Quick ‘n’ dirty analysis

Europe’s General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying “buy our stuff or risk fines up to 4 per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad and what should you do?
If you trade in or with an EU country and record personal data from customers and others then you will be affected by the GDPR, which applies from May 25, 2018, and will likely increase your costs.
What is GDPR? It is meant to return to EU citizens control of their personal data, giving them, for example, a right to be forgotten, and the ability to ask suppliers: “What personal information of mine do you record and what have I consented* to regarding it?”
Personal information can include a name, home address, photo, email address, bank details, social networking website posts, medical information, and even a computer’s IP address. The regulation separates suppliers into data controllers and data processors.
A data controller decides why and how personal data about EU residents is collected and used, while a data processor processes that data on the controller’s behalf and on its instructions. As you delve deeper into the regulations they get steadily more complex; it’s like trying to understand the shape of a jelly.
Junk mail direct marketing people will obviously be particularly affected.
OK? Your business needs to be GDPR-compliant but – this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test.
At an A3 GDPR session, lawyer Renzo Marchini – partner for privacy, security and information at Fieldfisher – said the regulation is non-prescriptive. There is no black-and-white compliant/not compliant state. It’s fuzzy.
You can’t verify compliance; all you can establish is readiness. Wonderful.
To be GDPR-ready means your internal processes and procedures meet the GDPR regulations in spirit.
So virtually all you can do is check with your country’s independent supervisory authority (SA), which in the UK is the Information Commissioner’s Office (ICO), that you are (probably) compliant. If EU individuals complain that you are not and you say you are then the issue may go to court to establish case law. Great.
Suppose you just want the GDPR issue dealt with, and order an SKU or contract with somebody to fix it. Tough luck. Anyone selling a GDPR compliance kit is flogging snake oil. They don’t exist.
Ricky Patel, UK and Ireland channel sales director at Wasabi, says there is no uniform GDPR kit. Every vendor has their own – limited – take on it. And every organisation is different.
GDPR is both IT-applicable and people-and-procedures applicable. Businesses need to go through a data discovery process; relatively easy with digital documents and mail but considerably harder with multimedia material, if they have any.
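To show what the digital-document end of that discovery sweep actually looks like, here is an added example in Python; it is not code from the article or from any supplier it mentions. It scans a handful of constructed sample documents (the file paths, contents and addresses are all made up) for two of the personal-data types listed above, email addresses and IPv4 addresses, filters out dotted numbers that merely look like IP addresses, builds a per-file inventory, and answers the “what do you hold on me?” question for one person.

```python
import re
from collections import defaultdict

# Constructed sample documents (not real files) standing in for what a
# discovery sweep of file shares, CRM exports and mailboxes would read.
SAMPLE_DOCS = {
    "crm/export.csv": (
        "name,email,notes\n"
        "Alice Example,alice@example.com,last login from 203.0.113.7\n"
    ),
    "support/ticket-1042.txt": (
        "Customer bob@example.org reports failures from 198.51.100.23 "
        "and again from 203.0.113.7.\n"
    ),
    "hr/handbook.md": "Holiday policy: 25 days plus bank holidays.\n",
    # Looks like an IP address to a naive regex but is a build number.
    "build/release-notes.txt": "Shipped build 300.400.500.600 to staging.\n",
}

# Deliberately simple patterns: good enough to find the obvious cases,
# which is the point of a first-pass inventory.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_ipv4(candidate: str) -> bool:
    """Reject dotted quads with an octet above 255 (version/build numbers)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def scan_text(text: str) -> dict:
    """Return {category: sorted unique matches} for the data types found."""
    found = defaultdict(set)
    for email in EMAIL_RE.findall(text):
        found["email"].add(email.lower())
    for ip in IPV4_RE.findall(text):
        if is_ipv4(ip):
            found["ipv4"].add(ip)
    return {category: sorted(values) for category, values in found.items()}


def inventory(docs: dict) -> dict:
    """Map each document path to the personal data it holds.

    Documents with no hits are left out so the result is a usable
    register of where personal data actually lives.
    """
    result = {}
    for path, text in docs.items():
        hits = scan_text(text)
        if hits:
            result[path] = hits
    return result


def subject_access_lookup(docs: dict, email: str) -> list:
    """List the documents that mention a given person's email address."""
    email = email.lower()
    return sorted(
        path for path, hits in inventory(docs).items()
        if email in hits.get("email", [])
    )


if __name__ == "__main__":
    for path, hits in inventory(SAMPLE_DOCS).items():
        print(path, hits)
    print("alice@example.com appears in:",
          subject_access_lookup(SAMPLE_DOCS, "alice@example.com"))
```

Against the constructed documents the inventory lists the CRM export and the support ticket and nothing else: the handbook has no personal data and the release note’s dotted quad fails the octet check. Real runs need the same treatment for names, postal addresses and the rest of the list above, plus a walker over the actual shares, which is where the hard work and the multimedia problem start.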
Shadow IT could be a nightmare because, by definition, you don’t know about it. Better get learning.
Reputable suppliers will sell you products that extend others to facilitate GDPR compliance. Joe Garber, global head of information management at Micro Focus, says his company has eight such pre-packaged GDPR starter kit products.
Mimecast has similar GDPR email capabilities, ditto Quantum with its data protection products.
Garber says organisations in less-regulated industries are being pulled full tilt into GDPR. Does that mean GDPR represents an enlargement of the total addressable market for data protection and governance suppliers?
He said: “Yes, no question – you’re bringing in new use cases. Also investigation and e-discovery.” It’s a big boon for e-discovery and legal hold system sellers.
The flip side of that is that organisations’ costs will go up if they are affected by GDPR.
Suppose you think to yourself it’s a storm in a teacup, like the Y2K issue, and doesn’t matter? Bob Plumridge, director and treasurer for SNIA Europe and former Hitachi Data Systems CTO, said: “That’ll be the case for the vast majority but for 20 per cent or so it will involve fines.”
The fines might be quite small, at first, unless the local watchdog decides to make an example of somebody.
You can buy GDPR consultancy services, such as this one from Jawbone. We have no idea how good it is.
But, before doing that, check to see if your country’s supervisory authority offers readiness-checking services. In the UK there are self-service ICO checklists like this one.
If you find out there’s more to be done, note that you’re barely five months away from the deadline, and should probably assign a senior bod to get you ready. Consultancies like Quocirca, Freeform Dynamics, and the 451 Group may be able to offer help to that lucky person. Another route for getting help is a GDPR-skilled legal eagle.
The basic message here is to take the self-checking test and then, if you need to act, prepare to spend people, time and money, potentially quite a lot of money, to appease the priests at your local GDPR temple, because there’s no way out. GDPR is a tax you are going to have to pay. ®
* Marchini says the consent part of the regulations can be particularly onerous and he suggests his clients take that word out of their contracts with people.
Original article source: https://www.theregister.co.uk/2017/12/19/quick_guide_for_gdpr_laggards/