Nearly half a year after the GDPR came into effect, it’s not all ‘explicit consent’ and ‘legitimate interest’. Data protection processes are still not incorporated in the everyday business of many companies.
Senior managers and business owners remain unclear about what data security means in the context of GDPR. Many organisations are still in the GDPR readiness stage, instead of transitioning to normal business operations.
This time last year Forrester reported that "80% of companies will fail to comply with GDPR". The report claims that 50% of these companies will actually choose not to comply, as they see the cost of compliance as greater than the risks.
It’s true you need to employ team members in GDPR roles and implement GDPR security of data processing. However, making the transition to GDPR-compliant business as usual doesn’t have to be as daunting as you think!
Here are the three key things to understand about data security and GDPR, so you can assess what changes you need to make to set up your GDPR cyber security processes:
The post-GDPR reality is that the Information Commissioner’s Office (the ICO) will audit your company in the case of a data breach or a series of complaints, rather than systematically investigating every UK business.
To best prepare in case they do investigate, keep a trail of your GDPR compliance efforts. Are your employees trained to identify and deal with data risks? What processes have you put in place to protect your business against data security breaches? How have you improved your cyber security? Have your answers ready and you’ll get credit from the ICO.
Another key thing to understand is the scope of GDPR. It’s easy for businesses to focus on the marketing aspect of the regulations, e.g. who has subscribed to your mailing list in 2010. But GDPR compliance doesn’t end with consent.
Look at the bigger personal information picture. Having a clear idea about the entire ‘lifespan’ of the data you (or your suppliers) collect will demonstrate your GDPR compliance. This includes records, data storage and security, third-party hosting and ease of access.
Regulations are adapting to constantly changing technologies, markets and working practices by adopting the same flexibility. The ICO focuses on principles and outcomes instead of providing a universal template for everyone to follow.
No two businesses are the same, so you as an organisation will determine what areas you need to look at to achieve the required outcome. It may be paper trails, juggling different regulations or ensuring your business information systems are secure. Consider what the greatest risks for your company are and choose the best course of action to deal with them.
An in-depth cyber security audit will turn up the GDPR pain points in your organisation and help decision makers determine whether the business needs big or small changes. Either way, the CNS experts can help tackle GDPR concerns with our robust cyber security solutions.