GDPR is not an IT Regulation

Publication date: Mar 02, 2018

Last Published: Mar 31, 2020

Written by: Payam Pourkhomami, President & CEO, OSIbeyond


As a Managed IT Services firm, we’ve had many of our clients approach us in recent months about the new General Data Protection Regulation (GDPR). Often there is concern and confusion about how the new regulation affects their organization, and the first question is always “Is our data safe?” Once we’ve explained that there is no need to be concerned and that their data is in fact safe and secure, the conversation then shifts towards what GDPR really is, whether GDPR applies to US organizations, and the steps organizations need to take to be in compliance with the GDPR.

In reality, the technical aspect of GDPR is only a small portion of its requirements. The majority of the regulation is focused on policies and procedures. In this article we’ll give an overview of what the GDPR consists of and what it means for you.

What is GDPR?

First let’s start by understanding exactly what GDPR is. The foundation of GDPR is to give European Union (EU) citizens and residents “digital rights” given the increasing economic value of personal data. The intention is to give control of personal data back to citizens and residents in the EU. In addition, the idea is to streamline the rules for protection of data across the EU by foreign companies who process the data of EU residents.

Does GDPR apply to you?

The next question we get is “Does GDPR apply to us?” The answer to that is somewhat complicated. GDPR applies to organizations that do business within the EU, and can apply to organizations outside of the EU. There are three criteria to determine if your organization needs to be GDPR compliant.

  1. Where is your organization established? If you have a presence in the EU, then GDPR will definitely apply to you.
  2. Does your organization envision doing business with EU residents? If so, then GDPR will apply to you.
  3. Does your organization utilize any kind of technology platform to monitor and track the behavior of EU residents? If so, then GDPR will apply to you.

An organization must carefully analyze its operations to determine if any of these criteria apply to it. For example, if your organization is US based and happens to process an online transaction with an EU resident, then the regulation does not apply. But if your organization tracks the transactions of EU residents, then the regulation does apply. It’s important to understand that GDPR does not only apply to EU citizens. It applies to any individual in the EU whose data is targeted, including visitors within the EU. In addition, there are gray areas that could indirectly subject an organization to GDPR. For example, a US based organization that uses a third party based in the EU to process its data should comply with GDPR.

What does GDPR involve?

In today’s digital age, almost any service we use will involve our personal data, which in turn is analyzed and possibly stored by organizations. Given that a data breach will inevitably happen, it is the responsibility of your organization to ensure that personal data is gathered legally as per the conditions dictated by GDPR. Additionally, if your organization does collect data, then it is your responsibility to ensure that the data is protected and that the rights of the individual are respected. Organizations that violate these rules will face strict penalties.

One of the key provisions of GDPR is breach notification. In the event of a data breach, an organization must notify the relevant authorities within 72 hours of the breach. In addition, the organization must directly notify the individuals whose data has been breached. Failure to comply with these rules can result in significant fines and penalties.

How to prepare for GDPR?

So now that you have an understanding of what GDPR is and whether it applies to your organization, how do you prepare? First, it is important to understand what needs to be done to prepare for GDPR compliance. There are many useful resources available online. For instance, the ICO outlines 12 Steps to Prepare for GDPR. Note that preparation for GDPR, as an internal function within your organization, requires extensive discussions with people from various departments including management, marketing, legal, and IT.

Second, preparation for GDPR will be more complex for some organizations depending on the nature of their business operations and the size of the organization. For this reason, it may be appropriate to hire outside consultants who specialize in GDPR compliance to help you prepare for and maintain compliance.

In summary, there is a common misunderstanding that GDPR is simply about security of data. While cybersecurity and data security are certainly fundamental components, the objective of GDPR is to promote accountability and governance by having companies implement both technical and organizational measures to protect the personal data of EU residents.

From an IT perspective, GDPR further underscores the need for organizations to invest in cyber security as a preventative measure. As I explain in a previous article, there are several basic steps that an organization can take to start protecting their data at a relatively low cost, especially when compared to the financial cost and reputational damage that can result from a data breach.
