The General Data Protection Regulation (GDPR), the EU’s largest and most significant cross-border regulation, comes into effect in May 2018. Organizations and businesses operating in the EU are racing to make changes and implement new technologies in order to become compliant. With performance in the race to GDPR readiness varying widely across sectors, you don’t want to be left in the dust.
Clearswift’s latest research survey asked 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia whether their firms currently have all of the necessary processes in place to be compliant for GDPR. Leading the charge in compliance, the top five performing sectors included technology and telecommunications (32%), education (31%), IT (29%), business services (29%) and finance (29%).
Many sectors are lagging behind, with only 17% of healthcare, 18% of retail and 19% of marketing organizations currently ready for GDPR. As the average company-wide IT project takes 6 months to roll out, if you’re to stay ahead of the game and be fully compliant when GDPR lands in May 2018, you need to start putting things into action now.
The race to compliance: are you off the starting blocks?
Our findings reveal that only 26% of organizations can currently demonstrate GDPR compliance. On the plus side, a further 44% are putting the necessary processes and technological changes in place and expect to be ready in time for when the legislation comes into force. With a total of 64% of organizations expecting to pass the finishing line to GDPR compliance come May 2018, the outlook is not as bleak as previously thought. However, if you’re not expecting to be part of the 64% and are struggling to become compliant, there are key areas you should address immediately.
PEOPLE
Introduce a culture of data consciousness amongst employees
The most common departments to have budget allocated for GDPR spending are finance and IT (31%). However, every department across your organization will handle critical data that falls under GDPR. Your marketing employees will be using target audience data, your sales employees might share customer contact information, and your HR staff will handle sensitive employee data. Educating employees about how to safeguard this kind of information, and why, will engender a sense of data consciousness across departments and lower the risk of a data breach. Regular communications and training sessions on how and where to store this data safely, and how to share it safely across different platforms, will be a key step towards demonstrating GDPR compliance.
PROCESSES
Understand how critical data flows within your organization and across its boundary
Undertake a Data Flow exercise with the various departments of your organization that process and share critical data. Use technology to monitor usage and gain visibility of how critical data flows in and out of your organization. This will enable you to introduce a hierarchical structure that classifies your data by how sensitive it is, and then to ensure that policies are in place dictating who has access to each type of data based on its sensitivity. Preventing certain types of information from leaving a closed network, and creating data security contracts with suppliers that dictate how they may use personal data, are other key step changes in creating good data governance across your organization.
Locate where GDPR relevant data is stored within your organization
GDPR is forcing organizations to understand where personal data (PII) is stored and how it is used and shared, in order to ensure it is properly protected. Carrying out a Data Discovery exercise across your organization will provide you with unprecedented insight into where all GDPR-relevant data is located (e.g. laptops, desktops, servers, systems etc.). This will be essential for answering a ‘right to be forgotten’ request under the new legislation, but it can also be used to better understand compliance complexity and give you complete visibility of where critical data is stored.
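As an added illustration of the two exercises above (not code from Clearswift or the original post), the following script runs a simple data discovery scan over a constructed set of file contents, assigns each location a sensitivity tier of the kind a data-flow classification would use, and then answers a ‘right to be forgotten’ question by listing every location holding data linked to one person. The file paths, contents, identifier patterns and tier numbers are all assumptions made for the example.

```python
import re

# Constructed sample "estate": path -> file contents (not real data).
SAMPLE_FILES = {
    "laptop-01/hr/employees.csv": "name,email,nhs_no\nAda Lovelace,ada@example.org,943 476 5919\n",
    "server-02/marketing/leads.txt": "Contact: bob@example.com, +44 20 7946 0958\n",
    "desktop-07/notes/todo.txt": "Renew coffee subscription\n",
}

# Identifier detectors: name -> (pattern, sensitivity tier).
# Tier 1 = basic contact data, tier 2 = direct contact channel,
# tier 3 = health identifier (special-category data under GDPR).
# Patterns are deliberately simple; a real scanner would use validated checks.
DETECTORS = {
    "email": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), 1),
    "phone": (re.compile(r"\+?\d[\d ]{8,}\d"), 2),
    "nhs_number": (re.compile(r"\b\d{3} \d{3} \d{4}\b"), 3),
}


def discover(files):
    """Data discovery: map each location holding personal data to the
    identifier types found, the highest sensitivity tier among them, and
    the data subjects (keyed by e-mail address) the location refers to."""
    inventory = {}
    for path, text in files.items():
        found = {name: pat.findall(text) for name, (pat, _) in DETECTORS.items()}
        found = {name: hits for name, hits in found.items() if hits}
        if not found:
            continue  # no personal data here; not GDPR-relevant
        inventory[path] = {
            "types": sorted(found),
            "tier": max(DETECTORS[name][1] for name in found),
            "subjects": set(found.get("email", [])),
        }
    return inventory


def locations_for_subject(inventory, email):
    """Right-to-be-forgotten helper: every location whose data is linked
    to the given subject, so each copy can be located and erased."""
    return sorted(path for path, entry in inventory.items()
                  if email in entry["subjects"])


if __name__ == "__main__":
    inv = discover(SAMPLE_FILES)
    for path, entry in sorted(inv.items()):
        print(f"{path}: tier {entry['tier']}, types {entry['types']}")
    print("ada@example.org held at:", locations_for_subject(inv, "ada@example.org"))
```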
TECHNOLOGY
Deploy the right technology to support your organization with GDPR Compliance
Finally, technology. Technology should be deployed to enforce policies and protect your people, as well as playing a big part in ensuring your organization becomes GDPR compliant and in demonstrating your organization’s efforts to comply. The results of the monitoring and data discovery exercises will highlight gaps in your data-processing procedures and existing security infrastructure, so the technology you choose should aim to close these gaps and enhance the protection of critical information. Adaptive Data Loss Prevention technology will automate best-practice data protection processes, enforce security policy, and provide you with control and visibility of data flowing in and out of your organization across digital collaboration channels.
By choosing technology that augments the infrastructure you already have in place, instead of ripping out and replacing old technology, you can not only save costs but also become GDPR compliant more quickly.