The countdown to the 25 May 2018 implementation of the EU General Data Protection Regulation (GDPR) has many IT firms increasingly nervous. CompTIA’s 2017 EMEA Member and Partner Conference, at which the international IT channel gathers to gain insight on industry trends, saw Assure Data founder Jim Sneddon, a 17-year cybersecurity veteran, set out how businesses will have to transform their products and processes to achieve compliance.
From how to guarantee data privacy in the murky world of shadow IT – the subterranean network of personal apps where employees are moving data around – to the issue of how direct marketing can survive under the new rules, GDPR has many companies worried about achieving compliance. This isn’t helped by the lack of official advice on what they need to do to implement the new law. But, as Sneddon revealed the potential pitfalls and the path to compliance, it became clear that those who succeed will be those who go beyond mere compliance and use GDPR as a business growth opportunity.
Compliance Is About Processes as Much As Products
Among the first revelations was that, under GDPR, a data breach no longer refers only to the loss of personal data but encompasses any unauthorised access to, alteration of, or destruction of that data. Complying with this is as much about people, processes and procedures as it is about products.
For example, staff training must be transformed to encompass everything from the need for HR departments to delete any unnecessary records of ex-employees to the new imperative for marketing departments not to share contact databases externally without consent. Businesses must shine a light on their shadow IT. They need to find out if staff are inadvertently breaching regulation by sharing personal information on the free version of apps such as Evernote or Dropbox, whose T&Cs state that data can be used by the application.
Direct marketing departments may even have to obtain explicit consent for the harvesting and use of email contacts for B2C and B2B communications such as email marketing. Contracts with third parties, such as partners and suppliers, must be rewritten to clarify their data-privacy obligations and firms should regularly audit their suppliers.
Crucially, reporting processes must be transformed to ensure that, if data is breached, companies can, within 72 hours, quickly drill into what categories of data were compromised, who was affected and what processes were in place to mitigate and contain the breach. Sneddon reminded the audience that the more detail that appears in a breach report, the less likely regulators are to levy fines on first offenders.
Companies should take the opportunity to do a thorough stock-check of their data to work out what personal information they hold and where, and then do a data detox to get rid of any unnecessary, non-compliant information. Most importantly, businesses must set up a cross-functional team from every department to share experiences of the challenges and ensure cross-departmental buy-in to the company privacy policy, without which compliance is impossible.
Technology has a key part to play too. Apps or websites that store or share user information need to produce pop-ups seeking user consent. Apprenticeship providers, marketing departments and social media sites need to have age verification in place, alongside the ability to seek online parental consent for storing children’s data. Companies must also use data-analytics technology capable of sorting compliant from non-compliant data and quickly identifying any customer information that must be deleted to comply with a right-to-be-forgotten request.
A Growth Opportunity
Yet this also presents a huge opportunity for those companies that get it right. For example, companies that achieve compliance can deploy this in their marketing materials and use it as a mark of quality-assurance to attract prospective partners and customers. Mining data to find out if it is non-compliant can also turn up valuable nuggets of information with great potential marketing or research value that the company has been sitting on.
And the very process of learning all the tips and tools to successfully achieve compliance is an opportunity for channel companies to sell those tips and tools to customers and partners. Every gap in a customer’s compliance is an opportunity to upsell a new module or product. In this way, every customer ‘gap analysis’ or health-check is a potential sales tool.
The knowledge, processes, procedures and products needed to achieve compliance are a potential jewel in the hands of those who acquire them.
We all know about the potential legal and financial pitfalls, from customer lawsuits to hefty fines. This talk showed that, for those who get compliance right, GDPR also presents a great potential growth opportunity.
As part of the EMEA Member and Partner Conference, CompTIA challenged its members to take the government’s Cyber Essentials as a first step towards compliance. For more information on compliance, please visit the Cyber Essentials portal.