Next year the EU General Data Protection Regulation (GDPR) will be enforced. From the 25th of May, every organisation, whether public or private, will need to comply with a stringent set of rules and regulations when it comes to customers and their own data, or risk severe fines.
GDPR has not suddenly come to light in recent weeks and months: the regulation was passed by the European Parliament in April 2016 and is an evolution of the long-standing EU Data Protection Guidelines. Businesses have had over a year to learn and understand what is expected of them and to put the right policies and processes in place to meet these new regulations. However, with only a year left until enforcement, many organisations appear to be sleepwalking into GDPR and are not prepared. This was highlighted in a recent report which found that 48 per cent of companies admitted to not being ready for new data regulations such as GDPR.
Much of the problem comes from a lack of awareness among organisations about GDPR and the targets they are expected to meet once it is enforced. This lack of insight is worrying: if organisations are not aware of what is required of them by the time GDPR is in place and do not meet the obligations of the regulation, they could face fines of up to four per cent of their global turnover, depending on the size of the organisation. This is a vast sum of money and could have a huge impact on the company, its customers and its shareholders.
The other challenge organisations face is where to begin to become compliant. With only a year left to prepare, it’s imperative that businesses learn as much as possible about GDPR and how it relates to them, including how it differs from the policies and processes already in place, especially those used to comply with other regulations, for example PCI DSS. Compliance is about people, process and technology, with technology able to enforce the policies and drive the processes that keep people and critical information safe. The IT industry therefore plays an important role in helping industries and businesses meet the standards necessary to achieve compliance.
IT and security professionals may naturally have a greater understanding of networks, systems and how to keep data secure than someone working on a reception desk or a CEO, but they will need to work with all areas of the business, including legal and HR, to create a greater understanding of how to meet GDPR standards. These individuals need to share this knowledge wherever possible, using their skills and influence to explain to colleagues where they may be acting outside the regulation’s guidelines and what they can do to correct this.
This doesn’t mean that technology professionals should be going door-to-door preaching best practice; it is more about helping others to become good data citizens. Ensuring that individuals and organisations are aware of what they may be doing wrong and the ramifications of their actions doesn’t require lectures, grand speeches or acting as some sort of enforcer, but being informative could go a long way towards improving awareness. Without awareness of the consequences, people can see security as a hindrance and try to work around it.
For example, once GDPR comes into force, one of the requirements that organisations will have to comply with is the right to be forgotten. This means that if a customer wishes a business to remove their information from its databases, the firm must act and discard any personal details it holds on that individual from that point forward. Although GDPR is not in place yet, some organisations may already be operating with a right-to-be-forgotten policy. If someone has asked to be removed from an organisation’s systems but is still receiving communications such as marketing emails, this is fine now, but in one year’s time it could end in severe punishment for the sender. That is a simple case. If the individual has bought something from the company, however, the company will have to keep that record for a specified period of time in order to comply with other regulations, so a simple ‘delete’ of all information cannot necessarily be made.
Understanding the need for the regulation can help IT put a process in place, for example to find all instances of the individual’s information. Once found, the decision as to what can and what cannot be deleted is one that will require input from other areas of the business. This is an opportunity to act as a good data citizen: creating awareness and educating users needs to start now. The sooner it begins, the sooner processes can be refined, and the sooner processes are refined, the smaller the impact on day-to-day operations and the lower the cost of compliance.
Another area where companies can act as good data citizens is where an email or other information is received in error, especially from outside the organisation. Today, there is usually a disclaimer at the bottom of the email requesting that the recipient delete it if it was sent in error. Moving forward, such a misdirected email could actually be seen as a data breach. Putting in place a process for employees to contact someone inside your organisation, for example the CIO or someone in the legal department, rather than just deleting the email, can help improve data governance for all. The individual inside your organisation can then speak to their counterpart at the sending organisation to discuss what has happened and help them get their processes in order, or even recommend technology that would help enforce the policy.
Little acts of encouragement and advice such as this may seem trivial but could have a huge effect on how businesses look at their own systems and practices going forward. Technology professionals are going to be on the front line when GDPR is enforced in May next year, as they manage the servers and work to ensure the organisations they work for are meeting the requirements. If there is an opportunity to share their knowledge with those who are less aware, they should do so, not just for the benefit of the individual or the organisation, but for the benefit of their fellow IT professionals, who could face huge challenges if the regulations are broken. Being a good data citizen is something everyone should strive for, so that everyone in business, both public and private, is working together to make sure they are ready when the big day arrives.