When it came to addressing the European Union's new data regulations, many consulting firms assumed their clients had nothing in place and would need to start from scratch.
But InteliSecure took a different approach, according to CTO Jeremy Wittkop.
The Greenwood Village, Colo.-based solution provider conducted a gap analysis of its clients, Wittkop said, and found that most customers were already between 70 percent and 85 percent compliant. Most of InteliSecure's clients had both the technology and data security controls needed to be compliant in place, Wittkop said, and were working to ensure they had all forms of sensitive personal data covered.
Wittkop said InteliSecure's customers therefore usually ended up focusing on modifying their programs and procedures to ensure they fulfilled the intent and spirit of the EU's General Data Protection Regulation (GDPR) rules, which were adopted in April 2016 and started being enforced today. The policy aims to give EU citizens and residents greater control over how their personal data is used.
The most common areas of GDPR where clients have been coming up short have included consent requests, complying with the right to be forgotten, and providing an explanation of how they plan to use or process an individual's data, according to Wittkop. Organizations have also needed to address practices that are no longer allowed under GDPR, he said, such as buying and selling lists of names.
The new GDPR requirements are considered to be the toughest in the world, with violators subject to fines of up to 4 percent of global revenue or 20 million Euros – whichever is higher – for non-compliance. GDPR requires businesses to be transparent about how user data is being handled, and to get an individual's permission before the data can be used.
EU citizens and residents can also ask technology firms, banks, retailers or other businesses what information they hold about them, and then request that it be deleted. And if a user suspects their information is being misused or collected unnecessarily, they can set an investigation in motion by complaining to their country's data protection regulator.
Many technology companies are rolling out GDPR-related changes beyond Europe since it's hard to determine the citizenship of people logging in to use services, extending clearer explanations as well as new protections to U.S. citizens. However, citizens outside the European Union don't have any recourse if they still have a problem with a company's practices.
Channel partners attuned to GDPR have largely focused on conducting assessments to determine where a customer's GDPR-relevant data resides and how it flows into, through, and out of the organization. But some like Accudata Systems, No. 200 on the 2017 CRN Solution Provider 500, go beyond the preliminary data mapping to provide policy development assistance and remediation services.
The Houston-based solution provider takes an in-depth dive into the customer's policy process to understand how it works and interacts with GDPR, according to Advisory Services Principal Paul Kendall. Any aspects of GDPR that need to be codified in policy, such as data retention and encryption management, can be both written and shepherded through the firm's engagement process by Accudata, Kendall said.
From a remediation perspective, Kendall said Accudata's risk and compliance group can help organizations develop strategies and implement an incident response plan.
And for businesses looking to take an approach to GDPR that goes beyond just legal remedies, Finnish tech evangelist Juda Sallinen launched a company two years ago that does exactly that. Sallinen left Veritas at the end of 2016 and launched GDPR Tech, which focuses on addressing security, information governance, legal, and people-and-process considerations around the impending regulation.
Sallinen said he's found that information governance is often the biggest area of deficiency for businesses since a good number haven't even had any kind of documented risk assessment. GDPR Tech also focuses on helping clients understand where data comes into the company, Sallinen said, as well as what kinds of risks they're assuming when hiding that data.