Complex Made Simple

Why is GDPR compliance not just an ‘IT issue’- Part II of II

By Claude Schuck, Regional Manager, Middle East and Central Africa, Veeam Software

There are still a vast number of organizations that have not taken the necessary steps to ensure GDPR (General Data Protection Regulation) compliance. The problem surrounding GDPR compliance is that it’s thought of as being just an ‘IT issue’. Lots of businesses seem to either have an inflated sense of confidence around how they already handle data, or they’re shrugging it off as someone else’s problem – which is to miss the point entirely. Compliance with the GDPR, in terms of both preparation and maintenance, should be a company-wide effort. Not least because companies who are found to be non-compliant could face hefty fines that would affect everyone.

READ: Ahead of time: How is Dubai driving region’s smart commerce

And if the stipulations of the GDPR seem significant, it’s because they are. We’ve not had any updates to data protection laws since 1995 and things have changed a lot since then. The way businesses collected and stored personal data back then is no doubt very different to the way they do it in 2018.

When you put it like that, the GDPR seems pretty overdue. Today’s organisations should be welcoming it as an opportunity to update their whole relationship with data protection and make it fit for the future. To implement a methodology that’s built into the fabric of the organisation – not an afterthought or just something for IT to deal with.

The way we see it, there’s a very simple way to frame your approach to GDPR compliance. The five steps detailed below is the process we at Veeam went through to prepare. Now, we’re sharing it with you, in the hope that you’ll be able to complete your journey to compliance.

Protecting your data

Having gained better oversight of your data and implemented standardised processes to manage it, it’s time to make sure the right security controls are in place to protect the data – but that doesn’t just mean encryption. To be compliant you can’t simply turn security ‘on’ and put your feet up; the GDPR requires constant monitoring and diligence, and also much quicker action in the event of a data breach.

READ: Why is Bahrain going big on real estate?

It’s true that technology will play an important part in that journey, but technology alone will not bring about compliance. Rolling out a new company-wide approach to data protection requires a combination of security techniques, standardised workflows, internal education, access control, backup solutions, and much more besides. Keeping on top of who has access, where and when, with constant auditing and monitoring will enable much swifter responses to the data breaches that, despite everyone’s best efforts, are probably still inevitable.

Documenting and complying

One of the GDPR’s hottest topics is the introduction of data requests, which means an individual will have the right to request the correction or deletion of the data held about them. Businesses will be expected to comply with these requests and show that they’ve done so, which is why visibility over what data you hold – and where – is so crucial.

READ: Execution challenge: Will it drive the GCC toward another economic crisis?

Ongoing compliance with the GDPR also requires the documenting and auditing of what data you’re collecting, what it’s being used for and how long you’ll be storing it for. When we went through this step, we asked ourselves questions like: Is the data we collected months ago still relevant today? Do we still have visibility of data when it’s moved from one place to another? Are our third-party providers still compliant?

Continually improving

One of the benefits of constantly monitoring and auditing your data protection processes is the opportunity to constantly review and improve them. It’s true that the GDPR is something of a line in the sand, but as the digital world we live in constantly evolves and expands, it’s safe to assume that responsibilities around data privacy and protection will also continue to increase – so businesses will need to continually improve to keep compliant.

The GDPR should be seen by businesses as an opportunity to rethink their entire approach to data protection, now and moving forward. It’s a chance to make their organizations fit for the future – and they should grab it with both hands.

(First part of this Op-ed was published on June 10)