Comment Europe's General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying "buy our stuff or risk fines up to four per cent of your annual revenues." If you haven't done any preparation yet, is it really that bad and what should you do?
If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR, which comes into force on May 25, 2018, and will likely increase your costs.
What is GDPR? It is meant to return to people control of their personal data, and giving them, for example, a right to be forgotten. Personal information can include a name, home address, photo, email address, bank details, social networking website posts, medical information, and even a computer's IP address.
Your business needs to be GDPR-compliant but – and this is the bleedin' EU – it isn't as simple as that; there isn't a single GDPR compliance test. At an A3 GDPR session, lawyer Renzo Marchini – a partner covering privacy, security and information at Fieldfisher – said the regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It's fuzzy. You can't verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR.
Suppose you just want the GDPR issue dealt with, and order an SKU or contract with somebody to make it all happen. Tough luck. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don't exist. Ricky Patel, UK and Ireland channel sales director at Wasabi Technologies, said there is no uniform GDPR kit. Every vendor has their own implementation of the rules, every organization is different, and thus there is no one-size fits-all solution.
Tick, tock motherf... erm, we mean, don't panic over GDPRREAD MORE
Reputable suppliers will sell you products that point you in the right direction to GDPR compliance, setting you on the correct path to avoid any fines. Joe Garber, global head of information management at Micro Focus, said his company has eight such pre-packaged GDPR starter kits. Similarly, Mimecast offers gear with GDPR email capabilities, ditto Quantum with its data protection products.
Garber said organizations in less-regulated industries are being pulled full tilt into GDPR. Does that mean GDPR will increase the addressable market for data protection and governance suppliers? "You're bringing in new use cases, and also investigation and e-discovery," Garber answered.
That's a big boon for e-discovery and legal hold storage system sellers. E-discovery, or data discovery, is important because a business needs an accurate inventory of all the personally identifiable information it holds so it can ensure said info is not mishandled under the new regulations.
The flip side is organizations' costs will go up if they are enveloped by GDPR.
Suppose you think to yourself it's a storm in a teacup, and it'll be easy to implement any necessary changes? Bob Plumridge, director and treasurer for SNIA Europe and a former Hitachi Data Systems CTO, estimated: "That'll be the case for the vast majority, but for 20 per cent or so it will involve fines."
The fines may be relatively small, unless a national watchdog decides to make an example of somebody. Ultimately, any penalties will be proportionate. The UK's data watchdog, the ICO, has ruled out issuing fat fines.
You can buy GDPR consultancy services, such as this one from Jawbone. We have no idea how good it is.
But, before doing that, check to see if your country's data protection regulator has readiness-checking services. In the UK, there are self-service checklists from the ICO, such as this one.
If you find out there's more to be done, note that you're just six months away from the deadline, and should probably to assign a senior bod to get you ready. Consultancies such as Quocirca, Freeform Dynamics, and the 451 Group may be able to offer help to that lucky person. Another route for getting help is with a GDPR-skilled legal eagle.
The basic message here is to take the self-checking test and then, if you need to act, prepare to assign people and time, and therefore money, to appease the priests at your nearest GDPR temple, because there's no way out. GDPR is, one way or another, a tax you are going to have to pay. ®
Editor's note: This story was updated after publication to clarify that the GDPR covers not just EU citizens, as well as tidy up the language used.