How resellers should be preparing for GDPR


Bob Tarzey, director and analyst at Quocirca, explains how firms in the channel should be approaching the incoming data protection rules

What should resellers be doing to prepare for the EU General Data Protection Regulation (GDPR)? Of course, as with any business, they should be getting their own houses in order; that means the processing of data regarding employees, personal details of business customers and so on (data subjects) should be compliant. Being UK-located will not help: the government has confirmed GDPR will enter law in one form or another, and a Data Protection Bill, based on GDPR, was included in the 2017 Queen's Speech.

However, on the whole resellers are not storing reams of data about consumers. Undertakings (a GDPR term), where profit is made from processing the personally identifiable information (PII) of consumers, are the core focus of the regulation. It is mis-management of such data that attracts the attention of enforcement bodies such as the UK Information Commissioner's Office (ICO) and monetary penalties they can impose.

For resellers, GDPR is all about opportunity, providing advice, products and services for the compliant processing of consumer PII. Technology will only be part of the solution; it is as much about improving processes.

The first activity required is to review the PII that an organisation processes and stores. All will do it at some level, even if it is only for employees (often outsourced to a human resources service provider). Where consumer PII is being processed, first ask: is it necessary? Sometimes data is retained where it need not be. In other cases, it is an isolated activity - for example a customer list maintained by a restaurant chain for sending promotions; the quickest way to compliance may be to outsource.

Where there is a clear need to keep the processing in-house, GDPR requires a Data Privacy Impact Assessment (DPIA). This is part of proving to the regulator that due diligence has been applied so, for example, even if a data breach does occur, good practice can be demonstrated and the regulator is more likely to be lenient. Resellers should consider offering a DPIA service (along with annual reviews).

When it comes to technology, data protection by design and by default (Article 25) is at the heart of GDPR. This requires addressing both the security and the administration of the processing of PII. The data security requirements should not be new to many - these have been in place for almost 20 years since the UK 1998 Data Protection Act was enacted (based on the 1995 EU Data Protection Directive). Any organisation that does not have basic security measures in place will already be in breach.

The big changes with GDPR are all about administration. The rules about gaining consent to process data are much tighter: consent must be pro-actively given and must be reconfirmed by each data subject if the processing changes. Opting out must be as easy as opting in, there is a right to erasure (to be forgotten), a right to receive copies of data and so on. The ICO is already as likely to fine for the misadministration of data as it is for lapses in security. A data breach does not need to occur for the ICO to act - processing that has the potential to expose data is enough (that said, it will be mandatory under GDPR to report PII breaches).

Resellers should also offer some reassurance among the heavy dose of FUD (fear, uncertainty and doubt) that comes with much of the messaging around GDPR. This mostly relates to the huge fines the regulators are empowered to impose (up to €20m or four per cent of turnover, compared to £500,000 under the DPA).

The precedents set by the ICO enforcing the DPA are less scary. Since mid-2015, it has become aware of about 4,000 breaches but taken only a little over 200 actions. About 90 of these have involved monetary penalties. More than half of the fines have been issued under the 2003 PECR (Privacy in Electronic Communications) legislation for nuisance calls and spam messaging. Of the remainder, fewer than 20 were for data breaches, the rest for mis-use and mis-processing. The average ICO fine since mid-2015 has been £83,000, 16.5 per cent of the maximum (the highest under the DPA has been £400,000 to TalkTalk for its widely publicised 2015 breach).

The message a credible reseller should convey is that the UK ICO is not seeking to put its customers out of business; the ICO just wants to protect consumer privacy. No organisation can ignore the legislation, but for many smaller organisations GDPR need not be as fearsome as it is being made out. Review the way PII is being processed, stop it where possible, consider outsourcing and, where it must be continued in-house, ensure best practice.

Bob Tarzey is an analyst and director at Quocirca
