Type GDPR into Google and you will get just shy of 6 million results. Factor in the complexity of each and every article and it’s easy to see why many are parking it in the ‘too difficult’ pile...
That said, the UK's ICO is doing a pretty good job of busting a few myths and articulating the requirements in easily digestible chunks. When you strip away the layers of GDPR, at its core, it’s similar to the current Data Protection Act (DPA). It’s just been scaled up to reflect the tech-centric environments within which all organisations now operate.
Data has been described as the new ‘oil’. As such, it now holds a value way beyond what it did when the current DPA was conceived back in 1998. It’s for this reason that businesses will be required to protect and use Personally Identifiable Information (PII) in much the same way as we have come to trust financial institutions to invest and protect our money. There is, however, one key difference.
For the most part we pay the financial institution to do a job for us and also accept that investments can work for us or against us. Where our PII is concerned, privacy and security should be taken as a given, whether or not they are fundamental to an organisation's ability to deliver the service for which it has been engaged.
Whilst accidents happen in all aspects of our lives, data breaches are all too often thought of as simply an unavoidable consequence of operating online. GDPR sets out to change that by enforcing a level of responsibility on those who rely on PII to deliver their services, be they commercial or otherwise.
As we have said before in other blog posts, GDPR is not about fines. It’s about the customers, patients, passengers, guests, fans, members and benefactors. Regardless of how they are seen within the context of a business, their data needs to be used and protected in line with the GDPR. For most, it should really be a case of ‘beefing up’ what is already being done and putting an organisation into what could be described as a ‘defensible position’.
With no defined standard or audit process like PCI DSS, no certified assessors and no pass/fail assessment, compliance with GDPR requires organisations to engage with expertise to support them in the right areas. Some aspects of GDPR will be one-off changes to business policies, procedures and processes in compliance with the requirement. Other aspects will be more dynamic, requiring ongoing improvements, particularly those surrounding the security of personal data.
Changes to the ‘cyber threat-scape’ mean that organisations must remain constantly vigilant to signs of a potential data breach. It’s also important to bear in mind that with an insatiable appetite for PII, new bubbles of noncompliance can crop up at any time. This is why dynamic data discovery will prove to be an essential requirement to keep businesses operating as usual.
As they say, ‘many hands make light work’, which I believe will very much be the case with GDPR. Not necessarily in terms of getting to a state of compliance, but in putting an organisation into the domain of being in a ‘defensible position’.
The business will need to be doing the right things all the time and to achieve this, the onus will be on education. It will be down to businesses to create a culture of awareness, whereby PII is treated with the reverence of cash in a traditional trading environment. From an early age we become unconsciously competent when it comes to money. We value it and certainly don’t leave it lying around, be it our own or that of those who have entrusted us with it. Put simply, we respect it, no questions asked. The same should ultimately apply to PII – can it get simpler than that?