Wednesday, 22 May 2019 14:54

GDPR: A Year of Monitoring Data Protection

The first anniversary of GDPR is rapidly approaching on May 25. Tech companies have used the past year to learn how to navigate the requirements set in place by the law while ensuring compliance with similar laws globally. After all, for companies that violate GDPR, the legal ramifications include fines amounting to the higher of four percent of worldwide revenue or around $22.4 million.

Although the GDPR primarily applies to countries in the European Union, the law’s reach has extended beyond the continent, affecting tech companies stateside. As long as a US-based company has a web presence in the EU, that company must also follow GDPR guidelines. In an increasingly globalized world, that leaves few companies outside the mix.

GDPR acts as a model for tech companies looking to focus on consumer security, data protection and compliance. A year into its existence, there is still work to be done in understanding and applying the GDPR’s requirements. For GDPR’s anniversary, we’ve gathered a few IT experts to shed some light on the GDPR, its global effects and how to ensure data protection.

Alan Conboy, Office of the CTO, Scale Computing:

“With the one-year anniversary of GDPR approaching, the regulation has made an impact in data protection around the world this century. One year later with the high standards from GDPR, organizations are still actively working to manage and maintain data compliance, ensuring it’s made private and protected to comply with the regulation. With the fast pace of technology innovation, one way IT professionals have been meeting compliance is by designing solutions with data security in mind. Employing IT infrastructure that is stable and secure, with data simplicity and ease-of-use is vital for maintaining GDPR compliance now and in the future,” said Alan Conboy, Office of the CTO, Scale Computing.

Samantha Humphries, senior product marketing manager, Exabeam:

“As the GDPR celebrates its first birthday, there are some parallels to be drawn between the regulation and that of a human reaching a similar milestone. It’s cut some teeth: to the tune of over €55 million – mainly at the expense of Google, who received the largest fine to date. It is still finding its feet: the European Data Protection Board are regularly posting, and requesting public feedback on, new guidance. It’s created a lot of noise: for EU data subjects, our web experience has arguably taken a turn for the worse with some sites blocking all access to EU IP addresses and many more opting to bombard us with multiple questions before we can get anywhere near their content (although at least the barrage of emails requesting us to re-subscribe has died down). And it has definitely kept its parents busy: in the first nine months, over 200,000 cases were logged with supervisory authorities, of which ~65,000 were related to data breaches.

With the GDPR still very much in its infancy, many organisations are still getting to grips with exactly how to meet its requirements. The fundamentals remain true: know what personal data you have, know why you have it, limit access to a need-to-know basis, keep it safe, only keep it as long as you need it, and be transparent about what you’re going to do with it. The devil is in the detail, so keeping a close watch on developments from the EDPB will help provide clarity as the regulation continues to mature,” said Samantha Humphries, senior product marketing manager, Exabeam.

Rod Harrison, CTO, Nexsan, a StorCentric Company:

“Over the past 12 months, GDPR has provided the perfect opportunity for organisations to reassess whether their IT infrastructure can safeguard critical data, or if it needs to be upgraded to meet the new regulations. Coupled with the increasing threat of cyber attacks, one of the main challenges businesses have to contend with is the right to be forgotten – and this is where most have been falling short.

Any EU customers can request that companies delete all of the data that is held about them, permanently. The difficulty here lies in being able to comprehensively trace all of it, and this has given the storage industry an opportunity to expand its scope of influence within an IT infrastructure. Archive storage can not only support secure data storage in accordance with GDPR, but also enable businesses to accurately identify all of the data about a customer, allowing it to be quickly removed from all records. And when, not if, your business suffers a data breach, you can rest assured that customers who have asked you to delete data won’t suddenly discover that it has been compromised,” said Rod Harrison, CTO, Nexsan, a StorCentric Company.

Alex Fielding, iCEO and Founder, Ripcord:

“If your company handles any data of European Union residents, you’re subject to the regulations, expectations and potential consequences of GDPR. Critical elements of the regulation like right to access, right to be forgotten, data portability and privacy by design all require a company’s data management to be nimble, accessible and—most importantly—digital.

Notably, GDPR grants EU residents rights to access, which means companies must have a documented understanding of whose data is being collected and processed, where that data is being housed and for what purpose it’s being obtained. The company must also be able to provide a digital report of that data management to any EU resident who requests it within a reasonable amount of time. This is a tall order for a company as is, but compliance becomes almost unimaginable if a company’s current and archival data is not available digitally.

My advice to anyone struggling to achieve and maintain GDPR compliance is to develop and implement a full compliance program, beginning with digitizing and cataloguing your customer data. When you unlock the data stored within your paper records, you set your company up for compliance success,” said Alex Fielding, iCEO and founder of Ripcord.

Wendy Foote, Senior Contracts Manager, WhiteHat Security:

“Last year, the California Consumer Privacy Act (CCPA) was signed into law, which aims to provide consumers with specific rights over their personal data held by companies. These rights are very similar to those given to EU-based individuals by GDPR one year ago. The CCPA, set for Jan. 1, 2020, is the first of its kind in the U.S., and while good for consumers, affected companies will have to make a significant effort to implement the cybersecurity requirements. Plus, it will add yet another variance in the patchwork of divergent US data protection laws that companies already struggle to reconcile.

If GDPR can be implemented to protect all of the EU, could the CCPA be indicative of the potential for a cohesive US federal privacy law? This idea has strong bipartisan congressional support, and several large companies have come out in favor of it. There are draft bills in circulation, and with a new class of representatives recently sworn into Congress and the CCPA effectively putting a deadline on the debate, there may finally be a national resolution to the US consumer data privacy problem. However, the likelihood of it passing in 2019 is slim.

A single privacy framework must include flexibility and scalability to accommodate differences in size, complexity, and data needs of companies that will be subject to the law. It will take several months of negotiation to agree on the approach. But we are excited to see what the future brings for data privacy in our country and have GDPR to look to as a strong example,” said Wendy Foote, Senior Contracts Manager, WhiteHat Security.

Scott Parker, Director, product marketing, Sinequa:

“Even before the EU’s GDPR regulation took effect in 2018, organizations had been investing heavily in related initiatives. Since last year, the law has effectively standardized the way many organizations report on data privacy breaches. However, one area where the regulation has proven less effective is allowing regulators to levy fines against companies that have mishandled customer data.

From this perspective, organizations perceiving the regulation as an opportunity versus a cost burden have experienced the greatest gains. For those that continue to struggle with GDPR compliance, we recommend looking at technologies that offer an automated approach for processing and sorting large volumes of content and data intelligently. This alleviates the cognitive burden on knowledge workers, allowing them to focus on more productive work, and ensures that the information they are using is contextual and directly aligned with their goals and the tasks at hand,” said Scott Parker, Director, product marketing, Sinequa.

Caroline Seymour, VP, product marketing, Zerto:

“Last May, the European Union implemented GDPR, but its implications reach far beyond the borders of the EU. Companies in the US that interact with data from the EU must also meet its compliance measures, or risk global repercussions.

Despite the gravity of these regulations and their mutually agreed upon need, many companies may remain in a compliance ‘no man’s land’ – not fully confident in their compliance status. And as the number of consequential data breaches continues to climb globally, it is increasingly critical that companies meet GDPR requirements. My advice to those impacted companies still operating in a gray area is to ensure that their businesses are IT resilient by building an overall compliance program.

By developing and implementing a full compliance program with IT resilience at its core, companies can leverage backup via continuous data protection, making their data easily searchable over time and ultimately, preventing lasting damage from any data breach that may occur.

With a stable, unified and flexible IT infrastructure in place, companies can protect against modern threats, ensure regulation standards are met, and help provide peace of mind to both organizational leadership and customers,” said Caroline Seymour, VP, product marketing, Zerto.

Matt VanderZwaag, Director, product development, US Signal:

“With the one-year anniversary of GDPR compliance upcoming, meeting compliance standards can still be a somewhat daunting task for many organizations. A year later, data protection is a topic that all organizations should be constantly discussing and putting into practice to ensure that GDPR compliance remains a top priority.

Moving to an infrastructure provided by a managed service provider with expertise is one solution, not only for maintaining GDPR compliance, but also implementing future data protection compliance standards that are likely to emerge. Service providers can ensure organizations are remaining compliant, in addition to offering advice and education to ensure your business has the skills to manage and maintain future regulations,” said Matt VanderZwaag, Director, product development, US Signal.

Lex Boost, CEO, Leaseweb USA:

“GDPR has played an important role in shifting attitude toward data privacy all around the world, not just in the EU. Companies doing business in GDPR-regulated areas have had to seriously re-evaluate their data center strategies throughout the past year. In addition, countries outside of the GDPR regulated areas are seriously considering better legislation for protecting data.

From a hosting perspective, managing cloud infrastructures, particularly hybrid ones, can be challenging, especially when striving to meet compliance regulations. It is important to find a team of professionals who can guide how you manage your data and still stay within the law. Establishing the best solution does not have to be a task left solely to the IT team. Hosting providers can help provide knowledge and guidance to help you manage your data in a world shaped by increasingly stringent data protection legislation,” said Lex Boost, CEO, Leaseweb USA.

Neil Barton, CTO, WhereScape:

“Despite the warnings of high potential GDPR fines for companies in violation of the law, it was never clear how serious the repercussions would be. Since the GDPR’s implementation, authorities have made an example of Internet giants. These high-profile fines are meant to serve as a warning to all of us.

Whether your organization is currently impacted by the GDPR or not, now’s the time to prepare for future legislation that will undoubtedly spread worldwide given data privacy concerns. It’s a huge task to get your data house in order, but automation can lessen the burden. Data infrastructure automation software can help companies be ready for compliance by ensuring all data is easily identifiable, explainable and ready for extraction if needed. Using automation to easily discover data areas of concern, tag them and track data lineage throughout your environment provides organizations with greater visibility and a faster ability to act. In the event of an audit or a request to remove an individual’s data, automation software can provide the ready capabilities needed,” said Neil Barton, CTO, WhereScape.