Arrow

GDPR

We know that getting ready for GDPR is a priority for many of our customers, and it's a priority for us too.


GDPR is coming, and yes, it does bring the potential for larger fines, but there’s no need for panic.

For most organisations, GDPR doesn’t mean starting from scratch. It means assessing current systems and processes, finding the gaps and filling them. And you don’t need to do it alone: Arrow can help.

Working with Arrow you’ll have access to subject matter experts. From a technical perspective, this is what we do every day - it’s business as usual. We've identified four key areas that we believe organisations need to look at. And for the wider, non-technical implications we have a carefully selected ecosystem of expert third parties who can guide you through the whole process. Together we provide a holistic view. We’ll take complex legislation and make it simple and easily actionable.


Workshops and training

Outside of ensuring that your organisation is technically safe and secure, compliance requires many organisations to transform the way data is handled, and these changes impact almost every part of an organisation. From staff training, to HR policy and the development of third party contracts, the requirements are far reaching.

These sessions range from identifying the gaps and developing a plan for compliance, through to the detailed requirements for various departments or processes. 
 

Sessions can be built to cover the issues you want to learn more about, including:

  • Gap analysis and planning a roadmap to compliance
  • GDPR and the supply chain
  • The Data Protection Officer
  • GDPR for sales and marketing, covering specifics around consent, the purchase of data, privacy policies and more
  • Policies and process for HR and employees


So what is GDPR?

The General Data Protection Regulation (GDPR) is new EU-wide legislation that will regulate how businesses use and manage personal data. The rules build on existing data protection regulation and will be standardised across the whole of Europe. The regulations introduce much tougher fines and give people a lot more say over what companies can do with their data, including the right to be forgotten if the data is no longer needed for the purpose for which it was collected.


What are the main points?

  • More rights for the individual including the right to be forgotten, the right to restrict processing and the right to have data rectified.
  • The requirement to employ a data protection officer (DPO) for organisations including public authorities (except for courts acting in their judicial capacity); those that carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or those that carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
  • An obligation to put into place comprehensive but proportionate governance measures to protect against breaches and misuse of data.
  • The need to report a breach within 72 hours.
  • The need to prove valid consent has been gained for the use and sharing of personal data.
  • The need to implement data protection by design and by default.


What is Data Protection by Design?

Data protection by design and by default is an approach that integrates privacy and data protection compliance into all services and business processes that make use of personal data. Using this approach, privacy should be taken into account during the whole life cycle of the system or process development, and the strictest privacy settings automatically apply once a customer acquires a new product or service.


But we’re leaving the EU?

Yes, we’re leaving the EU. However, the new GDPR comes into force before we leave, so businesses need to be covered. Plus, it’s widely believed that the UK will implement a similar set of rules, and any business processing data in the EU, or of EU citizens, will still need to be covered.

There is still time to get your plans in place and we can help you make sure you’re covered. The checklist lists ten areas that we think you should look at now. Plus, ask yourself:

  • Do you know what personal data you hold and process?
  • Do you know where it is?
  • Do you know who has access to it and how it moves through your organisation?
  • Have you reviewed your information risk management process for data privacy?
  • Have you reviewed your security controls against privacy requirements?
  • Do you have robust detection and monitoring processes?
  • Do you have the most up-to-date software and protection?


Checklist

Our checklist offers some practical advice about the areas you need to consider now, to make sure you’re covered.


Keeping it simple

The GDPR states that data controllers and processors should implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. So what does this mean?

There is no one-size-fits-all solution. The new regulations require all parts of your infrastructure and IT solution to be as secure as you can make them, and that includes protecting against breaches from within as well as attacks from outside. Plus, you need to ensure that you know what data is held, where it is held and for what use, and that you can access it and, if requested, delete it under the right to be forgotten.



Locate and Search

These days, data doesn’t just sit on physical servers or desktops. With the number of mobile devices growing, the cost of portable flash drives dropping and organisations operating bring your own device (BYOD) policies, there are more places than ever before that personal data could reside.

Communication happens over an ever-growing number of devices, platforms, and apps. And whilst these developments are great for business, they also make the chance of a data loss more likely.

However, there are lots of products available that can help you, whatever the complexity of your network. These products can help you to:

  • Determine what data you hold and where it is - even if it’s held within forms or images
  • Control who can access it, even from unmanaged locations or devices
  • Police what level of access a user has
  • Monitor user access to sensitive data and identify risky behaviour or security compromise
  • Revoke access to users, effectively digitally shredding a document
  • Manage data loss policies



Minimise

Under GDPR, any personal data held must be accurate and up to date, and you must be able to demonstrate consent and the purposes it covers. Having multiple records for an individual can make this difficult.

Using a de-dupe product can help you to ensure your records are accurate and up to date, even when someone appears multiple times across multiple platforms, potentially with slightly different spellings (Rich, Richard, etc.).

Using de-dupe products can also have other benefits. In today’s world of shrinking budgets and growing requirements, many organisations have a list of, often competing, requirements and priorities to manage.

As data explodes, storage needs grow and keeping up with demand can be costly. Storage management and de-dupe technology can help to reduce the demands on an already stretched infrastructure whilst also keeping your data safe and making sure you know what is where, whenever you need it.

Despite the best laid plans, disasters can, and do, happen. The key under GDPR is to have a disaster recovery (DR) plan in place to ensure you can restore the data that you hold and that your system will meet the required standard. A few key questions to ask are:

  • Should something happen, will customer data be accessible and available in a timely manner?
  • Are your DR providers ISO27001 certified?
  • Where is your data held? Remember, if it’s outside the EU it will need to meet stringent conditions under chapter five.



Protect

Once you have a view of the data you have, where it is and how to recover it, then it’s time to look at protecting it. Network security is an area that most organisations will have at least some coverage - be that firewalls, malware protection or encryption. Products in this area will help you to:

  • Manage passwords and ensure they remain strong and regularly updated
  • Keep your devices and data secure if lost or stolen using multi-layer encryption in transit and at rest, and automatically encrypt or block sensitive data in emails
  • Protect encryption keys
  • Stop malware and ransomware
  • Stop attacks at your network perimeter
  • Keep individual files secure even when they leave your network or devices
  • Ensure that only authorised recipients can access sensitive files



Monitor and Manage

Having security tools in place creates data, and that data is only useful if it can be analysed and understood. Security and behavioural analytics products help to make sense of the information created and provide teams with the ability to rapidly discover advanced persistent threats.

If you don’t already have one in place, a log management or Security Information and Event Management (SIEM) tool will help you to test, assess and evaluate your data security effectiveness. SIEM tools are important for monitoring all user and system activity so that you can quickly identify suspicious or malicious behaviour. It’s also important to monitor data stored or processed in cloud environments.

With a 72-hour time limit on notifications of breaches, it’s vital to have a programme in place that identifies and flags breaches if they happen. The right product can gather real-time log data from your distributed applications and infrastructure in one place to enable powerful searches, dynamic dashboards and alerts, and reporting for real-time analysis.

We work with the world’s leading vendors and channel resellers to offer solutions, tools and resources to help businesses transform. Our aim is to bring the right people together to facilitate new business models and help our customers stay ahead of the competition. Because if you’re successful, so are we.


Working with Arrow

As an Arrow customer you’ll benefit from our extensive supplier relationships. We’ll give you access to experts and predictable service levels. Our aim is to simplify and streamline processes to help you do business more easily. Providing expert support and a reliable service is at the core of our business and that’s why over the last few years we’ve won over 20 Distributor of the Year awards. Our team are on hand to support you every step of the way. They’ll work with you to develop new practice areas, solve any problems, develop new solutions and help your business grow.


Are you Five Years Out?

Our strategic vision is expressed in our commitment to being ‘five years out’. Arrow knows how the market is changing and how the future is evolving. We know what lies around the corner.

We help innovators to innovate. We help designers, engineers and partner companies to create all kinds of tools and apply technology in new ways to create better cars, better homes, better planes, better hospitals.

If you want support in your GDPR journey, get in contact with our team today. We’re here to guide you through the process and introduce you to our partners where needed.

Tel: 0844 8588299
Email: andreas.hadijandreou@arrow.com