EU data protection: a torment or rather an enabler for the CIO?
The General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018. So it’s high time for organisations to put the GDPR at the top of the agenda.
You can look at the new GDPR from different perspectives. The responses we see from our customers are diverse and range from panic to indifference. But some IT leaders realise that this is the ultimate opportunity to roll out long-awaited security and compliance projects and increase the ROI on technology investments. This is the vision we share at Spikes.
Most organisations, and CIOs in particular, view the GDPR with concern and resignation. The concern is there because the GDPR includes a number of far-reaching measures to protect the personal data of customers, suppliers and employees (in the EU). People gain control of their own data, and you have to be able to give them comprehensive information on how that data is used. The consequences of non-compliance are unfortunately larger than just a blush of the cheeks: infringements can be punished with fines of up to 4% of a company’s worldwide annual turnover (or €20 million, whichever is higher). The resignation is there because the reformed EU legislation creates many more responsibilities, and therefore more work for the CIO. Your organisation must be GDPR-compliant by 25 May 2018. This means you must mobilise all available resources and people to satisfy the operational and legal requirements, and also to survive a possible GDPR audit in the future.
But we can also look at the GDPR in a different way: not as a barrier but as an opportunity. An opportunity to provide IT with the necessary new resources and tools. An opportunity to analyse and improve your data security and data management, to take a big step forward in a transformation process that goes beyond the requirements of the GDPR, and to build something that you can scale for the future. Maybe it is the ideal lever to bring about changes that have long been overdue … and the enabler for all this: Microsoft technology.
A new wind, not a hurricane
Belgian state secretary De Backer puts it clearly: “The new privacy law is a new wind and not a hurricane. It is an opportunity for companies to consider how they store data, how they process it, and to look again at the protection of the data.”
The changes that the GDPR requires of companies and their data management are considerable. Taking a critical look at the challenge, and certainly at the price tag, is only logical. When personal data on contact persons is misused, it can have far-reaching consequences. But is it not something that you as a company genuinely want to put in good order anyway? That the personal data of your customers and employees is always secure?
GDPReady for change?
The new regulations on privacy and data protection are intended to increase the protection of the individual in the digital economy, to build trust, and so to generate more business for all companies. If you only see the GDPR as a tiresome regulation from a European bureaucracy, you are missing the transformational opportunity. It heralds social, cultural and economic change that requires companies to look at the management of data in a new way, in the context of an emancipated, worldwide digital society where people are taking back control of their personal information.
Know your business
When you as a CIO at a company or institution have to rise to this challenge, the GDPR is the ideal opportunity to fully map out the data flows and processes in your organisation. In doing so, you gain insight into the behaviour of employees, suppliers and (potential) customers and into all the technologies involved.
So first of all, map out the business structures of your enterprise clearly. Look critically at which data is available, where it is stored and how it is used (and therefore also how it can be misused). Be sure not to forget your unstructured data (documents, Excel files, etc.). These can also contain personal data and are covered by the regulation. Just imagine that someone unintentionally sends an Excel file with personal data to an unauthorised addressee! Also distinguish between the different business processes and understand how data is exchanged between them. You can then determine how data can be used better within the bounds of the new legislation, which processes can be improved, and particularly how this fits into the wider ‘transformation’ picture. Examples of business functions are Finance/Accounting, HR, Operations, Sales, Marketing, IT, Legal, … The diversity of processes will vary depending on the size of your company.
It is also important to map out the culture of your organisation: how data is processed and used. This is indeed the biggest challenge, because the GDPR is truly a cultural change in how organisations must use personal data. It concerns how an organisation obtains personal data, and how it must store, process, protect, secure, share and delete it. Entire business processes will have to be fully overhauled. The GDPR therefore applies not only to the IT department, but to every employee who comes into contact with personal data in any way. The right technology and tools can not only assist here, they can also drive a real culture change.
The GDPR as catalyst for innovation
The conclusion: this is the ultimate moment for the CIO to integrate data protection into his or her strategy, processes, structure and corporate culture. It is a task that the CIO cannot complete alone; everyone in the organisation has a part to play. It must be supported by an appropriate strategy, structured processes and the right mindset, with the GDPR as the catalyst for these new investments.
Besides a strategic organisational change, companies will also need the right tools to support compliant data management. This does not, however, necessarily mean replacing the entire existing infrastructure. Flexible and adaptable solutions are needed to allow companies to change and evolve. The GDPR will for the first time compel companies to create a realistic roadmap to make every workplace a secure, modern workplace. New regulations will always cause a cultural shift in the business community, but the GDPR will be one of the first regulations to truly have consequences worldwide.
25 May, a new start
So, do not see 25 May as the end of a road, but as a new start: the start of a totally new way of looking at privacy and how we treat it within an organisation. We believe that privacy is a fundamental right. And we believe that the GDPR is an important step towards clarity on individual privacy rights, and towards respecting those rights. But we also see that the GDPR pathway represents a significant challenge for the CIO. We will be happy to help you rise to this challenge. Use the assistance of Spikes and contact us using the form below for a clear assessment of your data management, a realistic approach, and the right tools to make your workplace a secure, modern workplace too.