The EU General Data Protection Regulation – in short, the GDPR – marks the biggest change in EU data privacy laws in more than 20 years, and it will have a transformative effect on the way companies manage and secure personal data. With less than a year to go until it comes into effect, organizations are really starting to get to grips with what the GDPR will mean in practice. The regulation will bring with it new obligations, but there’s a carrot as well as a stick. Getting data protection right requires an upfront investment, but offers a payoff down the line – not only in better compliance and data breach prevention, but as a competitive advantage.
Instead of searching for quick fixes to comply with the GDPR, organizations should look beyond the May 2018 deadline and focus on sustainable improvements. In the best case scenario, a proactive approach towards data privacy and cyber security can even result in new business opportunities.
To ensure the success of GDPR compliance, it is essential to get senior-level buy-in: every successful compliance project starts from an organization’s core business objectives. The key questions that executive leaders should be asking themselves are:
A compliance project will not produce optimal results if it isn’t based on a clear business strategy, no matter how well it is managed. Consequently, an organization should only move forward with the compliance project once a solid foundation is in place.
In addition to engaging executive leadership, the GDPR also requires extensive cross-functional collaboration if businesses are to comply with the regulatory changes by 25 May 2018 and drive effective long-term transformations within their organizations. GDPR preparation is not just an IT project, and neither is it an initiative solely impacting the work of Privacy or Security Officers – quite the contrary. Collaboration will be vital in driving compliance. For example, marketers must work closely with the Legal and IT departments in order to be transparent about the handling of customers’ personal data, and IT teams should liaise with legal experts to review supply chain arrangements, revising contracts where necessary.
Why cyber security matters
From a GDPR perspective, organizations are expected to assess whether their data processing activities, and the potential risks for data subjects resulting from those activities, are covered by their current security measures. In this regard, the regulation does not state the specific security measures that organizations need to undertake to be considered compliant with the legal framework. The regulation simply makes it the organizations’ duty to assess and decide what types of measures shall be implemented to comply with the GDPR, and to ensure that all precautions are undertaken to minimize the risk of data breaches.
Deploying the appropriate people, processes and technology controls puts you in the best possible position to protect your organization from accidental or malicious data breaches. By implementing a sensible remediation roadmap and protecting all personal data, your organization reduces both the likelihood and potential impact of a data breach.
In this sense, solid cyber security operations are an essential part of GDPR compliance – now more than ever all companies need to make sure that they are protected against different cyber threats. Breaches have nasty consequences already, but their potential impact for businesses will be worsened significantly with the addition of the fines and PR damage associated with the GDPR.
In the video below F-Secure’s Principal Security Consultant Antti Vähä-Sipilä discusses the measures companies need to undertake to achieve long-term GDPR compliance.
This blog post serves as a snapshot of our new eBook, which discusses the basic principles and concepts included in the GDPR. The eBook delves into the key factors needed for proper GDPR preparation, and lays out the responsibilities that different organizational functions have in the compliance project. We also consider the role of effective cyber security in maintaining continuous GDPR compliance well into the future.