EU Data: in or out?

Editorial Type: Opinion     Date: 03-2016    Views: 1402   





Alessandro Porro, senior vice president at Ipswitch, comments on the three building blocks to consider when preparing your business for GDPR

The EU's General Data Protection Regulation (GDPR) comes into force in 2016. It replaces a hotchpotch of EU-wide data protection laws and will affect any business operating from within the EU that does business with EU organisations or stores data in EU countries.

We found in a recent survey that businesses are gearing up to the changes, but slowly. One in five UK businesses still don't know if the changes will apply to them despite confirming that they store and process personal data, and significant investment will be required to process and store the data based on the new standard. Respondents cited encryption technologies, analytics tools, perimeter security, file-sharing and mobile device management as potential future investments.

Based on the current timetable for the regulation, businesses will need to be compliant in a little over two years. Some of the changes will be relatively straightforward and businesses should already be compliant in some areas. Gartner analyst Carsten Casper notes that elements of the regulation are "principles we've seen in the past, carried forward in different words".

Other aspects will require C-level buy-in, inter-departmental collaboration, resourcing, budget sign-off and technological investment. Those two years may pass quicker than you think, and there is a compulsion to get started. Some focus will help here.

TECHNOLOGY
We think that over two thirds of businesses will have to invest in new technologies or services. This will depend a lot on what's already in place and how well it works. In the survey the top two were encryption technologies followed by analytics and reporting technologies. After those, just over half expected to invest in perimeter security and 42 per cent in file-sharing technology.

TRAINING
Preparing your team for GDPR is just as important as preparing the technology. All the technology in the world will not suffice if employees don't know what's required. There is good news though, because around half of respondents have allocated training budget and resource to help their staff to understand and comply with the GDPR.

Training can take many forms. The GDPR will affect any area of a business that handles personal data, so frontline customer service staff, HR and IT are examples of the departments that will need to be trained.

For those organisations who haven't allocated budget, or for those who didn't know if money and resources were available (nearly a fifth of respondents), getting the senior leadership team on board urgently is the next step.

LEADERSHIP
This is a C-suite responsibility. GDPR demands strong leadership so that new policies and processes are implemented effectively. Although compliance is often seen as a strain on resources and productivity, it can also be viewed as an opportunity to improve security measures and processes. The high-profile data breaches suffered by Carphone Warehouse, the White House, Ashley Madison and others are a stark reminder to the C-suite, not the IT professionals, of the benefits of improving security.

If learning from the mistakes of others is the carrot, then the stick will be the proposed breach penalties. Current estimates put them at 1m euros or 2 per cent of global turnover, depending on the seriousness of the breach; this message should propagate to the CFO's office.

How a company chooses to prepare for the GDPR will depend on multiple individual factors. The three building blocks of GDPR preparation highlighted here will help organisations to achieve compliance, but there will be variations - for example some will appoint a data protection officer whether the regulation requires it or not, because it is a more effective route to achieve compliance.

Whatever you decide, leadership, training and technology will be indispensable to the process.
