Who is responsible?
As Kaspersky's recent guide, Fighting fit: running rings around GDPR compliance, suggests, GDPR is a company-wide responsibility, and effects departments in ways that aren't immediately obvious.
Legal team
The most notable of these is the legal team, which already has to deal with a host of other regulations. Instead of managing everything, legal should be focusing on specific areas, such as contract management and supply negotiations. Those contracts that extend beyond the implementation of GDPR need to be revised and updated, while new contracts need to be built upon the revised regulations. The legal team will also need to have ensured suppliers are also in compliance, and that their systems are robust enough to deal with information requests.
Sales and marketing
For most businesses, sales and marketing are at the front line of dealing with customer data. It is no longer enough to rely on pre-ticked boxes or customers who fail to unsubscribe from marketing material. Businesses must ensure their marketing teams are targeting consumers who have 'opted in' to receive that material, with accompanying consent text that is clear and noticeable. Sales teams need to keep an accurate audit trail of those customers who have decided to opt in.
Finance
The regulations will also significantly impact the way finance and accounting operate within a business. Enormous amounts of personal data can pass through the finance department, and the biggest GDPR fines tend to be issued to businesses that fail to secure this pillar. GDPR compliant data breach notification systems must be in place immediately report any issues while automating some processes will help reduce a significant risk to security - human error. If you are lagging behind in GDPR compliance it's worth noting you won't need to start from scratch with policies, as many can simply be updated.
HR
Even HR plays its role for a business to fully comply with GDPR. The regulations will enhance the rights of employees, giving them greater protection over their data. The department as a whole will, therefore, must be as transparent with employee data as the business is with customer data. The legal justification of data processing needs to be made obvious in any dealing with employees or job applicants. In most cases, it may now be prudent to appoint an individual in charge of reacting to data breach incidents, as well as issuing regular training to employees to help them identify threats and respond accordingly.
IT
Underpinning all of this change is the IT department. While not explicitly affecting these teams directly, GDPR has a dramatic effect on the way IT provides support. Internal software needs to be easy to use and data should be accessible in the event a request for data is received, and the use of hardware should be heavily audited. Privacy is now paramount, therefore systems must be in place to prevent, or minimise the likelihood of data breaches, such as authentication or encryption.
Data breach notifications
One consequence is that businesses, large and small, now find themselves required to report most data breaches that impact personal data. That means notifying both the Information Commissioner's Office (ICO) and the individuals whose data has gone walkabout.
"Loss of client data is a major risk to any business, and the stakes are only getting higher," said John Michael, CEO at iStorage. "The feedback from iStorage clients is that most data losses arise from human error, rather than any conscious contravention of the rules, or a lack of internal compliance effort." This implies that the shift in emphasis to pro-active self-review and analysis should cut mistakes and limit data losses.
"The increase in financial risk from the new penalties will also see greater investment in encryption technology and tools to reduce the risks arising from the human element," Michael suggested.
What does GDPR mean for your business? Register to watch our live webinar, sponsored by SolarWinds, first hosted on 2 March, to find out from the experts.
