Edmonton Journal

Most Canadian groups unprepared for EU’s data protection compliance

‘Don’t assume it’s not going to apply to you’ as May deadline approaches

- DENISE DEVEAU

Canadian organizations are only beginning their journey towards compliance with the General Data Protection Regulation (GDPR). But time is running out, as the May 25 deadline approaches. A new — albeit small-scale — global survey by Commvault found that only 12 per cent of organizations say they are ready for implementation by the enforcement date.

The EU GDPR was designed to harmonize data privacy laws across Europe to help protect EU citizens and to reshape the way organizations approach data privacy. Organizations found to be non-compliant could run the risk of heavy fines of up to four per cent of their global revenue.

While some might think otherwise, the impact of GDPR extends far beyond EU borders, says Matt Tyrer, senior manager, solutions marketing, Americas at Commvault in Ottawa. “Many feel that because it’s an EU initiative the regulations don’t apply to them. The problem is the GDPR is not just bound by region in terms of people actually in the EU. It extends to anyone doing business or holding data for citizens in the EU.”

For example, that includes a Canadian company with a website that collects information, whether the user is ordering product or accessing information. “Any interaction with people over there could have implications. It could be an email address or phone number, or some exchange at the cookie level of an EU citizen. Some of the information you collect could easily fall under the regulatory rule set. There are subtle, nuanced things that people don’t think about.”

No business is exempt, he adds. “GDPR doesn’t matter how big or small you are. Rather, it is looking at the data used, the rules around how to handle that data, and how you are able to respond to requests for it.”

The study showed that a large number of IT personnel admit to still being confused by key elements of the regulation.

- Only 21 per cent feel they have a good understanding of what GDPR means in practice;
- Only 18 per cent said they understand what data their company has and where it lives;
- Only 17 per cent understand the potential impact of GDPR on their overall business;
- Only 12 per cent understand how GDPR would affect cloud services;
- Only 11 per cent said they understand what constituted personal data.

Tyrer has some words of advice to organizations who haven’t yet executed a GDPR compliance strategy. “First, don’t assume it’s not going to apply to you. It will.”

Second, make sure you have visibility into your data. “The proliferation of end points, mobile devices and cloud services means data exists further outside the walls of the enterprise that needs to be tracked.”

Third, you must have the ability to act on those data sources in the way of classification, retention, collection, staging and security.

Tyrer offers the following basic roadmap to compliance:

- Identify all the data sources you can: “Create a listing of assets: These are the apps we have, the file servers, the mobile devices that we know of, the clouds we interact with. Make sure you can be at a place where you can search across data sets and collect them when needed.”

- Figure out what rules you need to wrap around the data: “There may be different security requirements for different data sets,” Tyrer says. “What data should be where? Set rules around who can interact with data and where it can go. If you need to do something with that data or find an element in it, what processes do you need to follow? Do you save it or delete it after a certain time?”

- Start small and build: “If you’re put off by such a big problem and don’t know where to begin, start with one thing and move on to the next data set you want to address. Email is often a good place to start,” Tyrer says. Key areas to look into include the cloud and the end points, such as mobile devices.

As the GDPR deadline nears, Tyrer says organizations who have been holding off on their strategies need to do something, “even if you don’t know what that something is. If you don’t (act), then you’re in trouble.”

Despite the logistics and associated costs, GDPR compliance could be viewed as a competitive advantage, he adds. “If you can claim some semblance of GDPR compliance, you would be looked on more favourably by the EU as a foreign company doing trade.”
