It is essential to keep personal data safe and secure. Some companies, however, are abusing GDPR in an unprofessional way by packaging it as a product for sale. This raises the question of whether GDPR really requires special software, investments, hardware, or suppliers. Are data centers that offer GDPR compliance a feasible solution, or are they using GDPR as a marketing tool?
GDPR, the General Data Protection Regulation, is a hot topic at the events and meetups of every firm. Consultants and every other player are eager to show their support in executing GDPR. Your preferred data center can play a part in compliance, and SaaS products have their own responsibilities in being GDPR-compliant. You might be wondering whether this is really a big deal, and what the possible solutions are.
Is the choice of your supplier the perfect solution, or might you have to choose your own lane?
Relax and determine the impact
What is the significance of GDPR to your business objectives? Do you need to fear the costs that the changes will bring to your brand? Start by observing the personal information your company uses and requires. Determine whether it is, for example, only the human resources department or the sales department that needs to store such data. If you are not a cloud provider storing a lot of your clients' personal data, or a company with a marketing environment storing all kinds of client-related data, you are probably able to achieve compliance on time.
Once you understand what information you require, you must determine how much personal data is held in your company. You need a spreadsheet, a piece of paper, and time. If your brand holds an immense amount of personal data from various sources, this can be a massive project. If you notice that the human resources department is the only team that stores essential information, as required by laws and regulations, a spreadsheet can be sufficient to be compliant. Read the regulation and its rules carefully, understand its content thoroughly, and identify how its mechanisms impact your business.
Assess the risks and determine appropriate measures
GDPR does not necessarily require sophisticated security standards such as PCI-DSS or ISO standards. Nevertheless, a standard such as PCI-DSS or ISO 27001 can provide support and help ensure your compliance. You may not need consultants or special software, since what GDPR requires of you depends on the data you process. Select the necessary measures carefully, and do not buy products based on advertisements and bogus promises.
Determine the impact on suppliers
All suppliers that process personal data on behalf of the controller need to be included in your GDPR project. If you have a SaaS product that stores personal data, the supplier must be considered in your GDPR project. If you are solely responsible for operations such as ‘collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ (http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf), you probably do not have a supplier that needs to be included in your GDPR project. For example, your data may be physically stored in a data center that is considered a processor according to article 83 of the GDPR. Your risk assessment can also conclude that the data center poses no risk of ‘accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf) because other measures have been taken. It is not the data center, cloud provider, or other suppliers that lead in GDPR: your company leads, and your company decides which security measures will be taken to comply.
Maintain the overview of processing personal data
Do you still think you need to be afraid of the project and invest heavily? The importance of GDPR is to maintain an overview of all personal data processed, to be able to show the risk assessment on personal data and the appropriate measures taken, and to be able to provide individuals, on request, with a list of the processing actions performed on their data.
All you need is time and knowledge of the information your company processes. Do not let your supplier lead you to compliance. It is not the data center that can be compliant for you; it is your company that needs to comply with the GDPR. Identify the impact on your business first, and maybe it is not as difficult as it seems.
Although we will not be your complete GDPR solution, if we can contribute to the measures you want to take to secure your data, do not hesitate to contact our Compliance and Security team to discuss the possibilities.
Blog by Jouke Albeda, Security & Compliance Manager