Virtualization Technology News and Information
VMblog's Expert Interviews: Commvault Talks Preparing for the Arrival of GDPR

In one year, GDPR will go into effect and every company that has data from customers in the European Union (including the UK) will need to be compliant with new, stringent regulations - or risk being charged a minimum of $20 million. To find out more, I spoke with industry expert Patrick McGrath, director of solutions marketing at Commvault.

VMblog:  What is the most important piece of advice about complying with GDPR that you can give to security professionals working for US companies?

Patrick McGrath:  Let me give you my top three pieces of advice.

First, don't assume you are immune to GDPR. This regulation comes from the EU and aims to protect the privacy of (primarily) EU residents.  However, many US companies who operate globally will be impacted, particularly if they have a presence in the EU. 

It is not unusual to see organizations engage with individuals on a global basis. Efforts for recruiting, managing or otherwise engaging customers or employees are a common occurrence, particularly using websites that are available across borders. If the personal data of EU individuals is stored or processed outside of the EU, GDPR comes into effect. Interestingly, individuals from outside the EU are covered by the GDPR if their information is collected or processed within the EU.

Second: GDPR will touch many parts of an organization. It therefore becomes critical to gain visibility into all information being collected across all channels, sources, devices and repositories. Start investigating your level of risk and exposure as soon as possible. Education about GDPR is great, but controls implemented with automation are the key to success.

Lastly, with anything related to compliance, you need to a) have the capability to do the right thing, b) consistently DO the right thing and c) prove that you did the right thing.

VMblog:  The US is breathing easy as this is a euro-centric law, but do you expect this law will move to the US? Furthermore, when will the regulation become a global best practice?

McGrath:  GDPR sets extremely high standards for business and data management practices that far surpass those of other regions. The rights that it grants to individuals, the responsibilities applied to organizations, the expectations for responsiveness and the fines for noncompliance will all have a tremendous impact on organizations.

GDPR will almost certainly help establish new best practices in the US, based on its comprehensive requirements.  I also think it's likely that it will ultimately influence US State and Federal regulations, but doubt that it will happen quickly.  Time will tell...

As a general observation, records management and data handling regulations have become more stringent as time has passed.  This correlates with the availability of new technologies to manage information, the decreased costs of managing information and the effects of automation.  This trend is certain to continue.

VMblog:  What led to the creation of GDPR? Does Brexit have an impact?

McGrath:  A number of things have led to the creation of GDPR.

  • First, the use of digital technology to conduct and manage business has exploded. The massive growth in data volumes and the adoption of the internet, mobile devices and the cloud have also spread information across a much wider area, increasing the threat surface considerably.
  • Secondly, the technology and the data have been poorly managed. Data loss events have become a daily occurrence, whether or not they are reported, and whether or not the breaches were intentional (e.g. lost devices, cybercrimes, etc.). This has created significant outrage from victims globally (individuals, companies and governments). Unfortunately, many of the specific threats, particularly various forms of hacking, are still increasing rapidly.
  • Lastly, despite good intentions, the consequences of poor data handling and data protection have not been serious enough to drive widespread compliance. For example, we hear many stories that, under the existing EU Data Protection Directive, it is cheaper to pay the fines (if you get caught out) than it would be to make the structural changes necessary to avoid the fines.

All indications from the British Government are that it will retain GDPR and convert it to UK law, even as Britain exits the EU. It would be a mistake for UK and multinational businesses based in the UK to think otherwise.

VMblog:  Breach notifications within 72 hours of the breach discovery will become mandatory. Will the timeliness of breach notifications be improved? What benefits will this bring to organizations?

McGrath:  The GDPR breach notification requirements will certainly drive an improvement in the timeliness of notifications to officials and victims. 

In the US, the Federal Personal Data Notification and Protection Act of 2015 outlines a standard of 30 days to notify, although state laws vary. Since the GDPR indicates a window of 72 hours to notify supervisory authorities and victims, this is a highly significant change. This window must be used to determine the nature and extent of a data breach: cross-referencing the specific data lost to individuals, while activating legal, PR and customer support response teams.

There are clearly benefits to the victims of a breach in the short term and their ability to protect themselves quickly as needed.

Organizations will achieve longer-term benefits from more rapid response:
  • They will gain significant visibility and understanding of their managed information that can be used, not only for compliance purposes, but to potentially use to optimize and transform their businesses.
  • The automation required to scale the analysis and processing can similarly be applied beyond compliance purposes.
  • Over time, they will gain a greater level of trust in their ability to manage personal and sensitive data from their customers, employees and partners.

VMblog:  What is the biggest thing companies need to do before May 25, 2018? What are consequences if they do not comply?

McGrath:  Understand what personal data you're holding, what personal data you need that are critical to your business or legal needs, and get rid of the rest. Consent is a big part of GDPR, so you should also investigate how you collect and manage it.

The implications of GDPR are broad and impactful to groups across your organization: 

  • IT, including infrastructure, data management, security, applications, business intelligence, etc.;
  • Compliance and legal
  • The lines of business that engage people (which means most of them). HR, Marketing, Sales, Support, possibly your partner management teams, and so on.

All of these groups store, manage and process information, some of which could include personal and sensitive information. This information will be stored in silos: in databases as structured data, or as unstructured data on file servers, desktops/laptops, email servers, applications and content management systems, and cloud service providers managed by 3rd parties.

After obtaining organizational commitment to a GDPR program with the appropriate staffing and governance, you will need to complete a GDPR Data Protection Impact Assessment (DPIA). This requires knowledge of what personal data you're storing, where it is located and who is responsible for it.

Published Wednesday, May 31, 2017 8:08 AM by David Marshall