The GDPR lash will fall upon heedless companies
The EU General Data Protection Regulation becomes enforceable from 25 May 2018. Although the current regulation leaves many questions unanswered, one thing is certain: GDPR will pose many challenges for the IT industry.
Although the regulation is rather general, it includes some specific aspects concerning the IT industry, and some of them are named directly, for example data encryption, BCP (Business Continuity Planning), data backup, and data disaster recovery.
The IT industry will have to deal with tasks such as ensuring data privacy, integrity and availability. Besides, every organization has to make a report of its data processing operations available to the supervisory authority.
At a client's request, every company will have to disclose what kind of information it holds about them. As this data is dispersed across multiple systems, this has specific consequences and technological requirements. The real breakthrough for organizations will be setting up the position of administrator of personal data. GDPR obliges the administrator to deploy a data protection policy and to prove that data is processed in accordance with its purpose.
The regulation lists three persons: an Administrator, a Data Protection Officer and a Processor. The Officer should be strongly linked to the IT department, but we need to keep in mind the importance of the legal department as well. The Administrator is an IT role. But who is the Processor? If you keep your data in a public or hybrid cloud, you cooperate with a provider of cloud computing services, someone who processes and takes care of your data on your order: that is the Processor. And believe me, these roles are not funny at all, as organizations themselves don't make it easier for them. Hardly any company will admit that it does not have a proper backup, archiving and personal data safety policy. Under GDPR, this will be grounds for punishing not only organizations but also the persons responsible. I don't want to be Mr "A", Mr "O" or Mr "P" either.
Coming back to the regulation: it still leaves many questions open, because it isn't precise. It doesn't indicate exact requirements, but it does define the dates, the penalties, and the time allowed to report a data leak (72 hours). Governments of EU countries are now working on adjusting their national laws to the GDPR requirements. The new laws will clarify data processing in HR, ERP and CRM systems, as well as database cyber-security and communication subjects. That's why not only does no vendor have a universal solution, but only a few of them know how to deal with it at all.
We also have to cope with changing guidelines. In the beginning it was said that only big organizations, employing over 200 people, would have to create the position of personal data administrator. Later it was extended to smaller organizations as well. A sample question is: will pharmacies or small online shops that process personal data have to create this kind of position? And last but not least, there is one more question: how can we prepare for GDPR?
It isn't about being compliant with GDPR; it's about answering the organization's needs: security and data availability. Based on that assumption, many companies, mine included, have created appliance solutions built on mass storage systems, archiving, and distributed data analysis systems. Such a solution can provide clients with comprehensive data encryption and backup, also on mobile devices. The appliance should be modular and flexible, allowing you to select all of its functionality or only specific parts. Only that way will it be attractive to small, medium and large companies. But remember: every single solution covers only part of GDPR.
But it is worth having something to start with at least. Isn't it?
Jan Sobieszczański, Storware CEO