With just two weeks until GDPR comes into force, IT security experts commented below.
Importance of long-term compliance
Rob Price, Pre-sales Consultant at Snow Software:
“In recent months, the overwhelming sentiment of the media furore around the General Data Protection Regulation (GDPR) has been focused on how companies can become compliant in time for deadline day on 25 May 2018. Instead, it should be analysing and scrutinising how those companies striving to become compliant intend to maintain the required standards once the deadline has passed.
With this in mind, establishing enterprise visibility should be at the heart of any organisation’s approach. Companies’ efforts need to be anchored around how they can create a cost-effective and precise strategy to handle and adapt to evolving compliance rules and demands over time.
There is now a burning need to closely examine those databases that have been central to the digital estates of many companies for many years. With new databases, processes and products being created every day, impacting upon every step of an organisation’s journey to become compliant, comprehensively scrutinising already entrenched systems is essential.
The majority of organisations beginning their journey to compliance understand the importance of identifying the location of personal data repositories, meaning that their focus is on systems such as SAP, Oracle databases and middleware like Marketo and Salesforce. But these large systems often represent just a fraction of the systems that process personal data. Like an iceberg, the vast majority of applications are often effectively invisible, unconsidered by the GDPR team and include SaaS applications purchased by business units with little to no involvement by IT.
As the digital estate continues to rapidly evolve, looking beyond the deadline date by conducting an extensive assessment of company software – both old and new – will be paramount to avoiding any penalties down the line – be they legal or financial.”
Impact on company culture
Rob Price, Pre-sales Consultant at Snow Software:
“Though having a watertight process and the performing of rigorous technological checks may be two key components to ensure compliance, instilling the right culture will be critical to guarantee that employees adhere closely to what’s required of them.
Typically, the road to compliance can be portrayed as too technical, which can, in turn, lead to a breeding ground for misinformation. Instead, organisations should be focusing on improving employee understanding, instilling a culture of the foundational tenets of compliance, and, given the harsh realities of today’s cyber climate, providing constant reminders of the importance of protecting data. Only then can they move on to establish concrete processes, which is where self-assessment and the identification of gaps come into play.
Some basic steps, like setting up a cross-functional data governance team made up of the data protection officer (DPO), IT leaders and business leaders from a range of functions including Compliance, Legal, HR, Customer Service, and Marketing, are a solid starting point. These are the individuals who can help the importance of customer data protection become woven into the fabric of a business model.
By repeatedly emphasising the importance of data protection, CIOs will set themselves, their teams and their organisations up for success. And, positioning data privacy front and centre will enforce a company culture that can truly help to deliver GDPR compliance collectively.”
Controlling data sprawl and recognising enterprise accountability is key to GDPR compliance
Chris Mayers, Chief Security Architect at Citrix:
“Ensuring data privacy processes and systems are in place – from privacy by design to privacy by default – requires an organisation to know exactly where their data is and who can access it. Yet many are losing sight of data, spread across multiple systems and shared with multiple partners, while also struggling to scale up to store and control the huge influx of personal customer data they receive today.
Businesses must recognise that more centralised application and data storage environments will make it easier to meet technical compliance goals. This centralisation can be achieved in various ways, from introducing unified access controls across on-premise and cloud services with single sign-on to rolling out centrally-managed virtual workspaces. However it is done, controlling data sprawl and recognising enterprise accountability around data privacy will be key to GDPR compliance.”
How do businesses actually protect their data?
Elodie Dowling, Corporate VP, EMEA General Counsel at BMC Software:
“Organisations should be focusing on instilling a culture of compliance. Only then can they move on to establishing concrete processes, which is where self-assessment and the identification of gaps come into play. From there, organisations can turn their efforts to constructing a roadmap to compliance.
Technology is the third component and this is where discovery is crucial. How can customers become truly compliant if they don’t know what’s in their data centres, who has access, what other devices are active and vulnerable, where their sensitive information is stored and how they should be maintaining their devices to ensure they meet auditor standards?
Only by relentlessly examining internal processes can customers discover how their devices storing data are configured, how they’re connected, where any vulnerabilities sit and then piece together a plan to remediate those vulnerabilities and correct them. Data is constantly in flight so in order to transfer it in a secure way, it must be archived to protect it from the recovery implications contained within the GDPR.”
The importance of tackling fundamental challenges, such as data sprawl
John O’Keeffe, VP EMEA at Looker:
“Many are still tackling fundamental challenges – such as data sprawl – in which masses of data is left dispersed, uncategorised and disordered. Because of this, businesses can easily lose track of what data is being stored, how it’s managed and whether it’s robustly safeguarded. Ensuring these data ‘swamps’ are cleaned, organised and filtered should be the first port of call for CIOs.
“Once organisations have clean data ‘lakes’, they can continue the process of data analytics to drive business outcomes. But – if they want to maintain their compliance with GDPR – leveraging tools that don’t extract the data is key. Data analytics should enable positive business change, not start the data sprawl process all over again.”