Charles Nwasor, Director of Global Assurance & Advisory at Ensono, looks at how the looming GDPR implementation deadline will affect MSPs.
EB: How does GDPR affect your business?
CN: The General Data Protection Regulation (GDPR) affects Ensono in two ways. Firstly, as a global business, Ensono employs people across Europe. The effective management of resources and the administration of employment benefits require access to, along with processing of, the personal data of EU residents. As the GDPR applies to the personal data of EU citizens regardless of where the data is held, the company is obligated to comply with the legislation. Secondly, as a global technology service provider, Ensono has clients with significant operations in Europe and beyond.
Understandably, some of these operations involve the processing of EU citizen personal data. As a service provider, we help clients manage critical assets, and that involves understanding and helping them to meet their regulatory compliance obligations. That can be across complex hybrid IT assets, with applications in public cloud, and throughout the managed services we provide.
Ultimately, we view the GDPR as a significant and timely piece of legislation that protects the “fundamental rights and freedoms of natural persons, and in particular, their right to the protection of personal data.” It applies to all companies that process the personal data of EU residents, irrespective of where such organisations are located. Given the broad reach of the regulation, we are helping our clients and contractors understand how this applies to them, and to navigate their way to compliance by May 2018.
EB: Where do you see the greatest risk?
CN: Companies should pay special attention to those parts of the business most exposed to Personally Identifiable Information (PII) and also those engaged in direct interactions with the public. Typically, this impacts ‘business-to-consumer’ type organisations the most, but applies to all in general.
For example, under the GDPR, sales and marketing must seek explicit, valid consent from individuals to hold their personal data where the company is relying on consent as the legal basis for processing. Data controllers must also be able to prove that individuals have explicitly opted in to the data being processed, which may cause significant work for many organisations.
HR departments are subject to significant scrutiny as the GDPR applies to human resource records. This includes incoming job applicant data, as well as employee and dependents’ data. All of it is subject to the GDPR. Companies must also work to balance these and other legal obligations, with the rights of data subjects.
For instance, under the ‘right to be forgotten’ (RTBF) rule, organisations are required to ensure that all personal data (including contact data for an individual within an organisation) is only kept if the individual has explicitly consented to this. Individuals also have a right to request that such records be deleted in their entirety. However, this and other rights are not always absolute, and data retention and deletion must be exercised with due regard for other legal considerations.
To compound this challenge, departments such as sales and marketing that make significant use of cloud services (both legitimate and shadow IT) are not always subject to the same scrutiny and control as those using the on-premise IT estate in many organisations. It’s imperative that the external IT landscape is properly understood and the data risk is managed with appropriate tools, policies and processes.
Another area of significant risk that is often overlooked applies to third parties such as subcontractors, business partners, service providers, etc. Factoring these elements into a company’s GDPR obligation and ensuring they are effectively covered in legal agreements, compliance and policy effort is essential.
EB: Where should a company start?
CN: The first logical step is to identify the personal data collected, processed and stored within the organisation. This should include understanding the age of the information and whether it is shared (and with whom it is shared). This captures the flow of personal data throughout its lifecycle within an organisation. With that information in hand, a business can begin to identify gaps, inherent risks and determine the required policies, processes and technology changes that must be made to ensure GDPR compliance going forward.
Another challenge to overcome is managing data across disparate infrastructure and systems. Today, most companies have a complex patchwork of hybrid technologies that are procured and managed by different parts of the organisation.
Those businesses that have already moved to centralise the monitoring and management of their hybrid IT infrastructure with a single team have a distinct advantage. However, the hybrid challenge becomes infinitely more difficult when managing data protection across multiple applications and databases. The GDPR requires comprehensive change in many organisations, especially those that have not already implemented a comparable level of data protection and privacy.
For most businesses, managing the data flows for hundreds of websites, systems and vendors, along with dozens of data types is complex. Assessing privacy and compliance risk is almost impossible without technology and expertise to research, analyse and map your customer and employee data flows.
EB: Can a company outsource its GDPR compliance?
CN: Yes. However, if you asked whether a company could outsource accountability, the answer is of course an unequivocal no. It is reasonable to expect that while processes and execution can be outsourced, ultimate accountability remains with a company’s board, given its role in governance and responsibility for the consequences of non-compliance.
The GDPR requires comprehensive change in many businesses, especially those yet to implement an appropriate level of data protection. Working with a trusted partner to adapt and revise relevant processes within your business can be an excellent way to ensure you’re fully compliant before the May 2018 deadline. Whatever you decide, there is an urgent need to act. Take your GDPR transformation into your own hands before circumstances force it upon you.