GDPR Compliance: It’s an issue of transparency
April 23rd, 2018
The General Data Protection Regulation (GDPR) has been on the lips of security professionals for a long time now – but in just over a month, it will become a reality. While it’s easy to focus on potential fines or security procedures, many still overlook the heart of the regulation: transparency.
Getting the bigger picture
It goes without saying that transparency is important for data protection and security. With the recent news around Facebook continuing to grab headlines, businesses are under more pressure than ever to present a transparent and secure organisation. However, this focus can sometimes be lost when it comes to the day-to-day.
The issue lies in the siloed approach that some teams take with their data. Establishing a firewall, patching vulnerabilities or encrypting a specific data set can often ignore the wider aim of digital transparency. Even with the long notice period that IT departments have had, GDPR will still throw up numerous challenges in this regard, and these will vary depending on the sector, clients, staff and business size.
Ensuring the business recognises the bigger picture of GDPR can help clarify many of these issues. However, considering the pressures that many security teams are already under, this needs to managed efficiently. If IT teams ask themselves whether decisions will improve the data transparency of the business, they will be better able to determine whether these activities will help them achieve compliance with GDPR.
Being practical with compliance
There are some practical steps that companies can take to ensure the business maintains an awareness of the bigger picture around GDPR and data transparency. In essence, they will require a collaborative effort between IT, senior management and general staff.
Most IT departments will already have addressed the need for improved security, but this does not necessarily imply digital transparency. While you can pseudonymise client data, or otherwise defend it, this may not satisfy GDPR’s “right to be forgotten” requirement.
For example, if the business struggles to easily pull up client information it is in just as precarious a position as if it had out of date firewalls. Back-end systems that can provide a clear overview of individual data sets need to be implemented alongside up to date security processes; the business is otherwise leaving a major element of the regulation unattended.
Thinking beyond IT
There is also the need to think beyond the technology. You will need to build data transparency needs into any client communication as well. Although GDPR can seem to be solely in the realm of IT, other departments also need to comply. The change to consent which requires the creation of an ‘opt-in’ option for data usage, will extend beyond IT. In fact, it will encompass a diverse range of areas from marketing to customer services. Having these groups work together to ensure clear communication is a vital part of compliance.
Additionally, staff need to be aware of external threats and the need to communicate any data breaches rapidly. With only 72 hours to notify the regulator, there can be no delay from the business in this regard. Staff have long been the first line of defence when it comes to flagging an external threat, but under GDPR they will also be responsible for notifying the ICO of any breach.
IT teams can see these factors as a tough challenge, but this is where you need to involve senior management. Leading by example is the easiest way businesses can ensure all teams are working together to ensure GDPR compliance. Ensuring that senior leadership understand and accept this responsibility will help establish a consistent and reliable chain of command.
Thinking beyond regulation
In just over a month, businesses will be tested on their compliance with this huge piece of legislation. While security teams can ensure the technology is up to scratch, there is a need to highlight the importance of compliance at every level. This is not just to appease the regulator, but also to build a future-proofed business.
If all teams can commit to this collaborative approach, the outcome will have lasting effects on the company. The immediate benefits will be legal compliance with the GDPR – through improved security and via communication with colleagues and clients. However, the wider benefit will exist in a business-wide emphasis on transparency. As pressure continues to mount for businesses to display transparency at every level, GDPR – if handled effectively – has the potential to help address this growing trend.