GDPR Basics for Business: Q&A with Ron Gula
Does the General Data Protection Regulation (GDPR) affect your business? Have you considered the impact on your business if it is found in violation of the GDPR? Is it all news-cycle hype, or does the GDPR really have teeth?
To help answer these questions, Eric Bednash from RackTop Systems interviewed Ron Gula, the president of Gula Tech Adventures, to discuss some of the basic elements of the GDPR and help us understand the risks and strategies for navigating the 2018 regulation. The highlights are below; the full interview is also available as a video.
Scope, Fines and the Right to Be Forgotten
Eric: You would think that since GDPR was established outside of the United States, it wouldn’t be as big of a deal here, but it is, in fact, a very big deal. Why?
Ron: First of all, just because businesses operate outside of the E.U. doesn’t mean we are exempt. Any business that collects an E.U. citizen’s personal data falls within the scope of the GDPR. Secondly, a lot of organizations don’t have control of their data. They don’t have an asset inventory of all their databases, they don’t know where all of their data is, or which users even have access.
GDPR has a lot of governance issues, as well. One of them is “the right to be forgotten.” So, theoretically, you can be called upon by any of your European customers and asked to have their data removed from your systems. And that’s a great thing from a compliance point of view, but it’s very difficult for companies which brought products and technologies to the market in the last couple of decades to comply with that.
Eric: Yes, and one of the things we do here at RackTop, with BrickStor, is provide an inherent data reporting capability that addresses that need and provides the ability to find that data. So, if a customer calls to exercise their right to be forgotten, you can address their request, find their data, and comply within the allowed timeframe.
Ron: A lot of readers are probably thinking about data loss prevention (DLP) at the endpoint: “I have to find a spreadsheet or a log file that has a certain user ID in it.” It’s too late at that point, you know? That’s why I like RackTop and BrickStor – you have a lot of solutions where you can not only run these databases and applications in a high-powered data center, but the data never really leaves. You have a lot of ways of letting people work with that data – whether it’s video or spreadsheet data – in a way that’s self-contained, which is really good.
Eric: Yes. But let’s talk about repercussions. Let’s say I’m an enterprise, and I get a request – but, I can’t comply. What happens? [Note: The maximum fine for GDPR violations is up to 20 million euros or four percent of global revenues, whichever is higher.]
Ron: Right now, at the beginning of 2018, if Equifax happened again and four percent of their revenue was at risk, I think the U.S. government might step in – I could see President Trump saying “look, we’re not going to pay that,” and call it a European tax on U.S. cyber companies.
But there are two important words: “up to.” That is, the fine can be “up to” four percent of global revenues. So, it’s not a guaranteed hit on revenues, it will be something less than that.
Eric: I have a little background when it comes to regulated industries, specifically in the finance world and the way fines are levied on financial institutions there. To think that the fine is a percentage of your revenue is pretty significant. If you’re a large organization, you may be generating a lot of revenue with a small number of employees – a percentage of revenue could be a huge hit for a failure to comply.
Timeframe to Comply
Ron: A lot of boards and vendors are getting lathered up trying to solve this problem. But there’s another thing that’s scaring people regarding GDPR – that’s the requirement to disclose any cyber incidents within 72 hours.
Incidents are subjective, today. It’s not always clear if and when a business has been hacked, or what data a hack may have touched. Sometimes it takes six months of investigation just to determine whether a hack happened when the investigation was launched. RackTop helps solve this issue with a simplified way of accessing data and keeping everything in one spot – it helps you prove exactly what happened with an incident, what was affected and more importantly, what was not affected.
Eric: Two of RackTop’s specific technologies help address that. Our embedded user-behavior capability constantly monitors the system and tracks the way that users access it, allowing you to detect anomalies quickly and with a high degree of accuracy. Additionally, our continuous reporting feature provides insight into your data both before and after an attack or data exposure. It all comes together to help you discover the extent of an attack within the 72-hour time limit, ensuring you can meet the disclosure requirements of the GDPR.
Together with Seagate, RackTop has developed the SDP2 drop-in solution to address encryption, reporting, and user behavior, all built on top of a high-performance platform, while answering both NIST 800-171 and GDPR.
RackTop’s flagship products offer an all-in-one data storage management and cybersecurity platform solution integrated with advanced encryption and compliance features – all with a user-friendly design and intuitive interface.
Schedule a demo with RackTop today to find the best storage and data management solution for your company.