How to Get the Most Out of Tech to Support Your Compliance with GDPR

By Mark Benson, Esteem Director of Marketing & Alliances

So, you are probably fed up of GDPR at the moment and the amount of content available on the subject, so apologies in advance. Despite the title of this blog, I'm not going to try to sell you anything. That's a promise. I have written a number of blogs on GDPR and have tried to avoid talking about technology, for the simple reason that GDPR is actually about 95% business processes, and only 5% technology. Technology will be an aid to compliance, but it is not the Holy Grail and your IT department will not be the only bastion of hope to meet the regulations outlined in the act. That said, IT does have a role to play, and if you avoid all the marketing hype out there, there are some great tools to aid you on the journey.

Here comes the sales pitch... Just kidding.

At this point, some of you will still be placing bets on whether I'm going to sell anything; "here comes the sales pitch", and "which product is he going to push now?", but that is not the case. The first point I want to make is that you probably have a lot of tools already available to you within your infrastructure to aid compliance; it is just a case of deploying these technologies in the right way. The likes of Microsoft, Dell Technologies, Oracle etc. have all done a great job of mapping technologies against compliance areas to help you make decisions on what to deploy. I've included a few links below to show you what is available, but Esteem has also put this information together for you. If you would like a succinct email outlining what's available from each vendor from a GDPR perspective, you can subscribe on the right of this page.

The biggest IT challenge is choosing which tools to deploy, as you will probably have products from a number of vendors that can effectively do the same thing. When this situation arises, you need to look at a number of factors:

  • What skill sets do you have internally to deploy and support the technology? 
  • Which technology is best from a features perspective? 
  • Will any of the solutions already available have additional costs when you deploy them? 

By looking at all of these points you will be able to make the most appropriate and measured decision. However, you will probably find that you have already deployed a number of technologies doing the same thing.

GDPR is 95% business processes and 5% technology...

But enough about technology; as I mentioned, GDPR is 95% business processes and 5% technology. Do not be lured into the false sense of security that technology vendors offer: it is not one size fits all. The most important thing with GDPR just around the corner is to look at your data strategy and data management processes. Fundamentally, you need to be looking into how you can use the information, technology and features available to you for the betterment of your processes.

Analyse your preparedness with a Data Impact Assessment...

For the last few years, the vendors have been reporting on the exponential growth of data and the storage crisis for this vast amount of information. We also have the advent of Big Data to consider, and storing the data we gather from social media or sensors. Now with GDPR, the message vendors are pushing is the need to protect or encrypt your data. Whilst the use of technology is important to protect the data you are storing, you should primarily be looking at what is actually being stored and its Information Lifecycle Management (yes, ILM is back, or did it never really go away?). A good way to analyse this is to carry out a Data Protection Impact Assessment or DPIA. The DPIA is a way for organisations to review their obligations under GDPR and to ensure that they are compliant. The ICO have full details on how you can conduct this within your organisation and you can find out more information here.

How are you going to manage your data? 

Once you have a view of where your organisation is in relation to data protection, you will then be in a position to make decisions on how you manage data in the future. The major areas you need to focus on are:

  • How long you need to store data, and what types of data you are storing - think about regulatory compliance when looking at this
  • How to class the new data created 
  • Your long-term data retention strategy
  • What technologies are going to be used to protect the data you store
  • How you are going to manage data that is no longer required and who is responsible for this 

By adopting this approach, you will find that most of the policies you require will be in place to meet your GDPR obligations.  The most important thing to remember here is that all policies must be clearly documented, so if you ever need to report to the ICO on anything, you have all the evidence you require. 

We may find the GDPR message from vendors a little tiring, but there are some great nuggets of wisdom out there.  If you are interested in a quick summary of what's out there from each vendor, we're putting together some neat infographics in our blog section, outlining the key offerings from each vendor, including Dell EMC, Oracle, Nutanix, Citrix and Microsoft. 
