By Gary Southwell
The regulation and compliance landscape is overflowing with companies of all shapes and sizes, all searching for that perfect solution that will not only meet their unique security needs, but also cover data-privacy compliance requirements. As trusted advisers, it’s our job to deliver a reality check, effective tools and advice to help customers navigate conflicting requirements among state, federal and international laws.
The latest cause of anxiety? The European Union’s General Data Protection Regulation. With GDPR on the horizon, partners are in a prime position to be that trusted adviser customers can rely on to guide them through this uncharted territory.
On May 25, 2018, GDPR will be in full effect. It requires any company that holds personal data on people in the EU (strictly, data subjects in the Union, regardless of citizenship), even if the company is not based in Europe, to adhere to the new regulation or face lawsuits and administrative fines that can go as high as 4 percent of worldwide annual turnover (that is, gross revenue) or €20 million, whichever is greater. To be “GDPR compliant,” companies must be able to identify the EU personal data they hold, manage it properly and protect it from unauthorized access and use. GDPR gives EU data subjects the right to verify and control how their personally identifiable information (PII) is being used, regardless of where or by whom it is housed. Should a breach occur, the company must notify its supervisory authority within 72 hours of becoming aware of it and describe the nature of the breach: the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed in response. Where the breach is likely to result in a high risk to the individuals concerned, they must be told as well, without undue delay.
This is a far shorter timeline than most existing breach-notification regimes, and it places tremendous emphasis on accurate and efficient incident response. Customers must be able to quickly perform analysis to validate a breach and quantify whose records were affected, which presumes they already know where EU personal data lives and can reconstruct what an attacker touched.
Sounds serious, and it is. Yet awareness of GDPR is low across the board, especially among midsize and small companies, even those based in the EU. Many are unaware of, or underestimate, the impact this regulation will have on their businesses and how it will (or should) change day-to-day operations. This creates an opportunity for channel partners able to help customers and prospects understand how GDPR will affect their data storage, security controls and IT infrastructure strategies, as well as overall business operations, scaled to the number and value of their EU customers.
One GDPR change to note is that the regulation mandates a data protection officer (DPO) for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; the 250-employee threshold from earlier drafts did not survive into the final text, and the 250-employee figure now appears only in the record-keeping exemption. In practice many companies fold this duty into a chief data officer (CDO) role, and that is the title used below. Whoever holds it has a significant part in setting strategy and guiding business operations to stay in compliance. In smaller organizations, the role is often a second “hat” worn by a CIO or CTO, a daunting undertaking for a generalist IT executive who must now come to grips with these stringent requirements.
Given the importance of this role, most organizations will not want to outsource it to a third party, where the third party’s own compliance could then be called into question (GDPR does permit an external DPO under a service contract, but accountability for the processing stays with the company). Therefore, the CDO will tend to be an in-house position. Partners should reach out to affected customers and position themselves as trusted sources of advice on best practices. For example, companies should be working now to understand the breadth and depth of EU personal data they house, how that data is used on a daily basis, and how readily it can be exported to another organization or erased on request, since data portability and erasure are rights the regulation grants. The company, typically via the CDO, must be able to liaise with the relevant supervisory authority (for cross-border processing, normally the lead authority of the member state where its main EU establishment sits) to track, manage and report on how data is being handled, and a company with no EU establishment must designate a representative in the EU. It must have a documented process and a named contact for disclosing breach details should unauthorized access occur, because the 72-hour clock leaves no time to work that out after the fact.
Work does not stop once GDPR goes into effect, as other directives will be added throughout the process. While the intention is that this regulation is to apply uniformly across the EU, my take is that GDPR will end up going through a series of clarifications, and there will be an opportunity for each country to “interpret” the rules — especially what must be reported post breach, and when. Therefore, to prove that data privacy regulations are taken seriously, companies must have a living and detailed implementation plan demonstrating a path to compliance, even if finalization of GDPR extends beyond May 2018.
Guidance from channel partners on how to fully comply with GDPR can be extremely helpful to multinationals that are headquartered outside the EU yet maintain sales offices there. U.S. companies with no EU presence, but that hold data on people in the EU, must fully comply with GDPR as well. In fact, for U.S.-based companies, full compliance is more critical because GDPR gives data subjects the right to bring proceedings in the courts of the member state where they habitually reside, so a U.S. company can find itself answering to a court in the individual’s own country rather than at home.
As you can see, it is a complex, changeable and confusing landscape, providing partners an opportunity to keep customers from falling short. An expert who can advise on best practices for implementing the systems and processes that let an organization meet these challenges will have great influence. Partners, start now to educate your team on these rules, their ramifications, and the technologies that can meet them. The payoff will be great, especially for the chief data officer whose career succeeds or fails on the critical decisions that must be made over the coming year.
Gary Southwell is general manager, High Performance Security Products at CSPi (@ThisIsCSPi). Gary is responsible for the development of advanced cyber-threat solutions designed to speed up breach identification while decreasing incident response time, as well as providing uncompromising data security no matter whether it is on premise or in the cloud.