The General Data Protection Regulation (GDPR) has been on the lips of security professionals for a long time now – but in just over a month, it will become a reality. While it is easy to get stuck with reviewing the potential fines or setting up efficient security procedures to ensure compliance, many are still overlooking what is at the heart of the regulation: transparency.
Getting the bigger picture
It goes without saying that transparency is important for data protection and security. With the recent news around Facebook continuing to grab headlines, businesses are under more pressure than ever to present a transparent and secure organisation. However, this focus can sometimes be lost when it comes to the day-to-day.
The issue lies in the siloed approach that some teams take with their data. Establishing a firewall, patching a particular vulnerability or encrypting a specific set of data can often ignore the wider aim of digital transparency. Even with the long notice period that IT departments have had, GDPR will still throw up numerous challenges in this regard, and these will vary depending on the sector, clients, staff and business size.
Ensuring the business recognises the bigger picture of GDPR can help clarify many of these issues. However, considering the pressures that many security teams are already under, this needs to managed efficiently. If IT teams ask themselves whether decisions will improve data transparency of the business, they will be better able to determine whether these activities will help them comply with the rules set out by GDPR.
Being practical with compliance
There are some practical steps that companies can take to ensure the business maintains an awareness of the bigger picture around GDPR and data transparency. In essence, they will require a collaborative effort between IT, senior management and general staff.
Most IT departments will already have addressed the need for improved security, but this does not necessarily imply digital transparency. While client data can be pseudonymised, or otherwise defended, it may not be able to satisfy GDPR’s ‘right to be forgotten’ requirement.
For example, if the business struggles to pull up client information easily, or remove requested elements of a customer’s profile, it is in just as precarious a position as if it had out of date firewalls. Back-end systems that can provide a clear overview of individual data sets need to be implemented alongside up to date security processes; the business is otherwise leaving a major element of the regulation unattended.
There is also the need to think beyond the technology being used. Data transparency needs to be built into any communication with clients as well. Although GDPR can seem to be solely in the realm of the IT department, other business areas need to be called upon in order to comply. The change to consent, which requires the ‘opt-in’ option for data usage to be created, will extend beyond IT – and in fact encompass a diverse range of areas from marketing to customer services. Having these groups work together to ensure clear communication is a vital part of compliance, and something that the Information Commissioners Office (ICO) will want to see.
Additionally, general staff need to be more aware of the dangers from external threats and understand the need to communicate any data breaches in a timely manner. With only 72 hours to notify the regulator, there can be no delay from the business in this regard. Staff have long been the first line of defence when it comes to flagging an external threat, but under GDPR they will also be responsible for notifying the ICO of any breach.
These factors can be easily viewed as a tough challenge for any IT team, but this is where senior management need to be involved. Leading by example is the easiest way businesses can ensure all teams are working together to ensure compliance. Ensuring that senior leadership understand and accept this responsibility will help establish a consistent and reliable chain of command to comply with GDPR.
Thinking beyond regulation
In just over a month, businesses will be tested on their compliance to this huge piece of legislation. While security teams can ensure the technology is up to scratch, there is a need to highlight the importance of compliance at every level – not just to appease the regulator, but also build a future proofed business.
If all teams can commit to this collaborative approach, the outcome will have lasting effects on the company. The immediate benefits will be legal compliance with the rules set out by GDPR – not only through improved security, but also via communication with colleagues and clients. However, the wider benefit will exist in a business-wide emphasis on transparency – not just in data, but as a company. As pressure continues to mount for businesses to display transparency at every level, GDPR – if handled effectively – has the potential to help address this growing trend.