Countdown to the GDPR Deadline: Preparing for Compliance
It’s nearly May 25: Do you know where your data is?
If you don’t, the consequences could be severe.
On that date, the General Data Protection Regulation (GDPR), a regulation designed to protect individuals’ personal data, goes into effect. With the compliance deadline upon us, concerns are being raised in nearly every industry that uses personal data.
Under the GDPR, individuals can ask to be told how and when their information is used, and through that request they have the right to have their data corrected, removed or retrieved. The risk of not complying is substantial: organizations can be fined up to 4% of their annual revenue or €20 million, whichever is higher.
Many businesses are developing and maintaining infrastructure models that protect against modern threats in order to achieve compliance. In addition, backup and discovery tools are being put in place to prevent data loss and ensure the availability of replicated data.
With the compliance deadline near, we asked technology experts from data storage and IT security companies for their thoughts and recommendations on GDPR compliance.
Ziv Kedem, CEO, Zerto
“The quickly approaching GDPR deadline has many companies distressed about how to handle their customer data like never before. Despite a clearly defined compliance date since 2016, there is still a lot of uncertainty around it just weeks before, and this – combined with the threat of fines of up to $24 million – means many organizations are still wary of the impending regulation.
“Affected companies need to ensure that their businesses are IT resilient by building an overall compliance program. By developing and maintaining a stable, unified and flexible model of infrastructure, companies can protect against modern threats. There are backup tools out there, namely continuous data protection (CDP), that can help companies combat and prevent the loss of data, ensuring the availability of replicated data for full IT resilience.”
Matt VanderZwaag, Director of Product Development, US Signal
“GDPR compliance is a daunting task, especially with the deadline quickly approaching on May 25. The reality is that compliance and the heavy fines associated with non-compliance can be overwhelming, especially if you are not a GDPR expert. In fact, the US Signal 2018 Security ‘Health of the Nation’ Survey found that nearly half of respondents will not be ready to comply when the regulation goes into effect, or are unsure if it applies to their organization.
“However, moving to an infrastructure provided by a managed service provider with GDPR compliance expertise is one solution. Service providers can offer a variety of GDPR-ready solutions, in addition to advice and education to ensure your business has the skills to manage and maintain its compliance. In the future, GDPR, and data protection in general, should now be part of all conversations with managed service providers, to ensure that compliance is a top priority, and that companies don’t fall behind due to lack of internal resources.”
Setu Kulkarni, VP of Corporate Strategy, WhiteHat Security
“GDPR applies to any company, inside or outside the E.U., that interacts with the data of European citizens. The world is recognizing how data is the lifeblood of applications. Privacy of this data, integrating security training and formalizing data boundaries, all require applications to be secure by design. Just as there are multiple layers of security in the most secure buildings, we have to create the same level of insulation for our digital information. By understanding how applications, both web and mobile, handle sensitive data and how they authenticate via best practices in development and operations, you can understand the context of data in use, and prove everything is being done to protect the data.
“We are living in an API-first world, and it is increasingly important to create the right separation of concerns between personal data and application data. Companies like WhiteHat focus on this as a business, offering both dynamic and static application security testing (DAST and SAST) products to help customers know what information is visible externally, while protecting the information they are allowed to collect.
“For potential breaches stemming from web applications, DAST products can identify web application security risks with the ability to customize asset importance/ranking according to what privacy data it touches, and how to avoid potential privacy breaches. Further, to address training compliance, companies can implement eLearning, to provide individuals a path to learn how to code securely, and better comprehend general security awareness. WhiteHat Security believes GDPR isn’t just about finding data — it’s about making certain it’s secure.”
Khash Sajadi, CEO and Founder, Cloud 66
“Cloud 66 believes in a holistic view of secure, compliant operations — empowering developers, but approved by operations. Our tooling always provides an operational opinion for developers, combined with the opportunity for savvy users to assert as much control as they need.
“We believe compliance with GDPR criteria should include important operational details like alternate deployment models, fine-grained user access control, advanced secrets management, vulnerability minimization and scanning, ease-of-use with private registries, and various security tools.”
Neil Barton, CTO, WhereScape
“More than ever, ensuring data is both identifiable and accessible is a dominating theme for companies on the path to GDPR compliance. The good news for tech companies is that, as the May 25 compliance deadline advances, businesses are investing in long-term data protection strategies.
“As an example, for businesses managing large data sets, investing in data infrastructure automation software can be extremely beneficial. Automation software can be used to automatically tag data, ensuring data is identifiable, auditable and quickly retrievable if an organization should receive a GDPR-related request for access. To protect their organizations and the customers they serve, companies must proactively invest in the data protection strategies and technologies needed to avoid the pitfalls, and corresponding penalty fines, associated with the GDPR.”
Scott Parker, Director of Product Marketing, Sinequa
“GDPR was created to ensure what its creators see as a fundamental right for EU citizens to protect their personal data. The penalties for non-compliance will be steep, so organizations with EU operations or customers are understandably investing heavily in GDPR initiatives. But instead of seeing it only as a costly burden, organizations should view the regulation as an opportunity.
“With the challenge of quickly and accurately identifying and finding personal data, organizations with large datasets should embrace an information-driven approach that processes all relevant content and data from across the enterprise intelligently and securely into information that is contextual to the task at hand and aligned with each user’s goals.
“By extracting relevant information from enterprise data and using it for better decision making, organizations will be able to achieve superior customer service and operational efficiency, while at the same time complying with GDPR regulations.”