When the European Union's General Data Protection Regulation (GDPR) takes effect on May 25, 2018, it will affect not only EU-based organizations but also data controllers and processors around the world. Every company that holds data from customers in the European Union (including the UK) will need to comply with the new, stringent regulations, or risk being charged a minimum of $20 million. To learn more, I spoke with Frank Krieger, Director of Compliance at iland, a global cloud service provider of secure and compliant hosting for IaaS, DRaaS, and BaaS.
VMblog: What does GDPR mean to US businesses?
Frank Krieger: If your company or institution operates within the EU or targets EU customers, this regulation will pertain to you. If you are accessing, servicing, marketing or performing any function with EU customers or clients, you must honor the GDPR regulations. The EU has been very clear that if US companies wish to access the Single Market, you must play by that market's rules. Ignore this at your peril!
VMblog: What requirements or compliance measures overlap with other IT regulations - FISMA, SOX, GLBA, etc.?
Krieger: ISO 27001 is a very strong element of the GDPR, and for US entities SSAE 16/18 SOC 2 and HIPAA have strong overlap, as does Privacy Shield for some elements. Additionally, though not specific to compliance, ITIL and COBIT both assist in ensuring that processes are generating the correct outputs in a measurable and ongoing manner.
VMblog: What can businesses do to minimize GDPR risks and ensure adherence to avoid penalties?
Krieger: Absolutely begin by looking at implementing an IT framework such as COBIT or ITIL, perform data mapping, review privacy statements and policies, review staffing to ensure that EU-required staffing is in place, and look at hiring CIPP/E- and CIPM-certified Data Protection Officers (DPOs). Though no specific guidance has been given on the requirements for a DPO, having staff that understand the EU regulations (CIPP/E) and how to implement them (CIPM) will help dramatically.
VMblog: Can you expand on some ways businesses can protect personal data?
Krieger: Anonymization and pseudonymization are two major ways organizations can utilize data and protect it; however, be careful of falling into the trap of thinking that the data is then secure, as re-identification is possible with enough non-protected data points. Again, limiting access and tightly monitoring access control help as well.
VMblog: Are there ways companies could implement technical infrastructure that will ensure the optimal governance of client data?
Krieger: Maybe, if the company is starting from scratch; however, most companies already have various systems in place that were carefully connected to function together, such as monitoring, billing, service desk and customer management systems. What is more realistic is that one or more toolsets will be required to perform a technical solution.
VMblog: How can organizations handle different types of data streams?
Krieger: This requires an understanding of data types, locations and access controls, but it is achievable! The main elements to remember are to begin reviews of data locations, identify protected or specially protected data, and then take steps to reduce access by applications and personnel; if you reduce access to only the entities that must use that data, you reduce your risks. Prior to GDPR it was common for data to be collected for the sake of creating more data points and for access to that data to be granted to various entities, such as marketing to use for campaigns. These types of activities will have to be very, very closely watched to ensure that they do not run afoul of the GDPR requirements.
VMblog: What impact do you think Brexit will have on GDPR?
Krieger: For the time being, very little. Brexit is a multi-year process, and currently the UK government has indicated it will adhere to the GDPR regulations upon exit. However, as the UK re-establishes itself in various markets, there is a good chance there will be changes to the UK implementation of GDPR.
VMblog: Finally, what's the most important thing companies need to do before May 25, 2018?
Krieger: Point blank, start evaluating data and perform data mappings and classifications ASAP... and hire a Data Protection Officer!