As every cybersecurity expert and law enforcement pro knows, hope is not a strategy. The upcoming EU General Data Protection Regulation (GDPR) forces those who process personally identifiable information (PII) in any way to have a real strategy in place to achieve compliance. They may be in for a surprise because, perhaps unsettlingly for many IT security experts, cybersecurity tools and techniques are only part of the answer. To think otherwise is to take an incredibly myopic view of the challenge, and opportunity, that GDPR presents.
The sheer number of rights reinforced or extended by the GDPR demonstrates the scope of the issue for many organizations. In addition to the right to freedom of information, which currently keeps many EU national governments in check, GDPR introduces much stronger data subject rights around data access and the right to be forgotten.
Let’s look at the right to be forgotten and data access for a moment. In order to meet your obligations to data subjects, you need to catalogue all the PII you hold, be able to present it on demand, erase those records from your systems, and prove you’ve done so if challenged by regulators or, in the worst case, lawyers.
Nuix’s specialization in helping you build a data map, quickly search massive volumes of information, and keep data sterile and presentable for forensic inspection by legal professionals makes the whole process far less daunting.
If you have not yet switched to Nuix as part of your GDPR solution, there are five tell-tale signs the regulation may be an issue for you this year.
1. You’ve underestimated the scope of the work
Simply reviewing and upgrading your data systems, cataloguing the data held by your employees on all devices, and reiterating the heightened rules around data privacy is unlikely to be enough to comply with the full range of GDPR rules. Give yourself time to remediate the issues that your preparatory work reveals.
2. You use cybersecurity tools for information governance jobs
Clearly, no cybersecurity strategy is foolproof, and most organizations assume they will be breached (or they should). Despite this, most cybersecurity tools promise to protect against breaches. Don’t believe the hype. Failing to plan for post-breach fallout is unforgivable, and that planning starts with a strong information governance program to understand your risk landscape. That requires purpose-built software and the dedication to use it to its fullest capability.
3. You are fully confident in-house teams are enough
Before GDPR, almost no organization had a Data Protection Officer (DPO). Even assuming you already have, or are hiring, a DPO, it is unlikely that all the skills you need for ongoing compliance are in-house today. It’s simply too expensive to keep experts in data privacy law, IT security, IT infrastructure, and regulatory compliance on hand all the time. Most organizations will use external consultants for some or all of their GDPR planning and program implementation. It’s time to face the facts and secure the best help you can, before the eleventh hour.
4. You shoot for bare minimum compliance
Before any prosecutions or regulatory actions come to light, many organizations will try to ‘get away’ with minimum compliance. Their rationale? There are many other places for the regulators to look. It pays to realize that those in charge of enforcing the new regulations are incentivized to make examples of those who willfully do too little. There are also potentially 500 million data subjects in the EU, any of whom can invoke some very strong legislation, which will test even the best-prepared companies.
5. You are missing the opportunity to ‘clean house’
GDPR is not all bad news. The process to get and remain compliant is an ideal opportunity to log the state of the PII you store and process. Radically improving the data privacy you offer your customers comes with internal benefits too. Once you clarify data processes and clean up your data, you can use big data technologies to focus your efforts, develop new products and services, and reduce the cost of storing useless or outdated information.
In this way, playing by the rules may well make those who do the best job of ‘cleaning house’ an example of leadership for others to follow.