One of the more intriguing aspects of the General Data Protection Rule (GDPR) implemented by the European Union is that organizations are required to appoint a chief data protection officer. That person doesn’t necessarily need to have that formal title. But GDPR makes it clear someone in the organization needs to be responsible for data protection.
As simple as that may seem, it turns out that this issue gets to the heart of one of the longest-standing problems in IT. In theory, IT organizations are responsible for managing data. But internal IT teams don’t generate the data. They don’t even necessarily know why data is being collected. To the average IT person it is all just data. It’s the line-of-business executives who decide what data should be collected. Before data gets backed up, it’s important to know what data is being collected, about whom, and for what purpose.
A new survey of 500 IT and cybersecurity professionals published this week by Avecto, a provider of privilege management software, suggests that most organizations have yet to fully appreciate the implicit and explicit data management requirements of GDPR.
Only 27 percent of the survey respondents from North America said they work at an organization that has an internal data protection officer, compared to 63 percent in the United Kingdom and 52 percent in Germany. Naturally, that doesn’t mean someone in IT isn’t responsible for data protection. But there’s a world of difference from a compliance perspective when someone is specifically responsible for data. Auditing data storage and usage is an integral part of the GDPR regulations. Yet 27 percent of survey respondents admit they do not conduct data audits.
The MSP opportunity
The GDPR opportunity for managed service providers (MSPs) at this point is essentially two-fold. It’s clear most organizations need some level of business consulting to help them understand the full import of the GDPR rule. Most of them are assuming, for example, that a CIO or equivalent functions as a chief data officer to whom the chief data protection officer should report. The truth is a little more complicated, because someone in the business needs to be able to identify what data needs to be protected, where it resides, and for how long.
It’s safe to assume that the practices they have in place for managing data are haphazard at best. Most organizations don’t have data management processes in place that can definitively show who in the organization has control of any given data set. Most of them in truth are lucky they can even recover data at all because no one has tested whether the backup really worked in a very long time.
Awareness of GDPR creates the business issue that motivates business and IT leaders to at the very least want to have these conversations. Prior to the GDPR rule being implemented by the E.U., getting anyone inside an organization to focus specifically on how data is being managed was very hard. Unfortunately, too many business and IT leaders still think that if they have a way to identify personally identifiable information they have all their GDPR bases covered. Auditors undoubtedly will soon be disabusing many of them of that notion. MSPs might want to consider providing audit consulting services specifically for GDPR compliance. Most business and IT leaders are keen to know whether they could pass a GDPR audit before it happens. Most of them probably won’t, which from the perspective of the MSP is going to be the point from which the rest of the data management conversation will really start to flow.