WIREDGOV

Blog posted by: John McDermott, EMEA Portfolio Manager, HP Enterprise and Nick Wilding, General Manager Cyber Resilience, AXELOS, 20 October 2017.

Organizations can use the introduction of GDPR in May 2018 to learn more about their customers while building customer loyalty and increasing efficiency.

According to John McDermott, EMEA Portfolio Manager at Hewlett Packard Enterprise (HPE), the new regulations are a business opportunity and business leaders should not be overcome with ‘doom and gloom’ about non-compliance and large fines.

His comments came during a recent webinar as part of Cyber Resilience Week – GDPR and the importance of protecting your human firewall.

He said: “A strong competitive advantage can be built using GDPR. Preparations for the new regulations give the chance to implement a data strategy to sharpen your strategic market segmentation, de-duplicate the data and improve operational efficiency. This will then give more chances to cross-sell and up-sell.

“There are also other advantages as customers will have more confidence in your organization, when they see how their data is protected, which will help to build their loyalty toward you.”

John also highlighted a key fundamental of GDPR which is the protection of personal data. This prevents exposing individuals to risks such as identity theft. Any company which works in the EU, or handles data relating to EU countries, will have to abide by the regulations and carry out a Data Protection Impact Assessment to ensure it has the right data processes and protections in place.

To maintain compliance it will be vital for an organization to appoint a “controller”, responsible for, and with the responsibility to demonstrate compliance with the principles of GDPR. The data controller will also have to ensure that ‘data processors’, either within the organization or the supply chain, also comply with GDPR in the way they manage data.

Should a breach occur, a breach notification needs to be presented to the regulators. This could attract severe penalties including fines exceeding €20m or up to 4% of global turnover.

During the webinar John outlined the four-step programme which can move an organization towards compliance with the GDPR regulations:

• Perform: carry out a gap analysis and prepare a GDPR readiness report; revise policies, contracts, procedures and data governance model.
• Know: classify data and enforce best practice for each classification; identify who collects data and where from, encryption and breach protection.
• Identify: understand what will change and who will make the change
• Prepare: carry out a data protection impact assessment and get approval from the data protection authority; implement new tools and instigate a company-wide and ‘effective’ awareness programme to educate all employees.

The employee role is vital in achieving GDPR compliance and an organization must demonstrate best practice in its approach to awareness learning and data handling.

This issue and how to prepare and maintain employees’ understanding of data handling and complying with GDPR was addressed by Nick Wilding, General Manager, Cyber Resilience at AXELOS during the webinar.

He emphasized how the right training is the way to achieve this. Nick said: “Human error is the root cause of the majority of breaches. Typically, it happens through unwitting actions of anyone, whether in the boardroom or the ‘engine room’.

“We need to recognize that resilience is a human and behavioural issue as much as a technological one. This is central to GDPR and your ability to demonstrate to the regulator that you can prevent breaches.

“Training helps people make the right decisions at the right time. It is central to having an organizational culture where people feel able to raise questions and speak out when something isn’t right.”

Nick also highlighted that training should not be a once a year, compliance ‘tick-box’ exercise. At best this approach teaches you some essentials, at worst it’s completed as quickly as possible and almost completely forgotten at once. This approach will no longer sufficient or acceptable. It needs to be regular, relevant and engage all staff by helping to demystify the many aspects of cyber-risks we all face and data privacy and protection.

“Effective and engaging online learning can also be combined with a range of techniques including team meetings, lunch and learn briefings, surveys, posters and competitions. They should all work to build confidence so that anyone can deal effectively with issues, as and when they arise,” Nick added.

The webinar emphasized that GDPR has the ability to enhance a business and, with the right support and training for employees, it should mean full compliance. If there is already a good governance strategy in place it really should be business as usual.

Watch the webinar GDPR and the importance of protecting your human firewall.

For more information:

Visit AXELOS.com/resilia-frontline to find out more about RESILIA™ Frontline cyber security awareness training developed by AXELOS Global Best Practice.

You can also sign up for a free 14-day trial of RESILIA Frontline and see for yourself how to make your people your greatest defence against cyber-attacks.