With the General Data Protection Regulation (GDPR) applying from 25 May 2018, businesses face the dual challenge of staying compliant and secure whilst continuing to harness the value of their data.
Organisations will also need to make a fundamental and permanent shift in how they approach data protection and cyber security. The regulation introduces a duty to notify the supervisory authority of a notifiable personal data breach within 72 hours of becoming aware of it, and to inform the affected individuals where the breach is likely to result in a high risk to them.
The regulation introduces fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, for non-compliance and breaches, and gives individuals more control over what companies can and cannot do with their personal data.
To meet GDPR requirements, organisations must ensure that personal data is processed lawfully, fairly and transparently, collected for specified and explicit purposes, and kept no longer than is necessary for those purposes. Once the data has served its purpose, it should be deleted or irreversibly anonymised.
So, what can organisations do to ensure they not only remain compliant under the new legislation but also have the ability to combat the technological and skills challenges they are likely to face over the coming months?
The skillsets in demand
With GDPR protecting both customer and employee data, organisations need to secure the data and cyber security skills their business requires to stay compliant and ahead of their competitors.
The reality is that GDPR will affect every organisation; whether public or private, charity or government. However, the media has, by and large, focused more on the implications for the financial services market and the problems it could face as a result of the digital skills crisis.
Although the finance industry will certainly have to make adjustments like all other industries, the robust legal infrastructure that’s already in place to protect sensitive personal details means that the sector is relatively well equipped for the upcoming regulation shift.
On the other hand, industries which aren’t tied to such tight frameworks – such as retail – could now be at greater risk of unknowingly breaching the regulation. With the vast amounts of unstructured data they collect and store through daily customer interactions and purchases, they are more likely to face a GDPR fine if they continue to operate without a thorough review of their processes. As a starting point, the fundamental questions that businesses in every sector should be asking themselves are: “What personal data do I hold?”, “Why do I need it?” and “On what lawful basis am I processing it?”
Accountability is key – it’s not just an IT issue
Just as GDPR will affect every organisation in every industry, it will also touch every part of the business. The cyber-attacks of recent years have shown that a company’s weakest link is often its people: if criminals can trick an employee into opening a malicious attachment or handing over credentials, technical controls alone will rarely keep them out of the organisation.
That’s one of the reasons why the entire organisation – not just the IT department – must have a clear understanding of the correct security and data processes, with all departments and employees taking accountability for remaining GDPR compliant.
GDPR won’t just impact businesses from a security perspective; the implications could be far more wide-reaching. By one estimate, only around 25% of organisations’ existing customer data meets GDPR’s consent requirements, so as much as 75% of their marketing data could become unusable.
Despite this, a considerable quantity of customer data is still being collected without opt-in consent. Opt-out mechanisms and pre-checked boxes will not be acceptable forms of consent after May 2018: consent must be freely given, specific, informed and unambiguous. Moving forward, it is essential that both the IT and legal departments work closely with the rest of the business to ensure that all processing is ‘lawful, fair and transparent’ and that valid consent is in place wherever consent is relied upon as the lawful basis.
Take stock and get the balance right
For employers to ensure they remain compliant with GDPR, they must take a long-term view across the business and workforce. This will involve ensuring that the business has the right skills and knowledge ingrained in each department, without adding endless expensive headcount.
Here are three steps that businesses can start to take today to achieve this:
- Audit of IT and skills
The first step every business needs to take, as an urgent priority, is a comprehensive audit of its current capabilities and activities against the GDPR requirements. This should cover both its technology systems and the skillsets that exist within the workforce, and it should be done early enough to leave time to act on the findings and implement any necessary changes. Hiring external experts can be a good option for an audit, as a third party looking at the business processes with a fresh pair of eyes may be more likely to uncover issues.
- Hire contractors to instil the change
Hiring short-term contractors as an additional resource could be worth considering between now and May 2018 to help bring the organisation up to speed. Not only will they bring a fresh perspective into the organisation, but they can also use their experience to get the business into shape without adding permanent costs to the balance sheet.
- Circulate compliance throughout the business
Business leaders must start identifying gaps within their organisation and engaging their workforce to ensure a long-term solution to GDPR. It is key that all employees across all departments are aware of their responsibilities in relation to GDPR and have the right skills and knowledge to remain compliant in their day-to-day activities.
Despite the disruption it will inevitably cause for businesses, GDPR shouldn’t be perceived as just another regulatory hoop to jump through in time for the implementation – it can become a competitive advantage for the long-term. If businesses demonstrate that they can be trusted with individuals’ data they are more likely to be rewarded with additional insights and increased business over their competitors.