Burning Tree’s recent Breakfast Briefing “GDPR: What’s All The Fuss About?” was well attended by representatives from businesses keen to learn what they have to do to be compliant.
Presentations from Burning Tree, Fimatix, Privacera, Beta Systems and Fujitsu showed delegates that compliance with General Data Protection Regulations (GDPR) by 25th May 2018 is relatively straightforward – if you have the right support.
Many arrived with an idea of what might be needed and then experienced a slow, sinking feeling as they suddenly realised that they had a lot to do.
However, they all left knowing that compliance is possible by the deadline as there is plenty of help available. In addition, all the delegates agreed that scrutinising how they use personal data would, in the end, be good for their businesses.
Opening the briefing, David Lello for Burning Tree explained that, for most companies, embarking on a programme of compliance without specialist help is likely to be a false economy. It will consume large amounts of time and manpower and no business can risk failure as prosecution will be extremely damaging both financially and reputationally.
Also, there is no choice. Regardless of what happens in “Brexit”, GDPR will replace the current EU Directives and will be directly applicable to any organisation that processes the private data of EU Citizens. It comes into force on 25th May 2018 and businesses that are not compliant on that day risk fines that can amount to €20 million or up to 4% of global annual turnover, whichever is greater. No exceptions.
David also explained that readiness assessments and process automation will give businesses time to understand how exposed their organisations are to vulnerabilities. Thereafter, they can prioritise what they need to do for compliance and mitigation of a non-compliance finding. The sooner this is underway the better because, once businesses have identified the non-compliant areas, they need time to install programmes to correct and improve them.
Titled “The Age of Networkivity”, Stephen O’Sullivan of Fimatix explained that sharing data may be a mundane daily part of working lives, but businesses must put more thought into how they share data safely without barriers or intermediaries. They advocated that organisations will only be as good as their algorithms, and that Artificial Intelligence (AI) and machine learning will increasingly become the differentiator. Few things will remain private and it is vital to embrace open-source and deconstruct the barriers to access data. He said, “Customers will have increasingly more control over their data; privacy will be owned by the customer, not you”.
Ollie Hart of Fujitsu said that GDPR is an excellent opportunity for businesses because it is a business issue with an IT element – rather than the other way round. He said that GDPR driven improvements would enable businesses to protect all their sensitive information, not just personal data. These regulations will also enable businesses to drive end-user awareness, handling and processing and should initiate a database spring-clean that will make data easier to manage.
Personal data will have to be easily trackable (also a desirable outcome) and, as breach reporting has to be reported within 72 hours, all businesses must now have adequate incident response and crisis management plans. All of these systems and processes should be in place in all businesses already but, if not, now is the time to install them.
GDPR compliance will probably mean new software and processes in many businesses because they will have to demonstrate that they have robust safeguards, the correct consents, pseudoanonymization and encryption options in order to be able to use personal data. They will also need to show that they are constantly monitoring their data for breaches. Therefore, it is now crucial for businesses to identify where breaches/non-compliance could occur so that they can rectify the situation.
Balagi Ganesan of Privacera showed that by using analytics and simple dashboards, businesses can instantly see how personal data is accessed against the consent collected and, therefore, prevent any actions that would be non-compliant. In fact, installing good software now, might be all they need to do. Balagi said that by using AI and machine learning, new tools were better able to discover where data may exist in an organisation. Once discovered the tool will classify, manage and monitor the data.
Beta Systems highlighted the fact that only 30% of UK businesses have started to prepare for 25th May 2018. GDPR affects any business that holds EU Citizen personal data: employee data, customer data or supplier data – it all counts. There have recently been some high-profile prosecutions of organisations who have misused or been negligent with data and their fines went well into six figures. Les Parsonson also explained that businesses cannot be GDPR compliant without an Identity & Access Management (IAM) solution. Although IAM solutions on their own do not guarantee GDPR compliance.
All the speakers then took part in a lively panel discussion where the audience were given the opportunity to ask questions and get views and opinions from the speakers as well as other attendees.
GDPR should not impart panic – but there is an urgency for those businesses who are not managing their data well. This legislation gives you an opportunity for your security, legal, compliance and IT heads to get together and understand how you are collecting and storing personal data; how you are using it and then implement measures to ensure that you are compliant with the legislation. This will benefit your relationships with customers, staff and suppliers and can only improve the way you use data.
Take a deep breath. It is a journey, not a milestone, there are plenty of specialist consultants, and software houses who are well versed in the new regulations who will guide you on your road to compliance.
If you would like further guidance on GDPR and what your business needs to be doing to comply in time, please don’t hesitate to get in touch with the Burning Tree team either by phoning 01252 843014 or emailing richard.menear@burningtree.co.uk.