by Steve Dickson, CEO, Netwrix
Only 29 percent of small businesses and 41 percent of midsize businesses in Europe have taken steps to prepare for the GDPR, according to IDC, and there’s no reason to think that organizations elsewhere in the world are any more ready for the May 2018 deadline.
But panicking can do more harm than good — you’re likely to make costly missteps. If your organization isn’t prepared, you definitely need to get moving. But be sure to avoid these five common mistakes that can harm your company:
Mistake 1: Rushing the process
With the GDPR deadline looming and compliance challenges in the headlines every day, it’s easy to panic and make bad decisions. The most absurd example might be British airline Flybe: In their eagerness to prepare for the GDPR, they crafted an email advising users to update their personal information and marketing preferences and sent it to their entire customer base — including people who had unsubscribed from the company’s emails. That rash action violated existing law, the Privacy and Electronic Communications Regulations (PECR), and got the company slapped with a £70,000 fine.
If you’re unsure about how to meet the requirements of the GDPR, don’t do anything in haste. Seek counsel from legal advisors and other experienced consultants before taking action. And keep in mind all the compliance standards you are subject to, so you don’t violate one as you try to comply with another.
Mistake 2: Taking a fragmented approach to security
GDPR compliance requires a comprehensive approach to security that involves not just technology, but also governance, processes, and people. However, a recent Forrester report found that many organizations are focusing too heavily on IT measures and taking a piecemeal approach instead of thinking holistically.
This strategy isn’t an effective way to protect your organization from security incidents and audit penalties. I urge you to see the new GDPR legislation as an opportunity to get back to the basics that will improve cybersecurity across your IT infrastructure. In particular, make sure you know where your sensitive data resides, who has access to it, and which services and software are the most critical for your business.
Mistake 3: Being reactive rather than proactive
The GDPR requires a proactive approach from your IT department, which is notoriously hard to put into practice. During a recent presentation for IT security professionals, I did an informal survey about how proactive they consider themselves to be. It turned out that 80% of them are reactive to new compliance requirements and lack a long-term strategic approach.
If your IT department is overwhelmed by routine troubleshooting, it won’t be able to prevent data breaches, respond promptly to requests to be forgotten, or comply with other GDPR requirements. Try to figure out the root of the problem: Is your department understaffed or lacking the expertise you need? Are your security systems insufficient or poorly managed? Are employees unaware of proper security protocols? Then take action based on your findings, so you can free up your team to be more proactive.
Mistake 4: Putting the responsibility on IT only
Compliance failures are not always the fault of IT. The Netwrix IT Risk Report found that 65% of organizations have experienced security incidents, and most were due to human errors and malware. You don’t want to get fined because someone copied a file containing customer IDs to a personal laptop or clicked on a malicious link that delivered ransomware, so make sure all employees who deal with sensitive data (such as your marketing, sales, accounting and legal teams) are trained on your cybersecurity policies and procedures. Make sure your educational efforts go beyond boring lectures about security — include relevant case studies and edutainment programs. More broadly, work to establish a new business culture that puts security and personal data privacy at its center.
Mistake 5: Being too radical
Richard Stallman, president of the Free Software Foundation, has suggested that, instead of protecting and regulating personal data, we should ban its collection. I personally know of companies that have deleted all customer data that could be considered sensitive to try to eliminate the risk of GDPR fines.
These responses aren’t just radical; they’re also ineffective. Getting rid of your customer database won’t erase your obligation to report to auditors; it will just hurt your ability to be competitive. Auditors will be looking for a credible plan to ensure compliance, so make sure you can demonstrate to them that you are on the right path to better control over your security. As for your customers, respecting their privacy and preferences will increase their loyalty; ditching the information you have about them makes it impossible for you to do that, and customers will look for someone else who can.
For too long, businesses have been collecting personal data from customers to meet their own revenue goals. Now it’s time to recognize their rights and make the tenets of the GDPR into your core values. The scope of this change might seem daunting, especially with the deadline for compliance fast approaching, but your customers will reward you with stronger loyalty. Plus, if you address GDPR compliance as a strategic business challenge, you’ll be in good shape when the next piece of compliance legislation comes around; you’ll have a simple reporting issue, not a fundamental engineering task, on your hands.
About the Author
Steve Dickson was named Netwrix CEO in April 2018 after joining the Netwrix board of directors in August 2017. Dickson was previously with Dell, Inc., where he served as Vice President and General Manager of the Windows Platform Management business, as well as VP of Marketing for the Systems Infrastructure Management Group. Prior to Dell’s acquisition of Quest Software, Steve held leadership positions including SVP of the Windows Management business unit and the Identity and Access Management business unit. Other positions he held at Quest include SVP Products and Marketing, VP of Worldwide Sales for Microsoft Management Solutions, and VP of Sales for the Western Region. Before joining Quest Software in 1998, he worked for Air Liquide as a general manager. Steve holds a bachelor’s degree in applied mathematics from Weber State University and a master’s degree in business administration from Pepperdine University in Southern California.