Next year GDPR will come into effect and, whether customers are ready or not, the focus on data is only going to increase.
Research has indicated that a significant number of customers are not yet ready for GDPR, particularly in the SME market segment. But is the channel in a better position? We put that question about the readiness of resellers to serve customers out there and gained some insightful responses.
“The channel must understand that GDPR requires a major change in terms of data protection and will require MSPs to make significant changes, but does provide a great deal of opportunities for MSPs to reassess the security of their clients' data.
“By reassessing the situation, MSPs can take advantage of offering a layered approach, giving more comprehensive security services for their customers and at the same time better protect their own IT resources from attacks. One important factor in implementing this layered approach is that clients give MSPs visibility of their entire technology landscape.
“MSPs should already be preparing for the regulation to take effect. IT and Security executives need to work with representatives from business divisions, legal, risk management and other areas on planning what needs to be a collaborative approach. MSPs can help ensure clients are compliant with GDPR while also strengthening their defences against the growing array of security threats.”
"That’s a tough question. Research and market stats indicate that a majority of end users aren’t ready and that many of them intend to wait and see. Which, by the way, is very similar to the response to PCI compliance, where the majority (correctly) did not think that they would be penalised for non-compliance and waited until fines were levied before they reacted.
"As a consequence, GDPR related sales are typically going to those larger or compliance-aware organisations, government departments, and non-governmental organisations (NGOs) that absolutely must be compliant. So there is a significant part of the channel which is ready, prepared and capable of delivering GDPR advice, support and GDPR-ready solutions. Similarly, there are many resellers that are not yet ready.
"Part of the challenge for the channel is that GDPR is designed to be a supporting programme rather than prescriptive. Unlike PCI, which was very clear about the how, why and where of solutions, GDPR is clear about what needs to be achieved in data protection - it does not really define how an organisation should achieve this. It’s not helped by many vendors claiming that they alone have the magic bullet for GDPR, when this is not the case. Typically, customers will already have part of the solution jigsaw and will add additional elements to achieve GDPR compliance.
"Our training and information delivery around GDPR is therefore focussed on supporting the channel in understanding and delivering the additional (often different) elements necessary to ensure that their customers understand and implement only those elements that they need.
"A key element in the GDPR equation is that while interest and activity will continue to ramp up ahead of the 25th May deadline next year, this is not going to be a drop-dead date for GDPR business. Many organisations have, and will have, the bulk of their budgets for GDPR next year, or the year after. Or will find budget when the fines start dropping in 2018 or beyond. However, those partners in the channel who haven’t yet got themselves up to speed need to start doing so or risk being left behind by those who have."
"There is a wealth of research out there demonstrating many customers are not ready for the impending GDPR – there are misconceptions about who needs to comply and confusion around how you can meet the regulation.
"This makes 2018 the golden goose for the channel and vendors: they should be prepared for the opportunity this regulatory upheaval gives them. If you can become your customers’ GDPR guide and consult them on their road to GDPR compliance, then you will reap the benefits.
"While technology isn’t the answer to all of the GDPR requirements, it can solve large parts of the puzzle. Although the majority of vendors out there have a strong message on how their solutions help meet some of its stringent requirements, no one vendor is the answer to the whole GDPR problem.
"What the channel should therefore be aiming for is to bring together a suite of products from vendors that solve the whole problem; including the end to end protection of data, e-discovery capabilities, and search, analytics and data management both on premise and in the cloud.
"If the channel can deliver this with confidence, they should be able to convince their customers to work with them on meeting their GDPR requirements. After all, budgets appear to be geared up and freely available for the long road to compliance."
"With the GDPR enforcement date approaching fast there have been a number of market studies and a lot of discussion in the press saying that organisations are not getting ready quickly enough to be prepared for the 25th May 2018.
In my experience of working with many clients across all industries, I see some common themes emerging in terms of organisations' readiness.
• Firstly, there is now a high level of general awareness of the requirements of GDPR amongst business leaders in all industries.
• Secondly, organisations have typically made good progress in terms of their legal interpretation of the regulation and have often completed new privacy policies and notices.
"However, many organisations are then struggling with transforming these new policies into true, operational capability that enables them to serve the newly enhanced rights of data subjects and to deliver on the other requirements of the GDPR.
This is where IBM is bringing value to clients; by helping them define and create actionable, pragmatic plans, which will enable them to address their most burning GDPR challenges quickly and affordably.
"As more organisations start to hit these challenges, it's crucial that the channel quickly steps up to be able to help companies with specific GDPR challenges.
"At the start of 2017, my sense is that the channel was excited by the business opportunity that GDPR presented but hesitant and uncertain as to how best to add value. This uncertainty reflected the lack of clarity as to how to attack GDPR that was felt by most companies. But as companies start to get a clearer vision as to what actions they will need to take to be ready for GDPR, the pressure is on for the channel partners to quickly establish clear GDPR value propositions.
"In my role at IBM, leading our programme to help our clients with their GDPR challenges, it was clear to me from the start that our channel partners were going to play a crucial part in delivering practical help. Our channel GDPR programme has focussed on achieving two clear goals:
• First: helping our channel partners establish a crystal clear value proposition for GDPR; tightly focussed on specific GDPR use cases,
• Second: creating a collaborative ecosystem of partners in the context of GDPR.
The first of these elements is crucial for the channel partner, as a result of three key factors:
1. The requirements of GDPR are so broad that few, if any, channel organisations are able to provide an end to end solution.
2. There are many organisations making very general claims about their capabilities to address GDPR challenges. Clients are getting smart to this and looking for capabilities that specifically address their GDPR gaps.
3. Clients are uncertain as to how to address the GDPR gaps they are aware of.
In this context, channel partners are more likely to succeed if they can leverage deep technology skills, infused with an understanding of the GDPR, to address specific GDPR use cases such as:
• Data mapping - helping clients understand and document the lifecycle of personal data throughout their business processes
• Data discovery - helping clients use technology to analyse data stores, both structured and unstructured, to detect indicators of identity in data and gathering the metadata about that data to enable it to be managed and governed
• Data governance and management - helping clients design and implement data governance and management capabilities that will enable them to operate in a GDPR conformant manner
• Security controls - helping clients determine gaps in security controls and implement remediations
• Rights of data subjects - helping clients design and implement capabilities to serve data subjects' rights for access, rectification, portability, erasure etc.
• Breach notification to the regulator - helping clients design and implement the incident response capabilities to enable them to be in a position to notify the regulator in the event of a personal data breach within 72 hours.
"Channel partners who can combine their skills with the relevant IBM technologies, that specifically address these use cases, are likely to be warmly welcomed by their clients.
"The need for this tight focus on specific GDPR use cases by channel partners highlights why such a tight focus needs to be placed on creating a partner ecosystem. By working with each partner to establish clear specialism we are able to share across our partner network a map of partners and their capabilities. This enables partners to select like-minded partners with complementary capabilities, to collaborate to deliver greater value to end user clients. We have already seen some great examples of this, for example, where a partner specialising in unstructured data discovery regularly works alongside a partner that specialises in structured data discovery, in order to give a complete data discovery solution.
"The pace of activity in our partners has really accelerated over the past couple of months. IBM is determined to help our community of partners deliver great value to their clients in the context of the GDPR; both by establishing focussed, specific value propositions that address GDPR use cases and also by maturing our GDPR Partner Ecosystem to enable partners to collaborate and deliver even greater value to clients."
Steve Norledge, GDPR leader, IBM UK & Ireland
"There’s no easy path to across-the-board compliance, especially as more cross-border regulations are enacted. In fact, a recent study by Vanson Bourne found that 90% of respondents say that there will be regulations that represent a challenge to their organization with regard to meeting the EU GDPR.
"Many previously unregulated companies are going to have to discover sensitive data, protect it from malicious actors, and prove to regulators that they have sound data security policies in place. GDPR is putting pressure on more organizations to adopt data security best practices and this will result in a higher demand for security products and professional services from resellers and integrators.
"The channel needs to understand how their portfolio of products maps to the articles of GDPR and how to pitch them within the frame of GDPR compliance projects. They can also work with vendors to design new service offerings to help customers not only meet the regulation, but to develop a unified security strategy as a long term solution to address data privacy standards and security policies."
Liam Bridge, Channel Manager UK, Ireland & Middle East, Varonis
"We will likely see a range of responses and capabilities within the channel. Those who are subject to GDPR will need to comply with its terms. They will build and utilize solutions that allow them to become GDPR compliant as of its effective date. Others will adopt a basic compliance strategy and still others will likely make no attempt to comply. Transparency and reporting should be expected by the majority of the channel.
"As a business opportunity, keen managed service providers (MSPs) subject to GDPR should have the solutions ready to meet the demands of businesses who need outsourced support in the way of data protection, monitoring, and management to help ensure compliance with GDPR. MSPs that adopt such strategies may be more successful as they will likely play a consultative role and serve as a GDPR partner with their customers. The success of the channel and the success of the business (end-user) are tightly intertwined."
Tim Brown, VP Security Architecture at SolarWinds