23 May 2017
Blogs by author: Guus van Es, GM Security Consulting Worldwide, BT.
During the final year before GDPR, businesses need to step up preparations to make sure they’re in prime position to make the most of the new regulation.
It’s the final countdown…
Over the next few days, you’ll be flooded with advice around getting ready for GDPR. And, with only twelve months left before the new EU data regulation comes into effect, organisations have no time to waste in their preparations.
These preparations are vital, not just to ensure compliance and avoid penalties, but also as a business differentiator. I firmly believe that leaders in the space of protecting their stakeholders’ data and privacy have a competitive edge as businesses digitalise fast.
Yet, many organisations still underestimate both the risk and the opportunity of this new regulation. In addition, they’re overestimating either the speed with which they can get ready for it, or their ability to minimise impact in the event of a breach.
So, don’t wait for tomorrow: I recommend you kick-start your preparations with the following five actions today:
1. Start now, to ensure the right resourcing and support.
Any organisation will need help to get itself ready. However, as many organisations underestimate the time required and the implications, I foresee a rush for external professionals to ramp up in the coming months.
Such professionals are scarce and will be difficult to find. If you want good people to support you, you need to start selecting your partner(s) as soon as possible.
The recommended approach is to first appoint a Data Protection Officer (article 37 under GDPR) to own the subject on behalf of the board, and to coordinate its handling across internal and external stakeholders.
2. Ensure you understand your risks and your opportunities.
Have you done a thorough implication analysis for your specific business? Does your board know what the risks and opportunities are?
I’m concerned that many people tend to rely purely on word of mouth to gather this information, and this is a dangerous tactic.
As an example, last week I spoke with a customer’s internal legal advisor who told me that part of their mitigation was to split GDPR accountability across their different operating companies. Their reasoning was that, this way, any penalty would be capped at the maximum penalty for a single operating company, effectively protecting the group. This isn’t accurate. As long as such misunderstandings exist within respectable companies and among intelligent people, we need to worry.
So, coordinated by your Data Protection Officer, make sure you and your board have a first-hand understanding of the new data regulation — in the context of your business priorities, your specific risks, and your opportunities.
3. Begin with the (digital) end in mind.
Now that you understand your risks and opportunities, decide what the end game is for you. Indeed, according to the regulation, organisations must incorporate data protection “by design and by default” into every level of their business and throughout every aspect of their processes (article 25 under GDPR).
But don’t stop at compliance. Data is the new gold if you know how to protect and leverage it.
If you approach GDPR as a technology risk you need to mitigate, you’ll have a different approach than if you believe being a leader in data protection is a competitive edge. In other words, how can you leverage the new EU regulation as part of your strategy for digitalisation? Or, if you don’t have a digital strategy yet, how can it initiate or accelerate it?
4. Review your position against the six key principles of GDPR compliance.
With the (digital) end in mind, you’re ready for your gap analysis between where you are today and where you need to be. An approach I suggest you consider for this is the one Jose Pereiro outlined in his blog on the six key principles of GDPR compliance. In fact, no matter how far along the path to GDPR your organisation may be, it’s worth reviewing your progress against these six principles to ensure your security is watertight.
This review should be part of the wider methodology you use to reach compliance. This methodology should include phases such as: achieving awareness and understanding; carrying out assessment and discovery; planning and design; integration and deployment; and establishing how to manage and adapt.
5. Get ahead of the curve — and stay there.
How to obtain, manage and protect data and ensure privacy should be “built-in by design” when it comes to your strategy execution. This requires IT and security to act as facilitators for your business or, better yet, as accelerators. And this requires IT security partners that have the hands-on expertise and (global) resource bandwidth to support you.
So, who is driving your IT and security agenda and budget? What drives your resource and expertise planning? What factors do you use to determine what makes an appropriate IT and security partner?
If the answer is not ‘the business’, you might want to evaluate why that is. And rethink whether you are truly set up to go beyond mere compliance, and are grasping the full opportunity this age of digitalisation offers.
The clock’s ticking…
Get the final countdown year to GDPR off to a flying start. A good place to begin is with our summary of how to check you’ve got the right security in place for your GDPR journey. You can also take a look at our consulting services to see how we can help.