GDPR: It’s an issue of transparency

Last updated on April 23rd, 2018

The General Data Protection Regulation (GDPR) has been on the lips of security professionals for a long time now – but in just over a month, it will become a reality. While it’s easy to focus on potential fines or security procedures, many still overlook the heart of the regulation: transparency.

Why GDPR compliance is an issue of transparency

Getting the bigger picture

It goes without saying that transparency is important for data protection and security. With the recent news around Facebook continuing to grab headlines, businesses are under more pressure than ever to present a transparent and secure organisation. However, this focus can sometimes be lost when it comes to the day-to-day.

The issue lies in the siloed approach that some teams take with their data. Establishing a firewall, patching vulnerabilities or encrypting a specific data set can often ignore the wider aim of digital transparency. Even with the long notice period that IT departments have had, GDPR will still throw up numerous challenges in this regard, and these will vary depending on the sector, clients, staff and business size.

Ensuring the business recognises the bigger picture of GDPR can help clarify many of these issues. However, considering the pressures that many security teams are already under, this needs to be managed efficiently. If IT teams ask themselves whether decisions will improve the data transparency of the business, they will be better able to determine whether these activities will help them comply with the rules set out by GDPR.

Being practical with compliance

There are some practical steps that companies can take to ensure the business maintains an awareness of the bigger picture around GDPR and data transparency. In essence, they will require a collaborative effort between IT, senior management and general staff.

Most IT departments will already have addressed the need for improved security, but this does not necessarily imply digital transparency. While you can pseudonymise client data, or otherwise defend it, this may not satisfy GDPR’s ‘right to be forgotten’ requirement.

For example, if the business struggles to easily pull up client information, it is in just as precarious a position as if it had out-of-date firewalls. Back-end systems that can provide a clear overview of individual data sets need to be implemented alongside up-to-date security processes; otherwise the business is leaving a major element of the regulation unattended.

Thinking beyond IT

There is also the need to think beyond the technology. You will need to build data transparency needs into any client communication as well. Although GDPR can seem to be solely in the realm of IT, other departments also need to comply. The change to consent, which requires the creation of an ‘opt-in’ option for data usage, will extend beyond IT. In fact, it will encompass a diverse range of areas from marketing to customer services. Having these groups work together to ensure clear communication is a vital part of compliance.

Additionally, staff need to be aware of external threats and the need to communicate any data breaches rapidly. With only 72 hours to notify the regulator, there can be no delay from the business in this regard. Staff have long been the first line of defence when it comes to flagging an external threat, but under GDPR they will also be responsible for notifying the ICO of any breach.

IT teams can see these factors as a tough challenge, but this is where you need to involve senior management. Leading by example is the easiest way businesses can ensure all teams are working together to ensure compliance. Ensuring that senior leadership understand and accept this responsibility will help establish a consistent and reliable chain of command.

Thinking beyond regulation

In just over a month, businesses will be tested on their compliance with this huge piece of legislation. While security teams can ensure the technology is up to scratch, there is a need to highlight the importance of compliance at every level. This is not just to appease the regulator, but also to build a future-proofed business.

If all teams can commit to this collaborative approach, the outcome will have lasting effects on the company. The immediate benefits will be legal compliance with the GDPR – through improved security and via communication with colleagues and clients. However, the wider benefit will exist in a business-wide emphasis on transparency. As pressure continues to mount for businesses to display transparency at every level, GDPR – if handled effectively – has the potential to help address this growing trend.

For information on GDPR, free downloadable resources, events and more please visit our GDPR Resource Centre.
