How resellers should be preparing for GDPR

Bob Tarzey, director and analyst at Quocirca, explains how firms in the channel should be approaching the incoming data protection rules

What should resellers be doing to prepare for the EU General Data Protection Regulation (GDPR)? Of course, as with any business, they should be getting their own houses in order: the processing of data about employees, the personal details of business customers and so on (the data subjects) should be compliant. Being UK-located will not help: the government has confirmed that GDPR will enter law in one form or another, and a Data Protection Bill, based on GDPR, was included in the 2017 Queen's Speech.

However, on the whole, resellers are not storing reams of data about consumers. Undertakings (a GDPR term), where profit is made from processing the personally identifiable information (PII) of consumers, are the core focus of the regulation. It is the mismanagement of such data that attracts the attention of enforcement bodies such as the UK Information Commissioner's Office (ICO) and the monetary penalties they can impose.

For resellers, GDPR is all about opportunity, providing advice, products and services for the compliant processing of consumer PII. Technology will only be part of the solution; it is as much about improving processes.

The first activity required is to review the PII that an organisation processes and stores. All will do this at some level, even if it is only for employees (often outsourced to a human resources service provider). Where consumer PII is being processed, first ask: is it necessary? Sometimes data is retained where it need not be. In other cases, it is an isolated activity - for example, a customer list maintained by a restaurant chain for sending promotions; there, the quickest way to compliance may be to outsource.

Where there is a clear need to keep the processing in-house, GDPR requires a Data Privacy Impact Assessment (DPIA). This is part of proving to the regulator that due diligence has been applied so that, for example, even if a data breach does occur, good practice can be demonstrated and the regulator is more likely to be lenient. Resellers should consider offering a DPIA service (along with annual reviews).

When it comes to technology, data protection by design and by default (Article 25) is at the heart of GDPR. This requires addressing both the security and the administration of the processing of PII. The data security requirements should not be new to many - they have been in place for almost 20 years, since the UK 1998 Data Protection Act was enacted (based on the 1995 EU Data Protection Directive). Any organisation that does not have basic security measures in place will already be in breach.

The big changes with GDPR are all about administration. The rules about gaining consent to process data are much tighter: consent must be pro-actively given and must be reconfirmed by each data subject if the processing changes. Opting out must be as easy as opting in, there is a right to erasure (to be forgotten), a right to receive copies of data and so on. The ICO is already as likely to fine for the misadministration of data as it is for lapses in security. A data breach does not need to occur for the ICO to act - processing that has the potential to expose data is enough (that said, it will be mandatory under GDPR to report PII breaches).

Resellers should also offer some reassurance amid the heavy dose of FUD (fear, uncertainty and doubt) that comes with much of the messaging around GDPR. This mostly relates to the huge fines the regulators are empowered to impose (up to €20m or four per cent of turnover, compared to £500,000 under the DPA).

The precedents set by the ICO enforcing the DPA are less scary. Since mid-2015, it has become aware of about 4,000 breaches but has taken only a little over 200 actions. About 90 of these have involved monetary penalties. More than half of the fines have been issued under the 2003 PECR (Privacy in Electronic Communications) legislation for nuisance calls and spam messaging. Of the remainder, fewer than 20 were for data breaches; the rest were for misuse and mis-processing. The average ICO fine since mid-2015 has been £83,000, 16.5 per cent of the maximum (the highest under the DPA has been £400,000, imposed on TalkTalk for its widely publicised 2015 breach).

The message a credible reseller should convey is that the UK ICO is not seeking to put its customers out of business; the ICO just wants to protect consumer privacy. No organisation can ignore the legislation, but for many smaller organisations GDPR need not be as fearsome as it is being made out to be. Review the way PII is being processed, stop it where possible, consider outsourcing and, where it must be continued in-house, ensure best practice.

Bob Tarzey is an analyst and director at Quocirca