Director’s View: Get the Board on board with GDPR
A few weeks after our fourth workshop for IT in hospitality, I am reflecting on the discussions we had and how our guests felt about the upcoming General Data Protection Regulation.
It was apparent early in the event that attendees were looking for guidance on where to start. Many wanted information that would let them begin the policy, process and systems changes needed to achieve GDPR compliance:
“What I would struggle with is mapping the key compliance issues with what we do now. What would need to change? What would be a process issue?”
GDPR is a regulation which ensures that companies prioritize the privacy and safety of the customer information they hold. To achieve this, the following needs to happen:
- Understanding how information is accumulated
- Certainty on how information is stored
- Clarity on information that is shared
If the above are incorporated when designing company processes (also known as privacy by design), it’s likely we wouldn’t experience as many breaches as we do today. I would even suggest the scope for cybercrime and the dark web would be significantly reduced. The fact that companies have had little to no concern about the safety of their customer data is one of the primary reasons why the regulation has been created.
Attendees wanted to know how to get answers to the points above, to be able to give their organisations the information they need to kick start the journey to compliance. Knowing where to begin was one of the key concerns for attendees, especially for those with global sites.
“Because we’re global, it [GDPR] affects lots of areas and the directors are split up across various countries. Trying to get engagement from all of them can be difficult.”
In addition to changes to policies and systems, we also discussed the challenges of changing company cultures and behaviours. GDPR is not just about policy changes and the impact on the general business and customers, but also on employees and internal staff. To implement GDPR successfully, the whole company must be engaged and understand the regulation, from the Board down.
We recommend businesses engage in an auditing exercise, one that checks the flow of all personal information used by the company. This should look at the policies you currently have in place to handle customer information, the policies and procedures that staff must follow when handling information, and finally any additional systems needed to ensure heightened security. Most importantly, the security measures needed to protect personal information from cyberattacks are essential – SMEs are prone to such attacks now more than ever before.
An IASME governance standard check should then follow to determine where the gaps in your security exist (a gap analysis) and to set out the first steps to compliance, providing a road map for your journey.
This is just the tip of the iceberg
If you can prevent breaches from happening – a fundamental reason for the GDPR – you are far less likely to compromise the safety of your customer data, thus reducing the risk of sanctions, claims and reputational damage.
Get in touch
For information about our GDPR audit please email me directly on firstname.lastname@example.org or 0800 292 2230.
Another great way to start learning about the regulation is through our GDPR events. You can find more information on our events here.