GDPR compliance is about risk management and governance, not technology

From 25 May this year, organisations across the ASEAN region will have to comply with the General Data Protection Regulation (GDPR), which will apply to any company that collects the personal data of European Union residents.

In the run-up to the looming deadline, a number of technology suppliers have been touting the importance of identifying, managing and protecting the personal data of EU residents, using various data protection and management technologies.

While there’s no doubt that tech suppliers are helping to raise awareness in the market about the GDPR, taking a technology-centric approach to GDPR compliance will further accentuate the dangerous view that data protection is an IT and security issue, and not a business issue.

As we all know by now, data protection and cyber security aren’t merely technology issues. When businesses get fined for data breaches, they are the ones that will draw flak for putting their customers’ personal data at risk, not their legal or IT teams. In some cases, CEOs have even resigned after public backlash over data breaches that took place under their watch.

In a bid to sell their technology tools, some suppliers have over-simplified their messages to suit their offerings, sometimes without having a full understanding of data protection principles and the requirements under the GDPR.

Instead, data protection – and GDPR compliance for that matter – should be approached from a risk management and governance perspective, with technology tools as enablers, not solutions.

Data protection laws such as the GDPR are complex, and can impact a broad range of business roles, including legal, audit, HR and finance, not just IT. In achieving GDPR compliance, organisations should focus on getting these roles to work together in ongoing efforts to ensure governance, risk and compliance (GRC) across an organisation, and not be distracted by the noise in the marketplace.