DCN September 2017 - Page 55

final thought ‘GDPR is a business issue just as much as an IT one.It is a business opportunity, where technology can help.’ IT-focused legislation, so there it should lie. That’s a mistake. GDPR is a business issue just as much as an IT one. It shouldn’t simply be offloaded to network engineers and made a technology problem – it is a business opportunity, where technology can help. There is often greater traction in looking outside the organisation for help. But again, the key question is where to look. Firstly, there are a host of companies in the marketplace that are making a lot of noise - saying come and speak to us - we will make you GDPR compliant. However, it is unlikely that a single company operating alone could ensure a customer will meet all the demands of this new GDPR legislation. So, businesses should be very wary about taking this supposedly catch-all path to compliance. It is likely to turn out to be anything but. The right approach thing on their ‘to do’ list. In some businesses, the legal department is even formulating policy for the rest of the business to follow. Many boards, however, still try to shift the problem to the domain of the IT department. There are far too many CIOs attempting to abdicate their responsibilities in this area. The rationale is often that they are simply too busy thinking about the future strategy of the business to spend time considering what they see as essentially It is clear what businesses can and should be doing today to make sure they are ready in time, especially with regards to good data management. For many organisations, ensuring their data classification processes are up to scratch is one of the very first actions they should take. Every business should know what data it has; where that data resides (and that means not just the primary data stores but what information is held on laptops and in off-site back-ups for example), and how they manage, control and audit access to it. They should also, in the context of GDPR, be aware of the CIA triad, (Confidentiality, Integrity and Availability), with the emphasis on the first two of these. When it comes to managing personal data, confidentiality and integrity need to be high on the agenda. Businesses must restrict access to just those people who need to view the data, and they need to ensure that the data is accurate and any relevant updates have taken place. Other key technological measures that can be taken to help protect sensitive personal data include data loss prevention and encryption, whether that is of data held in a data centre, on-premise, in the cloud, or elsewhere. Only the beginning In a sense, much of this is simply about adopting a best practice approach. The IT industry has long tried to educate businesses about risk mitigation and cyber-security by espousing compliance and reputational protection. GDPR is, however, only the start of a journey, the minimum standard that organisations should be aiming for. It’s about enforcing a decent baseline of security – however organisations that fail to act appropriately and in a timely fashion will find that it’s a regulation with teeth. By January 2018, we foresee many organisations starting to panic about May 25. They will suddenly realise that time is short and they need to act immediately in order that they are adequately protected procedurally as well as technically. By then, however, it may be too late. The message for the boardroom is a simple one; if you are not already running a best practice approach where you know what you have, where it is, and who has access, it can take more time than you have to be fully prepared. Put this on the boardroom wall: Stop passing the buck - if you have not already got your GDPR house in order, you better start doing it right away. Tempus Fugit. Se FV&W"#rS