Richard Shreeve, Consultancy Director at software firm Civica Digital, looks at the steps organisations must take to ensure full compliance with the EU GDPR when it comes into force in May 2018.
Around the world, IT professionals, lawyers, and business owners have been highlighting concerns about the potential business risks and challenges they face around the implementation of the EU General Data Protection Regulation (GDPR). With less than a year to go until the legislation is enforced, most of the press surrounding compliance has been negative. Organisations have long faced financial penalties from the Information Commissioner’s Office for data breaches but the GDPR’s eye-watering fines, onerous obligations and challenging practicalities are all causing panic as businesses start on their journeys towards compliance.
With the government recently announcing its intention to keep the UK in line with the EU’s regulation through a new Data Protection Bill, organisations can’t risk burying their heads in the sand. As we move towards the deadline, taking a step-by-step approach to the GDPR is crucial – as is looking beyond May 2018. There are practices and infrastructure that need to be introduced, which may feel like an arduous process, but will offer far more benefits than just GDPR compliance. And the first step is getting to grips with data.
With worldwide data generation predicted to increase tenfold by 2025, marketing, sales, finance and IT teams in organisations of all sizes and sectors are hosting increasingly large quantities of customer information – all of which is used, managed and shared by different people inside and outside the business.
These multiple data access points and gateways not only make it more difficult to secure and manage customer data, but also hard to understand what is being held and where it is being used.
Organisations need to be aware of all the data that exists in their business to not only facilitate subject access requests, but to reap the benefits that it can provide beyond GDPR compliance. Until organisations have a better understanding of the data they possess, it will be very difficult to become compliant.
After identifying the sources of the data, organisations need to consider why they have it and the permissions that surround it. Is the data necessary to deliver the service that they are providing? Do they have consent from the individual? Businesses need to be positive and proactive when it comes to communicating how and what customer data is used for and ensuring they have a sound legal basis for holding it.
Understanding and managing this data is a big task and to tackle this challenge, it’s beneficial to pull customer data into a single view. Initially, organisations need to present an honest appraisal of their current data environment. Business leaders then need to invest in the necessary employees, training and infrastructure.
It is an organisation’s people that are key to making this work. Without their commitment to GDPR, employees become a huge risk to organisations – and their bottom line. Even if unintentionally, they may cause an organisation to fail to be compliant with the new legislation. According to Sharp, almost a quarter of employees store confidential information on the public cloud, even if their organisation hasn’t sanctioned it, which puts both the company and customers at risk of data leaks.
GDPR will force a culture change, and those that embrace it to its full extent will prosper the most. As well as enforcing better practices, GDPR will make data security everybody’s business and will develop people’s digital and data skillsets. Employees need to move from treating customer data as their own property to understanding that it’s the consumer that’s in control. Customer data is effectively on loan to the organisation, and it’s every employee’s responsibility to take care of it and make sure it doesn’t fall into the wrong hands.
Aside from trust and transparency, changing the way an organisation views and manages data can help improve decision-making, customer reach and customer satisfaction. Getting your data in order will lay the foundations for better insight, driving better services around what people want and need and helping to reduce waste. A customer-centric view of your data will not only enable your teams to provide a more personalised service and experience, it will also support a wider digital transformation programme across the organisation.
There’s no denying that the journey to GDPR compliance will not be easy and will require a lot of time and effort. However, it’s time to ditch the daunting and negative headlines and look forward to the benefits of this legislation. Getting it right will engender trust and advocacy from your customer base. Ultimately, it’s these benefits that will become competitive differentiators in the near and distant future.