Why GDPR is not just an IT issue

The deadline for compliance with the new GDPR regulation is fast approaching, and many organisations are scrambling to get their houses in order. With sky-high fines for breaching the regulation, and the fact that court orders can in any case require changes to business processes for those found in violation, there is good reason for organisations of all sizes to be compliant with the new regulations.

Legal and IT teams are already busy making sure their organisations have a clear understanding of what GDPR is, and what changes to gathering, processing, storing, and destroying data will need to be made. But unlike many technology-related initiatives, organisations will not simply be able to leave this one with the IT team. With every aspect of the business likely to be affected, GDPR is a broader business issue that will require nearly everyone – from the board on down — to make the process a success.

Here’s a look at why GDPR needs to be a business-wide issue and how companies can mobilise as the deadline looms.

The changing structure and focus of the c-suite

For larger companies, one of the more apparent changes we’ll see is the rise of the CTO – but not the one you might be familiar with. The Chief Trust Officer (CTO) will be tasked with building confidence around the use of customer information. In some cases the CISO will do double duty as the CTO; in others the CTO will be a separate role, focused on privacy and compliance.

The role of the CISO will change to include a thorough understanding of business requirements and existing procedures across all departments of the company — from marketing and sales to HR and customer care — and working with IT and functional teams to identify any adjustments that need to be made. They’ll also be responsible for working with the legal team to make sure everyone in the company, no matter their role or seniority, understands GDPR, and for implementing and enforcing any new procedures staff will need to follow so the company isn’t caught out.

The new emphasis on the role and value of data will also see an increase in the appointment of c-level executives responsible for ensuring organisations handle it appropriately. For many organisations, this will mean adding the CTO to the c-suite. The CISO and CTO will need to work together to ensure the business is compliant, enforcing any changes that need to be made before May.

The effect on business operations

The new rules on obtaining consent mean that many businesses will have to adjust how they operate to stay compliant. For example, companies will be required to report any breach that may result in a risk to the rights and freedoms of individuals, which can be anything from financial loss to reputational damage. They must notify the relevant authority within 72 hours of becoming aware of the breach, and if the breach is sufficiently serious, the organisation must notify the public too. So the days of Uber and Yahoo waiting many months to disclose breaches will be long gone, unless they feel like paying up.

GDPR will also enforce data protection impact assessments (DPIAs) to help organisations identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy. Businesses will have to carry out a DPIA when using new technologies, and whenever the processing is likely to result in a risk to individuals’ privacy rights. This could include the processing of data relating to criminal offences, as well as data that may have a legal impact on individuals.

A change in culture

Once GDPR comes into force, both businesses and consumers will have to take note of what privacy really means and the implications it will have, which will affect a number of departments beyond IT, such as marketing. For example, consumers will now have to opt in before companies can process their personal data. So if you want to subscribe to a company mailing list you’ll have to physically tick the box, instead of the company assuming it can use your email address to send any and all marketing materials, which can only be a good thing for your inbox.

Despite the hesitation and mad scramble we’ve seen recently, it is clear that GDPR presents a huge opportunity for businesses to transform the way they work and relate to consumers, and to grow in new ways. This new relationship will open new doors, but only the teams that commit to a proper implementation will see the full benefits.


By Gerald Beuchelt, Chief Information Security Officer, LogMeIn
