With the GDPR deadline now passed, the sigh of relief from IT departments up and down the country was almost audible. IT teams were thrown the challenge of working out what was needed to meet the GDPR guidelines as it was thought to be a security issue. It swiftly became apparent, however, that it was a people and process issue and not a technology one. So IT passed the buck on to the legal, HR and finance departments. But as companies gained a handle on the policies and procedures they needed it quickly became apparent the IT department would be required again.
Coming out the other side of the GDPR it is even clearer that it wasn’t a security play; this should have already been in place. IT was, however, an enabler to get the right business processes in place. IT departments have some excellent tools to help ensure the guidelines are met, but they can’t meet them in isolation. The GDPR is a business challenge for companies regarding how they process personal data, therefore ensuring ongoing compliance needs are viewed holistically – with people, process and technology.
The aftermath of the GDPR
With the GDPR now in place, many organisations are undergoing changes in the way they handle, record and store personally identifiable information (PII) data. For most, this will be a lengthy process and therefore arguably a lot of companies may not be compliant as of today. The key is to ensure businesses have an understanding of their personal data flow so they can work towards a GAP analysis and identify what is required to achieve compliance.
Mitigating the risk and being able to display a roadmap towards compliance are the most important elements if an organisationdoesn’t firmly believe it is fully compliant. Also, undertaking Government-backed schemes, such as Cyber Essentials and Cyber Essentials Plus, will highlight commitment towards data security.
The continuing business challenge
The GDPR has been taken seriously by companies because it has serious consequences with significant financial penalties for infringement. However, the ongoing business challenge is how companies process data, and IT systems have a key role to play in enabling the safe and secure handling of relevant data.
Despite organisations sitting up and taking action, an anomaly still exists. Recent industry research found over half (58%) of SMEs think their businesses are at risk of financial loss from poor IT security and data compliance. The research, conducted by OnePoll for Ultima, also found a good degree of realism expressed by SMEs, with 41% acknowledging that spending money on IT security is not a priority, and just over half (55%) acknowledging that they could probably never fully protect their business from IT breaches.
Has the GDPR forced the hand of businesses to continue to change (especially SMEs) and invest in greater IT security to ensure ongoing compliance? It’s a watch and wait scenario. Along with the change in mindset about the GDPR solely being an IT problem, organisations should cease viewing IT security as expensive. There are many ways that firms can improve their IT security which don’t require large expenditure and can help avoid fines or financial loss due to data breaches, which can run into six-figure sums.
The GDPR deadline might have passed, but it is helping to force a business change which is still in progress. Embracing it as a good way of keeping data safe and ensuring compliance will help companies to view the painful process as being worthwhile. And not least, it will help ensure they avoid the more painful media attention and reputational damage which could come from non-compliance.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.