A leading study from March 2018, which surveyed nearly 500 IT Decision Makers, found that a significant number of businesses lacked the systems needed to meet GDPR's data management requirements: continuous encryption of personally identifiable information across cloud and on-premises servers, and data breach monitoring.
Although nations have their own regulations governing data privacy and security, the focus now is fully on individual organizations’ ability to embrace GDPR without reservation. This is understandable given the cost impact of noncompliance by companies; in fact, one can safely assume that from this financial year onwards organizations will have a dedicated budget for regulatory compliance and data security.
Companies in Europe are already setting aside an average of $1.4 million as part of their GDPR readiness efforts. The scene is no different in the US, where companies are spending $1–$10 million on GDPR readiness. It is also likely that as organizations' data pools continue to grow, evolve and move, they will start institutionalizing programs on data privacy, security and user experience.
In keeping with the GDPR readiness imperative, organizations are taking measures on a war footing, but they may not be fully compliant with the regulation when it comes into force. The survey mentioned above shed light on three important trouble spots that can cause unforced issues in GDPR compliance.
Fundamental shift in encryption
Continuous encryption can be complicated to implement in modern environments. Understandably, all eyes are on the IT Decision Maker (ITDM), who has to effectively control and manage infrastructure spanning on-premises systems and cloud service providers. Although appropriate levels of encryption and anonymization are a requirement for GDPR compliance, organizations run a risk when managing security and encryption across virtual machines and hyper-converged infrastructure. The ITDM therefore needs to invest in technology that provides a single-point view of the entire encrypted environment, from endpoints and IoT devices to servers and virtual machines in mixed cloud environments, all manageable on one screen.
Implications of data rights and unaudited storage locations
As GDPR shifts the balance of ownership of personal data from the company to the individual, the individual gains greater rights to decide how corporations use their data. This means that a business cannot use its customers' IP addresses, mobile IMEI numbers, SIM card IDs, website cookies and similar identifiers for targeted advertising or any other purpose without that consent.
With GDPR giving individuals the "right to consent" and the "right to be forgotten," organizations face a significant challenge: many do not have systems that can automatically remove data at short notice. Additionally, there is the threat of data moving, accidentally or intentionally, out of a jurisdictional domain, which is compounded by the fact that a significant number of companies do not always conduct security audits of the storage locations used by their data processing and storage partners.
Surveillance & breach reporting capability
In the event of a breach or data loss, many organizations do not have the tools or the talent to deal with the crisis. Although organizations have to report a breach to the relevant data protection authority within 72 hours of discovery, a significant number of them do not have processes in place to meet this stipulation. In fact, WinMagic's survey showed that 41% of respondents are still unable to meet this criterion, and that 33% lacked confidence in their systems' ability to identify a breach.
Rise of protectionist regimes
GDPR may prompt other regional blocs to bring out their own versions of a data protection regime. Although many countries maintain their own data privacy and security regulations, a blurred line has separated the rights of the individual from those of the organization. GDPR has removed this ambiguity in data management. Of course, there are murmurs in certain quarters that data protection should be driven not by the fear of contravention, but by the need for accessibility and user experience.
However, striking the right balance is a challenge for both businesses and regulators. In any case, GDPR remains a benchmark for future data privacy regulations because it is creating an ecosystem of compliance. At its core, GDPR is not about individual or corporate rights; it is about gaining and maintaining consumer trust. Companies that understand the opportunities of using data, within the regulatory framework, for business development and innovation will benefit significantly with their customers and suppliers.
Rahul Kumar is Country Manager, WinMagic
Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).