With the clock ticking, time to take GDPR seriously and put 'consumers and citizens first'
GDPR has been a massive topic of discussion in the Security, Risk and Compliance industry since last year. However, many organisations – large and small – are still struggling to grasp what it could mean for them and how to adapt: they find it difficult to figure out exactly what to do, and feel cornered between a real avalanche of – often conflicting – advice from tech vendors and consultants, and the type of generic guidance currently being produced by regulators.
Old habits die hard and many firms are defaulting to ready-made approaches and legacy ways of working by giving the “problem” either to the Legal department or to the IT department to sort out. Those two positions could lead to serious issues:
Lawyers may not fully understand some complex technical aspects of GDPR compliance (e.g. the capability you need to build to meet the demands of the 72h breach notification rule) and may have the tendency to stick to what they know best (e.g. contract updates), pushed in that direction by some of the regulator's checklists.
IT people could follow the path of least resistance and allow themselves to be pushed by countless vendors and look for the magic technical product that would make the problem disappear…
Those approaches just perpetuate the “tick-in-the-box” practices that have been prevalent for too long in that field, and few companies seem to have a clear understanding of the fundamentally transversal nature of “security by design” and “privacy by design” principles at the heart of the new regulation.
It is true that achieving some form of real compliance by May 2018 will be complex, expensive and painful for those firms which are waking up to these issues today after decades of ignorance, denial or lip-service.
Amongst those, some seem to have entered a “wait-and-see” game, either with their heads firmly stuck in the sand (“it doesn’t change anything for us; we only have personal data in HR” …), or truly scared by the human, cultural and financial costs they would have to face and the transformational effort they would need to put in place to reach a genuine degree of compliance.
They seem to believe that nothing will really happen after all, and that should something happen, they’ll just have to deal with it and fix it.
These are dangerous approaches in the context of the increased powers that will be granted to regulators by 25th May 2018 and they also miss the point which, as the UK ICO recently pointed out, is to put “the consumer and the citizen first”.
All that in a context where society at large is becoming more and more sensitive to these issues, and poorly handled media coverage could devastate brand equity and reputation.
The right way forward
Once again, for those who want to make real progress, the key, for now, is not to panic, to start by analysing their current level of maturity around data privacy matters and to build a GDPR alignment roadmap that matches their own priorities and their own resources, looking towards the 25th May 2018 and beyond as necessary: there are things that will be achievable by next year and things that will take more time. This must not become a box-ticking exercise and will be a matter of cultural shift for many firms: there is no magic product or magic checklist that is going to make you GDPR compliant in 6 months if you are truly starting from scratch today.
As many organisations enter their 2018 budgeting cycle, they will need to ensure that the right amount of resources is put aside and ring-fenced. But the problem goes far beyond financial resources and FTEs: It is key to ensure that internal sponsorship is at a level high enough to be audible across silos (legal, technical, operational) and across the firm (business units, geographies, key external partners), and to make sure a governance structure is put in place that will track alignment progress efficiently and effectively.
As we have pointed out before, evidence of strong management backing and a genuine trackable long-term approach towards putting in place the “privacy by design” principles which are at the heart of the regulation, should always play in your favour with regulators, irrespective of the actual compliance challenges you may be facing.
The key is to break from old habits, take all this seriously and start putting “consumers and citizens first”.
Corix Partners, together with DA Resilience, Next World Capital, Wise Partners in Paris and a number of experts, has analysed the impact GDPR can have around privacy and security and is offering a real-life perspective on the topic in a white paper which can be downloaded here.
Find out more about how your business can truly protect its future from cyber threats by contacting Corix Partners.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners.
He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly to the CIO Water Cooler, and has previously published articles on the InfoSecurity Magazine, Computing, C-Suite.co.uk, Info Sec Buzz and IoD Director websites. He was listed in the top 10 of the UK's 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.