The General Data Protection Regulation (GDPR) will overhaul how organisations store, secure and manage their customers’ data. EU citizens will have extended rights that include the right to know what information is held about them, the right for that data to be removed, the right to data portability, and the right to be informed if there is a data breach. This data is known as PII (Personally Identifiable Information). The penalties for non-compliance with GDPR are extremely high.
Yet according to research published this year by the Department for Digital, Culture, Media and Sport (DCMS), only 38 percent of UK businesses said they had heard of GDPR – and among those that are aware of it, only a little more than a quarter have made any changes in readiness for the new regulations. It is now late in the day, but GDPR has to be addressed at some point, and as soon as possible, if companies want to avoid fines and reputational damage. The authorities know compliance is an ongoing process, and want to see organisations showing willingness to comply.
As a result, there is still a great opportunity for the channel to get customers started on meeting the challenges of GDPR, particularly in conjunction with the opportunities around solution selection and implementation, code-of-conduct management and certification.
IT trade association CompTIA has confirmed that the GDPR regulations will also affect ISPs. So service providers will have to ensure that they are meeting GDPR standards, as they are processors of their clients’ data. And they must be able to answer certain questions. If data is processed in the cloud, where is that cloud based? If they are encrypting data, who owns the decryption keys?
Breaches will inevitably happen – this is now an unfortunate fact of life. But if the data is encrypted and proper key management is in place, having a tranche of data stolen leaves no damaged victims. Encryption of data in transit (SSL/TLS) is already almost a de facto practice, but encryption of data at rest is far less common.
GDPR will be a boon for IT security vendors, particularly those which specialise in encryption and privileged access management. Channel companies should have both elements in their portfolio, if they want to benefit from this market opportunity. And of course, a fundamental requirement is for tools that identify and locate PII (personally identifiable information) since that obviously precedes the deployment of solutions to secure it.
Interestingly, GDPR doesn’t prescribe specific data protection technologies. Instead, it proposes processes, meaning that the channel has broad freedom when it comes to vendor solutions that can satisfy those process requirements.
The channel can also consider offering GDPR compliance audits and evaluation services to customers. This is not just a technology conversation: it is a means of helping organisations create new policies to identify, secure, report and delete PII, as well as security policies that cover breach reporting. Another potential area for business will be regular penetration testing, which is still not common practice but which answers some of the ‘due care’ tests of the regulations.
Clients will be relying on their technology providers to help them meet the regulations, and as such, partners need to be ahead of the curve. The role of trusted advisor is a valued one, and so channel firms can use GDPR to strengthen their relationship with existing customers, and create business opportunities with potential new customers that are currently in the dark or confused over GDPR. Given the shockingly low level of take up for GDPR to date, this is a great opportunity for the channel.
It’s important to remember that GDPR is an ongoing opportunity. It’s a continual ‘review and implement’ process rather than merely ‘deploy and forget’. Effective security is a journey, not a destination.
The author, Ian Kilpatrick, has been a prominent figure in the security channel for many years and is EVP Cyber Security at the Nuvias Group.