This month has been a security and compliance whirlwind!
The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. I’m sure you’ve received a LOT of emails from companies notifying you that they’ve updated their privacy policies. This is just one step companies are taking to become GDPR compliant.
We’ve been getting a lot of questions about GDPR and compliance, so here’s a brief overview about what’s going on, and what you may need to do.
Does GDPR affect you?
At its core, the GDPR applies to any organization that processes the personal data of people in the EU, regardless of where the organization itself is located.
You might be thinking this doesn’t affect you because you aren’t in the EU and don’t knowingly do business with anyone there. Be careful though: the GDPR’s scope turns on where the data subject is, not on citizenship or on where your company sits, and holding the contact details of someone in the EU (a customer, a vendor’s employee, a newsletter subscriber) may not be obvious without actually checking your data.
You also may do business with a vendor or customer that has determined they need to be compliant with GDPR. That business partner could then require you to be GDPR compliant. This is a scenario that we are in ourselves. One of our largest technology partners has an international presence and is requiring us to meet GDPR standards.
What should you do?
If you think you have a compliance issue, we strongly recommend contacting a GDPR Compliance Consultant. The vast majority of the steps to become compliant are business process and procedural. The required changes will impact all aspects of your business. It’s a big undertaking and you should seek professional assistance.
Many organizations have mistakenly assumed GDPR is purely a legal, technology, or operations issue.
In reality, no single department can address GDPR single-handedly. Rather, it requires a holistic view of data and true company-wide data governance.
What is VC3’s role in GDPR compliance?
We have been getting a lot of questions about the impact of GDPR and technology. Specifically, how the services we provide affect or are impacted by GDPR.
From a strictly IT perspective, if you are our client and your systems are in alignment with our best practice standards, then the technical side of your environment should satisfy what the GDPR asks for. Keep in mind that the GDPR does not list specific controls. Article 32 requires “appropriate technical and organisational measures to ensure a level of security appropriate to the risk,” taking into account the state of the art, the cost of implementation, and the nature of the processing. In other words, the regulation is risk-based: there is no checklist of products that makes you compliant, and the technical measures have to be matched to the data you hold and the processes around it.
All of our managed services clients, including All-In and Core agreements, should include our standard security services. These services include system monitoring and alerting, hosted antivirus, managed firewall(s), spam filtering, managed backups, and OpenDNS. These map directly onto the Article 32 obligations: antivirus, firewalls, spam filtering, and DNS filtering support the confidentiality and integrity of the systems that process personal data; managed backups support the ability to restore access to personal data in a timely manner after an incident; and monitoring and alerting give you the detection you need to meet the 72-hour breach notification window in Article 33. The more of these you have in place, the closer you are to our technology standards, and the stronger the technical half of your compliance story is.
A good first step would be to reach out to a compliance expert for general administrative advice. Next, contact your IT team for security and data protection updates. You may also consider having a third party conduct a security assessment. A good assessment identifies the vulnerabilities in your environment, ranks them by risk, and gives you a roadmap for remediation; it is a point-in-time snapshot, though, so plan to repeat it as your systems and your data change.
If you need help, feel free to contact me and I’ll be happy to help any way I can.