The EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and could be good news for CISOs and early adopter companies, and a wake-up for SMEs and industry laggards.
When the General Data Protection Regulation was first passed, there were some contrasting responses from industry. Did it set in place a new framework for organisations, one that would help them keep pace with changes in data management and new ways for doing business, while helping them to assuage their customers’ concerns? Or did it add a new layer of worry to organisations, compelling them to add a new layer of bureaucracy and adding to their costs?
Tim Grieveson, IT and change director at general insurance company Legal & General - and former chief cybersecurity strategist at Micro Focus EMEA, believes that companies should not be seeing GDPR as something “big and scary”, but instead look to the regulation as an opportunity to transform their businesses for the better.
“Everyone’s going to benefit,” he says. “Companies should take the opportunity to understand what data they hold and how to benefit from that”, he continued, suggesting – like others – that GDPR could be a business opportunity
Judith Vieberink, a lawyer at Netherlands-based First Lawyers, supports this view.
“The winners are going to be the companies that see the legislation as an opportunity and embrace the change. They’re going to be the ones who know what processes are involved and what kinds of rights the individual customers have.”
Grieveson gives a concrete example of the approach that could be taken. “It means, for example, that companies will be able to classify data according to how secure it needs to be.” He points out that in the past, organisations have often adopted a ‘one-size fits all’ approach to security; but by undertaking a thorough audit of data, they will be able to establish priorities and “encrypt the crown jewels.”
Taking a holistic view of GDPR
Vieberink agrees that it’s the time to ask some searching questions about your own data and existing security measures. “Do I have to use encryption? Why do I need it? Do I need to implement extra tough measures?”
But it’s not just about the technology, it’s about business education as well. “All staff should be aware of the possible impact,” she adds.
One clear winner should be the IT department; Grieveson envisages that the changes engendered by GDPR will be a real opportunity for IT to add real business value, as long as they make sure they consult with other departments.
“IT hasn’t been good at taking a holistic view,” he says, stressing that the impact of GDPR will be felt throughout an organisation, with the IT department at the heart of many changes.
Another winner will be the security professionals; “I can see a lot of demand for what I call CISO-as-a-service,” says Grieveson, adding that organisations will suddenly find themselves ramping up protection as the regulation – and its potentially huge fines – nears full inception
Are there going to be any losers in the process of getting ready for GDPR? Yes, the companies that aren’t prepared for the changes needed – or have decided not to prepare, Grieveson says, particularly when it comes to small to medium size businesses (“SMEs”).
“There will be SMEs who haven’t had to think about employing a data protection officer before,” he said, echoing comments from other experts that SMEs may be less aware of the GDPR requirements.
But there will be other ramifications too, he adds. “CEOs and CFOs are going to pay much more attention to data protection, the level of fines will make sure of that.”
In short, GDPR offers an opportunity for all companies to be winners as long as executives have a good look at what data they have already, and what data they will require to hold and protect going forwards.
“They should conduct a thorough audit,” says Grieveson, “Micro Focus has the technology to help with this but it’s not just about technology. Bring experienced partners into the mix, if you’re adopting new processes you need someone who’s done this before.”