Only 29 per cent of small businesses and 41 per cent of mid-size businesses in Europe have taken steps to prepare for the GDPR, according to IDC, and there’s no reason to think that organisations elsewhere in the world are any more ready for the May 2018 deadline.
But panicking can do more harm than good — you’re likely to make costly missteps. If your organisation isn’t prepared, you definitely need to get moving. But be sure to avoid these common mistakes that can harm your company.
Mistake 1: GDPR obsession
With the GDPR deadline looming and compliance challenges in the headlines every day, it’s easy to rush and make bad decisions. The most absurd example might be the British airline Flybe: in its eagerness to prepare for the GDPR, it crafted an email advising users to update their personal information and marketing preferences, and sent it to its entire customer base — including people who had unsubscribed from the company’s emails. That rash action violated an existing law, the Privacy and Electronic Communications Regulations (PECR), and got the company slapped with a £70,000 fine.
If you’re unsure about how to meet the requirements of the GDPR, don’t do anything in haste. Seek counsel from legal advisers and other experienced consultants before taking action. Prioritise your efforts. And keep in mind all the compliance standards you are subject to, so you don’t violate one as you try to comply with another.
Mistake 2: Taking a fragmented approach to security
GDPR compliance requires a comprehensive approach to security that involves not just technology, but also governance, processes and people. However, a recent Forrester report found that 26 per cent of EU firms that claim to be GDPR compliant are focusing too heavily on IT measures to meet only specific GDPR requirements, such as consent or data breach notification.
IT processes alone are not the most effective way to protect your organisation from security incidents and audit penalties. I urge you to see the new GDPR legislation as an opportunity to revisit the basics to see how you can improve cyber security across your IT infrastructure. In particular, make sure you know where your sensitive data resides, who has access to it, and which services and software are the most critical for your business.
Mistake 3: Being reactive rather than proactive
The GDPR requires a proactive approach from your IT department, which is often easier said than done. During a recent presentation for IT security professionals, I did an informal survey about how proactive they consider themselves to be. It turned out that 80 per cent of them are reactive to new compliance requirements and lack a long-term strategic approach. Big mistake.
If your IT department is overwhelmed by routine troubleshooting, it won’t be able to prevent data breaches, respond promptly to customers exercising their right to be forgotten, or comply with other GDPR requirements. Try to figure out the root of the problem: Is your department understaffed or lacking the expertise you need? Are your security systems insufficient or poorly managed? Are employees unaware of proper security procedures? Each answer requires different actions, so find the root cause first.
Mistake 4: Putting responsibility on IT only
At the same time, the worst thing you can do is to blame your IT people for compliance failures. In practice, if a data breach occurs, the problem often lies outside the IT department. The Netwrix IT Risk Report found that 65 per cent of organisations have experienced security incidents, and most were due to human error and malware. You don’t want to get fined because someone copied a file containing customers’ ID details to their laptop or clicked on a malicious link that delivered ransomware, so make sure all employees who deal with sensitive data (such as your marketing, sales, accounting and legal teams) are trained on your cyber security policies and procedures. Make sure your educational efforts go beyond boring lectures about security: include relevant case studies and edutainment programmes. More broadly, work to establish a new business culture that puts security and personal data privacy at its centre.
Mistake 5: Being too radical
Richard Stallman, president of the Free Software Foundation, has suggested that, instead of protecting and regulating personal data, we should ban its collection. I personally know of companies that have deleted all customer data that could be considered sensitive to try to eliminate the risk of GDPR fines.
These responses aren’t just radical; they’re also ineffective. Getting rid of your customer database won’t erase your obligation to report to auditors; it will just hurt your ability to compete. Auditors will be looking for a credible plan to ensure compliance, so make sure you can demonstrate that you are on the right path to better control of your security. As for your customers, respecting their privacy and preferences will increase their loyalty. Imagine losing a client who has been with the company for 15 years because you deleted everything you knew about them and can no longer honour their preferences.
For too long, businesses have been collecting personal data from customers to meet their own revenue goals. The GDPR seeks to redress the balance by recognising customers’ rights and making businesses more respectful of their privacy. The scope of this change might seem daunting, especially with the deadline for compliance fast approaching, but if you do it properly, customers will reward you with stronger loyalty. Plus, if you address GDPR compliance as a strategic business challenge, compliance reporting will be easier and you’ll be in good shape when the next piece of compliance legislation comes around.
Matt Middleton-Leal is general manager EMEA, Netwrix Corporation.