Ensuring GDPR compliance & managing cyber risk through communication


A little more conversation: vital steps to ensuring GDPR compliance

Dr Guy Bunker, SVP of Products at Clearswift, discusses how the disparity between board and management is hindering GDPR compliance.

With the enforcement of the General Data Protection Regulation (GDPR) just a few months away, organisations are frantically implementing processes and adopting technologies that will ensure they become compliant by the May 25 deadline. However, there are still conflicting views within businesses, specifically between board and middle management employees, on how ready and capable organisations actually are. This disconnect creates a huge potential for a skewed picture of how prepared they really are to comply with GDPR.

Clearswift’s latest research study, which surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia, reveals that board members are far more confident than management-level employees about their organisation’s ability to comply with GDPR. In fact, 41% of board level respondents believe they have everything in place ready for May 25th while just 25% of senior management and 21% of middle management respondents agreed.


GDPR and the right to be forgotten

The research also revealed that right to be forgotten (RTBF) requests are a point of division between board and management. RTBF requests have the potential to grind organisations to a halt – through the excessive use of resources needed to ensure all references to an individual are removed from the company’s systems. Clearswift's research findings show that over half of board respondents believe their organisation is in a good position to handle this. However, middle management respondents seem to be more realistic about the topic, with just 36% believing their organisation could cope.

If businesses do not act quickly to rectify the miscommunication on GDPR, there will be a number of consequences to face. Alongside hefty fines for non-compliance, businesses will be faced with depleted resources, racing to ensure that they put the necessary processes in place, causing massive disruption to day-to-day operations. Therefore, board level employees must turn to their ‘men on the ground’ now to get a real view of their organisation’s readiness.

While the board is often removed from the day-to-day handling of data, middle management-level employees are in fact in the best position within a company to see the data. They know where it is stored, how it’s being used and how it moves throughout the organisation and across its boundaries. By engaging with middle management on the topic of GDPR, board members can gain a clearer understanding of their business’ readiness to comply and consequently be in a better position to address any outstanding issues and enforce solutions.


Data processing and risk

Understanding how data is being processed and shared within an organisation is the key to being prepared for GDPR. Talking to management about the particular processes currently in place, and whether they pose a potential risk to the company’s compliance, will give the board a better overview of where improvements need to be made. Having the same understanding of critical data control as management-level employees means that board members are in a position to support change implementation and ensure their organisation handles critical data correctly.

Additionally, understanding these processes from management level will give a much deeper awareness of the extent of data sharing within the organisation. Board members are often shielded from the improper, time-saving workarounds that have been put in place at lower levels, and so do not have full awareness of where critical data goes 100% of the time. Many organisations will have duplicated data – whether through emailing to private accounts or saving to personal devices – without anyone really being aware it is happening. If staff are duplicating data unknowingly, no organisation will be able to execute RTBF requests correctly.

Therefore, processes need to be put in place to ensure that an organisation is in a good position to comply with GDPR before the deadline. Introducing data protection, management and handling policies will allow for visibility of critical data sharing and ensure the entire workforce has the same level of understanding. Only once these processes are in place can the technology that helps adhere to compliance be introduced. Implementing these kinds of IT solutions – such as data redaction or document sanitisation – will also mean that if RTBF requests do come in, there will be less pressure on staff to perform the action individually, giving management more reason to believe that the organisation can cope.

People, processes and technology are the three vital areas that organisations need to review to gain visibility and control of critical data in order to comply with the GDPR. The board must work together with middle management on their organisation’s GDPR project to gain a clear understanding of the state of their organisation’s preparedness, bridging any difference of opinion and supporting management with deploying necessary changes.

Guy Bunker of Clearswift specialises in Data Loss Prevention

Dr Guy Bunker is Senior Vice President of Products at Clearswift, a cyber security company providing adaptive data loss prevention security. Clearswift is owned by the RUAG defense group.
