Why is GDPR compliance not just an ‘IT issue’ – Part I of II
By Claude Schuck, Regional Manager for Middle East and Central Africa, Veeam Software
There are still a vast number of organizations that have not taken the necessary steps to ensure GDPR (General Data Protection Regulation) compliance. The problem surrounding GDPR compliance is that it’s thought of as being just an ‘IT issue’. Lots of businesses seem to either have an inflated sense of confidence around how they already handle data, or they’re shrugging it off as someone else’s problem – which is to miss the point entirely. Compliance with the GDPR, in terms of both preparation and maintenance, should be a company-wide effort. Not least because companies who are found to be non-compliant could face hefty fines that would affect everyone.
And if the stipulations of the GDPR seem significant, it’s because they are. We’ve not had any updates to data protection laws since 1995 and things have changed a lot since then. The way businesses collected and stored personal data back then is no doubt very different to the way they do it in 2018.
When you put it like that, the GDPR seems pretty overdue. Today’s organisations should be welcoming it as an opportunity to update their whole relationship with data protection and make it fit for the future, implementing a methodology that’s built into the fabric of the organisation – not an afterthought or just something for IT to deal with.
The way we see it, there’s a very simple way to frame your approach to GDPR compliance. The five steps detailed below are the process we at Veeam went through to prepare. Now we’re sharing it with you, in the hope that you’ll be able to complete your own journey to compliance.
Knowing your data
If you’re a business that has or holds data on EU citizens, formally known as Personally Identifiable Information (PII), then the GDPR applies to you. That means you’re liable to penalty fines if you’re found to be non-compliant after the deadline of 25 May 2018, which has now passed. The best starting point, then, is simply knowing whether you hold this kind of data or not, and if you do, where it’s kept. Creating a visual map of all the data you hold will help you to build a comprehensive picture and get better oversight of it.
A lack of knowledge around the kind of data they hold may be another reason why so many businesses don’t seem to be taking much notice of the GDPR – or just don’t think it applies to them. It could be that they don’t believe they hold any relevant data (hint: if you employ EU citizens, you do), or don’t realize the breadth and scope of the data they do hold (hint: personal data is more than just names and addresses). Which is precisely why just knowing your data is the first step on your journey to compliance.
Managing your data
Once you’ve built up a picture of all the relevant data you collect and hold, it’s time to look at who has access to it and how it’s being used. Different teams and departments in your business will be accessing the same data in different ways and will be using it for varying purposes. Whether it’s a marketing team inputting data on prospective customers and sharing it with the sales team, or an HR team handling data on its own employees, it’s essential that you implement standardized procedures and workflows around the handling of personal data, and that employees only have access when it’s necessary to their business function.
(Remaining three steps of the GDPR compliance op-ed will be released on June 11)