I can’t open my inbox these days without someone telling me about the European Union’s General Data Protection Regulation (GDPR), with the content of these emails ranging from the complex to the scaremongering.
However, what I don’t see are the ones extolling the positives of the regulation.
In my humble opinion, GDPR is a driver for some very positive change in the way that we, as businesses, use the data that we have and will continue to collect in ever-growing amounts.
I’m sure we’ve all heard how data is the new gold, oil, etc., and to many of us our data is among the most valuable assets we hold; as I heard recently, “the ability to gain actionable insights from data is what will separate us from our competition.” I personally believe this to be true: the businesses that know how to manage and gain value from their data will be the ones that are the success stories of the future.
If data is such an asset, then…
Why do we keep hearing stories about high-profile data breaches, such as Equifax and Deloitte, where sensitive information has ended up in the public domain? If data is an asset, then why are we so lax with its security? Are we that lax with other assets?
Data is hard
The problem is that managing data is hard: we don’t know what we have, where it is, who has access, and when, or even whether, they access it. This lack of insight makes securing and managing data a huge challenge — and it is why the idea of more stringent regulation is a frightening prospect for many.
Why is GDPR a good thing?
The GDPR is going to force organizations to address these problems head-on, something that, for many of us, is long overdue. Although the regulation focuses on the privacy of “data subjects,” the principles can and should be applied to all of our data.
To be clear, GDPR is not a data management framework. Its scope is much wider than that. It is a legal and compliance framework and should be treated as such. But, while GDPR is “not an IT problem,” it’s certainly a technology challenge, and technology will be crucial in our ability to be compliant.
Why GDPR and technology are helpful
Even if GDPR did not demand our compliance, I would still thoroughly recommend it as a set of good practices that, if you’re serious about the value of your data, you should be following.
I believe the principles of the GDPR, along with smart technology choices, can positively revolutionize how we look after and get the very best from our data.
In the last 12 months or so, I’ve done a lot of work in this area and have found 4 key areas where the GDPR, alongside some appropriate technology choices, has made a real difference.
1. Understand your data
As with any project, we start by fully understanding our current environment. How else are you going to manage, secure and control something if you don’t know what it looks like to begin with?
Your first step should be to carry out a thorough data assessment: understand what you have, where it is, how much there is, whether it’s looked at, what’s contained within it and, of course, who accesses it, when, where and why.
This is crucial in allowing us to decide what data is important, what you need to keep and what you can dispose of. This is not only valuable for compliance but has commercial implications as well: why take on the costs of storing, protecting and securing stuff that nobody even looks at?
2. Educate your users
It’s too easy to look at our users as the weakness in our security strategy when they should be our strength. They won’t ever be, however, if we don’t encourage, educate and train them.
Technology can help provide training, develop simple-to-use document repositories or keep them on their toes with regular orchestrated phishing tests. This helps users develop skills, keeps them aware and allows us to develop metrics against which we can measure our success.
We must move away from the annual “lunch and learn” briefing and realize we need tools that allow us to continually educate.
3. Detect and report breaches
The GDPR places a major focus on our ability to identify breaches quickly and accurately and to report on exactly what data we have lost. Traditionally this is an area in which businesses have been lacking, taking weeks, months or maybe even years to become aware of a breach. In a world where we are ever more data-reliant, this cannot be acceptable.
Technology is the only way to meet these stringent reporting requirements. How else will you know the when, where and how of a breach?
But technology isn’t only about reporting. The ability to have such visibility of data usage — the who, where and when of access — will allow us to quickly detect and stop a breach, or at least reduce its impact.
4. Data protection by design
This is perhaps the most positive part of GDPR, as it will encourage us to build data protection into the very core of our infrastructure, systems and data repositories. Whether on-prem or in the cloud, under our control or a service provider’s, security has to be at the heart of our design — not an afterthought.
We need to use this as an opportunity to encourage cultural change, one where the importance of our data is not underestimated, where maintaining its integrity, security and privacy is a priority for everyone, not just IT.
Is the GDPR a lot of work? Yes.
Is it worth it? In my opinion, 100%, yes — GDPR is a real positive driver for a long overdue and crucial change and should be embraced.
One thought on “Don’t be scared – GDPR is a good thing, embrace it!”
I completely agree. This and other regulatory requirements such as FedRamp are key drivers for establishing a mature and effective governance program…