Compliance with EU's new data protection laws will be 'very difficult', warns Fujitsu
And talk to your lawyers first, advises Fujitsu's Frank Reichart
Organisations in Europe should brace themselves for two years of upheaval, as IT will need to be analysed in depth and potentially overhauled in order to meet the demands of the European Union's new General Data Protection Regulation (GDPR).
The new EU-wide law will apply to all businesses and organisations across the continent, and will require them to ensure that personal data can be identified and quickly deleted from systems. Any data breaches must be reported promptly to data protection authorities, among other stipulations.
"If you look at the IT infrastructure landscape from a security angle, you will see that it is highly distributed, which makes it very difficult to protect in order to fulfil all of these new [data protection] requirements," Frank Reichart, senior director of storage product marketing at Fujitsu, told Computing's web seminar today.
Appearing alongside JP Buckley, a legal director at law firm DLA Piper UK, Reichart continued: "The data flow in a company is touched by many applications, servers, storage systems, and different network segments, probably in different locations as well."
As such, organisations might need to centralise, or re-centralise, their IT operations, which they could do in-house or by turning to the cloud, added Reichart. "This could be the new incarnation of the mainframe, having all your IT centralised in a clustered zone, having access that can be controlled in an easier way," he said.
However, warned Buckley, simply putting IT resources in the cloud won't absolve an organisation of responsibility over data protection.
Before embarking on the project, advised Reichart, organisations ought to consult with third parties, such as lawyers, to first get a better idea of their responsibilities, and how these need to be applied to their corporate IT infrastructure. "Getting there will be different. It will need a lot of advice, knowledge, and development not only from an IT perspective, but also from a legal perspective.
"So you should reach out for help, not just to providers and vendors, but also to lawyers," he said.
Even an all-cloud solution will hold many areas of responsibility for an organisation - data protection obligations cannot be completely outsourced - particularly in terms of security, he added.
The new law, combined with a heightened sensitivity towards data protection issues post-Snowden, has stimulated demand for "data protection officers" in recent years - and both Reichart and Buckley expect to see a lot more of these roles coming up in the next couple of years.
Computing's web seminar, GDPR is coming - Make the Most of It, was first broadcast online on Wednesday 3 February at 11am.