How do you survive GDPR? Start with the processes
Your organization might feel overwhelmed when faced with the requirements of the quite-soon-to-be-enforced General Data Protection Regulation.
This is just natural. Change is always frightening, and the GDPR really requires you to think about your processes differently.
Yes, processes. They are the key to surviving beyond 2018, when the GDPR comes into effect.
There will certainly be many technologies to control the data, but as always, technology alone doesn’t bring you success. You really must think through the processes to be able to handle the requirements posed by the regulation. How and what data do we collect? Where is it stored? Who has access to it? Who should be able to access it? How do we remove the data when the time comes?
The first step of getting ready for the legislation is to find out what data you have about your employees and customers, and where it resides. Siloed data just won’t cut it anymore. All departments must work together and the organisation’s data processes need to be transparent. No more jealousy over “your own” data.
A key concept in GDPR is Privacy by Design. It means that privacy must be taken into account in all stages of the data lifecycle. Security has to be an integral part of all business processes and services from the beginning to the end. Most notably, GDPR is quite explicit that it is no longer permissible to store all personally identifiable data indefinitely “just in case”. So data pseudonymization must be introduced to all the big data efforts of the enterprise.
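The two requirements named above, pseudonymization and a defined retention period, are easy to state and easy to get subtly wrong. The following is an added illustration, not code from the original post or from Tieto: it shows a keyed pseudonym (HMAC-SHA256 with a secret that lives outside the analytics store) instead of a plain hash, because e-mail addresses have low entropy and a plain hash of them can be rebuilt from a list of candidates, and it drops records whose retention period has run out before they reach the analytics set. The key, the record layout, the retention period and the sample records are all constructed for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Hypothetical secret for the example only. In a real deployment this key is held
# in a secrets manager or KMS, separate from the pseudonymized data set, so that the
# data set alone cannot be linked back to individuals.
PSEUDONYM_KEY = b"example-pseudonym-key-not-for-production"


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a stable, keyed pseudonym for a personal identifier.

    The same input always yields the same token (so records can still be joined),
    but without the key the token cannot be reversed or brute-forced from a
    candidate list, which an unkeyed SHA-256 of an e-mail address could be.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def is_expired(collected_on: date, retention_days: int, today: date) -> bool:
    """True when the record is older than the retention period allows."""
    return today > collected_on + timedelta(days=retention_days)


# Constructed sample records as a source system might hold them.
RECORDS = [
    {"email": "alice@example.com", "collected_on": date(2017, 1, 10), "purchase_total": 120.0},
    {"email": "Bob@Example.com", "collected_on": date(2018, 3, 5), "purchase_total": 40.0},
    {"email": "bob@example.com", "collected_on": date(2018, 4, 1), "purchase_total": 15.0},
]


def prepare_for_analytics(records, today: date, retention_days: int = 365):
    """Build the analytics view: expired records are dropped, not kept 'just in case',
    and the direct identifier is replaced by its pseudonym before the data leaves
    the system of record."""
    prepared = []
    for rec in records:
        if is_expired(rec["collected_on"], retention_days, today):
            continue  # retention period over: the record does not go downstream
        prepared.append({
            "customer": pseudonymize(rec["email"]),
            "purchase_total": rec["purchase_total"],
        })
    return prepared


if __name__ == "__main__":
    for row in prepare_for_analytics(RECORDS, today=date(2018, 5, 25)):
        print(row)
```

Two design points worth noting: normalization before hashing (trimming and lower-casing) is what lets "Bob@Example.com" and "bob@example.com" collapse to one customer, and the retention check runs before pseudonymization, so the expiry decision is made on the record that still carries its collection date rather than on the downstream copy.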
What does this mean for the IT department? The processes and the company’s technology infrastructure must work in tandem without any glitches. And this most likely means that a more or less thorough overhaul of current processes is in order.
If the CIO, preferably together with the DPO, isn’t already cooperating very closely on a daily basis with the business leadership, now is a great time to start. IT must understand the business implications of the new regulation in order to design systems in a way that supports the business in the best possible way.
GDPR is worded in quite generic terms, as you would expect from legislation that is supposed to endure a decade or more of technological and societal development. Therefore, starting from the processes and applying a healthy dose of common sense is probably the best course of action right now.
For more information on Tieto Security's view on cyber security, please see our white paper.