Whether you are a small business that sells customized T-shirts online, operate a digitally powered startup service offering SEO and digital marketing consultancy, or are a giant in the cloud-based service industry — your world is about to change because of the need for GDPR compliance.
Anybody who does business, or even engages with people online for business-like or networking purposes, has to store at least some sort of data related to its stakeholders. It could be a list of customers and their home addresses for an online retailer, the enterprise network details and employees’ lists of a company for a cloud service provider, and credit card information of millions of web users for a payments gateway solution provider. Data is power, it’s expensive, and it’s sacred. Data theft and privacy breaches are the biggest worries keeping business leaders and cybersecurity wizards awake at nights. That’s why the world is moving toward structured regulations for data security and privacy. Right at the pinnacle of this movement is GDPR (General Data Protection Regulation). This is a set of regulations slated to be put in place as legally enforceable by the European Union. GDPR is a consolidated set of rules and regulations around data privacy laws, and applicable to all members of European Union — and to any business or individual that exchanges data electronically with an EU citizen. The deadline for GDPR compliance is getting near: It’s May 25, 2018. If you haven’t come up with a GDPR compliance plan yet, you’d better get started. Like right now.
GDPR compliance: ‘The right to be forgotten’
“The right to be forgotten” is not some sci-fi breakup story; it’s one of the most contentious tenets of GDPR compliance. The right empowers any EU citizen to ask businesses to remove his or her personal data from their databases. It’s a nightmare in the making for business organizations.
A Veritas study recently showcased how several organizations were concerned that they didn’t have the capabilities to be able to search, identify, and erase personal data of any person from their systems. Purging or removal of anybody’s personal data poses significant challenges to all kinds of organizations. In most databases, such records are maintained in sequential order, and are cross-linked with several other databases. The maintenance of these cross-links is one of the key hygiene factors for databases. And by reviving one block from one database can render several nodes of interconnected data tables unstable. However, shortcomings that render companies incapable of deleting user information when asked to will also mean they are not in GDPR compliance.
Most organizations are mistaken when it comes to GDPR tenets related to the responsibility of data privacy and security. Whereas most organizations believe that their cloud service providers are responsible for ensuring data protection, it’s actually the “data controller” (that’s the organization that owns the data) that needs to ensure this.
Do you understand the nuances of ‘responsibility’ as defined by GDPR?
Now, there are cybersecurity and data science experts that recommend organizations treat these stringent measures as an opportunity. Businesses that nurture a culture of data protection, secure practices of data exchange, and information privacy, are also the ones that will be able to ensure complete data protection (as GDPR wants it).
However, many modern businesses have adopted hybrid cloud models, with multiple cloud platforms, vendors, and service models involved in the entire ecosystem. For such organizations, now’s the right time to ensure that all vendors are sufficiently aligned with the expectations of GDPR.
Are you keeping your data secure from former employees?
A key requirement of GDPR is that organizations need to implement strong practices to make sure that former employees are not able to access their systems. This includes locking their usernames and credentials in applications, removing their accesses to shared documents and drives of the organization, and making sure that their exit is subject to thorough documentation and system checks. Unfortunately, the fact that former employees and contractors are able to access their systems even after their departure from the company can put thousands of businesses at the receiving end of penalties from GDPR. So, make sure your organization starts building practices to ensure system sanctity.
Are you under false impressions you are already GDPR compliant?
Do you know what’s worse than not being GDPR compliant when the regulations become legally applicable? It’s the false impression of being compliant, and not making the necessary efforts because of the false beliefs.
In the Veritas survey we talked about, a group of respondents (representatives from organizations) claimed that their organizations were already in GDPR compliance. However, when specifically questioned about the regulations, they gave answers that contradicted their beliefs. In fact, the survey revealed that only 2 percent of the surveyed organizations were actually in a state of GDPR compliance.
Visibility of personal data loss incidents is surprisingly low among enterprises. A huge percentage of them are incapable of detecting and reporting a data breach within three days of such an event taking place. All these are deep pitfalls that any enterprise will find difficult to navigate as it tries to reach the safe side of GDPR.
To fare better, make sure you start engaging consultancy services that can objectively evaluate your business’ true GDPR readiness.
Have you budgeted for the expenses of being GDPR compliant?
Veritas’ research revealed that firms are forecasting investment of $1.4 million at an average to ramp up security practices for being GDPR ready. The amount is massive for small businesses; no wonders, several small businesses fear for their existence on account of GDPR noncompliance. However, rather than being consumed by panic, your organization would do well to identify cloud-based solutions that you can avail to make your company data fully secure and compliant with GDPR. Because such services can be purchased in the form of monthly subscriptions, small businesses can effort GDPR-compliance quality infrastructure because of them.
GDPR compliance is going to be a regulatory reality sooner than you think, so now’s the time to take stock and do whatever is necessary to hit the May 25 deadline.