How Do You Ensure You Are Compliant?
With less than a year to go until the EU’s General Data Protection Regulation (EU GDPR) becomes law, compliance should be top of mind for all companies. But with little time left, how should you go about ensuring you are compliant in time?
Compliance will all too soon become an absolute essential, not just for companies based in the EU, but also for those holding personal data connected to EU citizens. And what happens if you are not compliant? Some rather hefty fines, which could be up to EUR 20 million or 4% of your annual worldwide turnover, whichever is larger. For most, this is incentive enough to be ready for May 25, 2018.
Some organizations will already have everything in place for EU GDPR, but for others there is a long way to go. For those, this can seem like a monumental task, but get started now, sooner rather than later, and begin by getting an overview of what data there is and what data the organization truly needs to keep. Once that is under way, you get the ball rolling and can begin putting other pieces in place, such as an incident response plan (you need to report breaches within 72 hours), and working out whether or not you need a Data Protection Officer.
Not a ‘box-ticking’ exercise
EU GDPR is not a one-off exercise, though, and if businesses take that approach, they will likely have to do it all over again, all too soon.
There are key questions an organization needs to ask itself when starting out, such as: what data does the EU GDPR cover that affects us? If you store information about an EU citizen, then you need to comply with the regulation, regardless of whether you are based in the EU or not. Failure to do so could result in you being prevented from trading with the EU going forward. The regulation covers all parts of the organization, and it is therefore essential that this also leads to a change in mentality, in culture, across the company.
By seeing this less as a ‘box-ticking’ exercise and more as a framework for personal data across the organization, companies are more likely to get it right. The EU GDPR is about cybersecurity and data, but it is also about creating a whole new culture of data in an organization, and it is not just something the IT department needs to be focused on. To get it right, companies need to understand that it is about how personal data is processed throughout the organization: how it is stored, who has access to what, why, and for how long. Getting compliant, and just as importantly staying compliant, should be an issue in the board room just as much as in the IT room. Legal needs to have it as a focus area, and top management needs to see not just the relevance of compliance, but the significant business benefit and competitive advantage it can bring. Suppliers or external parties can, for example, sell themselves in part as being EU GDPR compliant, which would be a clear advantage over those that are not.
Guiding, not guarding
While many firms still believe cybercrime only affects others, the reality is that any business is a potential target, as recent attacks such as WannaCry and Petya have shown. These incidents have shown that good housekeeping is essential, as is having your people and processes in check. Boardrooms need to see cybersecurity as an opportunity, a catalyst for optimization and an enabler of digital transformation, and something which needs to become part of a company’s strategy and be reviewed often. Some say the IT department now needs to guide the boardroom more than guard the company IT.
Compliance is a heavy investment area this year. In its 2017 IT Priorities Survey, TechTarget asked top management and those responsible for IT across UK firms about their top IT priorities. Asked which broad initiatives they are investing in during 2017, compliance came in second, with 28%, and asked which security initiatives they are investing in this year, identity and access management came in fifth, with 24% investing. The new regulation needs to become a continual way of working, ensuring continual compliance. Get an overview of what data there is, gain control of the data and be able to document this control, and then remain in control of it. No, not everyone has control of their data right now, but it is possible to gain it.
Read about Omada Identity Suite here.