The European Union’s General Data Protection Regulation (GDPR) is due to come into force on May 25, 2018. This means that IT teams have more than a year to audit their IT systems, check existing customer records and data, and ensure that these systems respect the new set of rules that will be in place.
However, the gap between intentions and actions can be a big one. So what do I predict will happen around GDPR in 2017?
Prediction #1 - Most IT professionals will be aware of GDPR...
Awareness of GDPR is growing across IT professionals, and even across business leaders. However, this is still low. Dell and Dimensional Research survey results published in October 2016 found that around 80 per cent of respondents had little awareness of the concrete requirements that GDPR put in place.
The IT industry as a whole will conduct huge amounts of marketing to make customers aware of their responsibilities. Other aligned businesses in the finance and consulting sectors will also want to make their clients aware of the issues. This will raise awareness in IT professionals and hopefully spur them towards action.
Prediction #2 - … But budgets don’t match this awareness
This rise in awareness will be good, but it also means that there are very few teams that have dedicated IT budget towards GDPR in the next financial year. In the Dimensional Research report, only three per cent of companies had a defined plan in place for compliance. The lack of awareness issue will be solved in 2017, but it also means that few CIOs have earmarked budget specifically to deal with GDPR right now.
Why is this important? Firstly, it means that many teams will be looking at other projects as higher priority as they have assigned budget to them. Money being spent invariably attracts more attention and more desire to get things right. Secondly, it means that many teams may see GDPR as a “box ticking” exercise rather than a big commitment for the future. This is short-sighted and many IT professionals will start to see how much work is involved when it is too late to change course.
Prediction #3 - Preparation phases for GDPR will take longer than expected
GDPR covers all customer data records within a business, putting new rules in place and requiring new workflows. For larger enterprises, data protection officers will have to be hired or have duties assigned to manage compliance processes.
However, ask many IT teams how much data they have and where it is stored, and the answer will vary from “Look at our storage arrays, that’s where!” through to “Not sure on absolutely everything … can I get back to you?”
Many IT teams are making do with static IT asset lists that don’t fully represent all the devices that the company has; this in itself risks companies’ abilities to comply with GDPR in the future. However, the data that people create will also have to be tracked for customer information, so that any request for data to be deleted can be enforced.
Without the ability to know what data and what IT assets are in place, compliance with GDPR will be incredibly difficult to maintain over time. This should lead to a resurgence of IT asset management and information management technologies in the run up to May 2018.
Prediction #4 - The market for consultants will spike massively six months before the deadline
For many IT projects that have deadlines but no specific budget associated with them, a six-month window is seen as enough to complete activities. However, this lack of specific budgeting can mean that there may not be enough resources within teams to handle the additional work. Similarly, while IT vendors and partners will be doing their best to educate IT teams, there may not be enough skills internally to cope with the intricacies of GDPR.
Enter consultants to help … if they are available. As more companies start hiring in experts to assist in their GDPR planning and compliance projects, the availability of those with the necessary skills will quickly get depleted. This will be particularly problematic for those companies with their own sets of regulations to consider, such as in the banking and pharmaceutical industries.
According to research by specialist recruitment firm Robert Walters, around 47 per cent of hiring managers expect to recruit more IT specialist staff in 2017, with IT security skills most in demand. This growth will be great for those in IT roles or looking for new positions, but for companies it could make acquiring skills in areas like security or compliance more difficult.
Couple this with the demand for short-term contractors or consultants and the costs will go up further in the second half of 2017.
Prediction #5 - More collaboration and consolidation will be needed
The typical image of IT departments is that they are shut away from the rest of the business, sticking to their own goals and not in communication with other teams. While this might have been true in the past, it is not accurate today. CIOs often hold board level positions, while technology and IT play critical roles in helping enterprises be successful.
However, many CIOs will need convincing that GDPR will require additional investment or support. Building a business case around compliance will be required here. The first area to consider is that failure to comply will attract fines of €10 million or two per cent of turnover, going up to €20 million or four per cent of turnover for bigger breaches.
This cost should provide an incentive to invest in preventing security failures and ensuring compliance. Secondly, these kinds of projects can be linked to other business objectives that can provide return on investment or cost reductions. For example, consolidation of IT vendors and a reduction in suppliers used can reduce spend.
Rather than best of breed, IT teams will look at moving from managing separate areas like web security, IT asset management and vulnerability management to a consolidated approach based on one vendor.
An illuminating process
The impact from GDPR will also increase that collaboration across departments. For GDPR compliance, IT departments will have to collaborate with legal teams on what the company’s current position is around compliance, as well as working with marketing and sales on where customer data currently exists.
This can be an illuminating process, particularly when it comes to where data is officially saved compared to where it is getting created and stored in real life working environments. Individuals saving their own copies of customer databases, or adding links to other applications that can make use of that data, can lead to a proliferation of data sets that can and should be kept secure. By entering into discussions on current working practices, any new IT projects or potential shadow IT deployments, IT teams can see where extra security precautions may be required in order to maintain compliance. At the same time, IT should also offer more guidance for the future on potential issues that may arise and – more importantly – ways that can avoid these issues while still delivering the same result.
Looking ahead, dealing with GDPR will be one of the biggest issues for IT professionals in 2017. The potential costs associated with fines should ensure that business support for compliance activities will come through. However, many IT organisations have not put together their budgets with GDPR in mind. As the sheer scale and impact of GDPR becomes known, more companies will increase the amount of resources they devote to compliance.
Darron Gibbard, Chief Technical Security Officer, Qualys