Protecting your personal data online is really important, particularly any personal data that would make it easy for people to steal your identity, or to target you and manipulate your decision making without you being aware of it. But let’s face it, all of us, in our rush to take advantage of the next cool or cutting-edge innovation in the IT space, have more or less divulged our names, addresses, e-mail, phone numbers and a host of personal preferences to countless organisations, businesses and other participants on social collaboration platforms. I mean seriously, between Facebook, LinkedIn and SnapChat, what haven’t we yet disclosed?
An additional point
More to the point, as an average small-to-medium sized business, what data do you hold that people haven’t actually exposed already? GDPR is the new EU regulation that is designed to push organisations to handle sensitive personal data of their employees and customers more carefully to avoid causing them harm or distress by exposing personal data inappropriately. So what could your company inadvertently expose or destroy in terms of an average person’s personal data that isn’t already in the public domain? Maybe health care records of employees? Maybe credit card details of your customers? Anything else? Hmmm….
If your answer to that last question is “not much really”, then I’ve got some really good news. GDPR isn’t going to ask you to do a whole lot more than you should have been doing already. You should be managing those data sets really carefully, having them encrypted both at rest and in transit. You should make sure that people that have access to those data sets, including vendors, are handling them in a way that you can easily verify and you should be able to assure the individuals whose data you hold that everything is being done with care and attention. That’s basically what you promised when you told these people that your company would treat the information they provided as “confidential”.
It’s kind of a pain to get all of that together and to make the processes transparent enough to prove that it’s happening consistently, but it isn’t rocket science. Why haven’t your teams been doing this already? Well, chances are you have had more than one IT or security person in your organisation who has told people that you should, and either you, or someone who isn’t an IT person in your company, wasn’t listening. It cost too much, seemed excessive or just wasn’t a priority that day… who knows? But now GDPR has given every company on the planet a nice, tangible incentive for taking cyber and information security seriously, and a track to run on as to how to prove you’re doing it too. (Anybody want to save their CFO 20 million Euros in fines?) All you need is a little experience and discipline to get your GDPR programme up and running. Because once it is up and running, it actually isn’t going to be that big of a deal for most SMEs.
I know, I know… I can just hear it now. “But what about mobile devices and GPS? What about disgruntled ex-employees banding together to demand the right to erasure all on the same day? What about logging in to corporate systems from home computers that other family members access? You haven’t said anything about all of that and it’s all theoretically covered by GDPR!!!” Ok, keep your shirt on. First off, yes, every company will have to work through a few of its own specific scenarios and figure out what to do about them if there is a privacy risk posed. But again, you probably should have been doing that already? Secondly, this is a blog, not a definitive white paper or GDPR instruction manual, so give me a break.
For the most part, the average small to medium sized company needs a little focus, the backing of the exec and a project manager with experience assessing GDPR requirements and implementing GDPR remediation projects to avoid all of the fire and brimstone being whipped up about failure to comply. You might need a few business process analysts for a short while and maybe a security expert now and again for the project. But sooner rather than later, all of that yields to a relatively lightweight, business-as-usual structure for handling ongoing GDPR-related requests that can be covered off by your existing staff. And in the project’s wake you will have made your company more efficient, more aware of its core processes and critical data sets, more resilient in the face of an IT-related incident, and you will have acted in good faith toward keeping safe those who have trusted your company with their personal information.
At Y2X we hire former military veterans who have received some of the best IT and process discipline training known to mankind. We then work with those veterans to help them succeed in applying those skills in civilian organisations. Regulatory compliance projects such as GDPR readiness are ideally suited to the strengths of these highly competent men and women. Contact Y2X today for a free assessment conversation about your readiness for GDPR with one of our senior GDPR practitioners. We can help you understand how to make GDPR a success story in your organisation. …And we promise we won’t try to sell you the moon in the process.