May 2019 marks the first anniversary of the General Data Protection Regulation (GDPR), and early numbers make clear that its implementation has been a success as a breach notification law. As such, GDPR has affected multiple aspects of a business. It has created increased requirements for businesses to deal with issues such as security, compliance, data ownership, training and data management. The new regulation will require, for many businesses, a fundamental change to their internal processes and ongoing focus on compliance.
There are several myths around who manages data inside an organisation which have been challenged as a result of GDPR regulations. From the shift from an IT-centric to a business process owner model, to educating internal teams and reviewing tools, here are the top five myths around management of data that GDPR effectively busted.
- Data Management is an IT function
Data management used to be solely an IT function but, since GDPR came into force, organisations have been increasingly realising the criticality and value of their data assets. This is why the data management function has become a business and IT function. It requires a full commitment by every organisation to build data protection into its culture and all aspects of its operations, from support through accounting to product development. The GDPR is not specific to just IT, it must permeate all aspects of the organisation to ensure a culture of data privacy is built.
- Business organisations have always been familiar with data management
Since the new regulation made data management a business, not just an IT, concern, awareness around GDPR needed to be expanded to different departments in an organisation. Many parts of business organisations were not familiar with data management and had to be trained and managed around the issue. However, a recent paper by Osterman Research showed that only 42 per cent of organisations have trained their employees around data management and GDPR, meaning that 58 per cent left their employees in the dark.
- All departments understand how to manage and control data
As mentioned above, data management used to be exclusively an IT function and IT teams had a good understanding of the way data should be managed and control. Those in business functions tended to accumulate data and lacked access control, putting at that data at risk. Today, the responsibility for compliance is shared across the different functions. Non-IT employees cannot simply close their eyes to the risks they take when handling their company’s data. Raising awareness is crucial to prevent data breaches and impacts on the organisation’s finances and reputation.
- GDPR isn’t relevant for everyone
Departments have been affected in different ways and to different degrees: some have been living and breathing the regulation for several years, for others it may be new. But being data protection-aware is no longer optional, it’s critical and regulated. An ongoing continuous programme of education – from induction through regular refresher sessions – is essential. This helps make data awareness relevant for everyone from the Chairman of the Board to the customer service team and beyond.
- Data protection stops at the organisation’s perimeter
Suddenly, businesses realised that they were responsible not just for their own data protection compliance, but that of all the links in their supply chain. Cloud computing is a case in point where IT and business managers realised that their CSP needed to be just as compliant as they were in order to avoid a huge security gap. From client-supplier, the relationship shifted to that of a collaborative security partnership as the degree of trust and diligence needed between parties escalated.
From myth to reality
Overall, the understanding of the value and risks around personal data had to be propagated through organisations and actively monitored. GDPR didn’t act as a reminder of what ought to be done, but instead as a proper new regulation. It has changed how organisations collect and manage data and personal information, busting the myth that data management lived in the IT department silo and making it relevant for everyone. That has required extensive investment in people and tools to oversee, and a re-evaluation of business relationships with suppliers and customers alike.
By Frank Krieger, Vice-President, Governance, Risk and Compliance, iland
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/