When you get the opportunity to speak with an Information Security expert, it’s inevitable that GDPR will come up at some point in the conversation. Following our recent executive round table I had the opportunity to chat to our guest Patrick Wheeler, a renowned expert in the field of Information and Cyber Security. He shared an interesting take on GDPR and the wider topic of Information Security compliance.
Regardless of the size of your company, if your business involves collecting or processing information on EU nationals or businesses, you are required to comply with GDPR. You need to take demonstrable steps to only utilise data that you have permission to use or a justifiable reason to process, and to take the necessary steps to secure this data.
The GDPR legislation came into force in May 2018 and whereby many companies have already taken steps to comply, many more businesses are still coming to terms with what is required from them.
I am sure that many people will agree with Patrick’s view that “check-box compliance annoys everyone, it’s an inconvenience and a cost”.
However, as Patrick pointed out, compliance is a must if you don’t want to fall foul of the regulator or to be seen by customers as not taking the security of their personal information seriously.
Patrick’s view is that there is much more to be gained from compliance than merely a tick in a box. “Organisations need to put compliance to good use – look for how they can get it to generate a positive.”
Whether it’s GDPR, ISO or a form of industry-specific regulation, the process of achieving compliance requires a look at processes and, in the case of GDPR, how information and personal data flows throughout your organisation. In taking the time to understand, document and analyse these processes, there is a tremendous opportunity to identify ways to improve the way you work.
Often by streamlining a process, you reduce the amount of data touch points. This inherently reduces the risk of a data breach while at the same time making your processes more efficient and more likely to deliver a better service to your customers.
It’s often the case that people do things in certain ways because that’s the way they’ve always done it. They are often unaware that a process or work practice has any risk associated with it unless a breach has already happened. Involving your people in a GDPR or compliance review is a perfect way of getting them to think differently.
Why is the data held here? Why is a local copy taken? What would make the data more secure? These are not just good questions when auditing for compliance, they are great questions in terms of getting people to think about what they are doing. As mentioned in an earlier blog Why business leaders should not ignore cyber-security, the human factor is critical to cyber resilience and the more that you get your people to think about the risks and how these can be mitigated, the more good practice becomes a habit and part of your culture.
Patrick is quite clear with his advice. “To not fall foul to the regulators, leaders need to evidence that they are on a track of improvement, if they don’t or can’t, then they need to be concerned”.
This is not just for the regulators, it’s the same for customers. If you process data for another business, then it’s highly likely that they will be reviewing your processes more stringently than any regulator. If you’re collecting end customer data, then knowing that you take your responsibilities seriously is not only reassuring but expected.
Contact the Conosco team on 0800 368 8690, email us at info@conosco.com or visit our IT Security page to find out more about how we can help your business.