FEATURE
“These laws will act as a forcing function to change the mindset of those organisations who only want to do what they must to meet basic compliance requirements.”
protection and privacy now, so that when the regulations are enacted, they can be assured their organisation will already be compliant.
I believe that, as we see more legislation enacted, we will slowly start to see a shift in attitude, and Indian organisations are clearly leading the way.
Changing attitudes through best practices
While this shift in attitude slowly comes to fruition, more organisations will undoubtedly ask what they can do to enact data protection and privacy strategies and policies that work for their organisation. From my conversations with companies worldwide, a few key practices stand out:
• Know where personal data resides in your organisation: This sounds self-evident, yet with the massive amounts of structured and unstructured data created daily, many organisations don’t know where personal data resides. This is particularly true when it comes to unstructured data (emails, files, etc.). According to a recent article in the Harvard Business Review, 80% of data analysts’ time is spent simply discovering and preparing data, and less than 1% of an organisation’s unstructured data is analysed or used at all. Without identifying what personal data exists and, more importantly, where it exists, compliance efforts will struggle: you cannot protect, minimise, or delete on request data you have not located.
• Obtain executive sponsorship and support: Compliance efforts can be hindered by internal politics. Because of the confusion that exists around compliance, it often becomes difficult for business leaders to agree not only on who drives compliance efforts, but also on who is accountable in the event of questions or, unfortunately, punitive consequences or data breaches. Determining executive ownership is a critical element of a successful data protection and compliance programme.
• Ensure data is protected both inside and outside your organisation: I recently had the opportunity to speak with a number of European security professionals about their data protection challenges, and they mentioned that driving data protection requirements down to third-party vendors or partners was a significant challenge. One quick way to start addressing this is to add GDPR language to contracts, so that it becomes clear who is responsible for the data (your organisation or your partner’s organisation) once it leaves your walls. Note that Article 28 of the GDPR already requires a written contract with specified terms between a controller and any processor acting on its behalf, and that the controller remains accountable for the processing regardless of how the contract allocates responsibilities, so contract language is a starting point for managing third parties, not a transfer of risk.
www.intelligentciso.com | Issue 11
Clearly, GDPR compliance will continue to be a daily challenge for organisations worldwide. It may well be that we don’t see a broad push for compliance until we see meaningful enforcement of this legislation.
In the meantime, I believe that adopting a mindset aimed not only at compliance but at good data stewardship is a step in the right direction for organisations looking to have confidence in their handling of personal data.