The EU General Data Protection Regulation (GDPR) is enforceable in May 2018. The GDPR legally mandates that organizations protect personal data and extends its reach beyond those established in the EU to others beyond its borders. The GDPR requires that companies respect an individual’s legal right to privacy and that organizations must be accountable for the personal data they process. It sounds simple, but in getting “GDPR ready”, businesses are currently reviewing the way they handle and treat personal data, instituting and enforcing adequate business governance, policies and processes to protect that data. The fines for non-compliance could be substantial. More important, this activity makes great business sense.
There is a lot of talk about technology companies making yours compliant. However, no technology company can ensure you are fully “GDPR compliant.” That’s like saying you’re “traffic compliant” when you follow traffic laws – or “out of traffic compliance” when you run a stop light. Simply buying a Mercedes and claiming the car itself is safe will do no good if you’re stopped by the police. You will have had to follow driving processes and made risk assessments every step of your journey and be able to prove them when asked. Aligning with the regulation is no different and requires an intimate and ongoing understanding of privacy laws, business policy, and how to act correctly in the event a problem arises with someone’s data. Technology alone cannot make up for the lack of a privacy and data protection governance program.
That’s not to say that information technology doesn’t have a part in GDPR preparation and management. Technology can be leveraged as a tool aiding certain compliance functions or data protection tasks. As your organization evaluates the ways that personal data flows through the different functional groups and systems – such as email marketing, human resources or customer data – IT can determine how the data is secured. To begin, IT can align with how the organization is mapping its data. Privacy consultants may advise clients to create a current data map for personal data controlled by the business or processed on behalf of others, which will answer questions like:
- What data do you have?
- Where does it go?
- Where is it stored?
- Who has access to it?
- Who is responsible for it?
- How do you keep it safe?
IT can support activities to further prepare for and provide ongoing compliance with the GDPR, and establish new process and policy updates by assessing the security of personal data throughout the life of that data, from creation to expiration. During this effort, IT can use the awareness gained from GDPR readiness assessments and can act as an enabler for identifying how IT secures all sensitive and confidential data, such as intellectual property, financial data or contractual data, refining and modernizing its approach to data security along the way. The model below illustrates a possible approach to understanding data and its inherent security requirements – what we in IT call data protection.
Figure 1: Essential Data Protection Capabilities Around the Data Life Cycle
The intrinsic security capabilities within the VMware portfolio provide a solid foundation for securing personal data and other sensitive information and may help support business policies which enforce elements of the GDPR (such as security and accountability).
Figure 2: VMware Data Security Capabilities
Preparation for the GDPR is a complex, cross-company effort, likely requiring outside guidance and definitely requiring the enlistment of your internal subject matter experts. But while at times daunting, GDPR readiness projects force us all to take a critical look at what data we hold and how we manage that data and information holistically. By improving our business processes to protect personal data, we protect both our customers’ information and our own.
Figure 3: A sample of VMware data protection capabilities
To learn more about VMware Workspace ONE solutions which support data security, read the Accelerate Towards GDPR Compliance Blog.
Learn more about how VMware transforms security by making security intrinsic, from the endpoint to the data center.
Follow us on Twitter at @VMwareSecurity