The service-provider approach to GDPR - Part 2

The European General Data Protection Regulation (GDPR) has brought up challenges for enterprises doing business in Europe. In the first of this two-part series, we covered what we know on GDPR adoption rates and the industry's efforts to educate enterprise customers on the regulation and its requirements. In this report, we look at the toolsets and other strategies being adopted.

The European Union's (EU's) GDPR will take effect on 25 May 2018. It is a regulation that forces all companies to take a detailed look at how they handle and protect what is deemed to be personally identifiable data, ensuring that they can provide protection and uphold the rights of the individual to whom the data pertains. It covers a range of areas, from the handling of breaches and protection of data to portability of data assets. It also has strong requirements around consent, tracking and handling.

The 451 Take

Personally identifiable data includes any data that could identify a person – from credit card records to R&D on medical devices or pharmaceutical trials; even some Salesforce records and HR repositories contain personally identifiable information. If you can identify, locate or track a person from the information, then you can assume it will be deemed as personally identifiable. This throws up a huge number of challenges for companies that have yet to get their data in order. The key tenants of GDPR cover information security (IS) and information governance (IG). 451 Research has previously identified some of the opportunities this brings up for security vendors, and there are clear benefits for service providers that can help enable customers to be compliant in each of these areas.

Tools and products
Many providers and vendors are developing tools that can combine with products to help customers track their GDPR requirements and measure their own GDPR readiness. Many of these are focused on identifying the data; identifying the risks associated with the data type; identifying the best workload placement options; automating policies around access to data; ensuring that data is secure; and automating ways of transporting the data. Some providers and vendors have gone further along this journey than others, but many are looking at ways to go beyond educational campaigns and offer new product sets and tools to help companies adopt data policies that can easily be enacted and enshrined into the business.

For many service providers, this will often start with assessments, followed by access to tool sets – in many cases delivered with the help of partners. London-based managed services provider Six Degrees Group has developed a 'traffic light' system that measures compliance, providing red-, amber- and green-lighted security assessments that highlight customer vulnerabilities. It is partnering with companies that offer tools that can help with regulatory compliance, such as mobile device management, and bundling these in suites.

Fellow UK service provider Pulsant has also been focusing some of its capabilities on GDPR. It acquired LayerV – a public cloud integration provider – in August for its managed compliance and security skills, and software programs. LayerV developed software that can wrap around public cloud environments to give customers control over how they deploy their environments and over who has access to data, location of data and how data travels through the network. It uses a parameter-driven approach tailored to individual customer needs that does not require complex recoding. This allows customers to select their own levels of security and access for compliance. The program is also designed to provide audits for highly regulated sectors, such as government. It is cloud-independent and, although launched over AWS, will also work across Microsoft Azure and Pulsant's own multi-tenant cloud.

IBM has also built its own GDPR accelerator – a tool that provides a checklist for customized GDPR requirements. Part education resource and organization guide, the accelerator provides insight into how companies can identify their data and its requirements, and helps them plan and organize databases and data systems while providing an audit trail. Similar to Six Degrees, this tool highlights vulnerabilities and has a strong security focus. It also offers insight into how signoff and review processes for GDPR can be facilitated, and can score new applications and provide recommendations. (The first stage of this tool is quite developer-focused.) These reports can potentially win additional business for providers that offer them, opening up conversations around tool sets that can help customers and provide direct insight into enterprise pain points. IBM has also launched products that can tap into this, including its IBM Unified Governance Software Platform, which provides metadata management, lineage tracking and policy enforcement, with a focus on companies that require these tools to be compliant with GDPR.

Micro Focus International (MF) received some instant GDPR-readiness capabilities when it acquired HPE's software business this year. HPE had mapped specific GDPR use cases with software tools to provide a GDPR-ready toolset for customers. The tool determines what data applies to GDPR requirements and how to apply and enforce policies to manage the information under regulation. You can read more about the specific toolsets used to deliver this here.

AWS is also promoting a number of the toolsets it already offers customers as GDPR enablers under its GDPR Center. These focus on access control (including geo-restrictions), monitoring, logging and encryption. Auditing and reporting both feature heavily, as does the determination of workload requirements and location, and who has access to what data. Talend has also developed tool sets to help customers with GDPR requirements, leveraging metadata management, data masking, data quality, data services, and stewardship and governance. It allows for the mapping of data elements across datasets using metadata, and access, reconciliation, stewardship and quality controls for data lakes, and the tracking and tracing of data using audit trails. Data subjects can regain control of their personal data for the rights of accessibility, rectification, portability and rights to be forgotten. Importantly, customer data can also be anonymized so you can't directly identify the data subject. This is something it will make available through a number of its partners.

The right to portability under GDPR means individuals can obtain and reuse their personal data for their own purposes, across different services, or have it erased altogether. Providers need to provide for the copy or transfer of personal data in a safe and secure way, but also in a simple way. Individuals must also be able to view this data. This has been more of a challenge for some seeking to provide benefits around GDPR. France-based web hoster OVH has been committing resources to solving this challenge. It is leveraging VMware technology HCX to allow for one-click migration from a customer's datacenter to any OVH datacenter – and vice versa. It has also been working on providing autonomous management of security for access and control.

Sovereignty
Similar to many providers, OVH has also been focusing on the location of its services, building out datacenters in countries that will allow it to meet local regulatory compliance requirements – such as the UK (for post-Brexit scenarios) and the US (on top of its existing footprint, which covers France, Germany, Singapore and Poland). It expects a lot of customers will move to cloud-based managed security services as GDPR is introduced. With local governments being provided the right to layer regulations on top of GDPR once it is in place, having a local presence only strengthens its value in these markets. Vodafone has also been working to establish compliant cloud and hosting environments through location. It has a partnership with IBM Bluemix to leverage its sites, expanding its presence to 19 additional markets. It also has a large footprint in Germany, where it can offer German cloud and hosting services (a large German customer offering HR services required this for its own business, highlighting that some companies view data residency as a national – not only European – issue). These are two of numerous cases where service providers have looked to build out estates and support functions in-country to overcome what is viewed as an emotional take on GDPR, but could one day become regulation.

Enterprise suggestions
These product sets and tools cover a range of areas enterprises need to be aware of when taking steps to be GDPR compliant. Enterprises will need to have a clear data inventory and map of their data, as well as an understanding of where it has been and where it needs to go to ensure GDPR compliance. This could include data today that is not digitized. They should also be able to track and trace this data, which in many cases could involve steps beyond metadata, such as data lakes. Security and protection of that data should be adopted, and in some cases data will need to be anonymized, but companies should also easily be able to locate their data upon request. Policies governing areas such as where data lives, access to security and how it can be exported should also be adopted, and the workforce will need to be engaged. Enterprises will find that various departments will require responsibility for enacting GDPR, and for service providers this means lines of communication with the customer are also likely to change.

There is a lot more to GDPR than meets the eye when enterprises take stock of their data and the new regulation's requirements. Service providers are stepping up to the challenge, offering ways to make this journey easier, but as yet no silver bullet exists. Furthermore, the requirements of GDPR are expected to change over time, as it becomes clearer how the regulation can be read and met.

New Alert Set

"My Alert"

Failed to Set Alert

"My Alert"