The General Data Protection Regulation (GDPR) comes into force on 25 May. The new law is wide-reaching and marks a significant shift in the approach that organisations must take to protecting personal data. Because of the number of changes GDPR introduces and the intricacies of the regulations, addressing the requirements can seem overwhelming.
Below, six IT experts give their advice on how organisations can become GDPR compliant prior to the fast-closing deadline.
Gary Watson, CTO and founder of Nexsan, believes that organisations need to better understand GDPR and the implications of non-compliance, “Organisations need to rapidly prepare for GDPR in order to ensure they will be on track to meet the requirements. Last year our research revealed that 48% of respondents didn’t even know what GDPR was and the reality is that few organisations are fully prepared.”
He continues, “Organisations need to review their cloud services, ensure control over data privacy and locality, and prepare a second line of defence against ransomware attacks and data breaches. Not only will organisations face a fine of up to 4% of global annual revenue for failure to comply, but they potentially risk irreversible damage to their reputation as data leaks will need to be reported within 72 hours.”
Rob Mellor, VP and GM EMEA at WhereScape, echoes Gary’s sentiments, “For those not prepared, the ICO’s fines will provide a harsh slap on the wrists both financially and in reputational damage, so it’s important that all firms with data at their heart get onto the path to compliance now.”
“The only way to ensure effective compliance is to create a kind of map of all the data in your firm, identify where a particular piece of data sits, tag it and, in order to satisfy ‘access upon request’ requirements, you need to either store it somewhere with extract capabilities or be able to build those extract capabilities quickly,” Rob continues.
“In addition, you must be able to explain the purpose of that data. You must be able to show that your business is built on requiring that information and, most critically, you have to show that people have opted IN to you having their data. And if that sounds daunting, rest assured there are products out there that can help and automation software is a good place to begin your search.”
The location of personal data will become extremely important under GDPR. Graham Marcroft, GDPR consultant at Hyve Managed Hosting, believes that choosing local data centres can help with this issue, “Choosing to locate to data centres overseas is an option some providers have taken due to the lower costs. But will the same providers now struggle to guarantee data can be held to the standards GDPR requires you to meet? And can they be sure that compliance will be met in the future?”
“Making the move to a local UK data centre can be a step towards easy GDPR compliance. The UK hosting industry is a vibrant technology leader, rivalling others on price and performance,” states Graham. He continues, “UK data centres and providers can offer you a huge range of skill sets, delivering services best suited to the individual needs of each customer. In May, when data sovereignty rules, being local will shoot up the list of buying criteria. Communication between service provider and customer is going to become the most important thing.”
To be compliant by the GDPR deadline, organisations should also review and consolidate their existing services and suppliers. Nigel Tozer, solutions marketing director EMEA at Commvault, explains, “No matter the size of the organisation or business, GDPR may just be the catalyst for reviewing how you currently treat personal data and provide an opportunity to gain some business benefits. For example, reviewing multiple cloud services or suppliers with a view to consolidation will help to centralise customers’ data and make it more manageable, while at the same time it could reduce costs by improving or adding new services for your own customers.”
Eduard Meelhuysen, head of EMEA at Bitglass, states that organisations should also think carefully about their cloud data responsibilities. He explains, “One of the key issues surrounding GDPR is that some believe they can abdicate all responsibility over data security once they migrate to the cloud. While cloud apps provide necessary infrastructure and application security, data protection remains the responsibility of the enterprise and critical for compliance under GDPR. The difficulty is that just one wrong tick box in the cloud set-up process can put vast amounts of sensitive customer data at risk. Organisations must realise that they are responsible for configuring the cloud services they use in a secure manner.”
“To achieve compliance with GDPR, organisations need to think about protecting data that can be accessed from unmanaged devices and unsanctioned applications that do not meet GDPR requirements. Cloud apps for example push corporate data outside of the network perimeter, which is difficult to secure with traditional premises-based security systems. In order to be compliant with GDPR, businesses must make sure that IT teams have visibility and control over all corporate data, regardless of where it resides. A business that is GDPR-ready will know where cloud app data is being stored, it’ll ensure that all apps being used meet the GDPR standards, and that access to customer and employee data is secured with appropriate limits on external sharing.”
If achieving compliance in house sounds like too daunting a task, there are other ways. Matthew McGrory, strategy director at Six Degrees, explains, “Preparing systems to be GDPR compliant is not a small task and if you haven’t started yet you simply are not going to be ready by May on your own – but you don’t have to go through it alone.”
“While the Information Commissioner’s Office has issued a list of ‘steps to compliance’, in reality it can be daunting when it comes to implementing them all, especially if you are not a GDPR expert. However, moving to an infrastructure delivered by a managed service provider that has GDPR compliance expertise is one solution. Service providers can offer an array of solutions that are GDPR-ready along with advice and education to ensure your business has the skills to manage and maintain its compliance.”
“Moving into 2018, GDPR should now be part of all conversations with managed service providers, whether you are employing them specifically to help with compliance or not.”
With GDPR fast closing in, organisations must act quickly and competently to ensure that the personal data they are responsible for is secure and compliant with all of GDPR’s requirements. By focusing on data protection, investigating third parties and being aware of where data travels to, organisations can ensure they are GDPR ready by the deadline.