Security Think Tank: Translating GDPR compliance into business benefits

The EU’s General Data Protection Regulation (GDPR) may have taken a back seat to the more pressing issue of Brexit, but GDPR is not lagging too far behind as a high-profile term, which has become common parlance.

Whether raised in a business or social context, data protection is a concept everyone is now familiar with. While the specifics of implementing GDPR requirements are not yet settled, the introduction of the GDPR has certainly coincided with – if not provoked – an upward trend of individuals becoming more zealous about their right to privacy. 

Consumer concerns over privacy mean that investment in a data protection programme brings far more value than simply protecting the business from legal action or financial penalties. Perhaps more importantly, it is imperative to upholding brand reputation and consumer trust. As consumers become more willing to switch allegiance in favour of a business that diligently protects their data, organisations can confidently leverage their compliance with GDPR to secure competitive advantage.

The Information Security Forum has produced a guide to preparing for the GDPR. It provides organisations with practical actions, insightful tips and reusable templates for structuring an enterprise-wide GDPR compliance programme which treats the GDPR as a unique opportunity to translate necessary compliance actions into tangible business benefits.

As organisations look to refresh the way in which they use data and create more efficient processes for upholding the rights of data subjects, various activities related to data protection can be consolidated into a broader information governance programme. Such a programme should do more than simply consign GDPR compliance to a checkbox exercise designed to avoid regulatory fines.

“As consumers become more willing to switch allegiance in favour of a business that diligently protects their data, organisations can confidently leverage their compliance with GDPR to secure competitive advantage”

A high-maturity organisation will have governance roles and responsibilities clearly defined, the risk appetite agreed with the board, as well as data privacy risks prioritised and mitigated effectively with all the right data controls in place, such that there is a minimal likelihood of a data breach. However, the benefit of reducing risk will be realised only if it is underpinned by in-depth knowledge of the business, its operations, strategic initiatives and future plans.

The GDPR touches all parts of an organisation’s operations. To maximise the business gains of GDPR compliance, organisations should extend the breadth of their data protection programmes to embed information security into the design of business applications and technical infrastructure. GDPR should be viewed as an enabler for implementing fundamental security controls, which in turn allow for innovation.

To avoid GDPR fatigue and secure buy-in for the rationale of enforcing GDPR changes, it is important to demonstrate that achieving compliance has the benefit of reducing risk. Instead of focusing on the implications of non-compliance, information security professionals should use scenarios that educate the business about the impact of exposing data.

Ultimately, business gains will best be realised if the motivation for compliance is to protect the organisation, rather than external pressure for change.