Despite the complexity of the forthcoming General Data Protection Regulation (GDPR), boards most need to understand is that it is not just about law, IT and security, according to Herwig Thyssens, ICT director and head of T-Trust at T-Systems Belgium.
“They need to understand that GDPR is not just a project that needs to be implemented, but something that needs to be maintained for the life of the business,” he told EEMA’s ISSE 2017 conference in Brussels.
Although it is not necessary to go into great detail about the GDPR, Thyssens said the board needs to understand why it needs to be done and why the investment needs to be made.
“It really is an investment because, like any good investment, it is something that offers a return – you get money out because it helps build customer trust,” he said.
According to Thyssens, boards are only likely to get confused if they are told organisational changes are required to adapt, that there is a legal and contract basis to implement and some security and ICT processes to do, and that compliance and risk, finance, HR, communications and marketing are involved because there is an opportunity to make money.
At the same time, he said it is important that boards do not lose sight of all that needs to be done and do not develop “tunnel vision” where they believe that preparations for GDPR are on track just because the legal and security aspects are being addressed.
Plug the GDPR gap
“There are often gaps in GDPR implementations, where organisations tend to focus on the legal aspects, contracts, security and data protection officers, but tend to forget other key elements,” said Thyssens.
Organisations are more likely to forget things such as data inventory, data privacy impact assessments and staff awareness, even though proof of all these things will be required in the event of a GDPR audit.
Herwig Thyssens, T-Systems Belgium
“A data inventory can be difficult to create, and many organisations are not completely sure where specific kinds of data are stored and who owns the data, which some organisations find very difficult to answer, but it is key to GDPR compliance.
“If you do not know what you have, where it is and who owns it, you will not be able to provide the necessary assurances around the data and you will not be able to use the added value of the GDPR to get more business,” said Thyssens.
Organisations most commonly fail to address issues around how the organisation will be affected, international data flows, data retention, backups and privacy by design.
“Data retention is likened to inventory, but even if an organisation knows where the data is, some find it too difficult to decide how long to keep it, which is a basic question GDPR auditors will ask,” said Thyssens.
In terms of privacy by design requirements, he said organisations with a high level of maturity should task business process owners to look at their processes to assess the impact of the GDPR and what needs to change.
“In organisations with low maturity, my advice is to make sure the board is involved so it can drive this forward, because it will not happen automatically, and that there is a dedicated team assigned to the project to co-ordinate and drive it across business functions,” he said.
With just over six months to go before the GDPR compliance deadline, Thyssens said organisations should consider if they have done all these things, identify their gaps and address them immediately, because time is running out.