VP of Customer Experience Aaron talks GDPR

On the 25th May 2018 the EU General Data Protection Regulation (GDPR) comes into effect across the European Union, including the United Kingdom. The EU GDPR is an extension to the already existing UK Data Protection Act 1998 and will come into force in the UK regardless of the outcome of the UK government’s impending negotiations with the EU.

But what does this mean to you? How does it impact your customers, and what can you do to accelerate compliance? This article is designed to make the EU GDPR more digestible and to offer you a practical next step. Are you ready for GDPR?


What is GDPR?

With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals[1]. The EU wants to give EU citizens greater control over how their data is used. Existing legislation pre-dates the boom of internet businesses sharing data, so this single piece of EU-wide legislation is playing catch-up.

It affects companies that trade in products or services in the European Union. This applies to all companies, whether based inside or outside the EU, that collect and store the data of any EU citizen.

The Regulation makes the roles of data ‘controller’ and data ‘processor’ integral to an organisation’s compliance. A data controller determines how and why personal data is processed, while the processor is the individual or organisation handling the data on the controller’s behalf. “The definition of processing is very wide and it is difficult to think of anything an organisation might do with data that will not be processing”[2].


Who does it apply to?

The GDPR places specific legal obligations on both the data controller and the processor. It relates to both ‘Personal Data’ and ‘Sensitive Personal Data’, both defined by the Information Commissioner’s Office. Organisations in the UK have been complying with the DPA for several decades, but the GDPR adds another layer by including ‘online identifiers’, such as an IP address, within the definition of ‘Personal Data’.

It is a controller’s responsibility to ensure that their processor adheres to data protection law, and a processor must themselves maintain records of their processing activities.


What role can you play in accelerating your customers’ compliance with the GDPR?

The global leader in cyber security, Symantec, recently surveyed 900 business and IT decision makers across the UK, Germany and France. The survey revealed that 96% of companies did not fully understand GDPR and 91% expressed concerns about their ability to become compliant[3]. The need to ensure compliance is heightened by the penalty for a breach: a fine of up to 4% of annual global turnover or €20m, whichever is greater. A fine of this magnitude could put many companies completely out of business.

By partnering with intY you are already ahead of many of your competitors in the market, in that you have access to the world’s leading cloud software applications from vendors who have committed to ensuring their products and services enable your customers to become GDPR compliant[4].

As more and more businesses drive data consumption through mobile applications, and as companies’ appetite to profit from data grows ever more voracious, intY and its vendor partners are committed to ensuring you have access to GDPR compliant SaaS solutions.

5 core GDPR rules that require your attention now

Global mandate

A large number of firms that do business in the European market or deal with European customers will have to tackle privacy rules for the first time. Your GDPR-related services can be critical to compliance.

Privacy-by-design

Partners can work closely with security leaders to provide GDPR assessments and determine how services can enable customers to meet privacy-by-design requirements.

Data breach notification

With 72-hour data breach notification, partners can utilise services to become an incident response (IR) orchestrator through managed services or professional services.

Data privacy officer (DPO)

At least 75,000 DPOs will be required by 2018. Partners can consider providing DPO as a service to customers.

Evidence of risk mitigation

Under the GDPR, organisations must demonstrate that they have implemented appropriate measures to mitigate privacy risks. Partners and customers can use services to build evidence of mitigation strategies and controls.

How do I get started?

Here are 4 very simple steps to help you get started in understanding whether you and your customers are ready for GDPR.

Step 1: Discover

Identify what personal data you have and where it resides.

Step 2: Manage

Govern how personal data is used and accessed.

Step 3: Protect

Establish security controls to prevent, detect and respond to vulnerabilities and data breaches.

Step 4: Report

Keep required documentation, manage data requests and breach notifications.

Next Steps

Start thinking now about GDPR and how this affects your business.

Determine if your customers need to be GDPR compliant.

Reassure your customers that through intY, the cloud services they consume will be GDPR compliant.

Learn more about the GDPR and intY security offerings from Microsoft, Symantec, Acronis, Veritas and Sonian.

Pilot your services and offerings with a few customers before you go broad.

All you need to do is ask us for guidance

Give us a call now to discuss how intY can assist you in your preparation for GDPR.
