Part 3 in the “Postmodern CIO” series
The European Union’s most sweeping law regarding data privacy, the General Data Protection Regulation (GDPR), is set to take effect in May 2018. Yet the GDPR isn’t just about data management. Nearly half of the articles in the regulation are related to business procedures associated with policies, controls, record-keeping, and the accountability of different roles and entities. Running a successful digital business requires governance excellence just as much as it requires information excellence. This requires a robust, consistent and holistic approach across your entire enterprise. To avoid costly penalties once the GDPR is implemented, you must clearly define and document your policies, processes and people.
However, complying with the GDPR doesn’t have to be an onerous task that you dread performing. Rather, think about how you can achieve business benefits alongside GDPR compliance. This will require you to focus on automating risk, compliance and audit management processes, and also monitor the enforcement of your policies and the effectiveness of your controls.
The three stages below offer concrete steps for moving toward GDPR compliance while also reaping benefits for your business.
1. Streamline access control
In order to be compliant with the GDPR, you first need to know who has access to your data at all times. This is the only way to ensure that the privacy of your data subjects is not being violated, intentionally or unintentionally. Achieving greater visibility into access control doesn’t have to be a drain on your IT resources, however. For one, you can take advantage of automation to detect and remediate access-risk violations, and to automate reviews of user access, role authorizations, risk violations, and control assignments. You should also have compliance checks and mandatory risk mitigation baked into your business processes. Finally, to satisfy yourself that you are on the right track, you should create a comprehensive audit trail describing all the user- and role-based activities surrounding access control.
2. Enhance control monitoring
Data access violations can happen more quickly than the blink of an eye. Adhering to the GDPR requires you to constantly monitor your compliance efforts and respond quickly when required. Again, automation can help identify, prioritize, and remediate the issues you face in complying with the GDPR, as well as with other laws or regulations that govern your business operations. To begin with, develop a road map by documenting policies and controls centrally and mapping them to all relevant requirements of the regulation. Evaluate the design and operating effectiveness of the controls in place, and look at ways that you can raise, track and remediate issues with them. In particular, you should use automated solutions to do exception-based monitoring that can locate and potentially resolve problems across heterogeneous application landscapes. An independent view often uncovers things you might have missed, so consider external assessments as part of your controls strategy.
3. Keep personal data secure
Cyberattacks don’t just violate your customers’ privacy; they also damage your reputation among the general public, ultimately harming your company in the long term. According to IT research firm Juniper Research, the total annual cost of cyberattacks may climb to an astounding $2 trillion by 2021. Combatting cyberattacks to keep your data secure is a vital step for any organization affected by the GDPR, and it also makes business sense. However, this needs to be done in real time to have any real impact in protecting your critical business processes and data against unauthorized access. Regulation as a catalyst for change is being seen by many business leaders as an opportunity to strategically address the ever-increasing data-management challenge. Many leaders still believe that too large a proportion of the IT budget is being spent on “running their companies.” GDPR gives weight to the fact that digital transformation needs to span the end-to-end customer experience.
For more on risk management in government, see How Governments And Industry Respond To Digital Risk.