Applying the MOT model to businesses in a post-GDPR landscape


A business is a peculiar thing when you think about what goes into making it up. A set of staff, premises, a service or product that is provided in exchange for money, and a set of resources and technology that staff use to complete their daily tasks. 

What all of these different aspects have in common is that (often despite our best efforts) none are stable: companies expand and shrink, staff come and go, and premises and technologies need updating to best suit the current organisation. Therefore, not much can be seen as ‘done’ with regard to a business as a whole; it’s simply done for now. Whether you’re moving to new offices or implementing a full digital transformation project, there will always be something new on the horizon. 

This is especially pertinent when you consider legislation. Just as other areas of a business constantly evolve, so does the legislation that businesses need to comply with. The General Data Protection Regulation (GDPR) is certainly the most talked about and widest-reaching example at the moment, but this happens regularly; just ask those affected by the NIS Directive or MiFID II over the last twelve months. 

In the build-up to the 25th of May and the advent of GDPR, much of the messaging around the regulation was wrong. The campaign was based on fear; the sanctions, the fines, the looming deadline – all these took centre stage for many companies as the date for compliance approached. And this has, for many organisations, left the impression that, while compliance with GDPR needed to be sorted before the deadline, after the deadline passed they could breathe a sigh of relief and forget about it. This approach simply won’t work.

For a useful comparison, let’s take owning a car. You don’t get the vehicle, have it checked for roadworthiness once and then assume it is fine for the rest of the time you own it. Instead, MOT tests are carried out yearly – a consistent check-up of the vehicle’s health. That’s not to mention people servicing their car voluntarily.

In some respects, a business should be run in the same way. A technology audit, yearly employee feedback, growth projections – regular updates like this are a sure-fire tactic to avoid being blindsided by problems appearing over the horizon. 

The objective of all of this would be to demonstrate that, no matter what the future brings, a quick short-term fix only takes you so far. Instead, the end destination is a continually moving point, comparable to the end of a rainbow, which is why it’s so important to invest in resources that power all of a company’s services – not just a few.

This is especially pertinent when it comes to dealing with regulation, for two reasons. Firstly, remaining compliant is very different from achieving compliance: once compliance has been achieved, your business will naturally change internally, altering the parameters for compliance. Secondly, GDPR is not set in stone; it may be tweaked, and the Information Commissioner’s Office may choose to focus on different areas as time goes on. 

Of course, it’s easy to talk about what people should do to ensure their business is compliant, but this very much ignores the issue of resourcing and cost for ensuring this compliance. It’s not an easy area to understand and quite often technological solutions can be very expensive. This is leading many forward-thinking organisations to use both internal and external resources in order to address compliance – after all, you’d maybe replace a tyre or top up the oil in your car, but you wouldn’t look to replace a gearbox by yourself! 

In terms of technology, businesses can start by looking for cybersecurity products that place all of their disparate security systems into one view. Visibility is the key to compliance, as without a bird’s-eye view of your technical estate it’s almost impossible to see where issues may arise in line with specific regulation. By combining the alerts and statuses of all of your systems, it’s far easier to get the ‘bigger picture’. Some cybersecurity products can even audit against regulations to give you a clear sense where any problems may lie – again, much like a garage’s diagnostic machine. 

Of course, these systems still need someone to oversee them: the mechanic. Without the human element, tools remain thoughtless quantifiers of data, lacking the necessary insight you get from a skilled employee. The problem is that, within the intertwined areas of security and compliance, there is a considerable skills gap in the UK. 

One way this problem is being addressed is by the rise of ‘virtual staff’ – allowing companies to have a dedicated resource who is highly skilled in a specific area and can oversee it for them. Virtual Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs) are – owing to this skills gap – increasingly popular. Employing one may seem like another expenditure, but replacing brake pads before they fail will always work out more economical in the long run. 

Equally, in order to ensure that new technology is genuinely transformational, many companies (particularly SMEs) across myriad sectors would do well to outsource some of their IT needs to expert external providers. Crucially, these providers have a proven track record of delivering cutting-edge technology solutions to countless businesses.

As mentioned earlier, GDPR compliance needs to be reframed as a positive. The regulations aren’t there just to put the squeeze on companies, but to engender a new, more secure way of storing and using customer data. And to ensure that this is a data culture that your organisation has, you need to regularly test, check and update yourself against these regulations, ensuring that the business hasn’t picked up a problem over the last few months. From regular audits and new technology through to a virtual expert put in place to oversee proceedings, GDPR should be a topic that is always on the mind of proactive business leaders as they look to provide the best possible service and practices for their customers.  

Jonathan Bridges, Chief Innovation Officer at Exponential-e 

Image Credit: Wright Studio / Shutterstock