Countdown to GDPR: Checklist to Get Your Infrastructure Compliance-Ready

By Bharath Vasudevan, Product Manager, HPE Software-defined and Cloud Group

In a world constantly bombarded by ransomware, malware, and data breaches, people want to feel that they and their data are protected. As such, the EU's General Data Protection Regulation (GDPR) has caused quite the buzz since it was adopted in April 2016. In short, GDPR standardizes the protection of personal data belonging to individuals in the EU. Starting on 25 May 2018, GDPR will require companies established in EU countries, as well as any company outside the EU that offers goods or services to people in the EU or monitors their behaviour, to comply with its rules on data protection and data security. (Yes, that means global enterprises based outside the EU as well!)

Compliance regulations are not new. In fact, companies work to meet numerous compliance regulations every year. However, according to a PwC Pulse Survey of C-suite executives from large multinational corporations, 54% of respondents reported that GDPR readiness is the highest priority on their data privacy and security agenda, and 77% plan to spend €1 million or more on GDPR compliance. Why are businesses spending so much time and money getting ready for GDPR? First, GDPR actually benefits businesses because it reduces red tape by replacing 28 separate national data protection laws with a single regulation that applies directly across the EU. The European Commission estimates this consolidation will bring companies €2.3 billion per year in cost savings. Second, failure to comply with GDPR after May 2018 comes with hefty fines of up to 4% of the company's global annual turnover or €20 million, whichever is higher, as well as a damaged reputation and potential lawsuits.

But what about the other 46% of businesses for which GDPR readiness is not yet the top priority? With less than a year before the regulation applies, there is still time to plan, revise policies, or invest in new technologies, but time is of the essence. To make sure you are ready to comply, consider the following to-do list:

1. Improve data governance
Specifically, you must be able to report how personal data (structured and unstructured) is collected, used, and modified, and you must have processes in place that let data subjects easily give consent, review the data you hold about them, and withdraw consent or request that the data be corrected or erased. Your infrastructure also needs to keep track of these authorizations and of the data lifecycle, from collection through retention to deletion.

2. Monitor data access
Speaking of authorization, you need to establish access authorization policies that limit employee access to personal data to what each role actually needs. These policies must be kept up to date as organizational needs change, and access must be logged and monitored so that misuse and breaches are detected rather than discovered after the fact. This is particularly important for data transfers, which are covered by Chapter V of GDPR: a transfer to a destination outside the EU is only permitted where that destination offers an adequate level of protection or appropriate safeguards, so the same protection and governance conditions that apply to companies within the EU follow the data wherever it goes.

3. Allow for mobility
Not only do data subjects have the right to take their data with them (data portability), but you must also continue to provide mobility to remote or off-site employees. Employees who are authorized to access sensitive data must still be able to reach it securely from wherever they work. For this reason, make sure remote access paths such as VDI connections are secured, with the session authenticated and encrypted and the data kept inside the controlled environment rather than copied to the endpoint.

4. Prepare for disasters
Outside of a data breach, data must also be protected from disasters and accidents. Even with thorough authorization policies in place, mistakes happen (we are only human, after all), so you must have a solid backup and disaster recovery strategy that limits downtime and reduces the risk of data loss; GDPR's security requirements (Article 32) expressly include the ability to restore the availability of, and access to, personal data in a timely manner after an incident. Ensuring that the backups are just as secure as the original data set, with the same encryption and access controls, should also be a top priority.

5. Assign a DPO
GDPR requires an organization to appoint a Data Protection Officer (DPO) when it is a public authority, or when its core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of personal data (Article 37). Note that the 250-employee threshold often quoted in this context actually concerns the record-keeping exemption in Article 30, not the DPO obligation; even where a DPO is not mandatory, appointing one is good practice. The DPO manages and monitors the processing of personal data and the operations the regulation requires, and must be free of any conflict of interest when it comes to the protection of that data.

6. Seek out the legal team
The legal team is best positioned to help determine where there are gaps within your company’s current data protection policies. For instance, the legal team can help create a compliant process to obtain a person’s consent before their data is collected in any way and how to best implement new policies without reinventing the business wheel.

GDPR is as much a business issue as it is a technology issue. And while companies can handle most of the business needs internally, the regulation may lead businesses to consider a technology refresh for their IT teams to ensure compliance. Many vendors, HPE among them, recognize the difficulty GDPR compliance will cause many companies and have developed IT solutions designed specifically to help companies comply. The HPE GDPR Starter Kit (which includes content management, data management, and data protection tools) and the HPE SimpliVity 380 (which features built-in data protection, backup, and data management capabilities) are just two of many examples. And with just under a year to go before GDPR is enforced, you still have time to make the best decision for your business.

To learn more about how to prepare for GDPR, click here.

To learn more about how hyperconvergence can help IT, download the free eBook.


Copyright © 2017 IDG Communications, Inc.