As far as titles go, this one will likely prove divisive. On one hand, there are a plethora of IT security solution and service providers who are keen and hungry for the opportunity to work with customers on their preparations for the GDPR. On the other, doubt is sown by those who question the ability of anyone who claims to know anything about the GDPR, simply because nobody has experience in applying a regulation which is yet to come into force.
A Hesitant IT Security Channel
The result is a mass of unpreparedness amongst organisations and a hesitant IT security channel, reduced to reliance on shifting the risk to solution vendors who attempt to fit their solution into some form of GDPR message. The round hole and square peg analogy comes to mind. Ever since the release of the GDPR’s final draft, I have been a vocal advocate for the opportunities to offer services as opposed to solutions. Dependent on the current position of an organisation and the methods by which it conducts its business, the GDPR could require extensive changes. Something which, considering the constant reminders of the global shortage of IT security skills, organisations may be unequipped to deal with themselves.
Yet, we find ourselves in a scenario whereby we have organisations that need help and IT security service providers, sometimes with decades of experience, who have been led to believe that only lawyers can help.
7 GDPR Services
Paradoxically, much of the preparation for the GDPR requires services which many IT security service providers already offer, albeit in slightly different attire. Below is a list of seven such examples:
1. Data Mapping and Discovery Services – Often cited as the first step in any organisation's GDPR journey is the need to map all flows of personal information around the network, to external parties and into storage locations.
2. Risk Assessments – For an act of data processing, risk assessments will need to be conducted where the processing risks the rights and freedoms of data subjects.
3. Solution Recommendation – Where risk assessments reveal gaps, there is an opportunity to recommend and ultimately supply a solution.
4. Incident Response Planning – Protective controls are a must, but there also needs to be a plan for when the inevitable breach does take place: how to respond, how quickly, and armed with what items of information.
5. DPO Services – For small and medium-sized organisations who are obliged to appoint a DPO, the use of a DPO service may be more attractive than hiring for the role.
6. Training Services – Already incredibly popular, the desire to learn about the GDPR is enormous. Training can range from introductory courses to in-depth sessions on particular articles.
7. On-going Consultancy – The GDPR will not stop come May 2018; in fact, attention on it is likely to intensify. Organisations will need continued support to ensure future changes to their businesses remain compliant.
There’s Nothing New Under the Sun
Of the seven services listed, nothing can be considered truly radical. Most service providers will recognise services in this list which they currently offer, just without the GDPR pin-badge attached. This familiarity demonstrates why the GDPR is not something which must remain solely in the realm of lawyers; after all, it is an aspect of information security, something the IT security channel has been working with for decades.
Ultimately, organisations need help in their preparations for the GDPR, and who better to assist than those who have helped them with all aspects of IT security, time and time again in the past?