The General Data Protection Regulation (GDPR) comes into effect in the UK on Friday, 25th May 2018, and will replace the UK Data Protection Act 1998 (DPA).
GDPR affects nearly all organisations in the EU, including the UK, and it would be fair to say that if you have not taken steps by now to be compliant with the new regulations, it’s likely you will miss the deadline and be at risk of having swingeing fines for non-compliance imposed upon your organisation by the Information Commissioner (ICO).
However, whether they are primed and ready for GDPR compliance or still have significant work to do, many organisations will not have considered that GDPR is unlike a vehicle driving test, where you pass it and forget it. It is an ongoing commitment to maintain your compliance, forever.
This brings many technical challenges to the channel, challenges that resellers, as trusted suppliers of ICT services to their users, must understand and be competent in solving for their customers.
Many industry observers consider the top five technical aspects relating to GDPR compliance to be as follows:
- Where is all the data?
- Do you have a legitimate reason for holding the data?
- How secure is the data?
- How do you know when you’ve been breached?
- How do you limit shadow IT?
For ICT service providers, each of these aspects represents both a challenge and a potential opportunity, and examining just a few of the issues demonstrates the enormity of both.
GDPR is all-encompassing and applies to all the data you’ve collected over the years. GDPR is the data stored on your local hard drive. On your network, the cloud, your user folders. It’s the data in your backups, archives and email system. In your files and databases. Excel. Word. You name it, ‘personal data’, regardless of where it’s stored, falls under GDPR legislation.
Also consider that it is estimated that up to 85% of all data is either dark or ROTten (redundant, outdated and/or trivial). That leaves only 15% of data that is deemed to be critical to business operations. The trouble is, how do you tell which is which?
Data security is such a big issue today that it often tops the headlines in both global and national news media, for example the recent instance of Facebook and its misuse of 87 million users’ personal data. Clearly this is not only an area of GDPR where best practice needs to be adopted but also an aspect where channels can directly help their customers.
GDPR also means that ‘Silence is no longer Golden’ with mandatory reporting of any data breach to the ICO no later than 72 hours after it was noticed. Would you even know when your data has been breached?
In recent years, it has become common practice for employees to bring their own personal devices to the workplace and hook them up to the company network. With or without explicit permission from the employer, and from the managing director down, tablets and smartphones have access to company data. And at the end of each day these devices are taken home.
This Shadow IT, by its very nature, does not have the controls to securely manage and control data. It is therefore inevitable that it represents a very real risk to organisations and, in the context of GDPR, exposes them to the distinct probability of both data breaches and non-compliance with GDPR.