What did you do when you heard the GDPR klaxon sound?
“GDPR…………erm………….that was the thing that caused my personal email inbox to implode in May 2018 right?” Well, yes, that is right. Though more crucially it is the thing that during its first year of enforcement saw several high profile organisations get hauled over the coals financially by the ICO (and ‘reputationally’ by the press) for breaches relating to personal data usage and security.
Curiously, the context of the GDPR is also hotly debated and largely misunderstood – is it intended to protect the rights of ‘data subjects’ (people) to know how and why their data will be held by a company, or is it intended to enforce cybersecurity best practices so that data that is held securely at little to no risk of being illegally obtained? Well, both. But it is true to say that most companies outside the FTSE 250 are focusing on one or the other, rarely both.
Which one should take precedence for you? GDPR or cybersecurity?
The GDPR is legislation – to not adhere to the GDPR, is to break the law. That feels like a sensible driver to prioritise GDPR compliance.
So why, according to this article in Forbes, is it that only “30% of organisations will spend on GDPR-related consulting and implementation services through 2019”. Seemingly because GDPR spend includes amendments to marketing and sales behaviour, as well as improvements to cybersecurity, so some companies spending money on cybersecurity alone do not consider that as spend on GDPR.
Despite being a legal requirement of a business capturing personal data of subjects in the EU, the GDPR does not go as far as to legislate for the cybersecurity measures that should be taken to protect digitally stored personal data. It recommends best practices, but it is not a legal requirement to enforce specific cybersecurity practices.
For that reason, you really should consider whether your cybersecurity practices are aligned with your GDPR objectives – essentially, are you focusing cybersecurity enhancements on the areas that relate to the storage of personal data?
It is all very well that you use a secure cloud application for your business accounting (sensitive company financial data) which is only accessible using two-factor authentication and only by the CFO, but if you also have a salesperson who has downloaded a copy of the CRM database to their laptop and uses the password ‘Password’ to lock the device, your GDPR risk exposure is severely high – and the penalties for a breach could significantly impact those precious, protected balance sheets.
The GDPR doesn’t discriminate
Big or small, old or new, global or domestic………..no matter what your organisation looks like, it must follow the GDPR for the storage and usage of personal data.
The agenda should not be driven by marketing desires nor by technology visions, your GDPR agenda should be driven by an inherent and non-negotiable view on the responsibility that comes with capturing, storing and using the data you hold about individuals in the EU.
By understanding your organisation’s obligations to those data subjects, it will become very apparent that you can’t deliver on GDPR without sharpening your focus on cybersecurity in conjunction with the blanket email, and tick box, and disclaimer, that caused your inbox to melt in Spring 2018.