Are you ready for the General Data Protection Regulation (GDPR)? Its enforcement date of May 25, 2018, otherwise known as G-Day, is fast approaching, and businesses large and small still have many concerns regarding their GDPR compliance preparations. The first step on the road to compliance is to know the right questions to ask your current and prospective IT vendors and the kind of responses you should expect. Here are my top five questions that will help you prepare for G-Day.

How Have You, as a Technology Provider, Approached GDPR Compliance?

If an IT vendor tells you that it has a technology solution that can help your business be compliant with GDPR, ask how the vendor has approached achieving compliance through that solution. The answer is important not only to determine the vendor’s expertise as a business, but also to evaluate its understanding of the legal and technological aspects of GDPR. At the end of the day, you are relying on the vendor to manage and protect your business-critical data. If the vendor cannot provide a satisfactory answer, it might not be the right choice.

How Does the Cloud Play into GDPR?

IT vendors often play down the significance of cloud to GDPR. The opposite extreme is when a ‘clash of cloud and GDPR’ is overstated. In reality, the ubiquity of cloud-based solutions must make cloud a huge part of GDPR discussions, debates, and solutions. Cloud computing has been the greatest disruptor to the data protection industry in the last 10 years. The IT infrastructure landscape is shifting from data being held on the premises to scenarios where data is partly on the premises, partly in the cloud, or wholly in the cloud. Businesses and vendors should consider how the global cloud ecosystem works with regard to data sovereignty, data portability, and ultimately data privacy. Modern data is distributed, dynamic, and diverse, stored across multiple heterogeneous environments and sometimes different continents. The legislation to protect consumer privacy in this current data ecosystem is catching up. Therefore, businesses need to make sure that their operational policies are keeping pace and combine the opportunities of modern data management with the requirements of new data laws.

Are Data Privacy and Data Security the Same?

GDPR and cybersecurity: these two terms are often conflated in discussions regarding personal data. Although both terms are important, they are certainly not the same. It is imperative that your vendor understands the difference and is able to guide you in the right direction.

Making your data and network secure is primarily about security systems. Although this is one piece of the puzzle in the context of GDPR, data privacy requires much more, especially robust business and administrative processes that focus on data privacy and a new employee and partner mindset. Data security alone does not guarantee that your organization has appropriate and effective controls in place around personal data and is ultimately GDPR compliant.

Is Technology a Panacea That Provides GDPR Compliance?

If an IT vendor tells you that technology is the ‘be all and end all’ of GDPR compliance, that vendor does not have clarity on the regulation. Technology is only one piece of the puzzle. When it comes to GDPR compliance, businesses need to consider three elements: people, processes, and technology. Technology, although a critical element, cannot safeguard against human error, particularly those errors that are committed deliberately but without the knowledge that they are operationally or legally incorrect. Therefore, it is imperative for businesses to also become culture-ready for GDPR. Data processes need to be revisited with an open mind. These processes include understanding the various classes of data, identifying and tagging personal data, and rethinking where the business could do without personalized data. Only then does this approach ultimately lead to the requirements for a modern data management strategy and corresponding IT decisions. A comprehensive strategy involving collaboration and agreement from different areas of business is required. That approach essentially means involvement of not just the chief privacy officer, but also the CFO, CEO, CTO, CMO, and their respective teams. To sum up, GDPR is one of the few pieces of legislation that connects technology with the application of the law, which is why businesses need to consider all three elements: people, processes, and technology.

How Would You Suggest That We Structure a GDPR Compliance Program?

A risk-based approach is a good starting point to design and implement a GDPR compliance program. To effectively formulate this approach, teams across different business functions need to assess their respective risks individually and then work collaboratively, drawing on knowledge and expertise from across the business. Again, the program combines those three aspects previously mentioned: people, processes, and technology.

It is important for you to understand from your current or prospective IT vendor which elements of the three-part program it can effectively support. Often, a single IT vendor cannot manage all three parts. However, that vendor should be able to embrace the other two and thereby connect all the elements into a single comprehensive program.

Get More Information

For more information about GDPR and to make sure that your data management strategy is ready for the legislation deadline, refer to the resources, opinions, and guides available on NetApp.com.

Dierk Schindler

Dr. jur. Dierk Schindler is the Head of Legal for Europe, Middle East & Africa, as well as the Head of Worldwide Contract Management & Services at NetApp. With almost 20 years of experience, Dr. Schindler is one of the influencers in the legal industry. He is a seasoned speaker at business events as well as at various educational institutes in Europe. He also serves as a sworn member of the Board of Examiners of the Chamber of Commerce. Dr. Schindler holds a Master's degree in International Law from Raoul Wallenberg Institute for Public International Law at Lund University. Sport is his passion: football as a fan, golf to unplug, and tennis to work out.