GDPR Countdown

Uploaded on 2018-04-07 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

When did your company become aware of the General Data Protection Regulation and the need to do something about it?

GDPR has been a running story in DataIQ since it launched in 2011, through the 3,000-plus amendments and four years it took to become law and now in the final few months running up to enforcement.

With the first GDPR Impact research in 2016, 46.0% of businesses said they were very aware of the new data protection law. One year later, however, this figure was stuck at nearly the same level (50.0%).

Yet the last 12 months seem to have been decisive with a dramatic rise in this number to 84.3%.

Compliance is hard won and Never Certain

If this had not happened so close to the enforcement regime starting, it would have been a cause for concern. Companies need to look deeply into their data-driven processes, data management and data governance policies.

What they find is not always easy to resolve, which may explain that only 25.4% describe themselves as very prepared for GDPR.

Compliance is hard won and never certain, so it is understandable if 61.0% describe themselves as somewhat prepared.

With much guidance still pending and legal opinion either conflicting or so risk averse as to make existing business practices often look impossible to bring into line, it is better to adopt a cautious view.

But that is only if the Regulation is viewed from a purely compliance point of view. It certainly merits a legally-oriented perspective at the outset of any programme. Unless those strictures are closely considered and mapped against the operating model of the business, it will be difficult to spot the gaps in which risk might arise.

Ticking the box of compliance should not be the end-point, however. Whatever the letter of the law, GDPR is also a major opportunity to reset the relationship with customers and get ahead of any concerns they might have about data sharing, security and control.

This is why maturity in the adoption of data and analytics becomes a strong indicator of whether the underlying culture of an organisation has evolved or if it is just trying to stay within the parameters set out by the Regulation. In this perspective, there seems to be a positive correlation between preparing for GDPR and data ratification of the business.

Back in 2016, just 39% described themselves as in the upper two quintiles of maturity (Managed and Optimised). This year, the number has risen to 62.7%, meaning the majority of UK companies are putting data and analytics at the heart of how they operate. That is likely to mean they will realise commercial benefits from their compliance efforts, not just risk mitigation.

“It comes down to knowing how and where to focus training and measurement, rather than system fixes.”

So how can your company find out whether it is heading towards both compliance and value-adding data maturity? One way is to carry out a capability audit, like DQM GRC’s RADAR.

As technical director Peter Galdies explains, “this involves a real inspection of practice and process to understand the business thinking and highlight where business process needs to be re-engineered. Often, this comes down to knowing how and where to focus training and measurement, rather than system fixes.”

While it is tempting to believe that organisations only need to assess their compliance with GDPR once, the reality is very different, he warns.

“The law itself requires that the organisation be capable of continually demonstrating its compliance, and if you are the kind of organisation that needs a Data Protection Officer, then a key part of that role is to audit or assess that compliance.”

In fact, when it comes to implementation, the GDPR river runs very deep indeed. The cultural and system changes expected by the legislators cannot be fixed by technology or training alone and require a process of continual self-inspection. This is inherent in the expected behaviours of “privacy by design” and “data protection by default” which the regulators demand of organisations under the GDPR regime.

“To effectively understand your organisation’s ability to comply both today and, importantly, in the future, a robust assessment process (like our GDPR Radar) has to examine not only if you have the right controls, but also if you have the right management systems in place around those controls to ensure they will still be working for you going forwards,” says Galdies.

“That means measuring the maturity of your compliance processes, not just ticking boxes.”

Evidence gained from a data audit of this type provides a powerful basis on which to explain to the board what more might need to be done, above and beyond any box-ticking for compliance purposes.

It is also a useful demonstration of accountability to prove that you are reaching for compliance, too. And hitting two birds with one stone is always a real sign of advanced abilities.

To contact the GDPR Advisory Board please visit:  www.gdpr-board.co.uk

DataIQ

You Might Also Read:

GDPR - Questions & Answers:

« AI And Blockchain In A Disruptive World
Six Steps to Protect Customer Data »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Landry & Associates

Landry & Associates

Landry & Associates is a multidisciplinary firm specializing in risk management, performance and technology management.

Secure Identity Alliance (SIA)

Secure Identity Alliance (SIA)

The Secure Identity Alliance is dedicated to supporting sustainable worldwide economic growth and prosperity through the development of trusted digital identities and the adoption of secure eServices.

Swivel Secure

Swivel Secure

Swivel Secure is an award winning provider of multi-factor authentication solutions.

Avatu

Avatu

Avatu specialise in providing clients the advice, technology and tools they need to fight cyber and insider threats.

Cybersecurity Credentials Collaborative (C3)

Cybersecurity Credentials Collaborative (C3)

C3 provides a forum for collaboration among vendor-neutral information security and privacy and related IT disciplines certification bodies.

BMS Group

BMS Group

BMS is an independent, employee-owned specialist insurance broking group. Broking solutions include Cyber and Technology.

SynerComm

SynerComm

SynerComm is an IT solution provider specializing in network and security infrastructure, enterprise mobility, remote access, wireless solutions, audit, pentesting and information assurance.

Plurilock Security Solutions

Plurilock Security Solutions

Plurilock is a real-time cybersecurity solution that uses artificial intelligence to identify, prevent, and eliminate insider threats.

Secudos

Secudos

SECUDOS is an innovative appliance technology and services provider focused on IT security and compliance.

ProWriters

ProWriters

As a leading cyber insurance company, ProWriters offers flexible Cyber Liability Insurance coverage designed to cover privacy, data, and network exposures.

Billington CyberSecurity

Billington CyberSecurity

Billington CyberSecurity is a leading, independent education company with an exclusive focus on cybersecurity.

Gilsbar

Gilsbar

For more than half a century, Gilsbar has offered insurance service solutions and support for businesses and their employees.

Plerion

Plerion

Plerion is an all-in-one Cloud Security Platform that supports workloads across AWS, Azure, and GCP delivering cloud security posture management, workload security, data security and more.

Allot

Allot

Allot are a global provider of leading innovative network intelligence and security solutions for Service Providers and Enterprises worldwide.

Munio

Munio

Munio is a leading Fortified IT Support and Cyber Security companies in the south east of the UK.

GrayHats

GrayHats

GrayHats is a platform-based cybersecurity company devoted to delivering comprehensive, scalable, and proactive protection for businesses in an ever-evolving threat landscape.