How managed services can help businesses with GDPR [Q&A]
With GDPR implementation now only weeks away, many businesses are still not fully prepared for the impact of the new legislation.
We spoke to Matt Klassen, VP of cloud marketing at IT service management specialist Cherwell Software, to find out how managed services can help companies comply with GDPR by the May 25th deadline and manage the additional workload it's likely to create.
BN: We see a lot of stories at the moment that most businesses aren't ready for GDPR. Is this a fair assessment?
MK: I think it is. It's a global problem, though I think companies within the EU are more aware than those elsewhere. Most larger companies have been working on this for two years plus; smaller companies may not be as prepared as they should be. Globally, however, there are many companies that are very ill-prepared and it will be interesting to see how that plays out.
A big part of the problem is that there are so many different components to GDPR. It touches multiple areas of the organization and that makes it hard to manage in a unified manner.
BN: Does there need to be more recognition that GDPR is more than just an IT problem?
MK: Yes, I think many marketing organizations are already somewhat aware because of the notion that you're tracking identifiable information about individuals, whether they know you are or not. That's a part that is interesting as they grasp the scope of what is personal data -- IP addresses for example. While marketing teams might be aware of this they need IT's help to understand security and compliance, along with perhaps help from the legal team.
BN: There has been a surge in recent weeks of companies sending out emails asking for permission to stay in touch, so is this an indication of progress?
MK: A lot of companies are going to send emails that are probably unnecessary. If you've already signed up for something then the company is probably fine to keep you on its mailing list. It doesn't need additional consent because the customer has already provided information based on a transaction or agreement. The problem is that under GDPR you need to keep that information auditable which many businesses may not have done in the past, so they need to prove they've obtained the information fairly.
BN: What is the role of ITSM in GDPR readiness?
MK: Our role isn't so much in helping businesses become compliant. It's more about helping them manage the information and the workflow, along with the requests they'll receive from their customers in a much more efficient manner.
GDPR can be broken down into four areas to focus on. The first is tracking compliance; we've created a version of our software that uses the correct terminology, framework and structure to do this. This covers the idea of authority documents and controls, not just for GDPR but for anything that requires compliance. Second is incidents, so if an incident occurs there's already a framework in place which covers steps like notifying the regulator within 72 hours, notifying affected users and so on.
The third area is the creation of a self-service portal for users to make requests for access or for rectification or deletion of their data. This is something you can simply turn on via your website, and once a request has been made you have the ability to track it as it's dealt with so there's an audit trail. The fourth area is that we provide dashboards and reports to show what is going on. Taken all together, these four help you to streamline your compliance and make it more efficient, and give you a single unified view across the board.
The framework isn't GDPR-specific; it's been around for over a year, used for other types of compliance like HIPAA and payment systems.
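The request workflow, incident handling and audit trail described above can be sketched as a small tracker. The following Python is an added illustration, not Cherwell's product or any code from the interview; the request states, transition rules, identifiers and sample dates are constructed assumptions. It shows a data-subject request moving through a fixed lifecycle, a breach incident measured against the 72-hour regulator-notification window mentioned above, a hash-chained audit log whose tampering is detectable, and the counts a dashboard would surface.

```python
"""Data-subject-request and breach-incident tracker with a tamper-evident audit
trail. Added illustration, not Cherwell's product; all names are assumptions."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Request lifecycle (assumed states); only these transitions are legal.
TRANSITIONS = {
    "received": {"verifying"},
    "verifying": {"in_progress", "rejected"},
    "in_progress": {"completed"},
    "completed": set(),
    "rejected": set(),
}
REQUEST_KINDS = {"access", "rectification", "deletion"}
REGULATOR_NOTIFY_WINDOW = timedelta(hours=72)  # window cited in the interview
GENESIS = "0" * 64


class AuditTrail:
    """Append-only log; each entry hashes its predecessor so edits are detectable."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, details, when):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": when.isoformat(), "actor": actor, "action": action,
                "details": details, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})

    def verify(self):
        """Recompute the chain; False if any entry was altered or reordered."""
        prev = GENESIS
        for rec in self.entries:
            body = {k: v for k, v in rec.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class DataSubjectRequest:
    """One access/rectification/deletion request raised via the self-service portal."""

    def __init__(self, request_id, subject, kind, received_at, trail):
        if kind not in REQUEST_KINDS:
            raise ValueError(f"unknown request kind: {kind}")
        self.request_id, self.subject, self.kind = request_id, subject, kind
        self.state, self.trail = "received", trail
        trail.append(subject, "request_received", {"id": request_id, "kind": kind}, received_at)

    def advance(self, new_state, actor, when, note=""):
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"illegal transition {self.state} -> {new_state}")
        self.trail.append(actor, "request_state_change",
                          {"id": self.request_id, "from": self.state, "to": new_state,
                           "note": note}, when)
        self.state = new_state


class BreachIncident:
    """Incident record that tracks the regulator-notification deadline."""

    def __init__(self, incident_id, detected_at, trail):
        self.incident_id, self.detected_at, self.trail = incident_id, detected_at, trail
        self.notified_at = None
        trail.append("ir-team", "incident_opened", {"id": incident_id}, detected_at)

    @property
    def regulator_deadline(self):
        return self.detected_at + REGULATOR_NOTIFY_WINDOW

    def hours_remaining(self, now):
        return (self.regulator_deadline - now) / timedelta(hours=1)

    def is_overdue(self, now):
        return self.notified_at is None and now > self.regulator_deadline

    def notify_regulator(self, actor, when):
        self.notified_at = when
        self.trail.append(actor, "regulator_notified",
                          {"id": self.incident_id, "within_window": when <= self.regulator_deadline}, when)


def dashboard(requests, incidents, now):
    """Counts the reporting layer would surface."""
    by_state = {}
    for r in requests:
        by_state[r.state] = by_state.get(r.state, 0) + 1
    return {"requests_by_state": by_state,
            "open_incidents": sum(1 for i in incidents if i.notified_at is None),
            "overdue_incidents": sum(1 for i in incidents if i.is_overdue(now))}


def demo():
    """Walk one deletion request and one incident through the workflow (constructed data)."""
    trail = AuditTrail()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    req = DataSubjectRequest("DSR-0001", "alice@example.com", "deletion", t0, trail)
    req.advance("verifying", "privacy-desk", t0 + timedelta(hours=1), "identity check sent")
    req.advance("in_progress", "privacy-desk", t0 + timedelta(days=1))
    req.advance("completed", "data-ops", t0 + timedelta(days=3), "records purged")
    inc = BreachIncident("INC-0001", t0 + timedelta(days=2), trail)
    now = t0 + timedelta(days=2, hours=80)  # 80 h after detection, regulator not yet notified
    return {"state": req.state, "overdue": inc.is_overdue(now),
            "hours_remaining": inc.hours_remaining(now), "trail_ok": trail.verify(),
            "summary": dashboard([req], [inc], now), "request": req, "trail": trail}
```

The audit trail is the piece that matters for the "prove you handled it" requirement: because every entry commits to the previous entry's hash, a later edit to any record, such as rewriting a state change, causes `verify()` to fail, and the overdue check gives the incident dashboard a concrete signal rather than a free-text note.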
BN: Will there be an initial wave of requests for access to and deletion of data before things level off?
MK: It'll be interesting to see what happens. I think requests will peak early in the next few months and then go down. It's hard to say at what level things will stabilize. Some companies will see more requests than others; consumer-based companies, like the Googles of the world, will see more requests than, say, software developers.
BN: How does this impact moving systems to the cloud, when it becomes about whether the service provider is compliant too?
MK: The reality is that because it's customers' data, the service provider is a processor more than a controller. Using a hosted service, the company can control the workflows and choose what goes into the system or not. If a company is found to be non-compliant and this becomes public, then pointing fingers between the controller and the processor is counterproductive.
BN: Do we need someone to have a breach or be found non-compliant to provide a wake-up call for others?
MK: GDPR has been played up significantly, that means it's good for lawyers and people providing compliance solutions. But a lot of people aren't yet fully aware of how it will work, and some things -- like perhaps data not being removed quickly enough -- will be hard to prove. Large scale repeated non-compliance is what the regulators will be looking for.