GDPR: Is time running out or is the clock just starting?

Ian Kilpatrick, EVP Cyber Security for Nuvias Group, looks at whether there are still channel opportunities with GDPR. The General Data Protection Regulation (GDPR) will overhaul how organisations...

Ian Kilpatrick, EVP Cyber Security for Nuvias Group, looks at whether there are still channel opportunities with GDPR.

The General Data Protection Regulation (GDPR) will overhaul how organisations store, secure and manage their customers’ data.  EU citizens will have extended rights that include the right to know what information is held about them, the right for that data to be removed, the right to data portability, and the right to be informed if there is a data breach. This data is known as PII (Personally Identifiable Information). The penalties for non-compliance with GDPR are extremely high.

Yet according to research published this year by the Department for Digital, Culture, Media and Sport (DCMS), only 38 percent of UK businesses said they had heard of GDPR – and among those that are aware of it, only a little more than a quarter have made any changes in readiness for the new regulations. It is now late in the day, but GDPR has to be addressed at some point, and as soon as possible, if companies want to avoid fines and reputational damage. The authorities know compliance is an ongoing process, and want to see organisations showing willingness to comply.

As a result, there is still a great opportunity for the channel to get customers started on meeting the challenges of GDPR. Particularly in conjunction with the opportunities around solution selection and implementation, code-of-conduct management and certification.

IT trade association CompTIA has confirmed that the GDPR regulations will also affect ISPs. So service providers will have to ensure that they are meeting GDPR standards, as they are processors of their clients’ data. And they must be able to answer certain questions. If data is processed in the cloud, where is that cloud based? If they are encrypting data, who owns the decryption keys?

Breaches will inevitably happen – this is now an unfortunate fact of life. But if the data is encrypted and proper key management is in place, having a tranche of data stolen leaves no damaged victims. Encryption of data in transit (SSL /TLS) is already almost a de-facto practice, but encryption of data at rest is far less common.

GDPR will be a boon for IT security vendors, particularly those which specialise in encryption and privileged access management. Channel companies should have both elements in their portfolio, if they want to benefit from this market opportunity. And of course, a fundamental requirement is for tools that identify and locate PII (personally identifiable information) since that obviously precedes the deployment of solutions to secure it.

Interestingly, GDPR doesn’t prescribe specific data protection technologies. Instead, it proposes processes, meaning that the channel has broad freedom when it comes to vendor solutions that can satisfy those process requirements.

The channel can also consider offering GDPR compliance audits and evaluation services to customers. This is not just a technology conversation, but it is a means of helping organisations create new policies to identify, secure, report and delete PII, as well as creating security policies that acknowledge reporting. Another potential area for business will be around regular penetration testing which again is still not common practice but again answers some of the ‘due care’ tests of the regulations.

Clients will be relying on their technology providers to help them meet the regulations, and as such, partners need to be ahead of the curve. The role of trusted advisor is a valued one, and so channel firms can use GDPR to strengthen their relationship with existing customers, and create business opportunities with potential new customers that are currently in the dark or confused over GDPR. Given the shockingly low level of take up for GDPR to date, this is a great opportunity for the channel.

It’s important to remember that GDPR is an ongoing opportunity. It’s a continual ‘review and implement’ process rather than merely ‘deploy and forget’. Effective security is a journey, not a destination.


Bio of author

Ian Kilpatrick, EVP (Executive Vice-President) Cyber Security for Nuvias Group

A leading and influential figure in the IT channel, Ian now heads up the Nuvias Cyber Security Practice. He has overall responsibility for cyber security strategy, as well as being a Nuvias board member. Ian brings many years of channel experience, particularly in security, to Nuvias. He was a founder member of the award-winning Wick Hill Group in the 1970’s and thanks to his enthusiasm, motivational abilities and drive, led the company through its successful growth and development, to become a leading, international, value-added distributor, focused on security. Wick Hill was acquired by Nuvias in July 2015.

Ian is a thought leader, with a strong vision of the future in IT, focussing on business needs and benefits, rather than just technology. He is a much published author and a regular speaker at IT events.  Before Wick Hill, Ian qualified as an accountant, was financial controller for a Fortune 50 company, and was a partner in a management consultancy.

For further press information, please contact Annabelle Brown on +44 (0)191 237 3067, email

In this article

Join the Conversation