GDPR: Compliance Heads into the 21st Century

Compliance is about to take a giant step into the 21st century with the arrival of the highly anticipated EU General Data Protection Regulation in May 2018. GDPR quashes any lingering notion that compliance is a tedious chore, done in dusty back offices on a quarterly basis: boardrooms must implement real-time continuous compliance that polices the use of personal data within EU trading borders – or face draconian sanctions.

Much attention has been sucked up by the hefty fines that await organisations in breach of GDPR after May 2014. EU fines of 0.5 million euros for failing to protect data under current rules will be hiked to €20 million – or 4% of annual turnover. It’s a big stick to make senior executives take GDPR seriously, but there’s a carrot – or reward – too. GDPR calls for a new, engaged mindset, rather than a tick-list approach, and that is good for business.

The new mindset for C-suite executives is to see data protection as a continual evaluation and strengthening of cyber security standards, rather than a one-off effort. In particular, Article 32 stipulates that both the ‘controller’ and the ‘processor’ of data shall “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

Emma Wright, partner with technology law firm Kemp Little, advises her corporate clients to adopt a ‘privacy by design’ approach, in the same way that cyber security by design is becoming the new normal. For companies, the onus to demonstrate ‘intent’ means in practice that “there must be a two-way flow of information between the ground and the boardroom, continuously revised to raise best practice,” she says.

The super-connected supply chain, a hallmark of successful digital businesses, also demands renewed vigilance and a real-time approach to data protection. The risk of customer data being breached when mishandled by a third party is very high according to the SANS Institute, which reports that 80% of breaches start in the supply chain.

To mitigate this risk and ensure data is protected consistently throughout a supply ecosystem, cyber risk management advisor Coalfire recommends a thorough audit of the entire supply chain, plus periodic spot checks. These bolster strategic relationships and foster good security behaviour and mutual vigilance, says managing director Andrew Barratt.

Audit trails may be getting more convoluted and complex, but automation will play a bigger part in compliance. Assisting an always-on approach to data protection are a plethora of auditing tools and frameworks, such as DXC Technology’s Cyber Reference Architecture (CRA). Governance will ensure compliance efforts are joined up, and data protection and cyber security teams must work together with procurement in events such as M&As.

If the benefits of greater visibility, transparency and mutually supportive business relationships aren’t sufficient incentive for executives, there’s another stick in GDPR. A 72-hour notification clause makes it obligatory for all organisations – not just telcos – to report breaches. Cyber insurance will partly cover that eventuality, but there’s no doubt that the C-suite will need to reengineer compliance – GDPR and more – for new times.

Helen Beckett

Helen Beckett is the Community Manager of the Business Value Exchange. She has been a writer and editor for over 20 years and takes a particular interest in the challenges facing the CIO in today’s business climate.