General Data Protection Regulation (GDPR) is now in effect, but small-to-medium businesses (SMBs) have been under pressure to become compliant since the law was introduced in 2016. Some responded by changing their IT processes, others placed the burden on their legal team, and still others only began to adapt in earnest once the 25th May deadline was just around the corner.
Data protection must be treated with the right level of gravitas. It might be tempting to think you can steer clear of regulatory issues as long as you are not doing anything untoward with people’s personal data, but this is short-term thinking. GDPR may only mark the beginning of a global regulatory push to improve data protection, and regulation will only become more demanding.
Real change requires a shift in culture. The way SMBs govern data has not yet caught up to the way employees use technology, which is why we still see staff taking a lackadaisical approach in many organisations. They save company information to personal devices, use (and sometimes lose) business laptops on the train, and turn to file sharing sites to share sensitive information. All these practices pose a security risk, and they are all too common.
The cost of not complying with GDPR can be significant. Business leaders will be aware of the potential fines for non-compliance (up to 20 million euros or 4% of the company’s global turnover), but there are less obvious consequences too. Data breaches must be reported to the supervisory authority within 72 hours once a company becomes aware of them, and the reputational damage that follows if the company does not have a good handle on security has its own cost.
In addition, a supervisory authority has the power to impose a temporary or definitive limitation including a ban on processing, and data subjects have the right to bring claims for compensation.
This makes GDPR a boardroom issue, but this does not mean SMBs can just appoint someone to take charge of compliance and let them run with it. With an imperative this important, the buck stops with the CEO.
Business leaders must be figureheads for data protection. For an organisation to manage data more responsibly and stay on top of its data in the long term, it needs buy-in from all staff. Each individual must be accountable for their actions and play their part in compliance, and this understanding must be driven from the top down.
How can business leaders help achieve this? The first step is to make training compulsory. This could include anything from data management training, to workshops on protecting data or even running phish-baiting tests to help employees identify suspicious emails.
Incentives also help drive change. Data protection needs to be as much a part of someone’s job as doing their timesheets, so why not reward team leaders who have ensured all their staff have taken the appropriate training, or include security training as part of employee performance objectives? It will ultimately come down to HR, IT or legal teams to develop these initiatives, but the imperative must come from a company’s leadership.
By Alessandro Vallega, Security and GDPR Business Development Director, Oracle EMEA