What do CIOs really think about the looming challenge of GDPR?

Gavin Whatrup shares new learnings from a recent Northdoor GDPR Round Table event run by Sales Filter.

As the clock ticks down to May 2018, the General Data Protection Regulation (GDPR) looms large in the minds of many company executives. Many of us are discovering that GDPR presents a huge test not just of our company’s resources, but of our flexibility and capacity for strategic thinking.

It’s always a valuable experience meeting with peers facing the same challenges, and hearing how they are approaching GDPR projects. I attended a recent roundtable event run by Northdoor, and it’s obvious that the level of preparedness is variable.

Awareness that GDPR exists is high, but understanding of how to achieve compliance, or even how to start heading towards it, is not – some businesses are yet to get projects underway, despite the risk of fines and reputational damage in the event of non-compliance. Thinking back to the Y2K challenge, I remember board-level understanding being significantly greater than it is for GDPR.

Even among companies from regulated industries such as finance, whom I expected to have a strong grasp of data security, GDPR is causing confusion. For companies from, say, the retail sector, with less experience in data security, the learning curve may be even steeper.

The legislation lays out the rules but not a strict set of instructions on how to comply with them. Encryption is a good example. GDPR does not mandate the use of encryption but rather that personal data be made unreadable to unauthorised parties. The use of encryption is cited as an example of how to achieve this – but it is only mentioned four times in the entire Regulation.

Plenty of people are unsure of how all this differs from the old Data Protection Act, whether GDPR replaces or augments the DPA, and how it will co-exist with other related legislation.

This roundtable was able to clear some of the regulatory fog and show that GDPR is not necessarily a bear to be wrestled with, as long as it is addressed now.

So what’s the best way to approach GDPR?

Some execs I spoke to were looking for technology solutions. For sure there are tools out there that may help, we were told, but this is predominantly an organisational and audit issue. Find out where your data is, grade it, and treat it accordingly – it is not a task to punt towards IT.

What is clear, though, is that companies trying to do it all by themselves would run into difficulties. With less than 300 days left to 25th May 2018, when the Regulation comes into force, we’re going to need some good advice to do this properly.

Get a set of measures in place, even if they deliver after the compliance date, and you’ll be well on your way to a favourable GDPR audit. If you prioritise by risk and document the process to demonstrate commitment to GDPR, you can lay the foundations for staying compliant.

By Gavin Whatrup

Source: https://www.northdoor.co.uk/gdpr-event