GDPR Telco

The GDPR and the Telco Industry

We see many Telcos that have come onto the scene after 2000 and others that have been around in one guise or another for 50 years or so. Mergers and acquisitions are still relatively recent news in the industry (BT and EE being one example) so the issues of inheritance of applications and data continue. So, my challenge: In terms of the GDPR, what differentiates Telcos from Insurance, Public Sector or Automotive? In my opinion the following are some of the biggest differentiators:

  • The Technology: Perhaps the most prominent factor is the advance in technology either led by or supported by Telecoms companies, which have brought about the need for the GDPR and other legislation. Think Social Media, Mobile technology and the Internet of Things.
  • The Data:
    • The type and format of data such as the huge quantity of Unstructured Data in the industry.
    • The vast amount of data including Metadata, Transaction Data, Message Data and Big Data.
    • The speed at which data is being collected.
    • The file transfers that are the lifeblood of Telco operations.
  • The Lobbying: Interestingly, many Telcos initially lobbied against the provisions in the GDPR.
  • The Fines: Certain Telcos have been the subject of some significant fines from the ICO in the last year or so. It is not difficult to imagine that the industry, and particularly those companies that have been fined, would consider that they are under the spotlight,

 With regard to other legislation, already in place is the Privacy and Electronic Communications Regulations 2003 (PECR) which implements European Directive 2002/58/EC, also known as ‘the e-privacy Directive. The PECR was most recently updated in 2015. It sits alongside the Data Protection Act and sets out more specific privacy rights in relation to electronic communications. In May 2018, EU member states are required to pass legislation to enforce the requirements of the Network and Information Security (NIS) Directive and the UK government has confirmed that the Directive will apply irrespective of Brexit. The NIS represents the first EU-wide rules on Cybersecurity with obligations for Operators of Essential Services and Digital Service Providers.

The NIS directive seems to have had very little attention compared to the GDPR. The objective of the Directive is to achieve a high common level of security of network and information systems within the EU, by means of:

  • Improved cybersecurity capabilities at national level
  • Increased EU-level co-operation
  • Risk management and incident reporting obligations for Operators of Essential Services and Digital Service Providers

One of the big challenges we are seeing from clients is with Unstructured Data. Data Warehouses and, to an extent, Big Data and Data Lakes have acquired a bad name by becoming more of a data dumping ground. I hear stories of data analysts and data scientists spending 80% of their time correcting or sorting the data and only a small percentage of the time innovating or deriving business value from the data.

A challenge for GDPR preparation is finding your Personally Identifiable Information (PII) and sensitive data amongst your Big Data, Data Lakes, Content Management Systems…the list goes on. The technology for discovery in Unstructured Data is developing; we see it in use within the legal profession, for example, where much PII is held in MS documents or PDFs.

Technology for remedying (pseudonymizing or masking) unstructured content is still a poor relation when compared to what is available for Structured Data. The usual suspects that most turn to for data management tools don’t seem to have this on their roadmap or rely on partners to provide solutions.

What this means is your data management solutions are coming from multiple suppliers, likely new suppliers where Unstructured Data is concerned, and we do find clients who are very reluctant to bring in new vendors.

Our continuing challenge is to provide options and demonstrate the benefits.