GDPR is still months away from going into effect but many professionals in the data security space are warning customers to act now to avoid pain later.
Technology-wise, an individual's right to be forgotten may be one of the most vexing issues related to the EU's new General Data Protection Regulation (GDPR), which goes into effect in May 2018, notes Pete Zimmerman, VP of client services and operations at Sonian, a public cloud information archiving company. Sonian provides services to OEM partners and their end customers that allow them to preserve, analyze, and access their electronic communications for legal, regulatory and continuity purposes while gaining organizational insights.
The right of an individual to have their data removed will be a key challenge for many companies, said Zimmerman, noting that he wonders how many companies are truly going to be able to know where that data is—not only in their core systems but also legacy systems, CRM systems, and lead-gen services that may not even be in active use.
And, from a business perspective, the leading challenge may be that many newly minted data protection officers, rather than spending their time protecting data as they should, are going to be focused on responding to questions regarding readiness and reporting and other time-consuming activities. That will go away in time, but in the first several months after GDPR goes into effect, there will be a lot of soul searching, he said. This will revolve around how much they are expected to respond to in terms of information requests, and legitimate complaints may fall through the cracks since it is a relatively new role and set of responsibilities, he noted. For example, he said, if a technology provider has 10,000 resellers and service providers that each have hundreds of customers themselves, and just 50% of them start asking questions about breach policies or security controls, the data protection officer will have to decide when it is possible not to respond, or how much time there is to issue a response.
According to Zimmerman, organizations that buy Sonian’s services are typically buying the services through a partner, who buys them from another company such as IBM or GoDaddy, which in turn has bought them from Sonian, and sometimes there is even another company in between.
Zimmerman said he is confident that organizations that are up the technology stack are in compliance or are aware of anything they need to tweak before GDPR goes into effect because months ago he was receiving requests for information from these companies to look at Sonian’s readiness. But the challenge is that smaller partners, MSPs, and technology providers have limited staff, a lot of products, a lot of services, “and those are the people I am getting a sense are not as ready as they should be.”