GDPR: What is it all about?
For months and months now all media streams, advertising and conversations have been focused on GDPR and "getting ready", but what is GDPR really all about? Job boards have seen a rise in the number of positions being created and recruited for that look for "experts" in GDPR, with vendors and re-sellers alike advertising solutions to make you "compliant".
Very recently, I was sitting at a round table discussion with some very experienced CIOs and CISOs discussing both this topic and digital transformation. It was only at the point where one of the attendees asked the group "What is digital transformation really? What does that actually mean?" that the conversation started to make real progress. It was at this point that the discussion changed: rather than discussing digital transformation, it was decided that the actual term should be "Business Transformation", and this is really what GDPR is about. It is about changing the way we operate within our businesses, and here is the real problem. It's not about the 2018 deadline, it is about change moving forward. It's about making sure that everyone in your business is aware of how they should be handling information. GDPR is not PCI DSS or ISO27001 or any other type of annual compliance. It is and will forever be ongoing, even though there are many who simply wish to get to the deadline and then put it to bed.
This will be the new Health and Safety, and if you think of it in these terms you will see where you are in your journey. Every company has a health and safety policy and officer. Every company has health and safety posters splattered all over the place. We report all incidents, even the smallest of things, and we are so aware of health and safety. I have seen employees request to leave work for the day because there was a mains problem in the area resulting in the loss of the water supply to the building. This issue literally stopped work in the office, with people stating that it is against health and safety for the company to operate whilst there was no water. I have no idea whether this is true or false or what the legalities are around the subject; all I knew was how aware everyone has become around the issue. Someone spills water in the kitchen and watch how quickly the "wet floor" signs pop up. Now why is this? It's not the legislation, it's the repercussions to the company if the legislation isn't followed. Companies have seen over and over again how the smallest thing can lead to the biggest issue. So what do we do? We make sure that everyone is aware or has been made aware of the legislation, because the truth of the matter is, nobody wants any part of the blame when something goes wrong.
So back to GDPR. Everybody now knows that they have to look into this and start preparing, yet nobody seems to want the responsibility (blame!!). The message slowly filters to the stakeholders at the top who then once on board, designate the responsibility to management who delegate to the team who then spend time playing pass the parcel. So whilst everybody is working on this, nobody is.
Another problem is that there are many who believe this to be an IT issue. GDPR is a business issue for the whole business to become aware of. It's business policy that needs to change, not the IT. The IT is there to make sure that these policies can be carried out and enforced. For many years, IT has been a service to a business, but times have changed. IT is now an enabler for business, yet still regarded as a service. To invest in your IT team and infrastructure is to invest in your business, because without it... what type of business will you have? GDPR is not a job for one person, it is a responsibility for the whole company to take on board, and like it or not it is coming. So we have two choices: we get in front or we fall behind.
Change doesn't have to be bad.