May 25th, 2018, the implementation date for the European Union’s General Data Protection Regulation (GDPR), has come and gone: the regulation will now be enforced, and the potential penalties are steep. Fines can be 20 million Euros, or 4% of global turnover, whichever is greater. With that sword of Damocles hanging over everyone’s head, it’s worth taking time to understand what the GDPR is, and what some of the key real-world concerns related to it are.
The basic premise of the GDPR is that EU citizens should have control over their own Personally Identifiable Information (PII), and how that information is used. In short, this means that EU citizens have rights that allow them to ensure the data held about them is accurate, have data about them expunged, and require that organizations not share data about them with anyone. GDPR does not apply only to European organizations. Any business that works with EU citizens needs to pay attention to GDPR.
Under the GDPR, organizations cannot require EU citizens to divulge more data than is absolutely required to perform a service or sell a product. This means, for example, that an online retailer cannot require an EU citizen to divulge their national identification number (similar to the Social Security Number in the US) to complete a sale. National identification numbers are not necessary to sell retail goods, thus providing them cannot be a condition of sale.
In addition to the above, organizations are now responsible for protecting data regarding employees, staff, and contractual workers. Under the GDPR, individuals should only be able to access information required to do their job. The janitor, for example, does not need the ability to access someone’s medical records.
As a result of all of the above, complying with the GDPR requires effort and change from both IT and business teams. Getting an organization—any organization—to the point of GDPR compliance is unlikely to be easy. Business practices and technology implementations will have to be modified, and many organizations simply do not have the expertise to accomplish this on their own.
How Channel Partners Can Help with GDPR Readiness
Whenever a technological task is difficult or complex, there is an opportunity for the channel. Value Added Resellers (VARs), Managed Service Providers (MSPs), Cloud Service Providers (CSPs), and Systems Integrators (SIs) all have an opportunity to help organizations meet their GDPR requirements, and to demonstrate that compliance on an ongoing basis.
Helping organizations define their current infrastructure is a key requirement. This includes helping organizations do baselining, needs assessment, and security audits. It’s impossible for an organization to know where the gaps in their data handling are if they don’t have a complete understanding of their extant IT.
According to new surveys, as few as 27% of organizations have made changes to their operations in order to ready themselves for the GDPR, and that figure is for the UK, which remains a part of the EU until next year. Most surveys show that organizations outside the EU which are subject to the GDPR don’t even know that it will affect them, let alone what they need to do, or how they would go about doing it.
Ignorance is not limited to the GDPR. More than 75% of organizations believe that cloud providers are responsible for securing their data, a viewpoint at odds with the terms and conditions of the majority of cloud providers. This means that there is scope for the channel to help organizations deploy standard IT security solutions such as encryption, segmentation, monitoring, and unified authentication, and to do so in a verifiable manner.
Even if organizations can get their IT sorted, none of that matters if they cannot prove that it is compliant when asked. Unfortunately, this isn’t easy in part because agreement on what exactly needs to be done is hard to come by.
Consider data protection. According to many GDPR experts, the GDPR gives EU citizens the right to have their data erased not only from production systems, but from backups as well. Many backup vendors disagree. The view of backup vendors may be influenced by the inability of current data protection products to perform fine-grained deletions from backup sets; however, neither view on this topic has yet been tested in court.
Solving the real-world challenges associated with the GDPR will, for most organizations, require a significant amount of systems integration. Under the GDPR, responsible data governance requires that a chain of custody exist: one that provides a clear view of who has access to—and has accessed—which bits of data.
Proving this will require an automated auditing solution that spans all of an organization’s IT across all platforms and infrastructures. Auditors—as well as IT staff and business owners—will want a single view of all of an organization’s data, in addition to tools that ensure a deletion request touches all data stores.
Because extant solutions in the areas of data protection, data governance, and auditing are broadly inadequate to the task, off-the-shelf solutions are unlikely to meet organizations’ needs. This means that a careful and considered analysis of an organization’s IT, combined with the provisioning of modern, secure services and competent integration work, will be required for years to come. This is a market opportunity tailor-made for the channel.
How Channel Partners Cannot Help with GDPR Readiness
While channel partners are unquestionably key to helping organizations meet their obligations under the GDPR, the channel can’t do everything. The GDPR requires that organizations make changes to business processes that incorporate the principle of least privilege into everything from paper handling to IT.
At a bare minimum, this requires a dramatic shift away from the “wide open IT networks” used by most organizations, and that shift is as much cultural as it is technological. Similarly, organizations will have to take the time to define what data individuals within their organization need access to, and then set about restricting access. This is again as much about business process and corporate culture as it is about technology. The channel can help with the tech, but it cannot create a cultural change without cooperation from all members of an organization.
In addition to data handling concerns within an organization, the GDPR requires that organizations enforce GDPR rules on any and all organizations and individuals that they contract with. While service providers can ensure that they themselves comply, ensuring that all other contractors comply isn’t really something that service providers can currently solve.
Why Automation is Key
Even if one puts considerations about data protection and the right to be forgotten to one side, under the GDPR automating the chain of custody for data is a clear requirement. Nobody can track access and usage of data manually anymore; even the smallest organizations simply process too much data per day.
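The two requirements described above, a chain of custody showing who accessed which data and an erasure request that provably touches every data store, are the kind of thing that has to be automated. The following is an added illustration, not code from the original article or from any vendor mentioned in it: a hash-chained, append-only audit log that records every access attempt (allowed or denied) against a least-privilege role table, plus an erasure routine that fans a request out across several registered stores and records a per-store residual count so an auditor can see the request was completed everywhere. The role table, the store names (`production-db`, `analytics-cache`, `backup-catalogue`) and the sample records are all constructed for the example; the backup store is a toy index and does not claim that real backup products can delete at this granularity.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical least-privilege table: role -> record categories it may read.
# The janitor from the article has no categories at all.
ROLE_PERMISSIONS = {
    "nurse": {"medical", "contact"},
    "billing": {"contact", "payment"},
    "janitor": set(),
}


class AuditLog:
    """Append-only log where each entry's hash commits to the previous entry,
    so removing or editing any entry breaks verification of the chain."""

    def __init__(self):
        self.entries = []

    def append(self, **event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        event["prev"] = prev
        event["ts"] = event.get("ts") or datetime.now(timezone.utc).isoformat()
        body = json.dumps(event, sort_keys=True)
        event["hash"] = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append(event)
        return event["hash"]

    def verify(self):
        """Recompute every hash from the start; False on any break in the chain."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            digest = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class DataStore:
    """Toy key-value store standing in for one system (database, cache, backup index)."""

    def __init__(self, name, records=None):
        self.name = name
        self.records = dict(records or {})  # record_id -> {"subject": ..., "category": ..., ...}

    def records_for(self, subject):
        return [rid for rid, rec in self.records.items() if rec["subject"] == subject]

    def erase(self, subject):
        ids = self.records_for(subject)
        for rid in ids:
            del self.records[rid]
        return len(ids)


def read_record(log, actor, role, store, record_id):
    """Least-privilege check; every attempt is logged whether allowed or denied."""
    rec = store.records.get(record_id)
    allowed = rec is not None and rec["category"] in ROLE_PERMISSIONS.get(role, set())
    log.append(action="read", actor=actor, role=role, store=store.name, record=record_id,
               subject=rec["subject"] if rec else None, decision="allow" if allowed else "deny")
    return rec if allowed else None


def erase_subject(log, actor, subject, stores):
    """Fan an erasure request out to every registered store and record, per store,
    how many records were removed and how many remain (residual must be zero)."""
    report = {}
    for store in stores:
        removed = store.erase(subject)
        residual = len(store.records_for(subject))
        report[store.name] = {"removed": removed, "residual": residual}
        log.append(action="erase", actor=actor, store=store.name, subject=subject,
                   removed=removed, residual=residual,
                   decision="complete" if residual == 0 else "incomplete")
    complete = all(r["residual"] == 0 for r in report.values())
    log.append(action="erase-summary", actor=actor, subject=subject, stores=sorted(report),
               decision="complete" if complete else "incomplete")
    return complete, report


def build_demo_stores():
    """Constructed sample data: the same person appears in three separate systems."""
    return [
        DataStore("production-db", {
            "p-1": {"subject": "alice", "category": "medical", "note": "allergy: penicillin"},
            "p-2": {"subject": "alice", "category": "contact", "email": "alice@example.test"},
            "p-3": {"subject": "bob", "category": "contact", "email": "bob@example.test"},
        }),
        DataStore("analytics-cache", {"c-1": {"subject": "alice", "category": "contact"}}),
        DataStore("backup-catalogue", {"b-1": {"subject": "alice", "category": "medical"}}),
    ]


if __name__ == "__main__":
    log = AuditLog()
    stores = build_demo_stores()
    read_record(log, "jan", "janitor", stores[0], "p-1")   # denied, but still logged
    read_record(log, "nora", "nurse", stores[0], "p-1")    # allowed
    complete, report = erase_subject(log, "dpo", "alice", stores)
    print(complete, report)
    print("audit chain intact:", log.verify())
```

The design point is that the denied janitor read and the per-store erasure results land in the same chained log, which is what gives an auditor a single view of both access and deletion without trusting any one store's own records.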
This automation is critical not only to keep auditors happy, but because it helps IT teams find areas of IT that require improvement. As more effort is put into needs assessment, more holes in how organizations handle data will become known. This will in turn require additional IT resources to address.
IT automation in general is thus an important part of meeting an organization’s needs under the GDPR. Automation is critical to freeing up the administrator time necessary to work on the complex business and IT challenges the GDPR creates. It is also important because automation creates a predictable, repeatable, and above all easily auditable environment.
GDPR compliance is a long process, and it has created a requirement for increased IT efficiency. Organizations that waste the time of their IT teams with “keeping the lights on” will be at a distinct disadvantage when compared to their competitors.
It will take many solutions from many vendors working together to help organizations modernize their IT in the face of challenges from regulatory schemes such as the GDPR. At the core of these solutions lie multi-infrastructure management solutions that span on-premises IT, service provider clouds, and public cloud infrastructures. These automated management solutions not only provide high degrees of automation, they offer visibility into an organization’s IT usage across multiple infrastructures in a single, simple interface.
CloudCheckr is one such multi-infrastructure management solution. With CloudCheckr IT teams can begin to unify their IT management so that they can focus on security, regulatory compliance, and IT projects that add value to the business. To learn more about what we can do for you, schedule a demo.