This Thanksgiving, many U.S. companies likely are thankful the deadline for compliance with the EU’s General Data Protection Regulation (GDPR) still is several months away because they’re nowhere near ready.

Aimed at improving personal data protection and increasing accountability for data breaches, GDPR presents a significant challenge for organizations that process the personal data of EU citizens, regardless of where the organization is headquartered. This means that any U.S. organization that handles data belonging to EU citizens will be required to be compliant when the regulation comes into force in May 2018.

Executives with Thales eSecurity, Interxion, Trend Micro and Impartner spoke with Channel Partners about the challenges ahead for companies and how the channel can help them along this difficult journey.

According to research by Thales, about 35 percent of U.S. organizations already don’t believe they will be fully prepared for GDPR in time for the deadline. In addition, they are apprehensive about its impact on their business.

Thales’ Michael Rothschild

“(GDPR) goes into effect on May 25, 2018, and brings with it the potential for crippling fines of up to 4 percent of annual turnover or 20 million euros (whichever is greater),” said Michael Rothschild, Thales’ director of global marketing. “This crucial date requires any organization, regardless of location, to make their EU-based customers’ data secure. There seems to be a lot of confusion as to how businesses will be impacted. The channel can occupy the coveted seat of trusted adviser and work with organizations that are behind on addressing these looming requirements to successfully interpret the rules and implement what is necessary ahead of the … deadline.”

No Easy, Quick Fix

Impartner’s Kory Willis

Kory Willis, Impartner’s director of IT, said companies can’t just “go online and Google some software product to make you GDPR compliant.”

“It’s kind of scaring people because when you need an email solution or accounting software, you Google that and you’ve got 20 different options, and just pick something and run with it,” he said. “With this, it’s entirely different; it’s a different monster and the deadline is coming down. We have 184 days until it comes into effect and consequences are pretty dire. They designed this to put companies out of business that are not compliant.”

Patrick Lastennet, Interxion’s director of marketing and business development, said the channel can raise awareness that this is an issue to be addressed at the board level for enterprises and service providers considering doing business in Europe. Break down the value/supply chain attached to IT solutions, and highlight the key standards and processes that each component needs to meet both from the security and privacy perspectives, he said.

“By demonstrating that you have a solid program in place to fulfill privacy by design as prescribed by GDPR, you will win more business in Europe (either as an enterprise or service provider),” he said. “This is not just about dealing with liability in case of noncompliance, it is about demonstrating to the end user that a service is fit/safe to use from a privacy standpoint. With an increased emphasis on portability of data from one service to the other — it becomes even more important to …

Interxion’s Patrick Lastennet

gain the trust of the end user.”

Dan Woodward, Trend Micro’s vice president of channels, said organizations will be looking to their trusted vendors for advice on what they need to do to become compliant and how to do it.

“Opportunities for the channel to help include evaluating current security infrastructure in the context of GDPR requirements (gap analysis), and where data resides in an organization and mapping across systems,” he said. “The channel can also provide organizations with advice on approaches to security and how to address the many threats that exist in the world today, and recommendations of solutions that will address the requirements for data protection and state-of-the-art security. Also, the sale and installation of security solutions that will meet GDPR requirements by the channel will help get organizations where they need to be.”

GDPR will cause an “incredible change” in the way that companies globally handle the personal data of EU citizens, Woodward said.

Trend Micro’s Dan Woodward

“The significant challenge is that many companies are lagging in their preparations for compliance even though they have been given plenty of notice,” he said. “It is possible complaints and even litigation will come against organizations who are not prepared and cannot answer citizen requests. Channel partners can help organizations prepare by providing GDPR audits including technical (access), process (steps, systems) and training (people) and resolution to key findings.”

Pseudonymization

The buzzword within GDPR is pseudonymization, Willis said.

“You can’t just keep a spreadsheet that has everybody’s information all right there in plain text that you can see, and anybody can grab a copy of and get all the data,” he said. “You have to use relational databases, something of that nature where you have one database that has half the information and then another database that allows you to correlate the two together. And you have to control who has access to those databases so you don’t have the same person that can gain the key and the data, and go back and forth with it. It’s rather difficult to achieve actually.”

Many channel partners have invested time and resources to become experts in GDPR and what organizations need to be in compliance, Rothschild said. These partners have aligned themselves with technology vendors that have also invested in channel enablement while providing an offering that clearly and meaningfully addresses GDPR, he said.

“Not all partners nor technology vendors are equipped to address GDPR,” he said. “Conducting the appropriate due diligence will dictate the difference between a dream or nightmare when May 2018 rolls around.”