With just a few months to go, reports and surveys frequently indicate that CIOs and business owners are concerned about and unprepared for GDPR. And the race is on, with a Veritas study indicating that more than half of organisations are yet to start work on meeting the minimum requirements set by GDPR.
Many organisations are looking to bring their cyber procedures and capabilities up to scratch ahead of the regulation becoming enforceable in May 2018. But, with an evolving IT threat landscape, new technologies introducing new risk, and a cyber-skills deficit, it’s important that CIOs and IT directors not only focus on this critical deadline but also look beyond it.
The GDPR presents CIOs and IT directors with a once-in-a-professional-lifetime opportunity to transform both their company’s IT procedures and its security capabilities, and to future-proof the way it approaches cyber and provides services.
A British Approach to GDPR
While many organisations have been slow to prepare, GDPR will dramatically change the way companies globally deal with EU citizens’ data. The new European legal framework provides rules that affect the full data lifecycle, from collection through processing, storage and usage to destruction.
While not prescriptive about specific controls, the regulation requires organisations to implement appropriate measures to protect personal data. Failing to take the right measures could result in a heavy fine for unlawful processing, for data breaches, or for not reporting data breaches.
The UK government has vocally backed GDPR, and hopes to use it to improve cyber risk management in the wider economy. In the Cyber Security Regulation and Incentives Review, launched in late 2016, the government pointed to how the breach reporting requirements and fines that can be issued under GDPR present a significant call to action for industry.
From large enterprises to SMEs, many organisations are shifting their traditional business model away from physical assets in favour of a data-driven business model. Cloud, mobility and the advent of the Internet of Things are driving this digital transformation, introducing new challenges that organisations must navigate to ensure citizens’ and employees’ data is protected.
While the combination of new technologies and the new regulation may seem an insurmountable task to manage over the next 12 months, CIOs and IT directors should look at GDPR as an opportunity. Rather than approaching it separately and in isolation, the new regulation has put a price on cybersecurity and secure data management – bringing it to the attention of the C-Suite.
CIOs and CISOs should harness this opportunity to get the budget and procedures in place that will enable them to transform their organisations’ approaches to cybersecurity, and reposition IT as a function that enables business transformation and growth.
Creating a Culture of Secure IT
With the fear of hefty fines and concepts such as ‘privacy by design’, CIOs and CISOs are likely to find themselves, perhaps for the first time in a while, with full-company backing to create a culture of secure IT within the organisation, with a focus on protecting personal data.
This will have a dramatic impact on a number of current security challenges many IT teams are facing, such as the massive growth in shadow IT. The McAfee Labs Report found that, because cloud services are so easy to procure, almost 40 percent of them are now commissioned without the involvement of IT, and unfortunately visibility of these shadow IT services has dropped year on year.
Sixty-five percent of IT professionals think this phenomenon is interfering with their ability to keep the cloud safe and secure. This is not surprising given the amount of sensitive data now stored in the public cloud, and given that more than half (52 percent) of respondents report having definitively tracked malware back to a cloud SaaS application.
For the first time, GDPR gives CIOs and IT leaders the authority to clamp down on shadow IT in their company, with the support of the rest of the board, who fear the ramifications of GDPR.
Embrace the Change
The innumerable opportunities that digitalisation brings are introducing many new security and data management challenges. To mitigate these new threats, CIOs and CISOs must ensure that future processes are planned securely – especially as complexity increases and workloads migrate to the cloud.
CIOs and IT directors must use the power of GDPR to get and keep board level attention and support in introducing transformational technology and processes that will protect personal data now and in the future.
The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.