The result? These business bosses are forming a compliant way of working and establishing a best practice approach that works for their individual cases. Consequently, many have turned the challenge on its head. Instead of seeing GDPR as a threat, they see it as a welcome chance to tackle the previously ill-defined issue of data protection head on.
Strangely enough, it seems one of the perceived weaknesses of GDPR has actually become its strength. The regulations run to no less than 300 pages. Many believe they are too vague and open to interpretation. However, as a result of this, business collaboration has become key. Instead of following the rules to the letter, bosses are thinking about their actions, drilling down to what the document really means and then making it relevant to their business and industry.
Many of our customers are still trying to ascertain the difference between what is currently in place and what is needed for compliance. Because of the demand for transparency and accountability, there is little choice but to engage in business collaboration with partners – such as cloud services providers – and suppliers.
In our experience, because everyone in the chain needs to understand what every other part is doing and the part they play, this is leading to open business collaboration. Also, because GDPR involves the entire business, there are similar discussions going on internally, particularly between HR, IT, security and legal departments, who are all on the front line. C-level involvement is a must and HR involvement is also vital.
Compliance will involve some strong technical controls, but also an adaptation of processes and procedures, all involving different departments and re-training. All departments must work together to ensure there are not several hidden stores of information held about an individual across the organisation. Business collaboration is also needed on particularly knotty areas such as the “right to be forgotten”. While this right is important, it doesn’t override other legal obligations.
If an employee asks that records are removed, there is still the obligation to retain some as appropriate. Yet there appear to be no hard and fast rules, so discussions, conclusions and the establishment of guidelines or best practice are the only way forward. These should not necessarily be subjective, but developed objectively, working with partners that understand the need to be transparent.
Only this way will the defined guidelines suit all involved and therefore be both sustainable and successful. Although it’s important not to focus on the fines for non-compliance, it’s vital that all staff understand the implications. This way they will appreciate your motivation and recognise the need for the utmost care.
It’s also imperative to consider how to make GDPR into a positive experience. In particular, the relationships a business builds with other businesses and their partners can only be strengthened through this exercise. The result should be a safer and more transparent ecosystem – and based on this, an organisation should feel more confident about the future.
Charlie Knox is head of technology at SD Worx