Q&A: As GDPR looms near, CEOs must take action or suffer the consequences
What is GDPR and why has it come about?
The General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. It is designed to unify data protection and regulation across the European Union while addressing concerns over the export of data outside the EU. This simplification of the regulatory environment will provide efficiencies and savings for businesses.
The aim is to protect EU citizens while providing them with greater control over how their personal data can be used. GDPR will apply to all businesses that provide goods and services to anyone in the EU or handle personal data for any EU citizens.
Are CEOs in the UK fully aware of GDPR and its implications on their business?
The same question 12 months ago would have provided a different response. In my experience through customer engagement, yes, there is definitely greater awareness at the board level.
Since the turn of 2017, most discussions I have had with business leaders have either involved or revolved around GDPR and how they can prepare to meet the numerous obligations. I would, however, distinguish between high-level awareness and deep understanding of the implications.
Most are aware of the potentially strict fines – up to €20 million or 4 per cent of global annual turnover, whichever is greater – but do they really know what it means to their business? We have transitioned to a position of widespread acknowledgement which hasn’t quite yet turned into widespread action.
With less than six months to go, how ready are organisations in the UK for GDPR?
I have spoken to many businesses over the last 12 months on this topic and some are readier than others. I find the better-prepared organisations have a more pragmatic view. It is important to acknowledge that while GDPR represents a significant shift in regulation, we have been required to adhere to data protection regulations for many years.
The UK already has some of the strictest approaches to compliance and data protection in the world. A business that looks at existing processes and procedures will likely find they can map many of the controls they already have in place across to GDPR, and then focus on any exposed gaps, rather than treating it as an implementation of a completely new framework.
How important is having a robust data security solution to GDPR compliance?
A good security posture will inherently make for a good compliance posture. Getting security right will, by default, assist with GDPR compliance, but more importantly it will ensure the business is sufficiently protected. Hard-hitting fines aside, a business that does not secure data and is breached still faces the resulting financial costs of a clean-up, as well as the reputational damage incurred.
On top of any GDPR fine, this could amount to millions of pounds in the short term and a potentially immeasurable cost in the longer term. Now is the time to partner with experts who understand the technologies that can mitigate this risk.
Do you think GDPR is being discussed in boardrooms as much as it should be?
Organisations that take security and compliance seriously should ensure GDPR is afforded time and focus at the very highest levels. This is becoming more common, but not yet prevalent.
It is crucial the CEO has direct lines of communication with the relevant sponsor, be that the chief security officer or chief information security officer (CISO), with regular dialogue a matter of routine. This will better ensure that security and compliance strategy, including GDPR obligations, is properly aligned to business goals and objectives to enable the business rather than constrain it. A business must not find itself in the position where the first time the CEO and leadership team hears from the CISO is during a major incident or breach of regulatory compliance.
How important is it that CEOs take a lead in ensuring their organisation is compliant?
Cybersecurity and compliance are increasingly at the forefront of the minds of most companies. The challenge for leadership is to find the balance between implementing the necessary controls and obligations while continuing to enable the business. Preparation is best achieved when clear direction on strategy is given. This must resonate from the very top to gain traction and ensure resulting security policy delivers against strategic directives.
What should organisations be doing now to ready themselves for the regulation?
GDPR is extensive, significant and will undoubtedly affect businesses. As with many action plans and operations, the challenge is during the planning and implementation phases, so proactive preparation is the best form of defence. In terms of preparation, leadership should consider business priorities for security and compliance requirements.
Question what is most important to the business and what is already being done to protect it. What capabilities and resources have been invested in to protect the business and how effective are they? A next logical step will be to conduct a GDPR gap analysis to identify the work required to address those business requirements. If you don’t have the ability to do this, make sure you find a partner that can help you.
Who should CEOs work with to help prepare their business for GDPR?
As GDPR approaches, there is an inevitable proliferation of “solutions” being presented. CEOs should be wary of these because there is no catch-all fix for a regulation that comprises 99 articles. Compliance requires a layered approach, considering multiple, interoperable and interchangeable features and functions that are both internal and external, as well as technical and organisational.
Like all aspects of cybersecurity and compliance, GDPR requirements should first and foremost be tackled as a business challenge rather than an IT problem. The solution starts at the top as a business-driven strategy, not a technically led conversation in the engine room.
Businesses concerned with meeting GDPR obligations and particularly those faced with the challenges of constrained resources could consider using a managed security service provider (MSSP) as a means of advising their data protection officer or security team. This will assist in identifying a range of solutions that not only help with preparation and readiness for GDPR, but also sustain a compliant security posture post implementation.
To connect with an experienced MSSP, who can assist with GDPR requirements, please visit Rackspace.com/GDPR