The EU’s new “General Data Protection Regulation” (GDPR) is expected to be formally adopted by Easter 2016 – what does this mean for telcos?

The IT world is certainly not lacking in acronyms – and from LTE to VoIP, ALOC to SIP, telecoms professionals deal with more than their fair share. Yet a recent data survey disclosed that more than 50% of IT professionals were unaware, or unable to accurately identify, what the acronym “GDPR” means.

Recently approved in its draft form, the EU’s new “General Data Protection Regulation” (GDPR) is expected to be formally adopted by Easter 2016. Described by a leading analyst as a “paradigm change in the way that data collection and use are regulated”, the pan-European GDPR will supersede a previous EU directive with something much more unified and robust.

But why should any of this matter for telcos?

File Transfers – the lifeblood of telecoms operations

Inside a telco’s operation, personal data is being moved around in huge volumes, and to suit many purposes. CDRs represent the molecular structure of telco activity, their correct processing being critical to revenue streams, and also aggregating into vast CDR datasets, which present significant storage challenges. Meantime, all manner of revenue assurance feeds, finance interfaces, real-time fraud streams, and data warehouse feeds combine and overlap to create a congested and complex data landscape that needs careful control, classically achieved via the implementation of a dedicated MFT (Managed File Transfer) solution.

The correct management of data, in terms of its movement, its processing, how it is shared, and its storage and retrieval, is critical for minimising the risk of an accidental breach of GDPR.

Harmonisation through GDPR

The good news arising from GDPR is that the harmonisation of the differing national legislations around a single new EU-wide regulation should make the task of data compliance less confusing and time-consuming. Instead of analysing and complying with 28 different country laws, we will now have to comply with just 1.

Fines on the way

The bad news is that breaches will now be met with fines – real and painful fines. Even worse, these fines will be levied as a percentage of the organisation’s global turnover, not just against EU commercial operations. The precise definition of the fines is still awaited with keen interest. However, from the draft versions prepared by the EU, fines are expected to be at least 2% – and possibly as high as 5% – of global turnover. For a multi-million, or even multi-billion euro telecoms enterprise, this represents a new and significant financial risk.

It’s also worth mentioning that GDPR will be binding in its nature. Whereas the previous EU law (from 1995) was only a Directive, this new law is to be a Regulation. That means it carries much more authority; for instance, superseding the jurisdiction of national laws set by each country.

Key principles addressed in the legislation

Accountability will be critical, with companies being called to account at the request of inspectors to demonstrate that appropriate data processing, sharing, movement, retrieval and storage processes are in place.

This sounds straightforward, but many organisations rely on ad hoc / in-house technical scripts to manage the movement and storage of datasets. Often these scripts are created in isolation to support an individual requirement. Over time, layers of script build up into a disjointed design. It is still comparatively unusual for an organisation’s IT department to employ a single cohesive system or process for the management of data transfers, and the internal ownership may be similarly fragmented across different teams. Such an approach may now become painfully exposed in a number of areas:

  • Telcos may be using an unreliable or ineffective process. It may fail to deliver a dataset from A to B. It may send data to the wrong place. It may stop working and nobody even notices. The consequences of those failures now bring the threat of fines into play.
  • Telcos may be using a process which functions adequately day-to-day, yet still fails to meet the governance requirements set out by GDPR. Can data security, and the right level of controls be clearly demonstrated? Are there safeguards in place to quickly highlight breaches, or risks of breach to the overall process? Is there an error management tool or system to identify and manage unexpected outages in the movement of files? Can an audit trail of what happened when be shown? Can it meet SOX?

According to a leading lawyer specialising in IP, in the wake of GDPR “organisations will need to adopt entirely new behaviours in the way they collect and use personal information”.

Cross-border transfers and the death of Safe Harbor

GDPR also concerns itself with the matter of transferring data outside the EU’s borders. In the digital age, that’s now incredibly commonplace for individuals, with personal computing and social media heavily reliant on cross-border movement of data via Facebook, Google, Microsoft et al.

For the telco enterprise, even those providing services purely at a national level, many will be using 3rd party BSS/OSS service providers that process and store data on their behalf at an international level. Data sent to outsourced service providers could end up being processed in an EU member state, but equally might be processed and located in countries such as India or the USA. A telco’s data might even be handled, on its behalf, by a provider utilising “the cloud” – but where exactly is the cloud?

In October 2015 the EU Court of Justice very suddenly ruled that the 15-year old “Safe Harbor” agreement, which allowed US companies to move the data of European citizens freely to the US, was invalid. Under this finding, as of January 2016, US data processors are no longer allowed to self-certify their internal data security.

This means that telcos using a cloud-based OSS/BSS solution of US origin, or who are otherwise transferring personal data to a US based facility, may now be acting illegally.

Ensuring compliance

In a post-2015, post-Safe Harbor world, and following the formal adoption of GDPR, outsourced service providers handling the telecoms sector are now expected to focus heavily on providing an end-to-end, 100% EU-located data management and storage model. An EU-based facility ensures peace of mind, compliance with GDPR, and side-steps the potentially illegal arrangements exposed by the EU ruling on Safe Harbor.

iCONX, as a pioneer of cloud-based services since 2001, boasts a 100% EU-based, fully redundant, end-to-end data hosting and management process that complies with all current and expected future legislation.

Since 2001, iCONX has safely transferred, processed and stored more than 250 billion customer CDRs across its secure European ASP platform, with fully tested and assured SOX compliance and with accreditations including SAS70, ISO27001 and ISO22301. iCONX also offers its own dedicated “iCONX MFT” (Managed File Transfer) solution, which is the world’s first MFT package specifically optimised for the high-volume, high-density data transit requirements of Telcos.

If you have additional concerns about compliance with GDPR and post-Safe Harbor data transfers, please contact to set up an initial discussion.