By Elodie Dowling, Corporate VP, EMEA General Counsel at BMC Software
With GDPR now fully up and running, we are all aware of the severe consequences organisations will face if they fail to comply with the rules set out by the regulation.
However, despite the onus put on businesses, GDPR actually represents a business opportunity for organisations to gain an edge over their competitors. Those organisations that can demonstrate that they are keeping personal data secure will gain the trust of their existing customers and attract more.
How do businesses actually protect their data?
A thorough assessment of an organisation’s digital estate and flow is the first step, followed by identification of any security vulnerabilities. Progress towards compliance should then be recorded, as should the activities that are designed to help the organisation work towards compliance. Combined, organisations should then be able to construct a robust foundation capable of standing up to auditor scrutiny.
Many organisations are placing a great deal of emphasis on the technical aspect of GDPR, but the road to compliance involves more than technology and state of the art. Organisations must break compliance down into three phases – people, process, and technology.
First, organisations should be focusing on instilling a culture of compliance. For example, implementing training sessions so that employees are aware of their role in protecting data.
Next, businesses need to establish concrete processes, which is where self-assessment and the identification of gaps come into play.
Technology is the third component and this is where discovery is crucial. How can businesses become truly compliant if they don’t know what’s in their data centres, who has access to that data, what other devices are active and vulnerable, where their sensitive information is stored and how they should be maintaining their devices to ensure they meet auditor standards?
Only by relentlessly examining internal processes can customers discover how their devices storing data are configured, how they’re connected, where any vulnerabilities sit and then piece together a plan to remediate those vulnerabilities and correct them. Data is constantly in flight so in order to transfer it in a secure way, it must be archived to protect it from the recovery implications contained within GDPR.
From start to finish, organisations need to discover, configure and automate where required. Victims of breaches have to be right all the time, whereas hackers only have to be right once. Fail to prepare and organisations should prepare to fail.
The business opportunity of the GDPR
Organisations that fail to comply with GDPR could face fines up to $20 million or 4% of their global turnover. Given the severity of the consequences for non-compliance, these have been the focus of the upcoming regulation for both the media and organisations. Preparing for the shift in requirements is something that businesses need to do. However, by doing this right, and with transparency, GDPR will present an opportunity for organisations to gain an edge over their competitors.
Focusing compliance around end customers will enable enterprises to better align their business execution to those customers and will help them to build greater relevance and trust for their brand.
Ultimately, successful businesses are those that put the customer first. If your company has a more positive reputation relative to data privacy, customers are likely to demonstrate a preference for your company even when there are other businesses that offer similar products or services at different prices. Customers are also much more likely to engage with your marketing efforts when they know that those efforts are aligned to explicit permissions that they have granted around who can use their data, what data can be used, and how it can be used.
By complying with GDPR, businesses can demonstrate value to their customers who provide data. Those companies that can do this faster and better than other businesses will not only retain the loyalty of their existing customers but will win new ones too.
Emphasising the business benefits
Business leaders are not the only ones who need to concern themselves with complying with GDPR. Protecting a company’s critical data falls to everyone and so it is crucial that all employees are practicing good data hygiene.
If the C suite is to be successful in driving forward the cultural and technological changes needed to comply with GDPR, then demonstrating the improved business outcomes will be key. Highlighting the business benefits rather than the consequences of non-compliance will give everyone the incentive they need to put good data governance into practice.