
GDPR: Why People and Processes Are Just As Important As Tech

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

No technology can be a silver bullet for next year’s GDPR

There is now less than a year to go until new Global Data Protection Regulations (GDPR) come into force across the European Union, meaning the countdown is well and truly on for organisations to get their houses in order.

If they don’t, they face receiving hefty financial penalties, as well as potentially losing the trust and loyalty of their customers.

Many technology vendors have released products and services to help solve businesses’ GDPR problems, but what was made clear at a recent Kaspersky Lab-hosted roundtable attended by Silicon was that ensuring compliance will come down to people and processes as much as technology.


Three-pronged approach

“Technology can be a very important tool, but then having the processes and policies that relate to how technology is applied and people and education all working together is key,” said Sue Daley, head of cloud, data, analytics and AI at techUK.

“Technology can help, technology’s a really key tool that can help particularly small organisations, but technology isn’t a silver bullet either. You’ve got to have technology working with people and then the processes and procedures.”

Jo Bance, head of global marketing at SQS, agreed that process is just as important as technology, as the quality and effectiveness of internal policies (or lack thereof) can be equally to blame if something goes wrong from a compliance and regulation perspective.

This point was emphasised by Caroline Hinton, head of HR at radio production company Somethin’ Else, who highlighted some of the process challenges businesses are facing: “I think the key is the process point. There are lots of processes to go through with third party suppliers. We share data with external payroll providers, pension schemes, so it’s about making sure that all the links in those chains are as robust as our own processes.

“Then there’s the fact that potentially everyone in the business has access to certain levels of confidential data. We just need to make sure that we’re following the same standards everywhere and that we’ve got control of people’s information and what happens to it.”

So, we’ve established that getting an organisation ready for GDPR doesn’t just rely on technology. The next question to ask is who drives such initiatives?

“Clearly this [GDPR] is something that is in the focus of business leaders for obvious reasons. They’re the ones managing businesses, but to what extent does it need to be wider than that and affect people at the ground level of an organisation?” asked David Emm, principal security researcher at Kaspersky Lab.

“It’s not going to be an IT problem alone, it’s not necessarily going to just be a legal issue and at every level people are going to have to respond if something happens.”

The general consensus was that any data protection initiative or process needs to be driven from the very top in order for it to permeate effectively throughout an organisation. In order for everyone to be a part of the journey, Daley explained, they have to understand their responsibilities, which depends on the message sent down by the CEO.


Education

Related to this is the issue of education/training. If employees don’t understand the reasons for certain GDPR-related processes, widespread adoption is going to be tricky.

“I would say it’s even more important for a small organisation [than an enterprise] to have everybody across the business educated and bought into it because you don’t always have a specific person responsible and in a small organisation you do rely on everybody coming together,” said Hinton.

Bance took the notion one step further and suggested that, as there are certain policies that everyone has to be aware of, GDPR compliance training and education will eventually become a part of “business as usual training”.

Evgeny Grigorenko, head of public affairs at Kaspersky Lab, agreed with this point, saying that data management training will become necessary in order for businesses to show they took the necessary measures to prevent a breach.

So, businesses have a lot to do to get ready. The majority may now be moving from an awareness of GDPR into the planning stage but, with less than a year to go, it will soon be time to start turning these plans into reality.
