Yes, the GDPR Applies to your Company

Companies Aren’t Ready for the GDPR

During a recent group webinar with infosecurity-magazine.com (you can watch the full recording of that here), we asked 200 IT professionals to rate their organizations’ preparedness for GDPR. These were their responses:

  • 17% – Very prepared
  • 13% – Almost ready
  • 40% – We’ve got a long way to go
  • 30% – I don’t think we’ve done a thing

With less than a year before it takes effect, 70% of organizations surveyed are not even close to being ready for the GDPR.

The reason for this is complicated, but from my conversations with companies around the world, I suspect two major culprits.

First, we all simply have a limit to how many new tasks and challenges we can address at one time. We naturally prioritize issues with the most urgency – which, more often than not, are those projects that are due tomorrow, next week, or next month. GDPR goes into effect May 2018. That means you’ve got about a year… right?

Second, there is a perception that General Data Protection Regulations are limited in scope to “technology.” Much of the media focus on GDPR is around protecting consumer data collected over the Internet. If your organization doesn’t have a significant web presence or collect personal data online, news of the GDPR may not resonate with you.

Similarly, unless you work in the IT department, processing personal data may not even be a topic you think about. The folks in Purchasing, or Operations, or on the production floor of a manufacturing facility aren’t likely to consider “processing personal data” as part of their core job function.

The Impact of GDPR on Manufacturing

A question was asked during our webinar that sums up this perception nicely:

“How does GDPR apply specifically to manufacturers that allow equipment processes control [via] remote access with vendors, suppliers, etc.?”

The question comes in at the very end of the webinar, but the answer is worth hearing – and I’m not just saying that because I was one of the speakers, this is important to know.

There were three participating presenters: the CTO of an Information Security consultancy in London, a Partner from the London office of a leading international law firm, and the Director of Product Solutions for a Copenhagen-based remote access vendor (hey, that’s me!).

Before getting into the answers we provided, first consider the nature of the question: “How does the GDPR apply specifically to manufacturers…” The implication is that the manufacturing process, including vendors, suppliers, and those involved in remote process control, may not be impacted by GDPR.

The CTO explains that pure manufacturing data, devoid of any personal data, is out of scope for the GDPR. If manufacturing systems don’t contain personal data then there is no risk of processing activities that would comprise the security or privacy of a specific individual.

The Attorney discusses the relationship between manufacturing and personal data processing. If you produce a piece of equipment, or goods of some kind, it is unlikely your manufacturing activity qualifies as processing of personal data.

The question and the first two answers reinforce an idea held by many in the manufacturing industry and in countless other industries – that GDPR doesn’t apply to them. Or, if it does apply, the impact is minimal because the personal data they process is limited.

It is this misperception that is keeping companies from preparing for GDPR more aggressively.

Let me stress…

The GDPR Applies to Everyone

My co-presenters weren’t wrong. They provided accurate information and made valid points, but they missed a key detail.

Remote access involves two endpoints. For a manufacturing facility, one of those endpoints may be a piece of manufacturing equipment. The process controls for said equipment may not include personally identifiable information. However, when you allow remote access to that equipment, you are inviting an individual – along with their personal data – into the process.

The industry isn’t really important. When you access a piece of equipment, or a server, desktop, tablet, or mobile phone, you need to consider more than what is on the remote device. You must also protect the personal data of the “guest” on that device. Network administrators, help desk technicians, vendor representatives, and service professionals – their personal data must be protected.

The IP address, hostname and usernames of your vendors, suppliers and employees qualify as personally identifiable information. Transmitting information between devices and then logging the remote access activity qualifies as processing. The amount of personal data may be small, and the number of individuals may be limited, but the requirement of complying with GDPR remains the same.

The GDPR doesn’t provide a sliding scale for protecting privacy. There is no Article or Recital that says “if you process the data of fewer than 100 people this regulation does not apply to you.” If you are regularly using remote access technology you are processing personal data. You’ve got less than a year to comply with these new regulations. You better get started.

 

And as always, for a comprehensive guide on aligning your remote access solution with the General Data Protection Regulation, check out our white paper “Making Remote Support GDPR Compliant: A Complete Guide.”