Complying with the GDPR by 25 May 2018 is a business-wide challenge that will take time, tools, processes, and expertise. It may also require significant changes in an organisation’s privacy and data management practices.
But focusing on the scramble to comply with GDPR, while important, misses the broader impact that compliance efforts are having. In many organisations, GDPR has become a flashpoint, focusing senior leadership attention not just on specific sets of data or privacy protections, but on a broader, more strategic view of cyber risk management.
After all, cybersecurity readiness is foundational to establishing that an organisation has, as the GDPR puts it, “appropriate technical and organisational measures” in place. The most prepared organisations use the explicit cybersecurity requirements of the new rules as a starting point — and adopt a broader set of cyber risk management best practices. There is still much work to be done, and room for improvement.
But what sets apart the organisations that have made the most progress?
First, they understand that cyber risk management is a shared responsibility that extends from the IT department to the executive suite. Regardless of size, many of these organisations have set up internal cross-functional task forces or steering committees led by senior executives — sometimes including or reporting to the CEO. These organisations are using the GDPR compliance process to look comprehensively at how they collect, retain, use, and manage data across the enterprise. They are exploring new tools, such as the use of cloud services; champion privacy rights; and have made significant investments to ensure that any information they possess is secure. More broadly, they are reexamining their privacy and data protection practices to make sure that their people, processes, and technology are properly aligned.
Second, they treat cyber events as inevitable. Instead of focusing only on preventing cyber-attacks, they respond to incidents more quickly and reduce the potential damages. They view GDPR’s data breach notification requirement as an opportunity to develop stronger incident management protocols — whether that means purchasing cyber insurance coverage with access to crisis management experts or encrypting their computer systems so that stolen data is rendered useless.
Finally, they take a quantitative and holistic approach. Because the GDPR compliance process requires organisations to implement measures that are appropriate to the potential threats they face, forward-looking organisations rigorously analyse their cyber risk exposures — both internal and external — and put a pound amount on potential losses. As a result, they are not only investing in appropriate cybersecurity defenses, but they are strengthening cyber incident response plans as well as other risk mitigation and resiliency measures.
In other words, these organisations recognise the GDPR compliance process as a game changing opportunity. In preparing for the new rules, they are strengthening their overall cyber risk management posture and turning what is often viewed as a constraint into a competitive advantage.
To discuss your processes and where cyber insurance can benefit you in more detail contact Jon Davies at Riskworks Business Services Ltd on 01625 547754 or email: jonathand@riskworksbusiness.com or visit: www.cyberliabilty.uk.com