YouGov recently found that only 3 in every 10 UK businesses have started preparing for the GDPR. This is worrying when we consider that the GDPR is mandatory, and that the penalties for non-compliance are severe. Businesses simply can’t bury their heads in the sand when it comes to this new regulation.
To help enterprises along their way, seven experts have come together to offer advice on the key areas that businesses should focus on in order to get GDPR preparations underway, and be compliant by the time May 2018 rolls around.
One of the most significant changes is the introduction of the Data Protection Officer (DPO). Thomas Fischer, threat researcher and security advocate at Digital Guardian, believes that one of the biggest GDPR priorities companies face is trying to understand whether or not they need to appoint a DPO. “All public authorities and organisations that monitor data subjects, or process sensitive personal data on a large scale will be required to appoint one.”
When looking for a DPO, Fischer says organisations should bear in mind that this a compliance office role. “He or she will be accountable to both the board and customers as the focal point for all data protection and compliance activity. What should be made clear is that even though this role is intrinsically linked to data, it is not an IT role.”
Another main concern for organisations centres on the stringent regulations regarding breach notification, subject access requests and the right to be forgotten. As Matt Bryars, CEO and co-founder at Aeriandi, puts it:"Under GDPR individuals will have the right to make reasonable requests to access their personal data. They will not be charged for this, and businesses will be obliged to share any personal data held within a database, without delay and within one month. Individuals will have the right to access, change and remove any personal data a business is holding.“
Nigel Tozer Solutions Marketing Director EMEA at Commvault believes that these specific regulations are especially challenging for organisations with large amounts of unstructured data. “This data can be difficult to keep track of, especially where it potentially lies on endpoints.”
But, despite these regulations being challenging, Tozer says that it is not all bad news. “Businesses should look at GDPR as an opportunity to harness company data for greater insight into customers and company practices. By investing in technology that can identify, index and automatically manage data, organisations can move closer to GDPR compliance, increase efficiencies and create a competitive edge in the market. Working to gain compliance early may also help with reputation and increase customer loyalty,” he adds.
Bryars agrees, adding that “businesses should review whether the information they store in house is properly stored, and also make sure it is available to legitimate customers, as and when requested. He states that “GDPR guidelines suggest a self-service approach – customers should be able to access their personal information directly and edit what is stored if they wish. Many businesses will need to question their current capabilities, and in many cases, upgrade their systems.”
Chuck Dubuque, VP Product Marketing at Tintri, believes that the cloud represents another big GDPR challenge. He says that, while cloud technology has become an essential part of the IT landscape “it’s simply not suitable for everything – like data security and compliance restrictions from country to country.”
Dubuque believes that “critical company data such as the personal information of customers and staff members must be stored in a way that ensures ‘privacy by design’. Public cloud can struggle to offer the security and control necessary to meet this legislation.”
“This doesn’t mean that organisations should abandon the public cloud – instead, the perfect solution could be to find a platform that will help oversee a multi-cloud environment, where data can be more precisely stored, protected and managed. Building an enterprise cloud platform on-premises allows businesses to harness the benefits of both environments while ensuring regulatory compliance.”
For those organisations that are already using public cloud, considerations will need to be made. Eduard Meelhuysen, Head of EMEA at Bitglass believes that the trouble arises because “some organisations think that they can abdicate all data security responsibility to their CSPs once they migrate to the cloud, which is incorrect.” He explains that “whilst cloud apps provide necessary infrastructure and application security, data protection remains the responsibility of the enterprise. If your company has relinquished its data responsibilities to a CSP, you simply won't be compliant under GDPR.”
Meelhuysen believes that “to become truly GDPR-ready, businesses should be able to provide proof of where customer data is being stored, and ensure that all apps being used meet GDPR standards. They will also ensure that access to customer and employee data is secured with appropriate limits on external sharing. Ultimately, while achieving compliance under GDPR might seem like a monumental task, IT teams need to focus on data security solutions that secure data beyond the network perimeter.”
Unlike its predecessor, the Data Protection Act, GDPR has specific requirements that impact service providers. Brett Candon, EMEA Channel Director at Exabeam, believes that Managed Security Service Providers (MSSPs) in particular will find it difficult to comply with GDPR. “This is because they are typically using legacy Security Incident & Event Management (SIEM) solutions as the main vehicle to manage their Security Operations Centres (SOC).”
“GDPR compliance requires processes for managing and securing private information – the need to be able to identify exactly where a threat started, what it touched on its journey and what controls were in place to try to prevent/minimise the risks. Being built for an environment over a decade ago, legacy SIEMs are simply not equipped to provide the level of visibility, detection and automated response that’s required to tackle the threat landscape of today.”
“In the event of a breach, to provide all the necessary info expected by GDPR in an acceptable timeframe is likely to be an ‘all hands on deck’ task in itself – leaving the SOC in an even more vulnerable position. MSSPs are beginning to understand that it’s time for a change – and are now starting to look at new security management options available.”
Tony Glass, VP and GM EMEA, at Skillsoft, believes that training is a key way to meet GDPR’s reporting requirements: “Ongoing compliance training is necessary to mitigate the legal, financial and reputation risks associated with falling foul of compliance regulations. When GDPR comes into force, businesses will face this risk on a daily basis. Not only will training mean employees are aware of how GDPR regulates personal data management, it will increase accountability throughout the organisation. Employees need to be mindful of potential compliance impacts when making decisions, particularly those involving the handling of data. A one off training session won’t be enough; companies will need to introduce a comprehensive, ongoing training strategy to address the changes GDPR will bring."
Ultimately, the aim of GDPR is to make data safer. Although some of its regulations can be challenging to comply with, it is not an impossible task. With timely preparation, the right solutions and awareness of these new regulations, GDPR compliance can be achieved before the deadline.