EU’s data privacy regulations put the pressure on IT

Most corporate acquisitions come with a fair share of complexities. But when Accuride acquired a majority stake in Italian truck wheel manufacturer Gianetti Ruote, the Indiana-based company never dreamed of the impact the deal would have on its IT activities. Since Accuride expanded into Europe late last year, its U.S. IT team has had to contend with everything from a stalled cloud strategy and decentralized systems to increases in hardware costs, licensing fees and IT head count.

Welcome to the European Union, where authorities are requiring companies that handle the data of EU citizens to comply with some of the strictest data privacy regulations in the world, or else suffer dire financial consequences.

“[The new regulations] have impacted our entire strategy for going into Europe and have added costs that we wouldn’t normally have,” says Paul Wright, CIO and vice president of IT at Accuride. “And that’s only the beginning.”

Gone is the 20-year-old Safe Harbour pact, invalidated in October 2015 for its inability to guarantee the fundamental rights of Europeans. In its place are sweeping and stringent agreements and legislative proposals including the EU-US Privacy Shield and the newly proposed EU General Data Protection Regulation (GDPR), which includes penalties of up to 4% of a company’s global revenues for failure to comply.

“There is a new set of transparency obligations that will lead to business adjustments, capital expenditures and a really different approach to how we engage with third parties and individuals,” says Stewart Room, who heads the cybersecurity and data protection practice at PricewaterhouseCoopers Legal in London.

Making sense of new rules

Complicating matters further is the lack of clarity around many of these new laws. In mid-April, European authorities rejected the EU-US Privacy Shield, arguing that the agreement doesn’t go far enough to protect European citizens’ privacy rights. The setback forces EU and U.S. lawmakers back to the negotiating table, leaving U.S. multinationals in a state of limbo. At the same time, once ratified, the GDPR won’t become law until 2018. Bereft of Safe Harbour but with no clear directive on how to handle cross-border data, U.S. companies are caught up in a maelstrom of confusion and concerns as they contemplate the new privacy agreements.

First, there’s the financial burden these new regulations place on businesses with European customers. In a recent Ovum survey titled “Data Privacy Laws: Cutting the Red Tape,” a staggering 52% of the respondents said they think that new data protection regulations will result in fines for their companies, and two-thirds said they expect the new framework to force changes in their European strategies. Asked whether they would invest in greater data protection capabilities, 55% said they plan to institute new training for employees, and 53% said they will prepare by adopting new technologies.

But a new regulatory environment also promises to take a toll on IT teams, forcing them to forever change the way they collect and store consumer data across EU and U.S. borders. Take Accuride, for example. The U.S. manufacturer has been gradually migrating all of its systems to the cloud. However, its all-cloud plan hit a stumbling block when the company acquired Gianetti Ruote. Accuride primarily relies on cloud-based systems, such as manufacturing software Plex, to run its operations. But because of the EU’s restrictive data privacy policies, it can’t store personal data about its Italy-based employees using its existing systems.

Instead, the company must build on-premises applications in Europe to house this information — a move that comes at a considerable cost. To date, the tally includes more than $65,000 for on-premises servers, $12,000 in annual licensing fees, $25,000 a year for payroll and human resources systems, and $75,000 in additional head count, not to mention ongoing training and support expenses.

Complicating matters further is the fact that there’s no telling what other regulatory changes will arise as the EU’s data privacy laws go into effect over the next two years. “Anytime you’re shooting at a potentially moving target, it makes things more difficult,” says Wright. “That’s why I’m hedging my bets and going with an on-premises solution for nearly everything [in Europe]. I’m keeping nearly every piece of data that I can out of the cloud system just because who knows where the regulations are going in the next couple of years.”

The data center shuffle

Peter Oehler understands Wright’s reluctance to take chances. He’s chief operating officer at Karlsruhe, Germany-based Axonic, maker of Lookeen search technology. “Anytime a new rule comes out or is changed,” Oehler says, “we’re forced to stop and research what that means for our products and our customers.”

For example, last year, Axonic moved its Lookeen.com site to a server in the U.S. to improve site performance for U.S.-based visitors. However, since the EU unveiled new data privacy rules, the company has had to rethink its strategy.

“We may have to consider moving our dot-com website back to EU servers in order to be completely sure that we’re in compliance,” says Oehler. “The problem with that is that it will make access to our U.S. website slower in comparison to our U.S. competitors. We may take a hit from Google for the slower speed and actually lose a first-page position, which would essentially be a death sentence for our U.S. business. The alternative is to invest in a compliance program, but these have their own significant costs.”

The decision about where to situate servers isn’t the only IT responsibility heavily impacted by the EU’s new and proposed data privacy legislation. Other concerns include vendor management, shadow IT, data security and breach notification.

For instance, under the GDPR, in the event of a personal data breach, a company must notify authorities within 72 hours of becoming aware of the exposure. As a result, IT must shift its focus from simply preventing a breach to making sure the necessary forensic and proactive incident response solutions are in place for quick notification.

New data privacy regulations are also changing the way IT interacts with cloud service providers. Part of the challenge is that cloud technologies make it difficult to control access to data and meet minimal compliance requirements. No longer can companies simply assume that their consumer data sets are being safely stored and processed by third parties. Rather, it’s up to IT to ensure that a cloud vendor is securing, storing and processing data in a way that adheres to today’s most stringent privacy regulations.

Indeed, according to Wright, properly vetting a cloud vendor now requires asking about its globalization strategy, globalization team, data center locations and new strategies for self-certification — questions that have been known to raise eyebrows. “Vendors think we’re nuts because we’re just supposed to be choosing based on which one has the prettiest screen,” says Wright. Instead, he says, new data privacy rules have “shifted the conversation” to deeper concerns when it comes to selecting a vendor.

Internally, IT is also facing mounting challenges. Shadow IT — applications built and used without explicit permission from IT — has always been a nuisance for IT professionals. But in light of today’s new laws, rogue systems not vetted by IT may be in violation of privacy regulations and could be subject to serious penalties and exorbitant fines. But rather than simply shutting down such systems, IT must find a way to ensure that they’re in compliance while still satisfying the technology needs of the business units that set them up.

Another burden on IT is finding the right talent to navigate the choppy waters of data privacy. For example, the GDPR stipulates that multinational companies with more than 250 employees are required to hire or appoint an independent data privacy officer. Forget about your garden-variety techie. A data privacy officer needs to be a hybrid who not only understands both technology and the legal aspects of the regulations, but also can communicate with senior business leaders to make sure that they understand what’s required.

It’s a hard-to-fill position that can command an annual salary ranging from $75,000 to $110,000. Tapping in-house talent may not save money because you’ll likely have to spend a good deal to train the individual in some aspect of the job.

In fact, according to Oehler, small and midsize businesses may not be able to afford a data privacy officer or a lawyer to handle the changes to data privacy laws, especially since some of the laws affecting data transfers are still subject to change. What’s more, Oehler says Axonic “will also need to look at purchasing additional insurance to cover us in the event that we’re found in violation.”

An attitude adjustment

But the biggest burden U.S. IT teams face in today’s new regulatory environment isn’t financial; nor is it technical in nature. Rather, they must spearhead a shift in attitude toward data privacy — one that’s likely to happen at a glacial pace.

“In Europe, data privacy is held in the same regard as freedom of speech in the U.S.,” says Oehler. That’s a hard sell for U.S. employees accustomed to a steady diet of Facebook feeds and Google ads. But it’s a mental hurdle that U.S. companies have to make if they are to continue doing business in Europe.

In fact, German IT leaders — trained in one of the world’s strictest data privacy regulatory environments — have a distinct advantage over their U.S. counterparts, says Guido Laures, CTO at Spreadshirt, an online seller of personalized T-shirts that’s based in Germany and has offices in the U.S.

“Everyone learns data protection rules in Germany,” says Laures. “It makes it easier for us compared to an American company that didn’t care about data privacy in the beginning but now has to make changes.” Spreadshirt’s precautionary measures include running completely separate, dedicated and fully encrypted servers for each of its various locations.

Steps to protection

Fortunately, U.S. IT teams can heed EU regulations without breaking the bank — or the backs of their IT workers.

Some companies are building data centers in the EU to circumvent the thorny issue of transborder data transfers. Others have already carved out “model contract clauses” — high-priced agreements between data exporters in the EU and importers in the U.S. on how to transfer data out of the EU.

With cloud computing, the challenge arises from the fact that data that originates in one country can end up in data centers all over the world. In such scenarios, IT must ensure that it’s in compliance with each region’s data privacy requirements.

Some cloud computing vendors offer workarounds to ensure compliance. For example, Intralinks, a provider of hosted collaboration tools, is updating its systems so that it will be able to manage customers’ applications while, at the same time, enabling customers to determine where data is being stored and processed. It’s a hybrid approach that could minimize the risk of noncompliance.

Cleverbridge, a Chicago-based provider of e-commerce technology and services with offices in Germany and Japan, also helps clients avoid violating privacy laws in Europe. Its strategies include implementing incident response and escalation procedures, which are tested at least once a year, so that companies can avoid incurring data breach penalties.

Blue Coat Systems, a Sunnyvale, Calif.-based security vendor, offers a cloud security platform that ensures compliance by unifying security policies across all cloud applications, scanning for regulated information and preventing it from crossing a border. Blue Coat’s technology also assesses infrastructure to determine if data is leaving the EU through shadow IT systems. This approach allows companies to keep regulated data within specific countries while using cloud-based systems.

In-house evaluations

While there are countless vendors offering products designed to address the data privacy challenges posed by stringent regulations, IT leaders can also take matters into their own hands. For starters, IT teams should always conduct a gap analysis by asking themselves, “What kind of data are we collecting? Where is this data being transferred? Where are we storing our data? What databases and systems are we using to manage this data?” The answers to those questions can provide an idea of an organization’s data privacy strengths and weaknesses before IT has to start battening down the hatches.

What’s more, PwC’s Room says IT leaders need to look beyond the letter of the law to achieve compliance. “The question for CIOs is, ‘What are we doing in order to ensure there are adequate protections for information and for privacy?'” he says. “But that’s not necessarily about where the data center is located; it’s about what’s actually going on in the data center and how well it’s being run.”