Why GDPR will drive a best practice approach
When GDPR was first discussed, many feared that it would force businesses to become more insular and more defensive about their data. Some even believed there would be a counter-movement against the cloud, with organisations taking data back into their internal systems.
Thankfully, the reality has been very different. Instead we’ve seen a new willingness to work together with partners and specialist cloud providers. Now it looks likely that this collaboration will help to carve out a best practice approach towards GDPR. Consequently, many businesses are turning the tables and, instead of seeing GDPR as a threat, they see it as a welcome chance to get their house in order and, for once, tackle the thorny question of data protection head on.
So why the change of approach? First, it seems that one of GDPR’s perceived weaknesses could turn out to be one of its strengths. So far the 300-page tome has been seen as extremely vague and, therefore, open to interpretation. Every business is having to learn and understand how the legislation applies to them. They not only have to get to the hub of what the document says, they must take it and apply it to their business and industry.
Many of our customers, for example, are still at this ‘gap analysis’ phase, trying to judge the distance between what they have in place at present and what they need for compliance. Because of the demand for transparency and accountability, they have little choice but to discuss what they are doing and where they are going with partners – such as cloud services providers – and suppliers involved in protecting their data.
In our experience, because everyone in the chain needs to understand what every other part is doing and the part they have to play, this is leading to open and engaging conversations. In fact, I can’t remember another security and data protection initiative that has been the focus of so many discussions including those with customers and prospects, allowing all sides to learn through the process and then share what they have learnt with others.
Also, because GDPR involves the entire business, there are similar discussions going on internally, particularly between HR, IT, security and legal departments, who are all on the front line. C-level involvement is a must and HR involvement is also vital; they are already experienced custodians of private and confidential data and need to be part of the process, if only to represent the employee interest. Compliance will involve a combination of adapting processes and procedures, as well as implementing strong technical controls.
All these departments need to work together to ensure that there are not several difficult-to-access stores of information held about an individual across the organisation. Collaboration is also needed on particularly knotty areas such as the ‘right to be forgotten’. While this right is obviously important, it doesn’t override other legal obligations, for example, the need to maintain accurate payment records.
If an employee asks that all their records are removed, there is still the obligation to retain some as appropriate. Yet there appear to be no hard and fast rules, so discussions, conclusions and the establishment of guidelines or best practice are the only way forward.
Some companies see data protection leadership as an extension of an existing employee’s role; others choose to employ a data protection officer, despite the skills shortage. These will have valuable experience of past and existing data protection acts – and in particular adapting them to their own environment.
Whatever the decision, this timely spotlight on the subject should drive the establishment of new, long overdue guidelines. Yet these should not necessarily be subjective, but developed objectively, working with partners that understand the need to be transparent. Only this way will the defined guidelines suit all involved and therefore be both sustainable and successful.
Ultimately, it’s important not to focus on the fines for non-compliance, but consider how to make GDPR into a positive experience for your organisation. In particular, the relationships a business builds with other businesses and their partners can only be strengthened through this exercise – and based on this, an organisation should feel more confident about the future.
As a result, working in this wider and more transparent ecosystem helps everyone step up to the mark and this is key. All businesses will need to be on top of their game to survive and thrive in the post-GDPR age.