Schuck: right approach

Steps on the journey to GDPR compliance

Claude Schuck, regional manager for Middle East and Central Africa at Veeam Software, takes us through five steps that will help firms on their journey to GDPR compliance

July 2018

There are still a vast number of organisations that have not taken the necessary steps to ensure General Data Protection Regulation (GDPR) compliance. The problem surrounding GDPR compliance is that it’s thought of as being just an ‘IT issue’, said Claude Schuck, regional manager for Middle East and Central Africa at Veeam Software.

Lots of businesses seem to either have an inflated sense of confidence around how they already handle data, or they’re shrugging it off as someone else’s problem – which is to miss the point entirely. Compliance with the GDPR, in terms of both preparation and maintenance, should be a company-wide effort. Not least because companies who are found to be non-compliant could face hefty fines that would affect everyone, he said.

“And if the stipulations of the GDPR seem significant, it’s because they are. We’ve not had any updates to data protection laws since 1995 and things have changed a lot since then. The way businesses collected and stored personal data back then is no doubt very different to the way they do it in 2018,” Schuck said.

“When you put it like that, the GDPR seems pretty overdue. Today’s organisations should be welcoming it as an opportunity to update their whole relationship with data protection and make it fit for the future. To implement a methodology that’s built into the fabric of the organisation – not an afterthought or just something for IT to deal with,” he added.

According to him, there’s a very simple way to frame one’s approach to GDPR compliance. The five steps detailed below are the process Veeam went through to prepare to complete its journey to compliance.



If it’s a business that has or holds data on EU citizens, formally known as Personally Identifiable Information (PII), then the GDPR applies to it. That means it is liable to penalty fines if it is found to be non-compliant after the deadline of May 25, 2018, which has now passed. The best starting point, then, is simply knowing whether it holds this kind of data or not, and if it does, where it’s kept. Creating a visual map of all the data it holds will help the business build a comprehensive picture and get better oversight of this.

A lack of knowledge around the kind of data they hold may be another reason why so many businesses don’t seem to be taking much notice of the GDPR – or just don’t think it applies to them. It could be that they don’t believe they hold any relevant data (hint: if you employ EU citizens, you do), or don’t realise the breadth and scope of the data they do hold (hint: personal data is more than just names and addresses). “Which is precisely why just knowing your data is the first step on your journey to compliance,” he added.



Once a picture is built up of all the relevant data you collect and hold, it’s time to look at who has access to it and how it’s being used. Different teams and departments in your business will be accessing the same data in different ways and will be using it for varying purposes. Whether it’s a marketing team inputting data on prospective customers and sharing it with the sales team, or a HR team handling data on its own employees, it’s essential that standardised procedures and workflows are implemented around the handling of personal data, and that employees only have access when it’s necessary to their business function.

Managing a company’s data is about having visibility of the way data lives and breathes in an organisation – even if that’s not in-house. GDPR compliance also depends on the compliance of any third-party vendors or providers you work with, so the onus is on you to make sure they’re abiding by the rules. No turning a blind eye to data management once it’s out of your own business’ hands.



Having gained better oversight of data and implemented standardised processes to manage it, it’s time to make sure the right security controls are in place to protect the data – but that doesn’t just mean encryption. To be compliant you can’t simply turn security ‘on’ and put your feet up; the GDPR requires constant monitoring and diligence, and also much quicker action in the event of a data breach.

It’s true that technology will play an important part in that journey, but technology alone will not bring about compliance. Rolling out a new company-wide approach to data protection requires a combination of security techniques, standardised workflows, internal education, access control, backup solutions, and much more besides. Keeping on top of who has access, where and when, with constant auditing and monitoring will enable much swifter responses to the data breaches that, despite everyone’s best efforts, are probably still inevitable.



One of the GDPR’s hottest topics is the introduction of data requests, which means an individual will have the right to request the correction or deletion of the data held about them. Businesses will be expected to comply with these requests and show that they’ve done so, which is why visibility over what data you hold – and where – is so crucial.

Ongoing compliance with the GDPR also requires the documenting and auditing of what data you’re collecting, what it’s being used for and how long you’ll be storing it for. “When we went through this step, we asked ourselves questions like: Is the data we collected months ago still relevant today? Do we still have visibility of data when it’s moved from one place to another? Are our third-party providers still compliant?” he said.



One of the benefits of constantly monitoring and auditing data protection processes is the opportunity to constantly review and improve them. It’s true that the GDPR is something of a line in the sand, but as the digital world we live in constantly evolves and expands, it’s safe to assume that responsibilities around data privacy and protection will also continue to increase – so businesses will need to continually improve to keep compliant.

“The GDPR should be seen by businesses as an opportunity to rethink their entire approach to data protection, now and moving forward. It’s a chance to make their organisations fit for the future – and they should grab it with both hands,” he concluded.
