By: Sarbajit Deb, EVP & Chief Business Officer - Nordic Region
It is less than a year before the European Union’s General Data Protection Regulation (GDPR) comes into effect. As a company that caters to customers across the bloc, are you anywhere near compliance? The legislation requires businesses to take ‘appropriate technical and organizational measures’ to protect the personal data of individuals. How close are you to making this a reality in your enterprise before May 2018?
Encompassing 99 articles, the GDPR aims to standardize the rules for the manner in which organizations collect, process, store, and use personal data. Failure to conform to these norms will attract a penalty of up to 4% of a company’s global turnover. Clearly, the financial incentives for adhering to the measure – not to mention the reputational risks arising from supervisory sanctions –make the GDPR a critical regulation any business operating in the EU must adapt to.
Most of the data protection measures outlined under the GDPR will have to be enforced through a transformation of your IT operations landscape. Considering that the regulation calls for institutionalization of a ‘state-of-the-art’ mechanism to implement next-generation data protection methodologies, you will have to significantly enhance your underlying technology capabilities. Not doing so can render the task of complying with the GDPR pretty challenging, given the massive volumes of data being stored and processed by enterprise systems.
You must urgently undertake a gap assessment exercise to figure out if your existing data security measures suffice. You will then need to tweak or overhaul, as applicable, legacy processes and IT systems, in order to manage known and unknown risks such as the risk of processing a minor child’s data and the risk of cloud storage.
Clearly, all of this will place a heavy demand on your IT resources, given the GDPR’s wide-ranging scope and consequent implications for different front- and back-office functions. So, how exactly can you formulate an actionable, technology-assisted execution plan, based on a comprehensive understanding of the various GDPR clauses? Where do you begin?
IT governance audit
Here are seven key process and technology-related considerations you should keep in mind during your GDPR compliance journey:
- Audit and Gap Assessment: Before you begin your exercise to become compliant, it’s imperative that you completely comprehend the requirements of the GDPR and its potential impact on your organization and its partners. To this effect, your first step will be to identify and hold workshops with all your stakeholders to arrive at a common understanding and the steps forward. Post that, conduct an audit of your existing security measures, and identify the gaps that can result in non-compliance. Make sure you cover all your data channels and workflows – basically, the data lifecycle in its entirety.
- Identify technology bottlenecks and replacements: It’s likely that you may already be aware of some of the impediments, even before initiating the audit. Still, the audit results will help you to narrow down the technology bottlenecks that hinder in becoming compliant. Once you have identified the list of existing problem areas, you will need to prioritize and schedule the required changes to your systems depending on the magnitude of the risks imposed by the bottlenecks.
- Robust Data Management and Governance: While you evaluate your IT landscape, do not forget to examine your core data management and governance practices. Data encryption, anonymization, and pseudonymization are but some of the ways you can make customer information significantly less vulnerable to security breaches and threats. Implementing data lifecycle management can come in handy here.
- IT System Security: Revisit the security controls you have deployed, including firewalls, alarms, and monitoring systems. Consider updating cyber security and email policies, as well as the application security setup. Pay special attention to your cloud implementations where the data is stored and handled off-premise.
- Identity and Access Management: Access management will assume far more importance than ever with the onset of the GDPR. Providing the right access, and ensuring no compromises to data sanctity, will be critical to avoiding data leakages and unauthorized data usage.
- Continuous System Monitoring: Design and roll out a system to continuously monitor, record, and report the GDPR specific compliance processes.
- Risk Management & Exception Handling (Breach Notifications): While it’s important you foster a culture of compliance across the organization, you will also need to plan for possible security compromises and breaches. Do not forget to design an incident response policy and exception handling procedures to handle a security breach.
Though becoming GDPR-ready looks like a lot of hard work, it can actually work in your favor and help you become leaner and agile in the way you handle data. While this entire journey toward compliance will involve substantial costs and efforts, the resulting benefits, in terms of increased customer trust and enhanced brand equity (not to mention the avoidance of heavy fines and penalties), will make it worth the pain.