Canadian organizations are only beginning their journey towards compliancy with the General Data Protection Regulation (GDPR). But time is running out, as the May 25 deadline approaches. A new ‚ÄĒ albeit small-scale ‚ÄĒ global survey by Commvault found that only 12 per cent of organizations say they are ready for implementation by the enforcement date.
The EU¬†GDPR was designed to harmonize data privacy laws across Europe in order to¬†protect EU citizens and to reshape the way organizations across the region approach data privacy. Organizations found to be non-compliant could run the risk of heavy fines of up to four per cent of their global revenue.
While some might think otherwise, the impact of GDPR extends far beyond EU borders, says Matt Tyrer, senior manager, solutions marketing, Americas at¬†Commvault in Ottawa. ‚ÄúMany feel that because it‚Äôs an EU initiative the regulations don‚Äôt apply to them. The problem is the GDPR is not just bound by region in terms of people actually in the EU. It extends to anyone doing business or holding data for citizens in the EU.‚ÄĚ
For example, that includes a Canadian company with a website that collects information, whether the user is ordering product or accessing information. ‚ÄúAny interaction with people over there could have implications. It could be an email address or phone number, or some exchange at the cookie level of an EU citizen. Some of the information you collect could easily fall under the regulatory rule set. There are subtle, nuanced things that people don‚Äôt think about.‚ÄĚ
No business is exempt, he adds. ‚ÄúGDPR doesn‚Äôt matter how big or small you are. Rather, it is looking at the data used, the rules around how to handle that data, and how you are able to respond to requests for it.‚ÄĚ
The study showed that a large number of IT personnel admit to still being confused by key elements of the regulation.
- Only 21 per cent feel they have a good understanding of what GDPR means in practice
- Only 18 per cent said they understand what data their company has and where it lives
- Only 17 per cent understand the potential impact of GDPR on their overall business
- Only 12 per cent understand how GDPR would affect cloud services
- Only 11 per cent said they understand what constituted personal data
Tyrer has some words of advice to organizations who haven‚Äôt yet executed a GDPR compliance strategy. ‚ÄúFirst, don‚Äôt assume it‚Äôs not going to apply to you. It will.‚ÄĚ
Second, make sure you have visibility into your data. ‚ÄúThe proliferation of endpoint, mobile devices and cloud services means data exists further outside the walls of the enterprise that need to be tracked.‚ÄĚ
Third, you must have the ability to act on those data sources in the way of classification, retention, collection, staging and security.
Tyrer offers the following basic roadmap to compliance:
Identify all your data sources you can. ‚ÄúCreate a listing of assets: These are the apps we have, the file servers, the mobile devices that we know of, the clouds we interact with. Make sure you can be at a place where you can search across data sets and collect them when needed.‚ÄĚ
Figure out what rules you need to wrap around the data. ‚ÄúThere may be different security requirements for different datasets,‚ÄĚ Tyrer says. ‚ÄúWhat data should be where? Set rules around who can interact with data and where it can go. If you need to do something with that data or find an element in it, what processes do you need to follow? Do you save it or delete it after a certain time?‚ÄĚ
Start small and build. ‚ÄúIf you‚Äôre put off by such a big problem and don‚Äôt know where to begin, start with one thing and move on to the next data set you want to address. Email is often a good place to start,‚ÄĚ Tyrer says. Key areas to look into include the cloud and the endpoints, such as mobile devices.
As the GDPR deadline nears, Tyrer says organizations who have been holding off on their strategies need to do something, ‚Äúeven if you don‚Äôt know what that something is. If you don‚Äôt (act), then you‚Äôre in trouble.‚ÄĚ
Despite the logistics and associated costs, GDPR compliance could be viewed as a competitive advantage, he adds. ‚ÄúIf you can claim some semblance of GDPR compliance, you would be looked on more favourably by the EU as a foreign company doing trade.‚ÄĚ
First published at http://business.financialpost.com/executive/many-canadian-organizations-unprepared-for-the-eus-gdpr-compliance-deadline