Implemented on 25th May 2018, the General Data Protection Regulation (GDPR) was designed by the EU to improve data security and enhance the rights of citizens with respect to information held by organisations about them. Under the legislation, data subjects will have extended rights to:
- Access the information held about them.
- Change the information held about them.
- Remove information held about them.
- Be informed in the event of a breach of their data.
- Be able to move their data between organisations (portability).
Known as Personally Identifiable Information (or PII), this key data must now be stored, managed, processed and secured in accordance with some very strict guidelines.
So, time has now officially run out for GDPR compliance and organisations must observe the new legislation or face huge financial penalties.
Yet numerous surveys and reports suggest that only a few weeks before the deadline only a third of businesses were compliant. Hardly surprising when you consider that just a few months ago, the Department for Digital, Culture, Media and Sport (DCMS) reported that only 38% of UK businesses were even aware of GDPR. Of those that had an awareness of the legislation, only a quarter had made any progress towards compliance.
Understandably, the government has had concerns over how quickly this situation could be turned around and the lead up to the deadline was awash with information being published and issued by local government departments including the Information Commissioner’s Office (ICO).
The authorities are all too aware of the challenges faced by many over compliance with the GDPR and are expected to be lenient in the first few stages of implementation. They understand that compliance is an ongoing process.
Compliance (and willingness to comply) will be a major factor over the coming months in avoiding costly fines and the potential for devastating damage to reputation. Unlike the countdown to the Millennium Bug, 25th May 2018 wasn’t a critical milestone that, having passed without incident, you can now ignore. Complying with GDPR is an ongoing process which must be incorporated into all your data collection and management processes.
There aren’t many organisations who aren’t affected by these new requirements. From the health and financial sectors to manufacturing and retail, PII is a cornerstone of the way most businesses, and often their partners, operate. Consider the tech sector and how ISPs process client data. If they use cloud technology then GDPR processes will be affected by questions such as where those clouds are based, how the data is encrypted and who holds those encryption keys.
Although breaches are inevitable, if secure encryption is in place then there is a limit to the damage suffered by victims of the breach. Data in transit is usually encrypted as a de facto standard, but data at rest is less commonly encrypted.
GDPR doesn’t prescribe the technologies used for data protection but, instead, outlines the process. This means that organisations are at liberty to choose the technologies most suited to their business in order to satisfy these requirements.
In fact, GDPR is a huge opportunity for many channel companies to offer solutions to clients based on a broad range of offerings to help achieve GDPR compliance. Evaluation and auditing tools and services are fast becoming a big seller as companies struggle to understand the extent of PII capture, processing and storage within their systems.
The ability to create and implement policies on GDPR is limited without the tools to identify the data in the first place. Coupled with penetration testing to meet the ‘due care’ elements of GDPR, these tools leave technology providers well-placed to ensure a smooth transition to compliance for most businesses.
Crucially, the success of GDPR will not be judged by the victims who fall foul of the first penalties or suffer the bad press of a data breach. It will be judged as an ongoing process of continual development to meet the aims of the legislation, improve data security and empower the people whose data and personal privacy are at stake.
Yes, the deadline for GDPR compliance may well have passed but the clock has only just started for the journey forwards to meet these goals.