
Overcoming the GDPR indifference problem

Customers are tired of being told that unless they spend money on IT they are doomed, making life challenging for those trying to help them tackle data protection regulations

This article can also be found in the Premium Editorial Download: MicroScope: Shake off Brexit woes

Though the IT industry probably didn’t invent scaremonger marketing, it’s probably fair to say that the technology sector took fear factoring to new levels.

Anyone around at the turn of the century can remember the fear stirred up by the millennium bug, and there have been various spikes in scaremongering activity since.

User indifference can become a real danger, and with the General Data Protection Regulation (GDPR) looming, those firms trying to get through to customers face additional challenges. The worry is that genuine troubleshooting companies will not be able to get the hearing they deserve.

We asked David Nicholson, technical consultant at Axial Systems, how the company gets around this perception problem.

The latest IT crisis is GDPR. Can you understand someone on the board of a company thinking, “Here we go, not another scare story”? 

This is probably learned behaviour from previous experiences. The real problem is that many board members do not understand why security is so important today and that GDPR has teeth – and will bite. Unfortunately, hoping this will all go away, if ignored for long enough, is not going to work. 

The IT industry has, for a long time, tried to educate boards about best practice, risk mitigation and cyber security by dangling the carrot of compliance and reputational protection, and it just hasn’t worked. After all, GDPR is not the end state, it’s about enforcing a decent baseline of security.    

Can you see companies getting into trouble over GDPR?

Yes, but not immediately. It’s highly unlikely that a company will be audited on 26 May 2018 and maximum fines issued. It could take two to three years for most companies to become fully compliant, especially if starting from scratch, but they will have to evidence continuous improvement. 

Is there a way of identifying the GDPR slackers and targeting those that are most likely to want to use help at the last minute? 

I don’t think so. The point about GDPR and the inception date is it’s exactly that. There is no generalised method of tracking progress. The only way to ensure this is to have regular conversations with customers – identifying where they are, what they need to do and helping them along the way. Trying to drive them is unlikely to work, since every company is different. So the starting point, the culture and the investments required will vary greatly.

Have people taken it seriously enough? 

Mostly, yes. The bottom line is simply this – if you hold any personal or sensitive data that is in any way readable about an EU citizen, you will need to comply. You must think payroll information – you have your employees’ dates of birth, addresses, bank account details, national insurance numbers – all information that can “uniquely identify” an individual. 

Is there a way of securing the company without slowing everyone down?

Yes, but it’s about willingness and education. Most people will be keen to get a change for the better, but at the same time it can be difficult to ensure that everyone puts in the work that will achieve it.   

Isn’t there scope for resellers/service providers to simplify the GDPR issue for clients? 

Only to a degree. Culture is a major factor, as is the maturity of the business, and GDPR is more about process than technology. In many ways, there are two camps – resellers that sell technology and the services around it, and companies that create the processes and procedures and educate businesses and their people. I don’t see too many that can do both.
