Much has been said about the potential onslaught of the European Union’s General Data Protection Regulation, or GDPR. The critical survival steps needed to get compliant have been covered at length, but there is a big difference between identifying the need and actually addressing it.
Are companies truly prepared? If you’re like most businesses, then your GDPR experience will come down to whether you can anticipate the subtle nuances of regulatory adoption.
Here are three essential questions that you should answer if you want to survive the operational shift instead of finding yourself on the wrong side of compliance history.
Can your company push through regulatory disharmony?
When 25 May 2018 rolls around, you might initially take comfort in the fact that the GDPR is designed to replace a patchwork of national laws with a single set of rules. Having a single set of rules, however, doesn’t mean that you’ll be able to comply simply by reviewing a few guidelines here and there.
The GDPR deliberately leaves Member States room to specify or supplement certain provisions through its opening clauses; the age at which a child can consent to online services and the rules for processing employee data are the familiar examples. As such, any compliance system that you implement will serve you better if it accommodates local requirements in addition to the general EU rules.
Most businesses probably will not have to wade through a mire of confusing laws or interpret major deviations from the spirit of the GDPR. Nonetheless, your ability to institute a flexible compliance framework could prove crucial.
Are you as ready as you think you are?
A study from January 2018 revealed that only around one-third of startups were GDPR-compliant. The same research showed that many respondents had significant misunderstandings about topics as basic as obtaining consent, notifying users about breaches and encrypting personal data properly.
With such a significant portion of the business population seemingly ignorant of the essentials, where do you stand? Although it is easy to understand the general intent behind the GDPR, companies of all sizes need to integrate their compliance strategies into functional systems that let them make the required changes and prove that their efforts are sufficient if challenged.
Are your IT systems working against you?
One of the biggest determinants of how you’ll fare with the GDPR is your systems architecture. If your corporate network is riddled with vulnerabilities, then no amount of after-the-fact correction will make you compliant without addressing the root problems.
Your company may find it necessary to enact sweeping policy changes geared not only towards GDPR compliance, but systems management in general. For instance, if your e-commerce code grants unauthenticated or unscoped access to a database or programming interface simply because it is convenient to do so, you’ll likely have to institute stricter rules about API keys and credentials: who holds them, what each one is allowed to reach, and how that is enforced rather than assumed.
You may even have to rewrite major software systems or public-facing code so that well-meaning users do not inadvertently weaken your compliance stance or cause breaches.
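As an added illustration of the e-commerce case above (example code written for this page, not code from the article or from any product it mentions), the following Python puts the "convenient" order-lookup routine beside a hardened one. The table layout, the customer identifiers and the API keys are all constructed for the example; the hardened path requires a key, scopes each key to one customer, compares key digests in constant time, and uses SQLite's authorizer hook so that the connection handed to public-facing code can only read the orders table. A real deployment would use a database role with the same restriction; the authorizer stands in for that here so the example runs offline.

```python
"""Hypothetical e-commerce order lookup: the convenient version beside a hardened one.

Added example, not code from the original article. The table, the customer
identifiers and the API keys below are all constructed for illustration.
"""
import hashlib
import hmac
import sqlite3

# Constructed sample data: an orders table covering three customers.
ORDERS = [
    ("cust-100", "ord-1", 49.99),
    ("cust-100", "ord-2", 12.50),
    ("cust-200", "ord-3", 199.00),
    ("cust-300", "ord-4", 5.25),
]

# Constructed API keys. Only the SHA-256 digest is stored, together with the
# customer the key is scoped to; the plaintext never sits in the database.
_RAW_KEYS = {
    "key-for-cust-100-do-not-commit": "cust-100",
    "key-for-cust-200-do-not-commit": "cust-200",
}
KEY_STORE = [(hashlib.sha256(k.encode()).hexdigest(), cust) for k, cust in _RAW_KEYS.items()]


def seed_db():
    """Create the in-memory database and load the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer_id TEXT, order_id TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    conn.commit()
    return conn


def lookup_orders_insecure(conn, customer_id):
    """The convenient version: any caller can read any customer's orders."""
    return conn.execute(
        "SELECT order_id, total FROM orders WHERE customer_id = ? ORDER BY order_id",
        (customer_id,),
    ).fetchall()


def restrict_to_read_only(conn):
    """Least privilege for the public-facing code path: the connection may only
    SELECT from 'orders'. INSERT, UPDATE, DELETE and DDL are refused by SQLite
    itself, so a bug higher up cannot escalate into a data-altering breach."""
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_TRANSACTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "orders":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)
    return conn


def authenticate(api_key):
    """Return the customer an API key is scoped to, or None.
    Every stored digest is compared with hmac.compare_digest, so a wrong key
    costs the same time as a right one and leaks nothing through timing."""
    candidate = hashlib.sha256(api_key.encode()).hexdigest()
    match = None
    for digest, customer in KEY_STORE:
        if hmac.compare_digest(candidate, digest):
            match = customer
    return match


def lookup_orders(conn, api_key, customer_id):
    """Hardened version: the caller must present a valid key, and may only
    read the customer that key is scoped to."""
    principal = authenticate(api_key)
    if principal is None:
        raise PermissionError("unknown API key")
    if principal != customer_id:
        raise PermissionError("key not authorised for this customer")
    return lookup_orders_insecure(conn, customer_id)


def write_is_refused(conn):
    """True when the read-only authorizer blocks a destructive statement."""
    try:
        conn.execute("DELETE FROM orders")
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    db = restrict_to_read_only(seed_db())
    print(lookup_orders_insecure(db, "cust-300"))  # anyone can read this
    print(lookup_orders(db, "key-for-cust-100-do-not-commit", "cust-100"))
    print(write_is_refused(db))
```

The point of the two layers is that they fail independently: if the scope check in `lookup_orders` is ever bypassed, the authorizer still prevents the public path from altering or deleting personal data, which is the kind of root-cause control a regulator will ask about after a breach.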
Firms that never considered personal information security before should start thinking about it fast. Faced with the choice between overhauling major business processes or trying to hide from regulators, many companies might choose the latter.
This post was originally published on Infosecurity Magazine.