GDPR Compliance Requirements

Transcription

Dan: It is. It's 8:30 right now. It's time for a Bit-Wizards' Tip of the Wand. On the phone with me, I have Mr. Vince Mayfield, who is part owner of Bit-Wizards, and also chairman of the board for the Fort Walton Beach Chamber of Commerce. Kind of wearing two hats, aren't you, Vince?

Vince Mayfield: Well, that's the truth. I wear a lot of hats around here. You never know which hat I'm going to have on. My wife says I have too many hats.

Dan: I'll bet she does. Is that Sam there with you?

Vince Mayfield: That is Sam.

Sam Blowes: It is.

Dan: Good morning, Sam.

Sam Blowes: Good morning. How are you, Dan?

Dan: I'm good. I haven't talked with you in a while. Hope everything's good with you too.

Sam Blowes: Yeah. It's been a minute. Things are going really well, actually. Yep. Staying dry right now.

Vince Mayfield: I think we're all busier than one-legged men in a butt kicking contest.

Dan: That's a lot of hopping and kicking right there.

Vince Mayfield: That's the truth.

Dan: Now, with all the weather the way it is right now, does that affect you guys when you're trying to get everything accomplished, all the wet weather?

Sam Blowes: Well, one of the things that we do is make sure, because of flooding, we make sure that servers and things like that are off of the ground. We do that for our clients as well, make sure that we're getting everything prepared. Also battery backups usually aren't super cheap, those UPS battery backups right out of the gate, but man, the money you save on shorted out servers and things like that by having those in place. So we always test batteries on those kinds of things. It's how we prepare for hurricane awareness when it's coming in, when we've got a storm coming this way. Of course, we may have mentioned this once or twice in the past, we like to move things to the cloud so that we don't have to worry about Hurricane Sally bearing down on us, because we got everything distributed all over the cloud itself.

Dan: Yeah. I would say that's probably a pretty big deal, huh? Because if you get your things wet, or there's some kind of electronic surge or something, and something happens to your memory, and you don't have a backup, I guess you're in a problem.

Sam Blowes: Yep. That's exactly right. That's exactly right.

Vince Mayfield: I think the key thing there, Dan, is making sure that you're planning for business continuity. You can't live where we live, in Hurricane Alley, and not have a business continuity plan, and how you're going to operate if you get hit by a hurricane or lose power or those types of things. Business is just too critical. The reality is that customers, where they might be understanding, you're under a hurricane or whatever, but the question is can your business sustain a long loss of revenue over a period of time? This is why we really try to drive our customers to go to the cloud and have a virtual business model as well as an on-premise one. Some things don't make sense. If you're renting jet skis or pontoon boats, it may not. But you can still sustain operations by being able to take bookings and things like that, possibly maybe letting your customers know that maybe you're moving up to Lake Lanier or something like that, so that you can continue to do operations. But it's that type of thinking ahead that really needs to be done by all businesses, small, medium and large.

Dan: Yeah. I would say that, Vince, you are a good person to talk about that, since you are a business owner, and you're also in charge of the IT management and so on with your business. So you, as a business owner, know how important that is.

Vince Mayfield: It is. We have contingency upon contingencies in terms of the way that we operate. I've got three groups here. I've got a group of software engineers that write cutting edge software for firms. Then I've got a digital marketing group that does digital marketing and user experience. Then of course we've got our IT. Our IT group runs the gamut from your small business to right now we're helping Stein Mart in their process of going through bankruptcy. We work with companies like Stein Mart, Mitsubishi and [Bell's 00:00:04:01], but we also work with Lisa Jo Spencer, and the chamber of commerce, and [Pause 00:04:14], and a number of other businesses in our local area and regionally. So we know how to adapt those specific environments and give them the right amount of IT. I think for our smaller businesses, one of the things we bring is we bring big IT practices, and we've been able to scale them down to small businesses and make them cost effective, so that they can get the benefits of what large organizations have in terms of IT.

Dan: That makes a lot of sense too because, well, you understand it. You have a lot of different, you would say, departments in your organization. All of those people would want to make sure that their information was protected as well. You would know that, with the rest of the businesses that you work with, and I'm sure even some cities, you work with some government facilities as well, I believe, everybody needs to have everything backed up and ready to go with a plan. I'm sure, as clients of yours, you're making sure that all that is protected, especially going into these storms that we have in the storm season, if you will.

Sam Blowes: Yeah. In fact, the key phrase that Vince talked about there isn't just making sure we got backups of things. He used the phrase business continuity. We want to make sure the businesses can continue no matter what curve balls life throws at you. In the middle of your week, when you have got your plan, everyone has their plan, and they're looking forward to where things are going to go. But business continuity is a little different than just backups. Because backups would be considered a disaster recovery solution. Things have gone wrong. How do we get back up on our feet? But business continuity says, "What can we do to anticipate potential problems and make sure that this company keeps thriving, not just surviving, but thriving through any specific issues or even generalized issues that affect a larger area, to make sure that we have what we need in place to continue operating as a business, to make sure we achieve our goals still?"

Dan: That makes sense. Yeah. Business continuity. I like that idea, because no matter where you're at, you can still work your business.

Vince Mayfield: Yeah, absolutely. You're trying to anticipate potential problems before they happen, and make sure that you've got adequate resources and plans in place in order to make sure that your business can continue to operate. It's kind of interesting. One of the things we wanted to talk about today, Dan, was we wanted to talk a little bit about compliance. We've run into a lot of different things from different customers, everything from we've got some local defense contractors that want to talk to us about going into the Office 365 or Azure Government tenants, because those add an extra layer of security for them, to general data protection regulations and privacy compliance, and also things like, with the Americans for Disabilities Act. So we thought we might talk about a couple of those things today, and maybe help and enlighten some folks about some of these different compliance things, what they mean for not just defense contractors, but small and medium business.

Dan: Oh yeah. That sounds great. That sounds very interesting. Let's move forward on that.

Vince Mayfield: Absolutely. The first one we thought we might talk about is GDPR or General Data Protection Regulation. This was born out of the EU. Here in the United States, with social media and some of these other things, we've kind of opened up the door on our privacy. People don't think twice about signing up or giving up their information. But Europe, they're a little, I guess, more skeptical, a little more conservative when it comes to the protection of their privacy. What they've done, as we know that our own Congress is woefully 20 years behind on the latest technology, and enacting regulations and laws and things like that to help make Americans safer, or to deal with the issues of technology as they come up, but Europe was a little forward thinking. They created a thing called GDPR. It applies to how information and systems that collect and store your personally identifiable information, things like your name, your address, your phone number, your demographics about who you are. Therefore they have a compliance regulation that they have on businesses. It's not just about websites. It's about any kind of data that they collect. You've probably seen our signs around town, where we talk about Protect Your Privates. We're trying to get the message across to business owners that the data that you have, you're protecting your own corporate data, but you're also protecting your customer data.

Dan: Right.

Sam Blowes: Now, compliance, to me, it's a scary language. I don't like talking compliance. I don't like having to read through reams and reams of documents for every single different compliance, because every different vertical of industry, even here in the US, probably has its own standards of compliance. Some of them you've heard of, like HIPAA compliance, doctors and medical institutions can't just start handing out your medical information willy nilly. They can't just keep it stored in a paper binder sitting on someone's desk at a doctor's office either, because that would be a violation of the HIPAA compliance. For many of the government contract entities that we work with, they have DFARS compliance or NIST compliance. Then Vince said, there's GDPR, which is a general compliance rule for companies that are storing data about their customers. This is more of a much more general compliance rule. Some are very, very specific to an industry. We work with a lot of land and title association companies. They have the ALTA compliance standard, American Land and Title Association compliance that says, "How are you going to protect your customer's data? How are you going to protect your business for business continuity and make sure that you don't get breached?" So there's all these varying levels. However, in my mind, as I look at compliance, it really boils down to three different parts, at least from an IT perspective. That is how are you going to isolate the data that you have, to make sure that different types of data don't bleed into each other, so your family pictures of the kids' baseball game aren't also stored with your critical company documents? How are you going to secure the data? How are you going to make sure that nobody can get into it who is not supposed to get into it? And the most important part is how are you going to audit the data? How are you going to make sure that you can track everybody who's seen the data, or looked at the data, or has access to data, or used it in some sort of fashion?

Dan: So in that way, you would find out if you got hacked or anything. You'd find out who got into the information last.

Sam Blowes: Yes. In fact, that's where GDPR really comes in. That's what it was birthed out of was to say, "How can we know if someone's data has been breached?" Because I submitted my information to a website, in good faith, thinking I was signing up for this cool service. I gave them my birthday and my social security number and a few different things so they could verify who I am. Then six months later, they got hacked, and their database that stored all of my private information is now out there for purchase on the dark web. How do we make sure that I'm made aware of that, that I'm protected from that? That's where GDPR comes in. Now, Vince knows a lot more about GDPR than I ever will.

Vince Mayfield: I don't know about that, but I would say that it takes it a step further. Some of the things in GDPR compliance are the fact that I can go back to any entity that I give my information to, and I can tell them, "Hey, I want you to stop collecting my information." That's one thing that I can do. Which you have to stop immediately, which means that you have to have a procedure to handle that, for people to submit and say, "Hey, do not collect my information anymore." So you have websites that do things like they get your email, or they put a cookie when you browse the website, so it can track what you're doing. I can go to any one of those places in Europe, and I can tell them, "Hey, I don't want you to collect my data anymore." Then I can take it even a step further. If I want them to continue to collect my data, I can say, "I want you to package up for me and give me all of the data that you've collected about me," so I can review it if I want to review it. Which means that the business has the requirement to be able to not only take the requests that I want my data, and you have to provide it to me within a timely fashion, but I can also say, if I don't want you to collect my data anymore, I want you to wipe my data out of your systems, and I want you to be able to prove to me that you've taken the steps and done that, that you haven't held it over in a backup or some other kind of place. It begs the question. It says, "Okay, well, here in the United States, why does this apply to me?" Well, most multinational companies, your McDonald's and your Amazons of the world, automatically, because they operate in the EU and those others, have done it. Some states here in the United States, California passed their own law that piggybacks on top with GDPR. Right now, GDPR compliance in the United States around American small businesses is voluntary participation. However, there are some organizations that are getting together. What they're doing is they have created entities that operate both in the United States and in Europe, and then they're going after and suing small and medium businesses for not providing things. Now, the steps that they're asking you to do are really not that difficult. Most of it centers around the web, and it centers around IT systems. What they want you to do, and we've got a 12 step process here, is to identify the types of data that you collect, and identify why you collect that data. Then you want to establish and document data auditing and update procedures. If you're a doctor's office, you do some of these things already for HIPAA. You know what type of data that you collect. You have it audited on a regular basis. By audited, you're not looking at the data. That may be part of it, but what you're doing are things like who has access to that data and where is that data. If it's stored between systems, where does it go between those systems? How are those systems backed up? You're basically keeping track of it. Also you're going to identify what the systems are, and the storage mechanisms that these things are. So you know where the data is at any given time. The other thing that you do is you can go back, and a lot of off the shelf software already has compliance mechanisms built into them so that if you get one of these requests for what data do you have, or somebody wants to wipe it out, it can do those things for you automatically. For those that don't, like maybe your website may not have built in mechanisms for doing it, you've got to create systems and processes in order to make sure that that happens. It starts with that. Then establishing what your retention policies and procedures are for that data. How am I going to keep it? Am I going to keep it forever? Are you a pack rat like Vince, who has hard drives that go all the way back to the 1990s? I never know when that email is going to come up, that I wrote in 1990 when I was in the Air Force, but I do have copies of some of that stuff stored [crosstalk 00:16:50].

Sam Blowes: Well, and those retention policies are an interesting point, because for some entities, especially local government entities, they have to keep data retention. Legally, they have to be able to track emails going back, let's say, seven years, which doesn't sound like that big of a deal. If you look at your email, you could probably go back about seven years in your email and find some old emails in there and think, "Well, what's the point of this?" But for, let's say, a local city government, or a defense contractor, or somebody like this, that has certain government regulations that say they have to keep all of that data, that means you have to keep all the emails of employees who haven't worked in your companies for **inaudible** six years. We were working with the Florida ... I can't think of the name of it, but the first district here for working with law enforcement.

Vince Mayfield: Judicial court.

Sam Blowes: Yeah. The first judicial court. We were working with them because government required that police officers have body cams, and they record incidents with their citizens. But what they told us is even a simple traffic stop, for getting pulled over for a taillight going out, could be 10, 20 gigabytes worth of data that they record. The problem with that is where do you stick those 10, 20 gigabytes? Because that doesn't sound too much. I can go to Walmart and buy an eight gig thumb drive for five bucks in the checkout line. But that's not going to last for too long. For the law enforcement, the problem for them was this retention. If somebody is actually convicted on evidence of this video, and then they go to prison, and 25 years from now, they want to appeal that case, we have to be able to pull up that video for them from that traffic stop. So for 25 years or 30 years, there may be a retention policy in place that they have to retain those data for a certain amount of time. It's not just law enforcement. It's not just local government. Lots of different compliance and lots of industries have retention policies. You have to hang on to data for a certain amount of time.

Vince Mayfield: Yeah. And the GDPR, Dan, again, it was born out of you've got tighter restrictions on things with government. You've got payment card industry standards, PCI compliance and things like that, that you've got to do if you're taking credit cards. But this was more of a general. This is more to protect the citizens. For the most part, it talked about public facing websites and how those public facing websites feed into other data. I mentioned before, Sam was talking about retention policies and procedures, and I talked about you need to establish a response process, because when somebody makes one of these inquiries, just like the government or somebody does a FOIA request, a Freedom of Information Act request, there's a process that you go to. On GDPR, there's got to be a process for somebody to be able to say, "Hey, I want to see what data you've got collected on me." "Hey, you need to give me a process for me to give you my consent to collect my data." That started out with creating written public policy and putting it on your website, saying what your privacy policy is, where it's clear and available to anybody that uses your website or uses your web application or software system. Then the next step was to create a data and cookie consent. When you come to the website, you notice that you go to a lot of websites now, they immediately pop up and they tell you, "Hey, we collect cookies, and this is the type of data, and here's our compliance policy." A lot of people just generally accept that. Then when they clear the cache on their phone, they may have to accept it again, or clear the cache in their browser. But most of these companies are required by law in order to do this. There's some huge fines in the EU for not doing it. Then, on top of that, you have to create a public facing web request form, where an average Joe Schmo can come in, and that Joe Bag of Donuts can ask you, "Hey, what data do you have collected on me?" or, "Hey, I don't want you to collect data on me anymore, and I want you to wipe it all out." So you have to have a web request form that's publicly facing where they can make that request. Then you have to have a process of continual review, where you handle these requests, and handle them within a timely manner. Ultimately, you got to have somebody that owns the process to make sure that it happens and it gets done. None of these things is really all that difficult. I think it's a degree of care that I think people should start to demand over their data and their information.

Dan: Yeah. It's good you hit on that, Vince, because I didn't know if there was a way that you could recall your data, like you're talking about, personal data, or how you could protect your data from being collected by others. Because when you look at it, these credit companies that do your credit scores, they take all this information without your consent, and they put it all out there. They're making money off your data, which I thought that just doesn't seem right.

Vince Mayfield: Yeah, you're absolutely right. That's where the laws in the United States here really need to catch up. I don't know if the proverbial cat is out of the bag at this particular point, because we've given up so much privacy here in the United States, and allowed companies to collect data. You've heard me say on the show before, "Free isn't free." People get on Facebook and they go, "Oh my gosh, Facebook, it's free and I can use it. It's established a thing." But what Facebook is doing is collecting information on you. You're giving up your privacy by consent and giving Facebook information. It doesn't matter if you post in Facebook's timeline after the fact that, "I do not give consent to my data being used." You did it by the use of the application at the very beginning when you downloaded it. There was no rescinding it. Now fortunately, Facebook and a couple of the other large companies, most of the large companies, have signed on to GDPR. They have mechanisms where you can go in and wipe out your account, wipe out your data. For example, in Facebook, you can go in and say, "Hey, I want to download all my pictures, and all the data, and all my posts to my account." You can do that. It's buried deep, and it's a pain in the butt, and it takes time, but you can do it. Then you can wipe out your account completely. Now in between that, that doesn't mean that Facebook hasn't sold your data to five or six other agencies. I can't speak to what the process is on how they might get that data. But when you sign up for the process, you sign up for Pinterest, you sign up for Instagram, you sign up for TikTok, you sign up ... You basically ... By downloading the app, you say, "Hey, I'm giving you access to all my data and all my information, and you can do what you will with it." Nobody reads the fine print, Dan.

Sam Blowes: But the good news is you do get a service that tells you when all your friends' birthdays are. So it's pretty even trade really.

Dan: It helps your memory out. We all like that. What's the big ... That's a good trade off.

Vince Mayfield: Well, it just goes that we've become flippant. Websites ask for data all the time. You go to a website, and you say, "I want to download this free white paper," and they ask you for your phone number and your email address. It used to be, for a while, people would put a bogus email address or a phone. Well, they've got sophisticated now. They can check those things in real time to see if you're giving them something that's bogus, at least the more sophisticated ones do. But ultimately the whole goal there is to collect your information so that they can sell you something. They're giving you something in exchange for the information. I always, I tell my wife, who's a teacher who uses a lot of free apps and a lot of stuff like that ... She gets upset when she gets a ton of spam or other things. I said, "You need to be more judicious about what you sign up for, because when you do that, you're basically giving them access to your information." The same thing's true of Google, the search engines. They track literally everything that you do, your searches, the different sites that you go to. It's a larger problem. Our thing with small businesses is you may not be subject to GDPR at this particular point, but we recommend that you think about it, because it's good for your customers and it's good for you. It helps you to keep control of the data that you collect, knowing where it's at, protecting that private information, and making sure that it's secure, and making sure that you take care and are good stewards of that information.

Dan: Well, it hits right on the head with the billboards, Protect Your Privates, because that is private information that apparently everybody has access to. But unless you go to each, I guess every single company, right, Vince? You'd almost have to go to every company, say, "Stop collecting my stuff."

Vince Mayfield: Well, yeah. Every one of them has a different policy. This is where there's legislation here in the United States. I just don't think that people here in the United States take privacy as important, and their personal data as important, as maybe folks in Europe do now. Maybe it's going to take some catastrophic things happening for people to wake up. Or maybe Congress will finally get in and regulate some of this information and data. It's scary, if you think about it. My understanding back, I don't know if it's still going on, but at one point, I know that the DMV data was sold to other people. That's got your personal address. There's a lot of information out there that they make available to other people. They sell that data.

Dan: That's insane.

Vince Mayfield: It is.

Sam Blowes: A good example on just how easy it is ... I know we don't have much time, but I've heard a lot of ads lately for these browser plugins that help you in your shopping online. They'll tell you ... So you're on Amazon's page to buy some hair product or something, and it says, "Well, over on walmart.com, it's $2 cheaper over here." When they advertise this, "It's free. Why would you not install this plugin that's going to save you hundreds of dollars just in the first month of using it?" Well, the reason they're giving that away for free is because you're now willingly telling them every single website you go to, and what you're shopping for. So they have no problem writing a little program that will check a few other websites to see if that product is cheaper elsewhere, because in return, you are giving them every single website you visit, all the things that you're interested in. So now they can sell to all these hair product manufacturers and say, "Well, this person over here is really in the market for this specific product. Go get them." Then they release all of your information to them.

Dan: Go get them.

Vince Mayfield: Or, moreover, they get an idea and make a profile for who you are.

Dan: **crosstalk** you got about 30 seconds left. Go get them.

Sam Blowes: Go get them.

Dan: I love that. Go ahead, guys.

Sam Blowes: We can talk about this for hours and hours really, because we deal with this quite a lot, but yeah. It's important stuff.

Dan: Okay. I just want everybody to know, just in case you didn't know, we're listening to Bit-Wizards' Tip of the Wand. We have Vince Mayfield and Sam Blowes with us, Vince being part owner as well, and Sam, I guess, the IT expert as he is. I thank you guys for coming on, because this was a very informative time. I hope everybody got something out of it. I know I did. Thank you, guys.

Sam Blowes: Excellent.

Vince Mayfield: All right, thanks Dan. **crosstalk**

Dan: Okay. Till next week, have a great week guys.