Robert Neave, co-founder and chief technology officer at Nlyte, discusses the importance of asset management when it comes to GDPR compliance, highlighting the fundamentals you should be seeking from your software provider.
The General Data Protection Regulation (GDPR) is imminent. While most commercial businesses have been focusing on the housekeeping of data (what data is stored in their databases, who has access to it, and what archival and removal processes are in place), IT infrastructure teams have, until recently, largely ignored their own role in compliance.
I must stress the importance of the IT infrastructure team's role. The law explicitly defines personal data, how it may be used, and how it must be protected and managed, and that applies both logically and physically: all electronic customer data is processed on servers and accessed across a network. If you do not know where your customers' data resides, or on what hardware it is being accessed, you cannot demonstrate compliance with the GDPR. After all, the regulation's primary intent is to establish processes for the protection of personal data.
Though businesses are starting to put the right procedures in place to ensure their data centres are compliant, the work doesn’t stop there.
The concern over physical infrastructure extends beyond an organisation's own data centre to colocation facilities, managed service providers, hosting services, SaaS vendors, and virtually any X-aaS vendor. GDPR holds you accountable for the personal data at your disposal regardless of where it resides. It is paramount that you have a data-protection contract in place with each vendor that processes personal data on your behalf (the regulation requires one between a controller and its processors); not having one is a sign that you do not know what they are doing with your data.
This is a wider management issue about the infrastructure you use and how the data on it is treated. Vendor management under GDPR requires you to know how your vendors operate, including their security framework and how they manage data. Without that knowledge, you cannot assess the risk they present.
With fines of up to 4% of a company's global annual turnover at stake for an infringement, and the impact that could have on shareholders and reputation, every commercial organisation needs to be concerned and actively building out its compliance plan.
Asset management is a fundamental tool in helping your business comply with the regulation. Being able to track, within the physical IT infrastructure, where the data resides, how it travels from storage to server to end user, and who has interacted with that infrastructure gives your business, and anyone else who needs to know, a clear view of how you are handling and safeguarding data.
The GDPR fundamentals your software provider should support include:
- Where the critical data is located: geographic location and the specific devices (servers, storage, network)
- Where the data is replicated: geographic location and the specific devices (servers, storage, network)
- Whether security tools are deployed on the identified devices, which ones, and whether they are enabled
- Support for data breach notifications, i.e. which data subjects' data ran on which assets
- Identification of secondary-location infrastructure for the safe handling of data across borders
As with any software, simply installing an asset management solution and running it will not solve all the challenges ahead. Your workforce must be educated from top to bottom, so that everyone understands the importance of safeguarding data and the impact of failing to do so, both for the company and for its users, the data subjects. A reputable software provider will support a business in this through onsite and offsite training.
Ultimately, when it comes to managing data centres and hybrid compute infrastructures, it is paramount that the solution you choose has proven experience and expertise, to reduce the risk of sanctions and, above all, to protect your customers' data.