, despite Brexit, must comply, because otherwise UK companies will not be allowed to operate in the EU without appointing a local representative. The EUGDPR Institute's roadmap describes how to assemble the components listed below.
Components of GDPR
There are three main roles in GDPR that you need to distinguish in your architecture.
- Controller (the organisation that determines the purposes and means of processing; in architecture terms, the mechanism for accessing data and reporting)
- Processor (the party that processes personal data on the controller's behalf; in architecture terms, how data are processed and how the solution is designed)
- Data subject (the identifiable natural person the data is about; in architecture terms, what you must deliver to comply with the regulation)
Now let's talk about each group separately:
Controller
Covers four major categories:
- Accountability (who is responsible; this links to your governance model)
- Data breach reporting (you must report a personal data breach to the supervisory authority, where feasible within 72 hours of becoming aware of it)
- Anonymisation and pseudonymisation (you must protect identity, including in data exposed through APIs)
- Structuring data (data architecture)
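The pseudonymisation bullet above is the one that most often goes wrong in practice, because teams replace an e-mail address with a plain hash and call the result anonymous. The following is an added example, not code from the original page or from Oracle: it shows why an unkeyed hash can be reversed by simply hashing a list of guessed addresses, and how an HMAC with a secret key held by the controller (and not stored next to the analytics data) gives a real pseudonym. The sample records and the key handling are constructed for illustration.

```python
"""Keyed pseudonymisation of direct identifiers (added example, not the page's own code)."""
import hashlib
import hmac
import secrets

# Constructed sample records; the addresses are not real people.
RECORDS = [
    {"email": "alice@example.com", "purchase": 42.50},
    {"email": "bob@example.com", "purchase": 17.00},
    {"email": "Alice@Example.com", "purchase": 8.99},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: looks anonymous, but anyone who can guess the input
    can recompute the hash and link the record back to a person."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a key the controller keeps apart from the data store.
    Without the key the token cannot be recomputed from a guessed identifier."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return copies of the records with the e-mail replaced by a keyed token.
    The same person always maps to the same token, so analytics still works."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_id"] = keyed_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def reverse_by_guessing(token: str, candidates, hash_fn):
    """Dictionary attack: recompute hash_fn over each candidate and compare.
    Returns the matching candidate, or None if nothing matches."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), token):
            return candidate
    return None


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymisation key (store it in a KMS or HSM,
    never in the same database as the pseudonymised records)."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]

    # The naive hash is reversed immediately by the guess list.
    print(reverse_by_guessing(naive_pseudonym("alice@example.com"), guesses, naive_pseudonym))

    # The keyed token cannot be recomputed by an attacker who lacks the key.
    token = keyed_pseudonym("alice@example.com", key)
    print(reverse_by_guessing(token, guesses, naive_pseudonym))

    for row in pseudonymise(RECORDS, key):
        print(row)
```

Deleting or rotating the key is also what turns the tokens into data that no longer identifies anyone, which is one way to honour erasure requests across downstream systems (analytics copies, exports, backups) without touching each of them individually; whether that satisfies an auditor depends on where the key lived and who could reach it.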
Processor
How data will be processed in your solution. (Don't forget that it is you, not just your provider, who will be fined in case of a breach, so don't rely on marketing claims!)
- Privacy by design (did you architect it this way? You must prove it in your documentation to auditors)
- Privacy by default (likewise: the most privacy-protective settings must apply without any action by the user, and your documentation must show it)
- Direct responsibility (if you fail, you are directly liable)
- Direct enforcement (if you fail, the supervisory authority can act against you directly)
- Privacy impact assessment / internal records (are you sure your architecture is GDPR-proof? You had better be)
- Product design process (it is not the system integrator who is responsible for your governance)
Data subject
If you want to store or process data in scope of GDPR, you must comply.
- Privacy Shield (the EU-US framework under which US companies self-certify for transfers; can you prove to an auditor that you have it?)
- Rights: erasure (the "right to be forgotten") and rectification of information (can you honour these in all of your systems, including backups and the copies held by your processors?)
- Binding Corporate Rules (BCRs) / certification and codes of conduct (do you have every process written down?)
- Cross-border data transfers (are you sure that no part of your infrastructure, a cloud service for example, passes EU personal data to the US without you knowing it?)
How does Oracle help?
Oracle, unlike public-cloud-only providers such as Amazon AWS, Salesforce or Workday, has three deployment options:
- Public cloud (Oracle Cloud)
- Hybrid cloud (Oracle Cloud / On premise)
- Private cloud (Oracle Cloud running in your own data centre)
Why is Oracle in the lead?
Because you can take any architecture and lift and shift it to Oracle Cloud. Salesforce may tell you they are GDPR compliant, but there is a small problem, and it is technical. Salesforce has three European data centres: UK, Germany and France. All was well while Britain was part of the EU, because data could be processed in all three. Britain is leaving the EU, so unless the UK is granted an adequacy decision it is no longer possible for Salesforce to use the UK data centre in that loop. Since Salesforce has no private cloud option, Oracle Bare Metal Cloud is the biggest winner here.
Still not sure what GDPR is and what it means for your company? Join the 11th annual European GRC and IT Security Summit in London or one of our certification seminars (http://www.eugdpr.institute/events/), held in cities from Helsinki in the north to Sofia in the south.