GDPR – Why it’s more than an IT issue

From May 25th, 2018, The European Union (EU) General Data Protection Regulation (GDPR) will be more than just a four-letter acronym. GDPR will see a ruling that will strengthen and unify data protection for individuals within the EU. GDPR will also control the export of personal data outside of the EU. Management of data security across companies will soon become a large-scale business issue.   

The data protection regulation will apply to any organisation or person that is based in the EU or in the handling of data of EU residents. Anything that can personally identify someone, whether it be their name, address, financial details or posts across social media, will be covered by the regulation. As a result, more data than ever before will fall under regulation. 

Whilst this will both reinforce and expand the data privacy of individuals, it will also subject any business that fails to comply with GDPR to vast financial penalties. Should misuse or a data breach occur, a company can be fined up to €20 million or up to four per cent of their annual turnover worldwide. A fine of such a scale could lead to business insolvency.   

However, with just under a year until GDPR comes into place, nearly half of businesses admit they are not ready for the new data regulations, according to Experian. There is also the belief that GDPR focuses on data and technology, and thus becomes an IT issue rather than one which affects the whole of a business. The reality and the consequences of ignoring GDPR is a different very picture – it is in fact all processes that have to be reviewed.    

Does it apply to me? 

As the United Kingdom is set to leave the European Union, now that Article 50 has been triggered, there is much misunderstanding as to whether European regulations will continue to apply. In fact, one in four businesses across the UK claim to have ceased any further preparations for GDPR as a result of Brexit. A survey of IT decision makers at UK companies by information management firm Crown Records Management has found 24 per cent are no longer preparing for the regulation. A further four per cent have not even begun to prepare. 

This is despite the fact the regulation is due to come into force ten months before Britain completes its exit from Europe. Alongside this, the UK Information Commissioner’s Office has stated that it will follow GDPR for its future data protection best practices. All companies will have to comply with GDPR, regardless of any potential upheaval. 

Outside of Brexit, there remains a lack of clarity over whether specific organisations or sectors may see exemptions, such as government or public service agencies. However, all public sector bodies will have to comply. All businesses, regardless of industry, will need to review their existing privacy policies and procedures and update accordingly.   

Setting the correct culture

As with any significant change in a business, the example has been set by the senior leadership team. Their support is necessary to drive cultural change, alongside the rolling out updated processes across the company. Part of the cultural change will also be setting up and agreeing an accountability framework, monitoring processes, and ensuring that staff are trained and educated in the role of GDPR. Without thorough understanding of what is happening and why, the business will struggle.   

Collaboration is key   

General Data Protection Regulation will require an increase in collaboration across different departments with the IT team at the heart of this. If single departments are tasked with implementing GDPR, then projects will run at risk of failure. Whether through working amongst legal teams to determine the company’s current position around compliance, or working closely with marketing teams in terms of data collected and stored, it is important to determine what the data landscape looks like. It will require a data processing and mapping exercise, resulting in the collection of information set out in Article 30. This includes data transfer processes, the purpose of the processing and a description of what is in place to safeguard the data. The outcome of such an exercise would allow the organisation to determine the data they have, where it is processed, why and who is storing it.  

Cross team collaboration can lead a business on a road to discovery, specifically in finding out where data is saved versus where it is generated or stored in real life. In addition, it can uncover multiple datasets which were previously unaccounted for or additional assets which were previously unknown to the IT department. These instances of “shadow IT”— the use of systems and technologies without explicit organisational approval — can uncover a number of concerns around accountability, should one of these outlets lead to a data breach.  

Auditing your data – where is it going? 

In addition to identifying the assets in ownership across the company and where data is stored, businesses must also be aware of their data “supply chains.” This involves where their data is coming in from and where it is being shared or sent onwards to. According to EU GDPR regulations, “the responsibility of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established.” In other words, the business will remain responsible for its customer data when a third party has it.   

Collaboration with suppliers on their security procedures is therefore necessary. Any of these endpoints can be vulnerable to a security attack, and without understanding where or how the data is shared, a business is fighting a battle they simply cannot win.    

Many organisations have not considered the level of preparation required, nor the resources needed to implement the correct procedures around GDPR. Many have put together their departmental budgets without GDPR in mind. As the sheer scale and impact of this regulation becomes known, companies will increase the amount of resources they devote to compliance. It will be a company-wide effort that will ensure a successful roll out.   

Darron Gibbard, Managing Director, EMEA North at Qualys

Image Credit: Wright Studio / Shutterstock