Seven Years: The GDPR Year and What It Taught Us

Business anniversary milestone

Seven years. September 10, 2018. Robell Technologies has now been serving Arizona dental practices, medical offices, law firms, and accounting firms for seven years.

If 2017 was the year of ransomware, 2018 was the year of GDPR and massive data breaches. Here's what year seven taught us.

GDPR Changed the Conversation

When GDPR went into effect May 25, 2018, it changed how everyone thinks about data privacy. Even though most US small practices aren't directly subject to GDPR, it raised the bar for data protection globally.

What we learned:

Privacy by Design Makes Sense

GDPR's principle of "privacy by design" means building data protection into systems from the start, not bolting it on later. This is good practice regardless of regulatory requirements.

Thinking about data minimization (don't collect what you don't need), access controls (limit who sees what), and retention policies (delete when no longer needed) makes systems more secure and manageable.

Data Mapping Is Valuable

GDPR requires knowing what personal data you have, where it is, and who has access. This exercise (data mapping) is valuable even if GDPR doesn't apply to you.

Practices that map their data discover forgotten databases, shadow IT systems, and data they should have deleted years ago.
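The three GDPR habits described above (data minimization, access controls, retention policies) and the data-mapping exercise can be turned into a repeatable check. The following is an added example, not code from Robell Technologies or from the original post: it models a practice's data inventory as a list of stores, each with a category, an accountable owner, a documented purpose, the roles that can read it, and a retention period, then reports stores with no stated purpose, readers who are outside the policy for that category, and data held past its retention window. The stores, roles, dates and the allowed-reader policy are all constructed for illustration.

```python
"""
Data-map checks in the spirit of GDPR privacy-by-design (added example).
All stores, roles, dates and the ALLOWED_READERS policy are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class DataStore:
    name: str
    category: str        # e.g. "patient_records", "billing", "marketing"
    owner: str           # person or team accountable for the data
    purpose: str         # documented business reason; "" if nobody knows
    readers: set[str]    # roles with read access
    retention_days: int  # how long records may be kept after last_used
    last_used: date      # last legitimate business use


# Constructed policy: which roles need each category (assumption, not a standard)
ALLOWED_READERS = {
    "patient_records": {"clinician", "front_desk"},
    "billing": {"front_desk", "accounting"},
    "marketing": {"marketing"},
}


def minimization_findings(stores: list[DataStore]) -> list[str]:
    """Data minimization: stores nobody can state a purpose for."""
    return [s.name for s in stores if not s.purpose.strip()]


def access_findings(stores: list[DataStore]) -> dict[str, list[str]]:
    """Access control: readers beyond what the category policy allows."""
    findings = {}
    for s in stores:
        extra = s.readers - ALLOWED_READERS.get(s.category, set())
        if extra:
            findings[s.name] = sorted(extra)
    return findings


def retention_findings(stores: list[DataStore], today: date) -> list[tuple[str, int]]:
    """Retention: (store, days overdue) for data held past its retention window."""
    expired = []
    for s in stores:
        cutoff = s.last_used + timedelta(days=s.retention_days)
        if today > cutoff:
            expired.append((s.name, (today - cutoff).days))
    return expired


def data_map_report(stores: list[DataStore], today: date) -> dict:
    """Run all three checks and return one report for the practice."""
    return {
        "no_purpose": minimization_findings(stores),
        "over_exposed": access_findings(stores),
        "past_retention": retention_findings(stores, today),
    }


# Constructed sample inventory: a live practice-management database, a forgotten
# billing export that a data-mapping exercise would surface, and a newsletter list.
TODAY = date(2018, 9, 10)
SAMPLE_STORES = [
    DataStore("pms_db", "patient_records", "Dr. Example", "treatment records",
              {"clinician", "front_desk"}, 3650, date(2018, 9, 1)),
    DataStore("old_billing_export", "billing", "unknown", "",
              {"front_desk", "accounting", "marketing"}, 365, date(2016, 1, 15)),
    DataStore("newsletter_list", "marketing", "Office manager", "patient newsletter",
              {"marketing"}, 730, date(2018, 8, 20)),
]

if __name__ == "__main__":
    for section, items in data_map_report(SAMPLE_STORES, TODAY).items():
        print(f"{section}: {items}")
```

Run as a script it prints the three findings; in practice the inventory would be loaded from the spreadsheet or tool the practice keeps its data map in, and the report reviewed each quarter so that forgotten exports like the sample one get deleted rather than rediscovered after a breach.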

Vendor Management Matters More

GDPR made vendor data processing agreements standard. Now practices expect written commitments from vendors about data security.

This is positive. Vendor accountability shouldn't be optional.

Major Breaches Raised Awareness

2018 saw massive data breaches that made headlines. Marriott: 500 million records. Cambridge Analytica/Facebook: 87 million. Under Armour: 150 million.

These breaches changed client conversations:

Clients Ask Better Questions

Practices now ask vendors about security before signing contracts, not just after breaches. They want to know about encryption, access controls, incident response plans.

This is progress. Security shouldn't be an afterthought.

Breach Notification Is Expected

Clients expect to be notified quickly if vendors have breaches. Slow disclosure (like Marriott waiting months to announce a breach) is no longer acceptable.

Cyber Insurance Got Serious

More practices are buying cyber insurance. Insurers are asking harder questions about security controls and requiring specific protections (MFA, backups, employee training) for coverage.

Cloud Migration Accelerated

This year, we completed more cloud migrations than ever: email, file storage, practice management systems, and backups.

Lessons from year seven migrations:

Hybrid Is Often Optimal

Complete cloud or complete on-premise are rarely optimal. Most practices benefit from hybrid approaches: critical clinical systems on-premise, administrative systems in cloud.

Change Management Is the Hard Part

Technical migration is usually smooth. Getting staff comfortable with new workflows and interfaces is the challenge.

Successful migrations include thorough training, gradual rollouts, and patience with the learning curve.

Backup Internet Is Non-Negotiable

Once you're cloud-dependent, internet outages mean you can't work. We now require backup internet for cloud-heavy practices.

What's Working

Security Awareness Training

Quarterly 15-minute security training sessions work better than annual hour-long trainings. Staff retain more, stay current on evolving threats, and develop a security mindset.

Simulated phishing campaigns between training sessions reinforce lessons and identify people who need additional help.

Proactive Patching

Automated patch management for workstations and servers prevents most vulnerabilities from being exploitable. Manual patching was inconsistent. Automation is consistent.

Multi-Factor Authentication Everywhere

MFA is now standard on email, remote access, and financial systems for our clients. Initial resistance faded quickly. Account takeover attempts dropped dramatically.

What's Still Challenging

Legacy Systems

Some practices run critical software that only works on outdated operating systems. Windows 7 will reach end-of-life in January 2020, but some dental and medical software still requires it.

This creates security challenges. We can mitigate risks but can't eliminate them when operating systems no longer receive security updates.

BYOD Security

Staff want to use personal devices for work. This is reasonable but creates security challenges. How do you protect practice data on devices you don't control?

We're working on mobile device management solutions that balance security and usability.

Third-Party Risk

Practices depend on dozens of vendors. Each vendor is a potential security weak point. We can help practices vet vendors and manage agreements, but we can't control vendor security.

Looking Ahead

Year eight will likely bring:

We're preparing by developing Windows 10 migration plans for clients still on Windows 7, expanding our security monitoring capabilities, and staying current on emerging privacy regulations.

Growth and Gratitude

Seven years ago, Robell Technologies was an idea. Today, we support dozens of practices across Arizona, helping them stay secure, compliant, and operational.

Some clients have been with us all seven years. Their trust and loyalty mean everything. New clients join regularly, often through referrals from existing clients. That kind of organic growth is the best validation of our work.

To our clients: thank you for your business, your referrals, and your patience as we navigate new technologies and evolving threats together.

To practices we haven't worked with yet: if you're looking for IT support that understands healthcare and professional services specifically, we'd welcome the opportunity to help.

Here's to year eight. Let's keep Arizona practices secure and productive.