Security Think Tank: Benefits of GDPR compliance
What strategies can information security professionals use to shift focus from General Data Protection Regulation fines to enabling business gains and success, changing the way data is used, and aligning data privacy with business purpose?
A full year after the General Data Protection Regulation (GDPR) came into full force, many companies still have a lot of work to do in meeting its compliance requirements.
Perhaps those companies are prepared to risk paying any levied fine – up to 4% of global turnover – should they be subject to an investigation by the Information Commissioner’s Office (ICO), rather than put the required effort into compliance.
But there are business benefits to be gained from achieving GDPR compliance. Could attracting new clients and retaining existing ones by being able to leverage GDPR compliance in marketing terms be viewed as a benefit? I believe the answer to this question is “yes”.
Perhaps the improved control over personal data that GDPR requires could be obtained through better use of the security features found in access control systems such as Microsoft Active Directory. Might this lead to a more secure IT infrastructure overall? Again, the answer here is “yes”, and more so if those security features are applied across the board and not just to personal data.
Surely, a more secure IT infrastructure is a positive marketing point, one over the competitors perhaps?
The benefits of GDPR compliance could be said to be:
1. Better control over data. This can be achieved by:
- Creating and filling a data protection officer role;
- Identifying a defined owner for each data type (HR, finance, project, etc);
- Clearly defining who can create, access and modify specific datasets (a function of the data owner).
2. Providing better protection of data (both physical and electronic) through:
- The creation of a data asset register;
- Data cleansing, which would lead to the elimination of duplication, create data consistency, and identify and remove illicit copies of data;
- Implementation of fit-for-purpose access controls, such as rigorously applying the “need to know” principle;
- Regular data protection impact assessments (DPIAs).
3. Proof of due diligence:
- The ability to ‘prove’ due diligence in GDPR compliance would be valuable, in terms of the level of any levied fine, should the worst happen and personal data be leaked.
4. Marketing opportunities:
- The opportunity to create a positive marketing message as a follow-on from being able to “prove” compliance and due diligence.
How does a company prove GDPR compliance such that it can leverage it in marketing terms? Public statements about taking GDPR seriously need to be made – on websites and company literature, for example – but these also need to be backed by displaying the certifications obtained.
While policies and procedures relating to the gathering and handling of personal data, particularly where manual processes are involved, are important for GDPR compliance, the role of IT and IT security is equally, if not more, important in the protection of personal data.
A GDPR audit is a good starting point, and an internet search using those terms will flush out companies that will do those audits (at a cost, of course). The search will also throw up some websites offering advice, including the ICO website.
A GDPR audit could be added to an ISO 27001 review for large companies. For smaller companies, undertaking an IASME Governance Self-Assessment is recommended as it includes both Cyber Essentials and GDPR questions.
Of course, the IASME Governance Self-Assessment would be an excellent starting point for any organisation, irrespective of their longer-term audit and certification plans.
In closing, it has to be said that GDPR compliance is intimately tied up with good information security, and information security, along with GDPR, needs to be a board-level responsibility.