Is GDPR More About PR Than Data Protection? Ivanti Chief Technologist EMEA Simon Townsend Responds
Simon Townsend joined what is now the Ivanti team when Landesk acquired AppSense last year. But Simon’s been around the IT industry for almost 20 years now. That perspective gives him a refreshing take on one of the industry’s most talked-about developments: the General Data Protection Regulation, or GDPR. Due to take effect on 25 May 2018, the GDPR is intended to protect the private and personal data of every European Union (EU) citizen everywhere. Companies that violate the regulation are subject to significant fines, even if those companies are based outside of the EU.
Simon, can you summarize the key points of the GDPR, please?
As many have likely already heard and read repeatedly, come May 2018, the EU General Data Protection Regulation, or GDPR, comes into force. If you have read most of the information available you will also know why it is coming into force, and who it affects – basically, every EU citizen and every business that does business with EU citizens.
Specifically, organisations that do not demonstrate they are protecting personally identifiable information (PII) will be fined either four percent of their annual revenues or 20M Euros, whichever is higher. These fines are significantly higher than anything we have seen in the past, and these fines alone provide enough “punch” to make any organisation or CIO consider a change in how data is processed and protected.
Thanks, Simon. Now, what has the run-up to the scheduled GDPR implementation date looked like to you? Does it remind you of other industry events?
Leading up to 31 December 1999, I recall those of us in IT running around our businesses patching systems, worried about the Y2K issue. Whilst technically there was some cause for concern, it also demonstrated how the IT industry can overplay and exacerbate certain challenges, issues, and threats we face.
I can think of numerous examples where our industry is amazingly quick to jump on the bandwagon of a certain topic and use it to obtain additional budget, sell more services or introduce new products. Whether you are an IT decision maker, a vendor, or a partner, we all do it! “Cloud.” “VDI.” “Security.” “Ransomware.” “WannaCrypt/WannaCry.” “Windows 10.” “Consumerization of IT.” “Internet of Things” or “IoT.” “Artificial intelligence” or “AI.” Each is a legitimate set of challenges, but they are all also IT buzzwords that we attach to – and, if we are honest, sometimes overuse and overindulge in.
The GDPR has fast become one of “those” topics. As I sit here today, far too many IT organisations, vendors, and pundits are trying to attach themselves to GDPR and use it more for PR than to encourage compliance with GDPR or better data protection practices.
Well, then, Simon, how should organizations be dealing with the GDPR?
Unlike the Y2K problem and its “hard deadline” of 31 January 1999, 28 May 2018 is not a date that organisations and IT need to work towards. Instead, I would argue that 28 May 2018 is the day work on GDPR compliance starts, not completes.
This is because GDPR requires a change to fundamental business and IT procedures and workflows. It requires a business to change its processes so that GDPR compliance is built into the practice of the business. Compliance requirements can’t be viewed as something that IT or the business simply reacts to if and when a change occurs relevant to PII. Also, whilst some technology can help, some sadly cannot. And none – I repeat, none – provide the “silver bullet” that ensures you are compliant and protected.
GDPR is, in fact, not an IT problem. It’s a business problem. It’s more legal than IT. IT only makes up part of the solution.
But Simon, aren’t you also jumping on the GDPR bandwagon here? Aren’t you simply using the new EU directive to promote Ivanti?
In short, yes, I am! But in fairness, I believe we have the right to do so, even though I reiterate that there is no silver bullet, and add that no single vendor’s solutions or technologies alone can suffice. In fact, Ivanti have both service management and endpoint security solutions, both of which can help form part of the solution. But where GDPR is concerned, it’s the discipline and methodology, and not the technology, that I speak to people about.
So what specific guidance can you offer?
Under GDPR, any data needs to be accessible, audited and provided on demand at any moment in time. Understanding where your data is and retrieving it in a timely fashion is key. Should that same data be subject to data loss or a security breach, GDPR also states you have 72 hours to report the incident and present what preventative steps and remediation plans are in place.
Simply put, managing and protecting data in its basic sense is a series of requests and actions, something that a true service management platform should provide. Since merging with Heat Software in January 2017, Ivanti now has more than 3,500 ITSM customers. And as Landesk and Heat before the merger, Ivanti has years of experience in helping organisations automate and unify such processes. Regardless of whether you choose our solutions or not, modern service management should be at the heart of how your business complies with and responds to the GDPR.
In addition, GDPR requires that personal data is “processed in a manner that ensures appropriate security… including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.” After a breach, demonstrating such security measures could impact the amount of fine received. In today’s nasty world of malware and ransomware attacks encrypting said data, it is key that organisations look at better ways to protect the data and the endpoints in the first place.
Ivanti believe that prevention is better than cure, a view endorsed by multiple bodies, notably the US Center for Internet Security (CIS). Their recommendations are supported by organizations around the world, including the Australian Signals Directorate (ASD), the International Organisation for Standardization (ISO), the FBI, and the National Cyber Security Centre (NCSC) of the United Kingdom (UK). All of these agencies agree that timely patching of applications and operating systems, application control, device control, and reining in admin privileges can eliminate some 85 percent of rogue intrusions.
With these basic steps, organisations can protect themselves far better and demonstrate that at least the basic, appropriate levels of protection have been put in place. Again, whilst Ivanti have solutions in this space, I would urge any organisation to investigate how operating systems, applications, and users are being patched and controlled to ensure that attack surface areas are reduced.
Thanks so much, Simon. Great advice. Any final observations?
If, like many, you have yet to start your journey to GDPR compliance, don’t panic. You are not alone. Appreciate that it’s a business problem and not just an IT challenge. Engage your legal department colleagues, and start assessing your compliance today.
Thanks to Simon for his insights. When you’re ready to take on the GDPR, check out Ivanti’s solutions for application and operating system patch management, application control, admin rights management, and control of PCs and macOS systems, iOS devices, and mobile devices. Also explore our solutions for improved delivery of IT and business services. Then contact Ivanti and let us help you to unify and modernize your IT, and make your enterprise more than “GDPR-ready.”