Published/updated: December 2017
By Bryan Betts
The deadline for GDPR is now less than six months away, and to judge from surveys carried out by vendors and publishers, a significant number of organisations don’t think they will be ready for it on time, while some say they have barely even started planning for it.
But what do “ready” and “on time” mean in this context? That was one of the most interesting topics that arose last week, when I participated in a round-table discussion of GDPR with people from around the data industry. We all had different perspectives on the topic, yet we found a lot of common ground to agree upon.
One of the biggest issues with the GDPR is that it is not directly prescriptive. It is more of a journey, and compliance is not something that you can buy off the shelf. Compliance is a corporate mindset, one that must be implemented via processes and policies, although of course having the right technology foundation will make it easier to implement those processes and simplify the task for your people.
Despite its reliance on terms such as ‘fair’, ‘reasonable’ and ‘appropriate’, which will probably need to be tested in court, the GDPR is widely expected to become the de-facto standard for privacy world-wide. One reason is simply that any organisation anywhere which processes the personally identifiable information (PII) of people in the EU must follow the GDPR (note that the regulation’s own term, ‘personal data’, is broader than PII as many IT teams define it, covering anything that relates to an identifiable individual, including online identifiers), so it makes sense to apply the same rules to all the PII that the organisation handles.
So if your organisation is one of those that doesn’t expect to be ready by ‘GDPR Day’, what can you do? The vital thing is to plan, rather than panic – all the signs are that the data protection regulators’ main aim is to help, not punish – there’s no indication that they will be issuing €20 million fines from day one (the regulation’s upper tier is €20 million or 4% of worldwide annual turnover, whichever is higher).
That said, it is absolutely essential to engage with the GDPR and show willing – to show you have already taken steps, and that you have a road-map for more. The regulators will not tolerate egregious or reckless disregard for the GDPR – indeed, I expect them to be on the look-out for organisations behaving like this. Hitting one of them with a fat fine for a reckless data breach could be just what’s needed to encourage others to fall into line.
And for many organisations, GDPR compliance may not be that onerous, especially if you already handle customer data fairly and transparently, and if the processing of PII is not your main business. As one of the others commented, “If you’re compliant now, that’s a good starting point.” Yes, GDPR does add to the requirements – in particular, most will need extra record-keeping (a documented record of processing activities), you must have procedures for breach notification (to the supervisory authority within 72 hours of becoming aware of a breach, where feasible, and to the affected individuals where the risk to them is high), and people have new or expanded rights over their PII, such as data portability and erasure. However, the compliance mindset and the underlying processes should carry over.
With all that in mind, here are some top tips culled from my notes. They are not exhaustive, nor are they in an absolute order, but they are all key steps along the road to working with the GDPR, not against it.
In summary then, whether you’ve already started your GDPR planning or not, don’t despair! Some organisations – those who hold little PII, or who touch it only in one place, say – should find it relatively easy. It will be harder for others, but even here the key thing is to get moving as soon as possible, cover as much as you can by GDPR Day, and have a solid road-map for covering whatever remains.
And in any case, these are all things you should be doing anyway – in this respect, GDPR is merely the motivating force that will embed them as the standard operational practices that they already ought to be. Things such as access controls, the ability to find all the data you hold on an individual and thoroughly delete it, and of course having in place privacy policies, documented procedures and properly negotiated contracts with the third parties that process data on your behalf.
Hearty thanks to my fellow GDPR-watchers for their expertise and observations: lawyer Renzo Marchini from Fieldfisher; Joe Garber, the global head of product marketing, information management & governance product group at Micro Focus; Ross Jackson, vice president of customer transformation & innovation at Mimecast; Stéphane Estevez, the worldwide product marketing manager for backup and DR at Quantum; Danny O’Neill, senior manager cyber security UK at Rackspace; and Ricky Patel, UK&I channel sales director at Wasabi.