The deadline for General Data Protection Regulation (GDPR) compliance has been and gone. By now, organisations will have refreshed their privacy policies and put in place the necessary procedures to comply with the law.
But have they done enough? GDPR demands that organisations revamp the way they collect, process and handle customer data. But dealing with data is a complicated beast, and my worry is that businesses may not have put in place adequate controls with respect to security and privacy. This isn’t to suggest that they aren’t GDPR compliant, more that they are leaving themselves open to future risk. Let me explain.
The fines for non-compliance with GDPR are hefty – between 2% and 4% of annual global turnover in the worst-case scenario. I believe that any breach is likely to be due to one of two things: a lack of knowledge or a lack of advisory overview.
Let’s first look at what I mean by lack of advisory overview.
GDPR can be looked at through various lenses. Some organisations will have placed it firmly within the legal department. The problem with this is that, while they are likely to be looking at the legal points in great depth – how to defend against a penalty or litigation from a supervisory authority, for instance – they run the risk of giving security and privacy far less attention. They will not necessarily be looking at how to stop a breach from happening in the first place.
Other organisations will have put responsibility for GDPR within the IT department. Here the security and safety of the data is likely to be top priority, but they may miss out on protecting the company from some of the possible legal ramifications of breaches in their systems or processes.
I strongly believe that we will see the GDPR legislation being tested in the not-too-distant future. Those companies that have involved every part of the organisation in the GDPR compliance process will be in a much better position going forward. They are more likely to avoid being thrust into the spotlight for non-compliance.
That’s not to say that the segregation of duties isn’t important, but there has to be a process whereby any change to the GDPR infrastructure receives all the necessary approvals from all of those involved in managing it, particularly from a privacy and security point of view.
A lack of knowledge
The other area where I believe organisations might find themselves in serious trouble is non-compliance that happens as a result of a lack of knowledge. A quarter of data loss happens accidentally, such as when an employee sends out information without realising that they are breaking the rules.
The key to avoiding accidental breaches is raising awareness at every level of the organisation. I don’t just mean running every employee through a training programme – which of course is valuable in itself – but a more ongoing process, where email and visual campaigns are run regularly.
The knowledge given to employees has to be especially clear about the dos and don’ts when it comes to customer information. For instance, a customer may give verbal consent to the collection of their information to someone in the marketing department, but whoever collects that consent also has to make sure that they inform the customer of what information will be processed, how it will be processed, and how they can unsubscribe if they wish to.
Sustaining compliance with technology
Technology will play a huge role in sustaining compliance. The whole digital paradigm is going to change, and I believe it is time to harness new technologies.
For instance, businesses need to ensure that they have a mechanism to instantly detect any data breach. There needs to be an incident response plan in place, and it needs to be regularly tested. Any application that is holding personal data needs to be tested continuously for vulnerabilities.
At TCS we are working on both automation and AI for sustaining compliance, especially when it comes to predicting a security incident, as well as responding to one.
As customers become more aware of their new rights, customer requests for information will continue to grow, and businesses need to be ready to handle that.
GDPR compliance as an opportunity
GDPR was an important step that organisations had to take to comply with the new law, but it also presents organisations with opportunities. At its heart, GDPR revolves around personal data. If organisations can get very good visibility of how that data is collected, processed and stored, they can use that visibility to build real insight within the organisation.
Organisations can use data to create a better service to customers, whether that means reducing an insurance premium based on the information they share, or tailoring customer solutions more accurately.
There will also be a need for integration with, and automation of, the different controls deployed for security and privacy on a continuous basis.
Ultimately, an organisation’s ability to protect data, detect breaches, respond to them and recover will go a long way towards sustaining its compliance.
It’s time to take this regulation seriously, both from a security and risk perspective, but also as an opportunity to put rigour into a system at a time when data has never been more valuable.
Vikas Choudhary is responsible for the Cyber Security business of TCS in Europe. He has over 12 years of experience in the Cyber Security, Governance and Compliance space. He has worked with some of TCS’s Fortune 500 clients in the area of Cyber Security.