When it comes to historical significance, the date of 25 May can lay claim to some memorable events: President John F Kennedy’s announcement in 1961 that the US would put a man on the moon before the end of the sixties, the Edict of Worms in 1521 outlawing Martin Luther and his followers, Oscar Wilde being sentenced to two years in prison in 1895, Henry Ford announcing the end of production of the Model T, Jesse Owens equalling/breaking four world records in 45 minutes and the release of the first Star Wars film in 1977.
In 2018, it is significant for marking the date on which the General Data Protection Regulation (GDPR) takes effect, after which errant organisations could face fines of up to €20m or as much as 4% of worldwide annual turnover. With the deadline fast approaching, have companies left it too late to become compliant in time?
“There is still time to make the deadline,” says Rob Wilkinson, corporate security and channel specialist at Smoothwall, “but many companies are cutting it fine.” He warns that “smaller-sized businesses are less likely to make it, as many large organisations will have employed dedicated GDPR-compliance roles to their ranks – a luxury most SMEs cannot afford”.
The good news is that a lot of what is required “is just good business practice, i.e. knowing where information is held, how it moves through the business and what it’s used for, and you would expect a large number of businesses to already have at least parts of the process complete”.
It doesn’t need stating that smaller-sized businesses are more likely to be reliant on channel partners for much of their IT requirements, so GDPR should be a good opportunity for those partners as well.
Dr Guy Bunker, SVP of products at Clearswift, urges companies not to give up on trying to become compliant. “It’s never too late to start!” he exclaims. “It is unlikely that more than 25% of businesses in the UK (and across the EU) will be fully compliant in time for the May deadline, so if you haven’t started, you are not alone.”
He believes businesses should look at where the differences are between how they are currently regulated and what is required by GDPR and work out how they can fill the gaps. For those inclined to put it off for another day, he adds: “Prevarication is the biggest enemy to compliance so start today.”
Matt Lock, director of sales engineers at Varonis, acknowledges that although “the number of business days left until the deadline is rapidly diminishing, taking some action to get control of data is better than taking none. There’s real scope for the channel to support customers - and there’s still time to take measures which can make a big difference”.
The main thing businesses should do, he argues, is to map their environment and establish a data asset register of what sensitive data is held and where. Vendors can help “by providing the channel with the skills they need to help customers prepare”. Varonis, for example, is training partners to deliver a risk assessment “which is carried out when a company needs insight into how much of their data is exposed and at risk. These assessments have helped thousands of companies to identify where all their sensitive, overexposed and classified data is located within the organisation”.
The consensus definitely seems to be that it’s never too late to make a start with GDPR compliance. Chris Glynn, principal consultant at ECS, warns that “putting your head in the sand and ignoring the arrival of the GDPR will rightly leave you exposed to the harshest penalties. Instead, review what you have to do, put a plan in place and start acting on it. You won’t be the only organisation that hasn’t finished preparing for GDPR, just don’t be one of the organisations that doesn’t even have a plan”.
Steven Kenny, industry liaison, architecture & engineering at Axis Communications, seeks to offer some reassurance for those that miss the deadline, arguing that “the Information Commissioner’s Office (ICO) isn’t going to start handing out fines to every business that remains non-compliant by the 25 May deadline”. Nevertheless, companies need to appreciate that a data breach after the deadline “will have significantly more severe consequences in comparison to a data breach tomorrow”.
The role of the ICO is something taken up by Howard Freeman, UK channel manager at ZoneFox, who notes that there’s a misconception the ICO is “some form of overbearing overlord. For anyone concerned about the ICO’s rulings, it’s important to remember that, in the initial stages, all that is required is for a company to be actively working towards a baseline of compliance”. He says “there’s no excuse” for companies not to try and demonstrate that they are at least attempting compliance.
Concerns over meeting the GDPR deadline should provide a focus for channel partners, claims Tim Brown, VP of security architecture at SolarWinds MSP. “One of the things the channel should focus on is their customers’ preparedness.” Partners can help customers build external privacy statements, security statements, cookie policies and GDPR readiness statements. Internally they can help with data mapping, data rights procedures and security of personnel data.
And whatever else happens, channel partners and their customers should always bear in mind, as Phil Heap, product & services director at Crayon Group stresses, “that GDPR will continue to run beyond May; GDPR is a continuous set of processes, not just a deploy and leave situation. The channel should be telling customers that it’s never too late. Even if very little has been done so far there are things that can be put in place to make a difference and show best endeavours”.
John Andrews, EMEA channel director at Centrify, also believes the channel can play a big part in helping businesses that have left their preparation for GDPR compliance so late. He says that uncertainty over the requirements for GDPR can help partners to “be seen as proactive leaders in a market that for many years has seen a power shift to the customer, simply because of available information (Google) and the increased desire for internal and independent decision making from the CISO/CIO level”.
He suggests GDPR could help partners move from the perception of being “reactive order processing agents for many vendors” and become a platform for vendors “to empower their channel partners to reach the heights of respected, admired, trusted advisers. True partners”.