Security Central: What Clients Might Have Missed in GDPR Prep

By Security Joan

We are mere weeks away from the European Union’s May 25 GDPR (General Data Protection Regulation) deadline, and many organizations still feel unprepared. 

If you’ve missed the headlines on this, let me give you a quick primer: GDPR, a regulation first adopted in 2016 in Europe, has had a two-year adoption grace period. Affected businesses have until May 25 to be in compliance. It’s a common misconception that this regulation will only apply to EU organizations; any organization that processes the personal data of EU residents is required to comply with GDPR — that means businesses worldwide are impacted.

But clearly many businesses just aren’t ready. An independent survey of 500 cybersecurity professionals in the U.K., Germany, France and the U.S, conducted in December by security-products vendor Varonis, found three in five (60 percent) respondents in the EU and half of respondents in the U.S. believe they face some serious challenges with GDPR compliance. Being compliant by May 25 doesn’t look promising either, with nearly two in five (38 percent) respondents noting that their organizations do not view compliance with GDPR by the deadline as a priority.

What are the implications for not being in compliance? Fines and penalties for GDPR noncompliance are hefty, with a maximum fine of up to 4 percent of annual global turnover, or €20 million — whichever is greater. That is a significant amount of cheese.

With that mind, what suggestions should you bring to the table now with clients who need guidance with getting compliant?

First, advise them not to fret, says Parri Munsell, director, Microsoft 365 partner marketing.

“We see GDPR creating amazing new opportunities for partners to demonstrate their security, privacy and compliance services for customers,” says Munsell. “Ultimately, GDPR compliance requires an end-to-end perspective spanning people, policy and process adjustments. There is no single intervention or technology that will get an organization to GDPR compliance.”

Parri Munsell

Parri Munsell

And that’s because what needs to be done to get compliant will vary from business to business, says Oded Moshe of SysAid, a provider of IT service management solutions. Moshe, who spearheads SysAid’s GDPR implementation efforts, believes while many organizations are aware of GDPR requirements, many are missing what he calls “blind spots” that could end up costing them if they are not identified.

“There are a number of technical blind spots that aren’t being considered,” says Moshe. “For example, let’s say I’m an IT guy and I’m performing a remote control of machine to help an employee resolve and issue, and it’s being recorded. During the session, we are working in Word, and there’s information in the Word doc that contains PII (personally identifiable information). Where is the recording of the session being stored afterward? Does the information contained in the document apply to GPDR? To what extent does the right to be forgotten (a GDPR requirement) extend?”

Moshe notes this is just one of multiple examples of areas where clients might not be considering where data lives when they’re tackling GDPR compliance. Other things that might contain PII that clients might not have considered: pictures of customers where they are identified, and client testimonies on marketing materials. As Moshe points out, the list goes and on.

In order to gain a comprehensive view of your possible blind spots, start by advising clients simply to map their data.

“What information do you hold and where?” he says. “There are so many blind spots that are often overlooked, how do you manage it?

MSSPs need to come to the table armed with knowledge and understanding of these so-called blind spots in order to serve as a trusted service provider in helping clients get ready to comply. Next week, we will dive into some tips and best practices for getting prepared for the May enforcement deadline.

Who is Security Joan? We’ll never tell, but all you really need to know is that she’s a huge Steely Dan fan (as if the nom de plume didn’t give it away). She’s also a veteran infosec journalist who has covered the evolution of the cybersecurity industry, its shadowy criminal underworld, and the good people trying to stop them for more than a decade. In addition to our weekly Security Central column, Security Joan helps inform the Channel Futures cybersecurity coverage with her sizable expertise. Say hi on Twitter @Security_Joan or shoot her an email at [email protected].