Telecoms.com periodically invites third parties to share their views on the industry’s most pressing issues. In this piece Rob McBride, Director of Enterprise and Telco Solutions at Versa Networks, offers some timely advice about what it will take to become GDPR-ready.
The new General Data Protection Regulation (GDPR) rules come into effect on May 25th, 2018. With less than a month to go, most companies are now scurrying to put the finishing touches to their GDPR plan. Failure to comply with GDPR can have massive consequences, from loss of reputation and customer trust to significant monetary losses in the form of penalties. However, complying with the stringent data protection regulations is not going to be an easy feat, for it encompasses not only guidelines on how enterprises collect and consume data but also how they build and embed security policies into the very foundations of their enterprise IT architectures.
Let’s take a look at the new GDPR guidelines, what they mean for the enterprise and customers and how IT leaders can leverage existing technologies to better monitor, manage and secure critical data.
GDPR: What It Means
The European Parliament adopted the General Data Protection Regulation (GDPR) in April 2016, replacing an outdated data protection directive from 1995. According to the GDPR official website, the aim of the new regulation is to protect all European Union (EU) citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 EU Data Protection Directive was established.
GDPR consolidates existing fragmented laws across the EU into one single compliance and regulatory framework applicable to all 28 EU member states. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also lays down specific guidelines around the export of personal data outside the EU.
Whom Does GDPR Apply to?
Companies that are registered or have any form of operation in the EU will need to comply with GDPR. Any organization that collects, processes or stores personal data of EU residents must comply with the GDPR regardless of where the processing takes place.
Moreover, any company, irrespective of its country of operation, is subject to the GDPR if it processes personal data of EU residents in connection with providing goods or services to consumers in the EU, or if it monitors the behaviour of EU residents, such as in connection with targeted advertising.
The GDPR lays down specific guidelines for ‘Data Controllers’ and ‘Data Processors’. To understand how GDPR will impact your business, it is important to understand which of these two categorizations applies to you.
The GDPR defines a Data Controller as the entity that collects the data or decides how the data it collects will be processed or used. Most business entities that sell products or services or have operations in the EU would typically fall under this category. A Data Processor, on the other hand, is the entity that merely processes data in accordance with instructions given by a data controller. These could be vendors who provide services that involve processing the data of EU citizens (cloud vendors, analytics, marketing, HR or payroll agencies, etc.).
Companies in the EU are also required to contractually commit vendors outside the EU to compliance with the GDPR. This means that a US-based company selling a product or service to a customer in the EU may also need to comply with the GDPR even if it does not have a subsidiary in the EU. The regulation applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, such as a cloud service provider), or the data subject (the person) is based in the EU. The regulation also applies to organizations based outside the EU if they collect or process personal data of individuals located inside the EU.
Rights of Data Subjects
The primary aim of the GDPR guidelines is to uphold the privacy rights of consumers in EU states. The guidelines not only lay down strict rules governing how data is processed but also clearly define the Rights of Data Subjects in the EU. These rights and what they entail are shown in the figure below.
Getting GDPR Ready
One of the most critical points under the GDPR guidelines is the provision of Privacy by Design. At its core, privacy by design calls for data protection to be included from the outset of system design, rather than added afterwards. This provision requires data controllers to build and implement appropriate technical and organisational measures to meet the requirements of the GDPR and ensure data privacy and security for all EU data subjects.
This might sound simple, but any organization that has put security solutions in place will testify that it is much more complicated than that. As enterprises embrace multi-cloud and SaaS, they must rethink their entire IT landscape and, if using the Internet to connect to SaaS or public clouds, must implement a highly secure infrastructure. As businesses adopt new software-defined technologies like SD-WAN as an enabler for their broader connectivity strategies, they must look beyond dynamic connectivity to an integrated security and SD-WAN approach in order to further harden their infrastructure for GDPR.
There is no single solution that can help enterprises achieve a complete framework that will assist them in becoming fully GDPR compliant. But CIOs can wisely choose small blocks of smart technologies that can, in conjunction with other security measures, help them to reach their ultimate goal.
There are going to be very few organizations, if any, that will face the 25th of May with a full and comprehensive plan for GDPR compliance. For most data controllers and processors, the coming months are going to be a phase of learning, discovering and experimenting with new ideas and technologies. The key here is not to be overwhelmed but to take one small step at a time and find the right set of technologies to help get you there.
Rob McBride is responsible for Versa Networks’ software-defined solutions portfolio – SD-WAN, SD-Security and SD-Branch. Rob has spent the last 15+ years designing, marketing and bringing to market a wide range of solutions and products covering SDN/NFV, SD-WAN, Voice (TDM/VoIP), and DC virtualization. He brings a wide range of experience from senior roles in sales engineering, field support, product management and marketing. Prior to Versa Networks, Rob held senior positions at Viptela, Brocade Communications, Enterasys Networks, Alcatel-Lucent and Enterprise Data Solutions (EDS).