Senior Consultant

GDPR is coming…of course you’re aware of it. It’s all over the computing press – it’s hard to miss. But what are your business users doing about it? It’s easy to sit there and wait for someone else to pick it up and come knocking on your door. But we all know that our users aren’t always that quick to take the lead on problems like this, and rarely think that IT might need more than a couple of months to sort it out.
So what can IT do to help this process? Being proactive in the following two areas is key:
1. Engage with the business directly
With just over a year to go before GDPR comes in, you’d like to think that the business has started to consider how it will be affected by the new legislation. Find the person who has taken control and make sure IT is fully represented in any decisions. If you can’t find that person, then maybe they don’t exist yet…perhaps it’s time to force the issue with your COO or Risk and Compliance.
2. Make a start on the journey towards compliance
Our experience so far is that the initial stages can take much longer than you might think – setting a framework, then discovery and analysis can take 4 – 6 months for an organisation with 200+ applications.
As an IT function, at the very least, you must be able to answer a fundamental question: is your electronic data secure? Have you done everything you can to make sure it’s safe? If not, start pulling together plans for improving your security. This could involve introducing additional security controls to existing systems, or possibly even moving to a different Cloud provider if the current one can’t provide the required level of security. That’s something that is totally under IT’s control.
As well as Cloud services, identify all your other data processors and start making enquiries about their compliance. The SaaS provider that you’ve been with for years…have they thought about GDPR? Your email provider…do they have the relevant levels of security, and are they willing to certify that they’re GDPR compliant?
The next big one is understanding the impact that GDPR will have on your entire organisation, and then working out which IT systems will be affected. Look at some of the basic rights that GDPR is bringing to EU citizens…the right to be forgotten, the right to have inaccurate data corrected, the right to data portability. IT will have a pretty good idea of where personal data is held and which systems it is held in, so you can start to identify those that can and can’t satisfy these new rights. It’s not something that IT can do entirely on its own, but you can make a start.
GDPR compliance may prove to be very difficult to achieve across all elements of the business within the set timeframes. But don’t leave it too late to find out.
Xceed Group has developed a 5-stage approach to becoming GDPR compliant. We would like nothing more than to bring our expertise to your organisation and help you through this difficult journey.
If you have any questions, or would like advice on how to become GDPR compliant, email us; we will be delighted to help.