How GDPR Requires More than Meets the Eye
The EU’s GDPR is on its way to full implementation, which has led a significant number of organizations to push for changes that will ensure compliance. However, companies will require more than just infrastructure changes to enforce the General Data Protection Regulation.
The deadline of May 25th is rapidly approaching, and companies are beginning to phase in their changes. These changes typically involve adjustments to heavily manual processes, automation investments as they relate to governance processes, and fully modernizing aspects of IT.
One common question that arises within organizations working to meet compliance is which part of the organization should take on the responsibilities of policy definition and enforcement. A significant number of companies have been wrestling with this question and deciding exactly where to implement GDPR. This concern involves not only the technology that should be used, but also which team can manage GDPR compliance most effectively.
Because GDPR requires important changes to pre-existing business processes, it should be self-evident that these changes will affect the ways in which companies interact with customers and their data. This means that organizations cannot simply enforce GDPR compliance via new infrastructure tools and new policies within IT departments.
It’s important to understand that conventional IT security teams aren’t in the best position to implement GDPR, as they typically focus on controls and layered protection. GDPR requires not just stricter security measures, but alterations to overall business processes, and it is these alterations that ensure compliance. The main concern here is that CISO team members fall short when it comes to the highly complicated business processes that will ultimately be affected by GDPR.
Data Protection Officers
GDPR establishes the role of a Data Protection Officer (DPO). This position within an organization is meant to support GDPR requirements. In order to achieve this, the DPO needs access and authority as they relate to changes to business processes. Additionally, the DPO will require technology investments in order to implement and monitor these processes.
The implementation of GDPR is quite involved and goes further than many expect. Changes must be made not only to security and controls, but also to business processes and the management of customer relationships and data. For many organizations, this means that compliance requires a new outlook on company culture, and more specifically on data habits. A large factor in this culture shift is empowering the DPO through staffing authority and access to budget, and ensuring that new processes and cultural shifts are consistently executed at all levels of the organization.