The European Union’s General Data Protection Regulation (GDPR) is set to go into effect in a matter of months, yet according to a SpiceWorks survey, only 9% of US IT professionals feel they have a good understanding of the regulation. Should the GDPR concern US companies? The short answer is yes, although it is fair to assume the level of concern will vary from company to company.
What Is a US Company’s Level of Risk?
To some extent, the level of risk for a US company depends on how much business it does in the EU. Companies with a physical presence in an EU country, whether that is one salesperson or a full-fledged office, should expect to fall under the regulation. However, there does seem to be language in the regulation indicating that any US company doing any business in the EU must adhere to the GDPR. With the ease of selling products globally now, it is reasonable to expect that almost every US business will be held accountable to the regulation if its operations process the personal data of European residents.
But even if US companies decide they are exempt, they should not ignore it. GDPR is a sign of the future, and there is almost no doubt the US will pass a similar law at some point. Finally, there is the reality that there is a lot of good content in the regulation. In fact, the same SpiceWorks survey indicated that 65% of UK-based IT professionals and 50% of EU-based IT professionals are in favor of the regulation. Yes, there is some vagueness, such as the requirement that companies restore access to data in a “timely manner,” and the fines are excessive, to the point of not being practical. Nevertheless, generally speaking, GDPR is a reasonable set of guidelines for all companies not only to adhere to but to surpass.
What Should US Companies Do?
While there is a lot of discussion about the GDPR’s “right to be forgotten” language, there are more pressing concerns for US companies found in Article 32, the “Security of Processing” section.
This section calls for:
1. “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”
2. “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”
3. “a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures of ensuring the security of the processing.”
Lastly, there is also the mention of the specific creation of a Data Protection Officer and the right of that officer to complain to the EU Information Commissioner’s Office if they are not getting the resources they need.
Americans and American companies don’t like being told what to do, and the above paragraph is a mouthful of being told what to do. The reality, though, is that none of the above statements would be out of place in a data protection or disaster recovery seminar. The organization is already pressuring its IT staff to meet very similar expectations, ones that exceed even what the EU requires. If it feels better, call it Organizational Data Protection Regulations (ODPR).
Meeting GDPR and ODPR Demands
Meeting GDPR (and ODPR) can’t be avoided. How can IT meet the demands of these regulations? The key is not to throw point solutions at the problem at random; instead, make a plan and design an architecture that can meet both GDPR and ODPR.
In our on-demand webinar, “How to Design Primary Storage for GDPR,” we take a look at one such approach. Attendees will learn how to address the day-to-day performance challenges of primary storage alongside the data protection and retention requirements of GDPR.