GDPR Deadline Looms for IBM i Shops
February 26, 2018 Alex Woodie
Have you seen the website with the Grim Reaper counting down the days until support for IBM i 7.1 ends? There are 63 days left, if you’re keeping track. But a scant 25 days after IBM stops supporting IBM i 7.1 on April 30, time will be up for another important IT milestone: compliance with the General Data Protection Regulation (GDPR).
The GDPR is a major new data privacy and protection law that applies from May 25, 2018. It was adopted in April 2016 by the European Parliament and the Council of the EU, on a proposal from the European Commission, with the goal of harmonizing the wide assortment of national laws that previously governed how companies in the various EU member states are allowed to use the personal data of people in the European Union.
It also gives those people considerably more control over how companies use their personal data, along with a set of digital rights that frankly didn’t exist before. That’s great news for anyone concerned with the privacy rights of individuals. But those rights come at a cost, and that cost will be paid by the companies that must now take pains to ensure they are handling personal data in a responsible and lawful manner.
What GDPR Is
The GDPR restricts how and when companies can process or store people’s personal data. A company may process personal data only when one of a short list of lawful bases applies: the individual has given consent, the processing is necessary to perform a contract with that individual, to comply with a legal obligation, to protect someone’s vital interests, or to carry out a task in the public interest, or it serves the company’s legitimate interests and those interests are not overridden by the individual’s rights.
That means a company that collects and stores customers’ personal data simply to stockpile it, without a lawful basis such as the customers’ consent, has violated GDPR and exposed itself to potential fines.
The GDPR introduces several other new rules that cover:
- Data Breaches – Companies must notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. When the risk is high, the affected individuals must be told as well, and that second notification can be skipped if the lost data had been rendered unintelligible, for example with encryption, to anyone not authorized to access it. Encryption is a factor in the risk assessment, but it is not an automatic exemption from notifying the authority.
- Pseudonymisation – The regulation encourages companies to process personal data in a form that can no longer be attributed to a specific individual without additional information, and to keep that additional information separate and protected. Encryption and tokenization of identifiers are two ways to achieve this. Pseudonymised data is still personal data and remains in scope, but the regulation treats pseudonymisation as an appropriate security measure that reduces risk.
- Right of Access – Companies must confirm to individuals whether they are processing their personal data, give them a copy of it, and tell them what it is used for, who it is shared with, and how long it will be kept.
- Right to Erasure – An individual can demand that a company erase their personal data on several grounds, for example when the data is no longer needed for the purpose it was collected for or when consent has been withdrawn. This is the article that carries the “right to be forgotten” label many will be familiar with.
- Data Portability – An individual can obtain the personal data they provided to a company in a structured, commonly used, machine-readable format and have it transmitted to another company where technically feasible. The right applies to data processed by automated means on the basis of consent or a contract; data that has been genuinely anonymised is no longer personal data and falls outside it.
- Data Protection – Companies must build data protection in by design and by default, so that only the personal data needed for each purpose is processed and the most privacy-protective settings apply unless the individual chooses otherwise. They must also apply security measures appropriate to the risk, and the regulation names pseudonymisation and encryption as examples. It does not prescribe where encryption keys are stored, but keys and pseudonymisation secrets must be kept separate from, and better protected than, the data they unlock.
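The pseudonymisation item above names encryption and tokenization but not what separates a real pseudonym from a label anyone can reverse. The following Python script, added here as an example and not taken from the article or from any of the vendors it mentions, shows both approaches on constructed customer rows: a keyed HMAC that turns identifiers into consistent pseudonyms which cannot be reversed or regenerated without a separately held key, a token vault whose mapping table is the only way back (so deleting a subject’s entry doubles as erasure for copies that cannot be rewritten), and, for contrast, a dictionary attack that re-identifies an unkeyed hash of an e-mail address. The record layout, the key and the sample rows are assumptions made for illustration.

```python
"""Pseudonymisation as the GDPR list above describes it: direct identifiers are
replaced so records cannot be attributed to a person without additional
information that is held separately.

Added example; not code from the article or from any vendor named in it. The
record layout, customer rows and key are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample rows (not real customers). The same customer appears twice
# so the example can show that pseudonyms stay consistent across records.
CUSTOMERS: List[Dict] = [
    {"cust_id": "C1001", "name": "A. Muster", "email": "a.muster@example.org", "balance": 120.50},
    {"cust_id": "C1002", "name": "B. Dupont", "email": "b.dupont@example.org", "balance": 98.00},
    {"cust_id": "C1001", "name": "A. Muster", "email": "a.muster@example.org", "balance": 15.25},
]
DIRECT_IDENTIFIERS = ("cust_id", "name", "email")


class KeyedPseudonymiser:
    """HMAC-SHA256 of the identifier under a secret key (the separately held
    'additional information'). Equal identifiers give equal pseudonyms, so
    counts and joins still work on the pseudonymised copy; without the key a
    pseudonym can neither be reversed nor recomputed from a guessed value."""

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 32 bytes")
        self._key = key

    def pseudonym(self, value: str) -> str:
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def pseudonymise(self, record: Dict) -> Dict:
        """Drop direct identifiers; keep one keyed pseudonym as the subject link."""
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject"] = self.pseudonym(record["cust_id"])
        return out


def pseudonymised_dataset(key: bytes) -> List[Dict]:
    p = KeyedPseudonymiser(key)
    return [p.pseudonymise(r) for r in CUSTOMERS]


def unkeyed_hash(value: str) -> str:
    """What NOT to do: a plain hash of an e-mail address is not a pseudonym,
    because anyone can hash a list of guesses and compare."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reidentify_by_guessing(target: str, candidates: List[str],
                           fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recompute fn over guessable identifiers and look for
    a match. Succeeds against unkeyed_hash; fails against an HMAC without the key."""
    for c in candidates:
        if hmac.compare_digest(fn(c), target):
            return c
    return None


class TokenVault:
    """Tokenisation: identifiers are swapped for random tokens; this table,
    stored apart from the tokenised data, is the only link back. Removing a
    subject's entry leaves their tokenised rows unattributable."""

    def __init__(self) -> None:
        self._forward: Dict[str, str] = {}  # identifier -> token
        self._reverse: Dict[str, str] = {}  # token -> identifier

    def tokenize(self, identifier: str) -> str:
        tok = self._forward.get(identifier)
        if tok is None:
            tok = secrets.token_hex(16)  # random, so unrelated to the identifier
            self._forward[identifier] = tok
            self._reverse[tok] = identifier
        return tok

    def detokenize(self, token: str) -> Optional[str]:
        return self._reverse.get(token)  # None once the subject has been erased

    def erase(self, identifier: str) -> bool:
        tok = self._forward.pop(identifier, None)
        if tok is None:
            return False
        del self._reverse[tok]
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: an HSM or a separate key store
    for row in pseudonymised_dataset(key):
        print(row)
    guesses = [r["email"] for r in CUSTOMERS]
    print("unkeyed hash re-identified as:",
          reidentify_by_guessing(unkeyed_hash(guesses[0]), guesses, unkeyed_hash))
    print("keyed pseudonym re-identified as:",
          reidentify_by_guessing(KeyedPseudonymiser(key).pseudonym(guesses[0]), guesses, unkeyed_hash))
    vault = TokenVault()
    tok = vault.tokenize("C1001")
    vault.erase("C1001")
    print("after erasure, token resolves to:", vault.detokenize(tok))
```

Run it directly to see the pseudonymised rows and the re-identification results. The design point is that the key or the vault table, not the pseudonymised table, is what an attacker needs, so that secret has to live under stricter access control than the data it unlocks; on IBM i that means a separate library or key store with its own object authorities, not a field in the same file.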
While the law protects people in the EU rather than EU citizens as such, it applies to any company, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour, which means it will affect many companies all over the globe. Fines for non-compliance reach €20 million or 4 percent of the company’s total worldwide annual turnover for the previous financial year, whichever is higher.
For HSBC, that amounts to $1.9 billion. For IBM, it could be $3.1 billion. For Facebook, Google, and Amazon – companies that some GDPR observers think regulators are most likely to make an example of – the maximum fines would be $1.6 billion, $4.4 billion, and $7.1 billion, respectively.
IBM i Impact
Awareness of GDPR is slowly building in the United States. In its recent 2018 IBM i Marketplace Survey, HelpSystems reported that 11.9 percent of survey takers reported that they comply with GDPR, trailing Sarbanes-Oxley, PCI DSS, and HIPAA by fair margins. Nearly 40 percent said they don’t adhere to any regulations.
“We expect this number to decrease as organizations begin to understand just how far-reaching some regulations, like GDPR, truly are and as other industries, states, and nations look to take action against cyberattacks by implementing additional regulations,” the company stated in its report.
Raz-Lee Security, an independent IBM i security software company based in Nanuet, New York, is ramping up its marketing outreach around GDPR. Raz-Lee CEO Shmuel Zailer says that GDPR, together with high-profile breaches and other security events, has heightened awareness of the need for better security among IBM i shops.
“We hear more and more about security. People are becoming much more interested in this,” Zailer told IT Jungle in an interview earlier this month. “GDPR has elevated the requirements, mainly in EU but not only in EU. There are many other places which people are exposed to the threat of being fined because of the GDPR and as such they must take the measurements in order to protect themselves.”
Townsend Security, which develops encryption and multi-factor authentication solutions for IBM i, is also ramping up efforts to help IBM i shops comply with GDPR. “IBM i customers will get serious about GDPR,” CEO Patrick Townsend told IT Jungle last month. “Customers in the EU are scrambling to meet the deadlines. Organizations outside of the EU zone are suddenly realizing that GDPR will affect them, too.”
While companies of all sizes will need to abide by GDPR in Europe, not every North American company will need to comply with it. Bigger U.S. and Canadian companies, and those with a more global customer base, are more likely to fall under the GDPR umbrella. That points to financial services firms, manufacturers, and retailers with worldwide e-commerce operations as those most likely to need a GDPR compliance strategy. By the same measure, distributors, healthcare companies, and government agencies with local or regional customer bases will have fewer GDPR concerns.
The Large User Group (LUG) is watching GDPR closely. “From a security standpoint, the GDPR right now is very hot among a lot of the LUG customers,” LUG spokesman “Dave” told IT Jungle last month. “Trying to figure out how we as members embrace this GDPR, what it means to us, and how we’re going to react has kept that security focus front and center again.”
Vision Solutions, which is now part of Syncsort, is also looking to help its IBM i customers comply with GDPR. In August, it published a 17-page white paper titled Supporting GDPR on the IBM i that serves as a guidebook for complying with the regulation.
Out of the 173 “recitals” in the GDPR, only 14 apply to data protection, says Vision, which mapped those recitals to the specific data security and privacy processes it says IBM i shops must implement to ensure compliance.
Vision has been busy buying up IBM i security software companies, including Enforcive last year and Cilasoft early this year, so it is well-positioned to help IBM i shops that fall under GDPR’s umbrella comply with the regulation. Vision’s report is available for download from the company.