Last year attendees at IP Expo Manchester barely noticed a mention of the EU's forthcoming General Data Protection Regulation (GDPR), but this time around the acronym was everywhere at the show.
Security and storage vendors have seized on the interest in GDPR and have alerted their channel partners to it as an issue that should spark revenue opportunities.
The one slight problem is that many customers are confused about what they need to do to be on the right side of GDPR, and large numbers will be unprepared when the regulation comes into force next year.
Gartner is warning that by the end of 2018 at least 50% of companies that would be affected by GDPR will not be in full compliance with the regulations.
"The GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well," said Bart Willemsen, research director at Gartner. "Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data."
The analyst house has come up with a five-point guide to help customers get ready, including appointing a data protection officer, but for some firms that will not be an option on their own and they will need to turn to the channel for more support.
Gartner is recommending that firms act now if they are to have a chance of being compliant when the GDPR measures come into force.
Mark Sproson, regional sales director Europe at Nexsan, said that the company had seen a surge of interest, but many customers were still at the early stages of getting to grips with their data management and understanding what GDPR would mean for them.
"GDPR is definitely an issue and customers will have more questions," he added. "Most haven't got there and [data] is the business."
Gartner has advised customers that there are certain things they need to be doing now:
1. Determine Your Role Under the GDPR
Any organization that decides on why and how personal data is processed is essentially a "data controller." An organization that processes personal data on a controller's behalf and on its instructions is a "data processor"; under the GDPR both roles carry their own direct obligations, so the first step is to establish which role the business plays for each set of data it handles.
2. Appoint a Data Protection Officer
Many organizations are required to appoint a data protection officer (DPO). Under the GDPR this is mandatory for public authorities and for any organization whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data.
3. Demonstrate Accountability in All Processing Activities
Very few organizations have identified every single process in which personal data is involved. Going forward, purpose limitation, data quality and data relevance should be decided on when starting a new processing activity, as this will help to maintain compliance in future personal data processing activities. Organizations must be able to demonstrate an accountable posture and transparency in all decisions regarding personal data processing activities.
4. Check Cross-Border Data Flows
Data transfers to any of the 28 EU member states are still allowed, as well as to Norway, Liechtenstein and Iceland. Transfers to any of the other 11 countries the European Commission (EC) has deemed to have an "adequate" level of protection are also still possible. Outside these areas, appropriate safeguards such as Binding Corporate Rules (BCRs) and standard contractual clauses should be used.
5. Prepare for Data Subjects Exercising Their Rights
Data subjects have extended rights under the GDPR. These include the right to be forgotten, the right to data portability and the right to be informed (e.g., in the event of a data breach). If a business is not yet prepared to adequately handle data breach incidents and data subjects exercising their rights, now is the time to start implementing additional controls.