EM360Explores: Our trusted board advisers share their best tips for GDPR
Our new EM360Explores feature will see members of our distinguished advisory board share their own unique perspectives on the latest industry trends. From CIOs, to analysts, to data scientists, our board members are as varied as they are experienced, offering a well-rounded analysis of the hottest topics. However, with the EU General Data Protection Regulation (GDPR) enforcement date just 20 days away and organisations everywhere feeling the pressure to get their compliance structures in order, we decided to dedicate this special first edition to giving our readers some good advice. So scroll down and read some of Enterprise Management 360's trusted board advisers' best tips for GDPR.
Data & AI ambassador
Most large organisations have spent much effort, time and budget on the GDPR, and will be prepared. This will include things such as data protection officers, processes for breach notification, adequate consent, etc. And if they are not fully prepared, they will be working on it and will have plans in place. Large organisations will have the most problems with automating the execution of the new rights of data subjects, such as the right to be forgotten and data portability, especially if these are requested on a massive scale. This is unlikely to happen in the near future, but might change over time when customers authorise third parties to do this on their behalf. So, large organisations holding a lot of customer data should carefully monitor the data portability activity. Smaller organisations (SMEs) will have a much harder time getting prepared, mostly because of a lack of expertise, skills and resources. Most risks of data breaches will be here, rather than in large organisations. SMEs who outsource customer data management to third parties should require a GDPR compliance statement from them, so they are at least covered from the “data processor” perspective.
Senior Cybersecurity Consultant
The EU General Data Protection Regulation (GDPR), which focuses on personal data privacy and individual rights, is just the first step towards the effort of protecting your personal information on a global level. It's critical for senior leadership to drive and shape the data privacy program across all business units. The process of protecting personal information is no longer an IT security effort. To ensure that personal privacy programs extend to all business units requires senior leadership to become the driving force behind your organisation's efforts.
Deal Assurance Manager
In our recent whitepaper The Digital Business Continuum we described regulatory changes (like GDPR) as one of the sources of disruption in a model we called the “Disruption Trinity”. Like any disruptive force, there is no doubt that GDPR creates both challenges and opportunities.
My tip regarding GDPR would be to think about how you can really embed it into your approach to software development (rather than treating it as an “add-on”). I remember discussing how you can embed security into Agile software development with Larry Maccherone (who wrote the DevSecOps Manifesto), and I think similar principles apply when it comes to data protection. It will never be enough to only have a “gatekeeper” who checks that GDPR requirements are being met: rather, everyone involved has to feel responsible for ensuring that data is managed in a way that is not only legally compliant, but also morally and ethically justifiable.
Former Chief Data Officer
Lloyds Banking Group
My 5 quick tips to people enjoying their GDPR journey to compliance:
- Don't believe in the silver bullet, no tool will make you compliant!
- Be proficient at your Metadata: knowing at any point in time and space where critical data is, is tough, but it is an extraordinary vantage point
- Be mindful of your Achilles' heels: Data Quality and Record retention
- True awareness is required across the whole organisation; err on the side of overcommunication
- It is not tick-the-box compliance, it is a lifestyle change of attitude with regard to Data (all of it, not just Customers')