The General Data Protection Regulation (GDPR) comes into effect in the UK on 25 May 2018. Yet, many organisations remain in denial, with a typical mindset being: ‘if I ignore it long enough, it will probably go away’, or even, ‘I don’t think it really applies to me’. Ultimately though, any business that holds personal data about their customers, employees or that runs a payroll is going to be impacted by the regulation. That’s because GDPR clearly applies to all companies worldwide that process the personal data of EU citizens.
There is a world of difference of course, between understanding that your business needs to get ready for GDPR and making it happen. There are likely to be a raft of challenges along the way. Many leadership teams immediately baulk at the need to put policies in place. Organisations, and particularly their directorial boards, often feel that they don’t have the time, manpower or the feel the necessity to do this. But what other options do they have?
We are beginning to see legal departments take on some of the strain. The data protection officer (DPO) role that for many organisations will be a mandatory requirement after May 2018 is increasingly finding itself housed within legal teams as another thing on their ‘to do’ list. In some businesses, the legal department is even formulating policy for the rest of the business to follow.
Many boards, however, still try to shift the problem to the domain of the IT department. There are far too many CIOs attempting to abdicate their responsibilities in this area. The rationale is often that they are simply too busy thinking about the future strategy of the business to spend time considering what they see as essentially IT-focused legislation, so there it should lie. That’s a mistake. GDPR is a business issue just as much IT one. It shouldn’t simply be offloaded to network engineers and made a technology problem – it is a business opportunity, where technology can help.
There is often greater traction in looking outside the organisation for help. But again, the key question is where to look. Firstly, there are a host of companies in the marketplace that are making a lot of noise – saying come and speak to us – we will make you GDPR compliant. However, it is unlikely that a single company operating alone could ensure a customer will meet all the demands of this new GDPR legislation. So, businesses should be very wary about taking this supposedly catch-all path to compliance. It is likely to turn out to be anything but.
The Right Approach
It is clear that businesses can and should be doing today to make sure they are ready in time, especially with regards to good data management. For many organisations, ensuring their data classification processes are up to scratch is one of the very first actions they should take. Every business should know what data it has; where that data resides – (and that means not just the primary data stores but what information is held on laptops and in off-site back-ups for example), and how they manage, control and audit access to it.
They should also, in the context of GDPR, be aware of the CIA triad, (Confidentiality, Integrity and Availability), with the emphasis on the first two of these. When it comes to managing personal data, confidentiality and integrity need to be high on the agenda. Businesses must restrict access to just those people who need to view the data, and they need to ensure that the data is accurate and any relevant updates have taken place. Other key technological measures that can be taken to help protect sensitive personal data include data loss prevention and encryption, whether that is of data held in a data centre, on-premise, in the cloud, or elsewhere.
In a sense, much of this is simply about adopting a best practice approach. The IT industry has long tried to educate businesses about risk mitigation and cyber-security by espousing compliance and reputational protection. GDPR is, however, only the start of a journey, the minimum standard that organisations should be aiming for. It’s about enforcing a decent baseline of security – however organisations that fail to act appropriately and in a timely fashion will find that it’s a regulation with teeth.
By January 2018, we foresee many organisations starting to panic about the 25th of May. They will suddenly realise that time is short and they need to act immediately in order that they are adequately protected procedurally as well as technically. By then, however, it may be too late. The message for the boardroom is a simple one; If you are not already running a best practice approach where you know what you have, where it is, and who has access, it can take more time than you have to be fully prepared.
Put this on the boardroom wall; Stop passing the buck – if you have not already got your GDPR house in order, you better start doing it right away. Tempus Fugit.