While awareness of the General Data Protection Regulation continues to grow, on-the-ground preparations still lag behind. That is not surprising when many of GDPR’s requirements have yet to be translated into actionable guidance. But as the clock ticks down, the time to transform processes and bring them into line slips away.
According to research carried out by CA Technologies, it takes an organisation an average of three months to create a compliance plan and another three months to implement it. So GDPR projects launched before December should complete in time. But the same survey also found that 54% doubt that their testing processes will be compliant by the time enforcement begins.
“It is true for regulation and compliance in general that what gets passed into law is not prescriptive to the nth degree,” Rob Coleman, chief information officer, UK, at CA Technologies told DataIQ. “So a lot of organisations have been waiting to see how it will be interpreted by supervisory authorities.”
In the meantime, a flood of regtech solutions has been emerging that can help at least part of the way down the road to compliance, not least by helping to plug obvious technology gaps or by applying technology to support new, GDPR-ready processes. As CA Technologies’ research found, only one in eight organisations believe there are no technological challenges to compliance for them to overcome.
Coleman believes there could be a two-speed GDPR compliance movement. “Large organisations are in a better position because they are used to the process of dealing with new regulations. Financial services are especially well-placed to lower the risks from their process silos. But on the SME side, they are going to struggle more,” he said.
Two specific risk factors have been highlighted by recent major data breaches or data losses - controlling user access and managing sensitive information when it moves from production into a test environment. “The hardest part is understanding where their personal information is being stored, from mainframes or data centres through to testing. That is where there are often no proper controls, such as data masking,” explained Coleman.
“Businesses are now spending a lot of time analysing data and combining data from multiple sources on the analytics platform. As analysts become more important for their businesses, they will also be driven to be more compliant,” he said.
Privileged access management (PAM) will gain fresh emphasis under GDPR, for example, because it is a straightforward way to manage exposure and deliver against the principle of accountability. Scotia Gas Networks, one of the UK’s largest gas distribution network companies, recently chose CA’s PAM solution to secure its cloud infrastructure. With applications and data management in Amazon Web Services, SGN needed to ensure that access is granted based on roles and positive authentication of credentials, with active monitoring to prevent abuse of privileges and to reduce exposure.
Coleman says that deploying regtech is an important aspect of any compliance project because, “humans are humans, so you need to put in place ways of tackling some of the preventable problems. Those will be software-based.”
While GDPR has been helpful in winning executive buy-in for compliance programmes, those major data hacks and breaches have often done more to drive action. The impact on share price, customer retention and company reputation has kept CEOs awake more than the threat of regulators’ fines - at least until the potential to be charged 4% of global turnover becomes a reality.
Fred Voccola, CEO of Kaseya, an IT solutions provider for MSPs, spoke to DataIQ from Amsterdam, where the vendor was holding its annual client event. “I have never seen a piece of legislation have this kind of macro-economic impact or get this much attention from SMEs. Even in the US, it is having more impact than even Sarbanes-Oxley,” he said.
This is driving a big change in the types of IT solution which all sizes of business will consider, with MSPs playing a big role, not least because they are able to deploy regtech solutions that work across hybrid architectures. Kaseya has a two-factor authentication solution - and has just launched a GDPR-specific application - and Voccola noted how mainstream this has become.
“Even my mother who is on Facebook asked six months ago if she should get 2FA ‘so the Russians don’t hack me’. Five years ago, it was only just being mandated in large organisations. It is crazy how fast it has gone mainstream,” he said.
Despite the high profile of data breaches like Equifax, research carried out by Kaseya has revealed a gap between the perceived importance of information security and the level of adoption. In a study of companies with up to 5,000 employees, 40% said compliance and security were their second most important technology challenge in 2017. But only 21% of companies claiming to be “efficient” in their IT operations said security was their main issue. Turning to MSPs for support could be one way to fill that gap. “They need to be very secure or they are toast,” said Voccola.
He sees something similar happening around GDPR: “We have had a tonne of customers in the last 18 months asking us to build a GDPR solution, which is why we are launching a free module for every one of our VSA customers. It allows MSPs to look at their infrastructure and report on how it is being governed.”
Voccola stated that the Equifax breach would have been prevented if it had been using Kaseya because it would have identified a failure to update critical software, leaving it vulnerable to a hack. “If GDPR was implemented in the US, companies like Equifax wouldn’t exist,” he said.
Regtech can look like the latest marketing ploy by technology vendors, especially where rebadging of existing solutions has taken place. But there is no doubt organisations of all sizes will need new technology and infrastructure to support compliant practices. This investment could also see SMEs closing the gap with large enterprises as they update their IT.
Said Voccola: “As a percentage of the global economy, 85% of all new jobs are created by SMEs. Now we are seeing a perfect storm with this sector investing at ten times the rate of GDP growth between 2010 and 2016. Technology used to be a differentiator if you were an early adopter - now it is the price you pay to play in the game.”