PSA TEC 2019 Guest Blog: Missed the GDPR Deadline? Here’s How to Recover
TEC 2019 is the premier education and networking event for all professional systems integrators in the security and audio-visual markets. This year’s event pivots around a changing market and ways to stay relevant within the industry.
By Dr. Joel Rakow |Partner, Cybersecurity Team | Fortium Partners, LP
You may be late to comply with GDPR’s original deadline, but it is not too late to avoid problems and penalties. According to the web site Inc.com, 52% of U.S. businesses are impacted by the General Data Protection Regulation (GDPR, or the Regulation). Many of these companies are late because they mistakenly believed they operated outside of the purview of the GDPR. Now, those companies are somewhere between panicked and confused. They needn’t be if they are able to be “business-like”, take a moment and read the writing that is actually on the wall. Over-reaction and no-action will likely have costly consequences.
Here is a good way to approach the GDPR and stay on the good side of this new law enforcement agency:
- Find out where you stand and where you want to stand in regard to the GDPR. Since nobody makes you do business with European citizens, you may determine the cost of doing so to be too high or simply unnecessary for your organization. In this case, simply send a letter to GDPR stating that you process no information subject to the GDPR.
- If you do intend to conduct business in the EU or with EU citizens or EU businesses located in the U.S. or — and here is a big “or” — as a supplier to an EU business, including as a supplier to a supplier (think elevator subcontractor to an electrical contractor renovating a UK-owned building located in the US), you will need to register with the board and have your GDPR plan approved (you may want to re-read the previous sentence). More than most small to medium size businesses can do this for less than $5,000 in outside costs spent over a few months by using a part-time Data Protection Officer (DPO). Many of those businesses will find that trimming a few low-profit activities will result in less exposure to the GDPR and create a net gain when all is considered. This is often achieved when a business trims back certain business activities to become, in GDPR terms, a Processor rather than a Controller, or a Supplier rather than a Processor. This is similar to selling off certain assets to benefit from a lower income tax bracket.
Embracing the GDPR and your role, whichever you choose as best for your organization, is your best course of action. The outside cost, for system integrators, who usually are Suppliers, will likely be less than $5,000 over a few months of time and may be in the range of $20,000 for Processors and still more for Controllers.
Don’t panic and don’t let confusion cause you to lose customers and create IRS-like compliance problems. The cost of establishing a standing with the board and the Regulation is likely to be much less than doing nothing if you wish to do business indirectly or directly with European citizens or businesses.
Attend Joel’s Session at TEC
GDPR: A Practical Solution
Tuesday, March 12 9:15 AM – 10:15 AM
Similar to tax returns, the GDPR is an obligation many security and A/V integrators in the U.S. must contend with even if, like taxes, we must file each year to report that no taxes are due. The General Data Protection Regulation (GDPR) is such a big and important regulation that there is an actual treaty between the U.S. and the European Union authorities that govern commerce on the matter of data privacy. Many organizations are using the GDPR as an important opportunity to improve the relationship between the data they process and the business activities they manage. One of the biggest challenges when addressing the GDPR is knowing where to start. In fact, it is a challenge even to know if you are (to use the language of the GDPR) a controller, a processor, a supplier… or none of the above. It is not always clear which classification you want for your organization, or which classification the Data Protection Board might believe most suites you, or how you might re-position your company vis-à-vis the Data Protection Board so you can have a classification that is more favorable to your vision of your organization. Any security and A/V integrator will do well to approach the GDPR in very much the same manner as they approach tax planning and submission of tax returns.
Joel helps system integrators and their customers buy, sell and implement secure solutions, making the IT supply chain stronger and able to conduct business more easily. It all starts with each party embracing its own cybersecurity hygiene.
Joel Rakow is a Partner with Fortium Partners, LP, a firm comprised of approximately 100 of the world’s foremost C-level technology leaders. Dr. Rakow’s current thought leadership in cybersecurity, data protection, data privacy addresses IT vendors and their customers, frequently as part of Ingram MIcro’s Professional Services Group. Dr. Rakow frequently serves as a part-time CISO, DPO and CIO for small and medium size businesses, bringing to his clients the experience he garnered with more than sixty Fortune 1000 and emerging, start-up companies.
Rakow is a former adviser to the Secret Service, the LA Electronic Crimes Task Force, a member of the FBI InfraGard, Adobe Software’s Advisory Council, and the Receivers Team for the Courts of CA. He has provided executive and technical leadership for more than 300 enterprise deployments of security systems and platforms. Included in this is work with SSP Litronics, a firm that secure communication between the White House and the DoD, and ICANN, arguably the most secure site in SoCal. He has developed more than 40 commercially successful software programs and won numerous industry awards including Microsoft Partner of the Year, PC World Best Product of the Year (three consecutive years) and Microsoft’s Implementation of the Year. He is a Harvard University Postdoctoral Fellow, National Science Foundation Fellow, Phi Beta Kappa award winner.
Rakow has extensive experience with security across health care systems, software development, identity management and smart card design, manufacturing, office systems, learning management, instructional design and eLearning, and vendor security addressed by many security standards (e.g. GDPR, NIST, CIS, HIPAA, FERPA, SOX, and others).