A recent study by Senzing showed that only 40 percent of European companies are prepared for the upcoming EU GDPR. Right now is a make-or-break time for GDPR compliance – organisations can either get into gear – fast – or risk hefty fines and reputational damage.
Preparedness for GDPR is, without doubt, hard to achieve. GDPR is a cross-departmental issue – every department from HR to IT has a role to play. But for the IT department in particular, the emphasis on data protection means that the burden of GDPR compliance often feels as though it rests heavily on its shoulders.
With this in mind, and with not much time left until GDPR comes into force, seven IT experts have come together to give their must-have GDPR tips for IT departments.
To start with, we have Simon Spring, Senior Solutions Architect, WhereScape. Spring understands that many businesses might feel overwhelmed by the amount of data they need to find and secure, but believes that, with the right technology, this issue can be solved. He explains: “GDPR brings a significant shift in the way that any business that has data at its heart operates and, as a result, many businesses appear stuck in ‘analysis paralysis’. I think the first, and most important, step is for organisations to quickly get to a point where they can both identify and audit their data, which sounds daunting, but there are products out there that can help and automation software is a good place to begin a search.
On a proactive basis, data infrastructure automation software can go off and discover data areas and tag areas of concern. It can be used to map out all data systems within the organisation, providing a really effective means of auditing and cataloguing data. And on a reactive basis, if ever a company is asked to prove anything about a particular piece of data, or to pull multiple trails together quickly for an export request, again, data infrastructure automation software can supply a full lineage of that data trail. Even better, data infrastructure automation software can retrospectively go out and catalogue all data, and easily enable complex data extraction. So using automation can help firms ensure rapid compliance with GDPR requirements and, from here, the roadmap to GDPR compliance should look a lot clearer!”
As Spring mentions, one of the most intrinsic features of GDPR is the emphasis on knowing where data resides. Echoing Spring’s sentiments, Gary Watson, CTO and Founder of Nexsan, states: “As businesses start to prepare for GDPR it’s essential to be mindful of how data is stored and protected – data locality, security and protection are of paramount importance if businesses are to remain compliant with the new, tighter guidelines. Organisations need to be reviewing their policies and, even if data is stored with third-party vendors, it’s important to understand who is responsible for ensuring compliance is met. As part of the guidelines, data leaks and breaches will also come under scrutiny as organisations will need to report any breach within 72 hours of becoming aware of it. With this in mind, the industry will be looking to see how efficiently and quickly businesses can regain control, so ensuring there is a comprehensive second line of defence in place is critical. GDPR provides the perfect opportunity for organisations to be mindful that their IT infrastructure can safeguard and protect critical data by bringing policies under corporate control.”
Watson mentions that, with the GDPR, will come a 72-hour breach notification period – the time frame within which an organisation must notify the ICO that it has been breached. Luke Brown, VP EMEA at WinMagic, goes into further detail about the breach period: how organisations can check whether they’ve been breached and how to reduce the likelihood of a hacker getting away with sensitive data: “It is no longer unusual to read about hefty fines imposed by the Information Commissioner’s Office against organisations who fail to protect systems and information. Companies must deploy strong protection and detection capabilities and be able to prove they did what they could to protect themselves, their systems and their customers’/employees’/patients’ data. Because companies have such a wide variety of infrastructure spanning everything from endpoints, data centres and cloud, this is not easy. What is needed is an end-to-end data protection platform that works across all infrastructures. More importantly, it must also encrypt the data, and ensure it stays encrypted until it’s needed. If a cyber-criminal does manage to get encrypted data but not the key used to encrypt it, the data is useless to him. As the roll-out of GDPR comes ever closer, the need for specialised data encryption management has never been greater.”
Whilst it might be easy to get tangled up in the data side of GDPR, it is important to remember what GDPR is for. It is, after all, not just a data issue, but a people issue. Jan Van Vliet, VP and GM EMEA at Digital Guardian, discusses the rights that the GDPR gives EU citizens, and how this will impact IT teams. “The GDPR includes an extensive collection of rights that EU citizens residing in the EU will be entitled to, as a way to protect their personal data. This is leading to a pendulum swing back to where the EU citizen is the data owner until they give consent for it to be used, not vice-versa. Companies need to adapt and learn how to operate in this new environment.
Perhaps the biggest challenge here is around changing attitudes towards data consent and ownership within organisations, which some will find harder than others. Businesses accustomed to reinventing themselves tend to accept change far more easily than those with an entrenched way of doing things. Education will play a key role in shifting internal behaviour towards personal data over time. Changes to data usage consent are also a key element. The GDPR requires companies to specifically state how personal data is being used and give citizens a choice on whether they are happy for their data to be used in that way or not. As a result, the people within the business need to change how they approach consent. Consent tools must become far more user-friendly and easy to locate, not secretive and hidden like many of them are today.”
Nigel Tozer, Solutions Marketing Director for EMEA at Commvault, further explains the ‘data trail’ that IT teams need to keep track of in order to achieve compliance. He explains: “Becoming GDPR compliant is not simply a matter of flicking a switch, so it’s no wonder that, according to a recent survey by Commvault, 89% of organisations and IT personnel admitted to still being confused by key elements of the regulation. At the core of GDPR is the data trail created by every individual. But whose data is it? The individual’s, or the business’s that collects and uses it? Think of it like this: big business monetises personal data, just like a bank uses your money to generate profit. Similarly, from May, it will be a business’s duty to protect that data like a bank protects its customers’ cash and keeps them informed.
In the same way that you can take your money out of a bank, GDPR also mandates that an individual can request to be forgotten, effectively removing their data from the business. In fact, under GDPR, an individual can also ask for data to be transferred elsewhere, just like a bank transfer. There is much talk in business media about ‘monetising data’, and historically the individual has had little say or control of how their data is used. GDPR was created to redress this imbalance.”
Again on the subject of people, Steve Wainwright, VP and GM, EMEA at Skillsoft, focuses on the importance of training employees to reduce the risk of non-compliance. He says: “Ongoing compliance training will ensure employees are aware of the new rules on personal data management, while also increasing accountability throughout the organisation. Training helps employees stay mindful of potential compliance impacts when making decisions, particularly those involving the handling of data. A one-off training session won’t be enough; companies will need to introduce a comprehensive, ongoing training strategy to address GDPR.”
Lastly, Dave Ricketts, Head of Marketing at Six Degrees, believes that if all else fails, organisations should consider outsourcing. He explains: “GDPR is just over one month away. If you have not already started preparing for it, the simple fact is that you will not be ready for GDPR implementation if you are undertaking the processes to compliance on your own. The good news however is that you don’t have to do it alone. Preparing your system and your team to be ready for GDPR is no small task, and if you are not well acquainted with the compliance that's needed, the preparation can be downright stressful. Service providers with expertise in this area can offer an array of solutions that are GDPR-ready, along with advice and education to ensure your business has the skills to manage and maintain its compliance. So, one solution to your worries is to outsource to a GDPR-specialised managed service provider who can deliver your GDPR-ready infrastructure, from 25th May 2018 and beyond.”
Ultimately, although achieving GDPR compliance might feel like trying to get through a data protection maze, by following the above tips and acting quickly, organisations should be able to get themselves in good shape for the GDPR deadline – and reduce the likelihood of facing data breaches too.