What challenges does GDPR bring to the channel?
On May 25, 2018, the General Data Protection Regulation (‘GDPR’) will replace the current Data Protection Directive, demanding a huge cultural and operational change to the way businesses operate. The GDPR is a new law to unify data protection across the European Union and will require any business that operates from within the EU – from small to large – to have data protection measures in place and disclose any breaches. The regulation mandates considerably tougher penalties than the existing rules and, if breached, organisations can expect fines of up to four percent of annual global turnover or €20 million – whichever is greater. With the GDPR coming into effect in just over a year, businesses have little time to make the necessary changes, and need to start putting plans in place now if they’re to meet the deadline.
This provides both a challenge and an opportunity for the channel. The challenge is how does the channel partner as a business itself comply, and the opportunity is how, as a technology provider, does the partner help its customers do the same.
The challenge – compliance
It’s often said that when it comes to process, culture and technology, technology is generally last in the line of priorities; however, this is not the case for GDPR. Technology is holding the data, managing its processing and its movements. Partners, as technology-centric organisations, firstly need to consider the fact that privacy and protection are two different topics. Privacy is what your customers want you to do, protection is what the law demands that you do. For too long the game has been loaded in the direction of protection, aiding businesses but at the cost of data privacy – and the consumer. The GDPR re-balances that equation and loads the dice in the favour of the consumer.
The opportunity – supporting customers
With this in mind, customers will be expecting suppliers to implement the necessary changes to ensure their data is kept in line with the high information security standard required for GDPR. This is particularly crucial for partners that provide IT equipment such as printers, photocopiers and scanners, that act as a conduit for information within organisations.
Becoming a trusted company with data will not just be the law but can become a competitive advantage if done correctly. It should be seen as an opportunity for partners to promote their companies as those that can keep up with the requirements and demands of today’s data-led world. However, it must be remembered that technology has the potential to expose company networks and linked data repositories to both internal and external threats.
As such, channel partners should consider the following:
- GDPR dictates that data subjects have a right to be forgotten. Does your organisation have the capability to do this for your customers, and to help your customers to do this for their data subjects?
- Where is personally identifiable data held? Specifically, where is the sensitive data that needs to be carefully regulated? Partners need to map and catalogue data in their own organisations, highlighting where their technology touches sensitive data, and then consider how their offering can help customers do this.
- Is data appropriately protected and managed? Are there protocols in place to report a potential breach? Do your customers have similar procedures?
- New processing demands – Partners – and their customers – must consider the new processing activities they will need to discharge, such as reporting breaches, cataloguing data and logging information security events.
- New pressures to adopt innovative technology infrastructure – Partners will need to cope with the volume of data processing needed to expose and analyse potential breach events. As a result, there will be an increased demand for big data analytics and machine learning able to capture, analyse and interpret the vast amount of potential breach events. Do your customers have the resource, skill and equipment to do this?
Over the next 15 months, we will start to see the channel taking data protection more seriously. The GDPR is a challenge the industry must work to overcome but, if embraced, is an opportunity that can have a great impact on the relationship between partners and their customers.
Quentyn Taylor is director of information security, Canon Europe