The General Data Protection Regulation, or GDPR, is drumming up lots of conversation in IT circles—and plenty of uncertainty along the way.
Organizations that handle personal data are hurrying to comply with the new European Union (EU) regulation by the May 2018 deadline. But in the rush to find GDPR-compliant partners, we see companies offering “GDPR compliance” that is too good to be true—or at least too soon to be true.
In the video below, Sumo Logic VP of Security and Compliance George Gerchow discusses the fear, uncertainty, and doubt surrounding GDPR and how you can ensure your vendors are GDPR-compliant.
It’s Too Early to Declare GDPR Compliance
As of October 2017, it’s too early to declare full compliance with GDPR.
The new regulation outlines specific requirements for several components of data protection, including:
- Breach notification requirements in the event of a data breach
- Citizens’ right to access their personal information
- The “right to be forgotten,” or a citizen’s right to erase their personal data/prevent it from being shared further
- Data portability, or a citizen’s right to move their personal information from one data controller to another
- Privacy by design, or the process of baking data protection into systems, rather than adding it onto pre-built systems
- Data Protection Officers, including requirements for hiring, reporting, and avoiding conflicts of interest
Even companies that already have stringent data protection policies most likely need to do additional work to be GDPR-compliant. Whether it’s hiring a Data Protection Officer or reviewing the DPO’s responsibilities to ensure they comply with the new law, there are certain elements of GDPR compliance that simply take time.
Get Third-Party GDPR Validation (and Ask Questions!)
If a company says “yes, we are GDPR-compliant,” ask them how they know. Have they conducted a thorough self-assessment? Has a third-party auditor verified their compliance? Do they have any steps outstanding before full compliance, or are they ready right now?
If they don’t have third-party verification, or if they don’t know, that’s a red flag.
Third-party validation is the best way to prove GDPR compliance. Without third-party attestation, you are left to “take their word for it”—putting your company (and even your customers) at risk in the event of a breach.
However, most major third-party auditors aren’t even ready to come in and audit for GDPR yet. With several months to go before the deadline, most external auditors are still getting ready for it themselves.
That being said, don’t take it at face value when a potential vendor says they know they are 100% compliant. Ask as many questions as you need to in order to be sure they know what they’re talking about—and don’t be afraid to tell them you can’t sign anything without third-party verification. Organizations that are committed to compliance should expect these questions and this kind of scrutiny.
The Sumo Logic Approach to GDPR
Sumo Logic is working hard to prepare for the GDPR deadline in May. We are prepared to sign data protection agreements right now because we have a strategic path to meet GDPR compliance requirements by May 2018. We have already hired a Data Protection Officer, we have a privacy lawyer to prepare for what’s coming, and everything in our environment is properly encrypted and protected according to stringent data protection standards.
We’re in pretty good shape—but we’re not saying we’re GDPR-compliant yet. We believe we’re ahead of the game, but we don’t want our customers to be fooled by vendors who claim total compliance well in advance.
Learn More About GDPR Compliance
Ready to get going? George Gerchow, the Sumo Logic VP of Security and Compliance, shares tips for getting started with GDPR.