GDPR for busy Managers: the implications for IT and security
You probably know about the General Data Protection Regulation (GDPR), and that businesses need to think about security and data from the stakeholders’ point of view by 25 May 2018.
4 August 2017
You’ll also probably know that nobody is exempt from GDPR, not even charities or the public sector. Preparation and compliance will bring widespread changes, and there will be huge fines for data breaches.
But after the scaremongering has passed, the questions we’re asking are:
- What are the everyday implications for IT? How do I get secure?
- What have I got right? What do I need to change?
- How can I be proactive? Are there any wider business benefits to compliance?
Assessing the situation: What GDPR means for businesses
Businesses following the current Data Protection Act are already halfway to compliance. Still, most will need to re-assess their strategy, processes and technology, and appoint an official Data Protection Officer.
Many companies are already aware of the technology opportunities around data, such as cloud storage, mobile working and analytics, as well as the risks of device theft or loss and the rise of hackers and data breaches.
Savvy businesses were prioritising data protection way before the regulation came into view. But don’t panic if this isn’t you! Instead, think of GDPR as a timely reminder. Here are the key things you need to know.
GDPR is more than a regulation; it’s a change of culture
The General Data Protection Regulation isn’t just about tick-box compliance, or even merely protecting data. It’s about setting the global bar for best practices around data handling, privacy and sharing.
Businesses are now embracing new technology to improve data management, increase transparency and accountability, and keep pace with security challenges. In turn, this creates a culture of better collaboration, trust and privacy – both internally and with customers.
It starts with location and visibility of your data
Many companies lack knowledge of their data: its value, who has access and where it’s stored. These blind spots increase the risk of accidental data leaks, leave you wide open to hackers, and can cause confusion for both employees and customers.
But under the GDPR:
- If a data breach occurs, you need to report it within 72 hours. However, most companies take over six months to even discover a data breach today.
- If somebody requests all the data you have about them or wants everything erased, you need to be able to actually do this, and to do it efficiently.
Technology should enable a single source of truth for business data. This needs to be easily accessed and shared, but only by those who are authorised or who need the information at that time.
It’s really all about people and processes
Although technology plays a big role, the GDPR is really all about people’s digital identities and how data gets from A to B. Businesses should be making data secure, but also ensuring it’s easily accessed and shared efficiently in a way that’s productive for everyone.
Our recommendation: Microsoft’s Secure Productive Enterprise
Every business is different, so we know that there’s no magic bullet for GDPR compliance. But Microsoft 365, which includes Windows 10, Enterprise Mobility + Security and Office 365, comes close, because it’s adaptable to individual business needs and can solve multiple problems.
Focusing on compliance and the ‘culture’ of GDPR, Enterprise Mobility + Security (part of Microsoft 365) provides businesses with:
- Identity and access management. Digital identities can access data through single sign-on, and data for each user is stored in one place. You can grant or revoke permissions easily.
- Ongoing, automated protection. Data is labelled, classified, organised and encrypted at creation, and this all moves with it, wherever it goes.
- Advanced, proactive security. Barriers to unauthorised access are unmatchable here, and Microsoft’s Advanced Threat Analytics can detect data breaches before they happen.
- Transparent data sharing. On all applications, your team members can find and share data either in the office or remotely. This is known as ‘unified communications.’
GCI is currently understood to be the only UK Managed Services Provider to offer Microsoft’s EMS Solution as a managed service. We will work with you to define and deploy your requirements for identity, mobile device, mobile application and PC management. GCI also assists with cloud-based file tracking, classification and encryption, and we will determine how your day-to-day support will be managed with a simple per-user, per-month charging structure.
Plan before action: Getting off the ground with GDPR
Although the months until GDPR comes into force are a ticking time bomb, you shouldn’t rush into technology decisions. The starting point is auditing your current ‘maturity’ for GDPR, and how it aligns with your future strategy.