Given that fines for non-compliance with GDPR – the EU’s General Data Protection Regulation, which comes into force on 25th May 2018 – could rise to as much as 4% of global turnover or €20 million, it is perhaps surprising that GDPR isn’t higher up the board agenda.
In its recent FTSE350 Cyber Governance Health Check Report, published earlier this summer, the Government stressed that businesses need to continue preparing themselves for the ‘responsibilities that come with GDPR requirements’. However, in an associated survey, a troubling 60% of respondents reported being at best only somewhat or ‘slightly aware’ of the GDPR requirements for their business. Just 6% reported being completely prepared for GDPR, despite it coming into force in less than nine months – prompting the Government to advise that it is now crucial for companies to step up their preparations for meeting GDPR compliance requirements.
Perhaps because GDPR is already law in EU member states – but won’t actually be enforced until 25th May 2018 – many UK businesses simply assumed that, post-Brexit, GDPR would no longer apply. Or perhaps others assumed that – much like the Y2K or Euro introduction non-events – GDPR might turn out not to be such a big deal. Unfortunately, neither of these excuses is any help: GDPR is already on the UK statute books, and the potential fines and reputational damage from non-compliance make the issue one of risk management for many boards.
Complacency isn’t an option
While the UK Information Commissioner has been careful not to frighten businesses – suggesting that GDPR non-compliance fines are likely to be much lower than the maximum 4% of global turnover – there’s still a pressing requirement for firms to establish exactly what they need to do in order to comply.
GDPR compliance needs to be an ongoing process
While a review of all the IT systems being used to track customer data is clearly a necessary part of the exercise, ensuring GDPR compliance is predominantly an issue of process management and adherence. The path to compliance means making processes for harvesting, storing, retrieving and deleting data compliant. However, once a business technically achieves GDPR compliance, that can’t be the end of the process.
What happens, for example, if someone – intentionally or otherwise – gets hold of your process-compliant data and dumps it on the web? Oops, suddenly your business is not only non-compliant, but you can be sure that the GDPR ‘police’ are going to hear about it and come investigating. Only last month, an Equifax breach exposed the social security numbers and other data of almost 143 million US citizens, as well as people in the UK and Canada. These things do happen, and businesses are going to need processes in place to protect not just the control of personal data but also its processing.
Not just a technology issue
While GDPR is much more than a technology issue, it’s definitely worth identifying which technologies can assist businesses in gaining GDPR compliance. For example, you’ll need some form of technology to help you satisfy the requirement for explicit opt-in from data subjects, you’ll need secure means of collecting customer information, and you’ll also be required to identify immediately any customer data that’s been exposed in a breach.
For those businesses only just starting to think seriously about their GDPR compliance strategy, there really isn’t much time to consider the 50+ elements of a business that can expose your digital customer assets to vulnerabilities – let alone how to remedy them. When it comes to documenting processes, implementing vulnerability scanning and carrying out the ongoing application testing necessary to ensure security, it’s very unlikely that you’ll have all the skills in-house to meet both your process and technical needs.
The good news is that there’s now a growing number of specialist UK and European Sales Partners – 80 at the last count – who are in a great position to bring together many of the key technologies and expertise that organisations will need to manage their way through what now looks like the biggest change in data protection regulation in nearly 20 years.
Analyst firm IDC estimates that GDPR-related security spending will be significant, peaking at just over £1 billion of activity by 2020. For channel businesses, it’s a great opportunity – and one that can start simply by asking businesses what they’re doing about GDPR compliance and security.
The key for the channel will be to first identify those businesses currently struggling with their GDPR compliance load. Rather than just selling software, however, look to provide a more comprehensive managed security offering that will not only support their GDPR programmes but also deliver the kind of ongoing managed security services that will help ensure they remain compliant.
Guest blog by Stephen Hackett, Managing Director, Intelisys Global
About Intelisys Global
Intelisys Global is one of the world’s leading technology services distributors of business communications services, including voice, data, access, cable, collaboration, wireless and cloud. Intelisys Global is dedicated to one thing – serving the needs and accelerating the success of the industry’s top-producing telecom sales agents, VARs and IT solution providers as they build vast and vigorously protected streams of recurring revenue for their businesses.
Today, Intelisys Global is focused on empowering and educating the independent sales channel by assisting business customers of telecom and cloud technologies in making informed choices about services, technology and cost savings; increasing their purchasing power; protecting their contracts; and increasing their revenue opportunities. Intelisys Global delivers the best carrier-neutral solutions to end-user customers through its Partner community – an elite global network of telecom sales and consulting professionals.