Companies in the UK are bracing themselves for a new challenge this year: GDPR.
GDPR, or the European Union General Data Protection Regulation to give it its full name, has raised many questions for companies, with one of the most complex being how they manage all the personal data they hold on individuals who will be protected by the new rules.
People HR, a Lincolnshire company selling web-based HR software, is one such organisation. The business has just over 60 employees and 4,500 customers, with 120 new ones coming onboard each month.
Sat Sindhar, managing director at the company, tells IT Pro the company has been looking at ways to secure all its sensitive data and began working on ISO 27001 at the beginning of 2016. Although this isn't a guarantee a company is GDPR compliant, Sindhar explains, it gives customers reassurance as to a provider's credibility.
Going through this process, however, the company realised it would need an "army of people" in order to manually sort through log files, and so six months ago it began looking around for a company to help provide a managed service that would solve the problem.
Protect data, protect customers
Sindhar says that in the HR world, data protection has always been absolutely critical.
"We've never been in a position where we've been providing products that didn't really need to comply with the data protection act in this country and in Europe," says Sindhar. "Similarly customer concerns about data security has always been quite high up on the agenda, if not the single most important thing on the agenda."
He says in order for People HR to meet the new GDPR reporting requirements, the company needs to have particular technology and services from their providers.
"It's impossible to really meet the GDPR reporting requirements if you're a company like us with thousands of customers, on a manual basis," he explains.
If a problem arose, then People HR would need to carry out a forensic level analysis of their infrastructure to find out who accessed their data. This would need to happen in order to feed back to their customer and to comply with GDPR laws, says Sindhar.
After looking at a number of offerings, the company ultimately plumped for Rackspace Managed Security.
"Rackspace was interesting for us because not only were they able to provide the technology products, the components we needed to provide GDPR compliance, but they were able to supply the people there as a team who were then using these components," Sindhar explains.
"That was the most important thing to us, to have the people we could turn to in times of need, to have the people there who were actually looking at what we were doing in a proactive fashion, identifying potential issues and problems before they even arose and dealing with them."
Racking up customers
Daniel O'Neill, senior manager of cyber security at Rackspace, says most companies are becoming more aware of GDPR: "GDPR has big momentum amongst many businesses, certainly since the [beginning of 2017]. I would say most business leaders I speak to now the conversation will involve, or revolve around, GDPR. It's on the minds of most business leaders now as they look to prepare themselves ahead of the 25 May 2018."
He wasn't surprised by People HR's proactive approach, but says it was nevertheless "encouraging that a business acknowledges that security and cyber security is crucial to not just protecting the business but enabling the business in the current threat environment".
"I think it's important that businesses have started preparations now. We've known about GDPR for some time," said O'Neill. "A pragmatic approach for many businesses is to look at what they do now. We have data protection regulations in place, we have compliance frameworks. If businesses can identify the processes they do already and map those across the GDPR, they can then focus on the real gaps that they need to address to make themselves compliant."
Sindhar echoes this as many of his European customers are "particularly vocal on the question of GDPR", he says. Those customers need to know People HR have the correct technical and organisational measures in place before signing up.
"This is the singularly most important thing right now when it comes to security conversation for European customers, absolutely," he added.
In terms of why People HR have been so proactive, Sindhar claims it's because the company needs to think of its customers.
"If you centre our universe where our customers are and you think about the HR professionals out there then it's essential that we give them a secure, reliable, safe system that meets all the legislative and regulatory requirements. When you think about it like that it becomes quite easy to understand why we needed to be proactive," said Sindhar.
Sindhar has four pieces of advice for other companies looking to become GDPR compliant: "Don't bury your head in the sand, separate fact from fiction, work with partners that help you and don't do things just for GDPR but use GDPR to make yourself better."
Main image credit: Shutterstock
