DCN September 2017 | Page 55

final thought
thing on their ‘to do’ list. In some businesses, the legal department is even formulating policy for the rest of the business to follow.
Many boards, however, still try to shift the problem to the domain of the IT department. There are far too many CIOs attempting to abdicate their responsibilities in this area. The rationale is often that they are simply too busy thinking about the future strategy of the business to spend time considering what they see as essentially IT-focused legislation, so there it should lie. That’s a mistake. GDPR is a business issue just as much as an IT one. It shouldn’t simply be offloaded to network engineers and made a technology problem – it is a business opportunity, where technology can help.
There is often greater traction in looking outside the organisation for help. But again, the key question is where to look. Firstly, there are a host of companies in the marketplace that are making a lot of noise, saying ‘come and speak to us, we will make you GDPR compliant’.
However, it is unlikely that a single company operating alone could ensure a customer will meet all the demands of this new GDPR legislation. So, businesses should be very wary about taking this supposedly catch-all path to compliance. It is likely to turn out to be anything but.
The right approach
It is clear what businesses can and should be doing today to make sure they are ready in time, especially with regards to good data management. For many organisations, ensuring their data classification processes are up to scratch is one of the very first actions they should take.
Every business should know what data it has; where that data resides (and that means not just the primary data stores but what information is held on laptops and in off-site back-ups, for example); and how they manage, control and audit access to it.
They should also, in the context of GDPR, be aware of the CIA triad (Confidentiality, Integrity and Availability), with the emphasis on the first two of these. When it comes to managing personal data, confidentiality and integrity need to be high on the agenda.
Businesses must restrict access to just those people who need to view the data, and they need to ensure that the data is accurate and any relevant updates have taken place. Other key technological measures that can be taken to help protect sensitive personal data include data loss prevention and encryption, whether that is of data held in a data centre, on-premise, in the cloud, or elsewhere.
Only the beginning
In a sense, much of this is simply about adopting a best practice approach. The IT industry has long tried to educate businesses about risk mitigation and cyber-security by espousing compliance and reputational protection. GDPR is, however, only the start of a journey, the minimum standard that organisations should be aiming for. It’s about enforcing a decent baseline of security – however, organisations that fail to act appropriately and in a timely fashion will find that it’s a regulation with teeth.
By January 2018, we foresee many organisations starting to panic about May 25. They will suddenly realise that time is short and they need to act immediately in order that they are adequately protected procedurally as well as technically. By then, however, it may be too late.
The message for the boardroom is a simple one: if you are not already running a best practice approach where you know what you have, where it is, and who has access, it can take more time than you have to be fully prepared.
Put this on the boardroom wall: stop passing the buck. If you have not already got your GDPR house in order, you had better start doing it right away. Tempus fugit.