New data regulations are making waves across industry. How prepared is your business?
High-profile data breaches at some of the world’s largest tech brands including Amazon, Facebook, Gmail and Twitter have put cyber security and the protection of customer information at the top of the agenda for C-level executives.
With the introduction of the General Data Protection Regulation (GDPR) next May set to formalise this further, businesses are faced with a two-pronged challenge of staying compliant and secure, while still being able to harness the power of their data.
GDPR poses a fundamental and permanent shift in the way that organisations should think about data and their approach to cyber security. It will affect every organisation, whether public or private, charity or governmental.
The regulation will introduce harsher penalties for non-compliance and breaches and will provide consumers with more power over what companies can and cannot do with their data.
To stay compliant under GDPR, businesses will need to ensure that all data is processed lawfully, transparently and for a specific purpose. Crucially, once this purpose has been concluded, the data cannot be held and needs to be deleted.
How, therefore, can organisations ensure they are compliant with GDPR and are able to combat the technological and skills challenges they could face?
The skillsets in demand
With its emphasis on protecting customer and employee data, GDPR gives organisations a renewed focus on the big data and cyber security skills they need in their organisation. Wider coverage in the media has, by and large, focused on the implications for the financial services market and the problems it could face as a result of the digital skills crisis.
While the finance industry certainly will have to make adjustments, it is already relatively well equipped for the upcoming regulation shift. This is because there is already a robust legal infrastructure in place to protect sensitive customer information, such as individuals’ bank accounts and personal details.
However, businesses in other industries aren’t necessarily tied to such tight frameworks, yet still store huge amounts of unstructured data.
This is particularly prevalent in sectors like retail where businesses accrue data almost accidentally, through every daily customer interaction and purchase. They could now be at risk without realising it, as GDPR will impose big fines on those businesses that continue to operate in this way.
The crucial questions that businesses from every sector now need to ask are: “What data do I have?” and “Why do I need this data?”
Not just an IT issue
It’s easy to think of a data issue as something that only concerns the IT department, or a financial regulation as something that only impacts the finance team. But GDPR will touch every part of the business.
As a result, security and data now represent a challenge for the entire organisation. When GDPR comes into force next year, the key word will be accountability. Businesses must make sure that every department and employee is aware of how to remain compliant with the regulation.
And GDPR won’t just impact the business from a security perspective. The implications are far more wide-reaching. Take marketing for example – as much as 75% of marketing data could become obsolete as a result of GDPR because only 25% of existing customer data meets the regulation’s requirements.
So much customer data is currently collected via individuals’ “failure to opt out”, which will no longer be seen as sufficient consent after the May deadline.
Moving forward, marketing teams will have to work very closely with both their IT and legal departments on all day-to-day activity to ensure they keep within the regulatory lines and that there is a clear and consistent permissions trail for all processes.
Take stock and get the balance right
Employers must take a long-term view to ensure they are compliant with GDPR. They need the right skills and knowledge to be ingrained in every department across the workforce without adding endless expensive headcount indefinitely. Here are three steps that businesses can take:
Audit of IT and skills
The first thing every business needs to do is a comprehensive audit of their current capabilities against the legal requirements they will soon face. This applies to both the technology systems themselves and the available skills within the workforce.
This needs to be an urgent priority as businesses may need time to respond to the findings. External experts are often a good option to conduct such an audit, as a third party looking into the business with a fresh pair of eyes may uncover issues that others might not.
Hire contractors to instil the change
Short-term contractors are also a valuable resource to call upon between now and May 2018 to bring the organisation up to speed. They can use their varied experience to get the business into shape quickly without adding any permanent headcount to the balance sheet.
Disseminate compliance throughout the business
In the long term, organisations must work towards ensuring that every employee across every department is aware of their accountability to GDPR and has the necessary skills to play their role in compliance.
GDPR shouldn’t be perceived as another regulatory hoop to jump through – it can be a competitive advantage.
The insight that can be derived from a company’s data is vital to the way that it operates today and those that get GDPR right will increase the trust that customers have in sharing more of their valuable information.
But business leaders must start today by identifying the gaps within their organisation and engaging the wider workforce to ensure a long-term solution.