Compliance & Security

There’s nothing left to say about the GDPR (but plenty left to do)


The market is awash with reiterations of the challenges posed by the GDPR. I’ve intentionally avoided listing out the ‘horror fines’ that make the headline of every article about the new regulation. Instead, let’s focus on the constructive steps required to make your business both competitive and compliant. Data is a critical currency for businesses today, so setting aside the fines that businesses face, perhaps the bigger question is: “how will the most competitive firms continue to use data to outperform the market?”

This is the question that needs to be answered far beyond May of this year, and IT teams are going to shoulder a lot of the burden here. There are three core areas that Infrastructure and Operations professionals will need to focus on if they are to provide these steps forward:

STEP 1: Understand your goals for the GDPR, but also business success beyond it

While compliance is vital for any organisation, IT teams must be conscious not to get forced into treating the GDPR purely as a box-ticking exercise. Firms must be smart in meeting regulatory requirements while using data to gain a competitive advantage - and IT holds the key to this success.

The storage, protection and handling of data is today recognised as providing a critical edge in the market. Indeed, the ownership of insights that your competition doesn’t have, and the ability to mine and use data better than others, is central to the best businesses. This heightened ‘data-based’ competition is set within a landscape that IDC predicts will see us create 180 zettabytes of data in 2025. So irrespective of the GDPR, companies will be applying pressure on their teams to capitalise on data.

Business leadership, business units and employees themselves therefore need to understand the impact that adhering to changes in regulation will actually have on their business. Knowing which boxes need to be ticked by the organisation is not the answer in isolation; there needs to be a sustainable approach to competitive advantage that supports immediate compliance needs, but critically that can be deployed by IT. This must become a key priority in GDPR strategies in these nervous last months.

Looked at another way, GDPR shouldn’t be the end point - but a reset in the way that businesses use and manage their data to stay competitive.

STEP 2: Create an environment for data success

You can summarise the situation for many IT pros today as trying to find competitive advantage in a data minefield. Remarkably, despite the commercial imperative for data literacy, many firms are struggling to reach this level of expertise. The challenge doesn’t stop there; in many enterprise businesses, infrastructure and data management skills are not aligned. This gap in data literacy and infrastructure management will become an area of intense risk and must be addressed if organisations are to gain a competitive edge.

Despite the prevalence of the data management challenge, it’s becoming seen as a ‘business as usual’ factor by many companies. This perception gap reflects the difficulties IT infrastructure professionals face in turning aspiration to reality. Under the GDPR, it could become a tightrope walk. Aside from the financial implications of the GDPR, we can only imagine how unforgiving the market will be if a business breaches the legislation.

As a result, it’s important that businesses create clear delineations in their processes:

  • Take an all-inclusive approach - Every department will be keen to understand what data its latest application holds - HR will need to play its role, marketing must be smart when it deploys new apps and sales teams will need to be judicious with their customer profiling. Regular and open lines of communication are critical - and sadly for many organisations this may actually prove the biggest hurdle to leap over.
  • Have a shared vision for success - IT infrastructure is used to being pulled in all directions, and GDPR will be no different. But it’s critical to know whether the business is actually being hamstrung by the regulation, or whether there is instead a smart workaround. IT will be custodian of the technology behind the process - perhaps the process itself - and agreeing what a ‘win’ looks like must go side by side with the compliance tick boxes.
  • Avoid the data minefield - To achieve these successes, judgements will need to be made about how to accumulate and use ‘Personally Identifiable Information’ (PII is the type of data to which the GDPR applies). There must be no ambiguity in any decision that will be implemented by, or impact, employees. The regulation itself continues to evolve in its definitions, and these must continually feed into the corporate response.
  • Transparency is everything - One thing that’s very clear about the GDPR is that visibility is essential to compliance. IT will be responsible for providing data visibility. Ensure that as part of your internal communications, you’re as transparent as you’ll have to be if the regulators walk through the front door.

STEP 3: Delivering data success after the GDPR by design

There are a great many ways in which IT teams will be hands-on in delivering a GDPR strategy, and increasingly businesses will need to build compliant behaviour into their infrastructure. With the plethora of internal and external applications collecting and using corporate data, a key interface will be where ‘traditional infrastructure’ teams collaborate with developers. Infrastructure and Operations teams will be thinking about this touchpoint for three reasons:

  1. Many businesses use live data within their development teams, meaning usage cases could spiral out of compliance. When you consider the possibility of offshored developer resources, potentially with remote access to critical systems, it’s clear processes need to evolve.
  2. The systems that are built and deployed must have data privacy, and all the facets of transparency the GDPR requires, integral within their design. Organisations will no doubt have to retrofit GDPR-compliance into some of the applications and systems already in use, but going forward this shift in strategy will have to become the norm.
  3. Whether your applications are for the use of marketing, HR or finance, every stage of the process needs to be aligned to the outcomes demanded by the GDPR. The DevSecOps movement is squarely focused on incorporating the expertise of security specialists at the earliest stages of the development process. Introducing this element will put organisations on the front foot when it comes to GDPR.

Conclusion

So compliant behaviour will need to be designed into future plans if IT infrastructure professionals are to return to a ‘normality’ after the GDPR comes into effect.

In summary, the GDPR story is well-covered in the media, but the implications for IT professionals have yet to be fully articulated. At Vertiv we’re focused on ensuring that critical systems continue to run under any pressure. As you become more focused on responding to the GDPR, let us help you get rid of your other infrastructure pain points.