The transformational potential for GDPR

GDPR presents CIOs and IT directors with the leverage to enforce a culture of secure IT and data management, argues Gordon Morrison

GDPR will have a dramatic impact on how companies across the world manage EU citizens' data. The guidelines, outlined in this new European legal framework, set new minimum standards across the full data lifecycle - right through from collection and processing, to storage, usage and, finally, its destruction.

While the guidelines aren't prescriptive, the new legislation requires organisations to introduce measures that will adequately protect both employee and customer personal data. Those organisations that fail to do so may find themselves with a significant fine. Unlawful processing, data breaches, breaches of a controller's responsibilities, failures in the security of processing or not reporting data breaches could all result in heavy penalties (up to the greater of 4 per cent of annual worldwide turnover or €20m).

Astonishingly, though, a recent Veritas study indicated that as of the end of last year more than half of organisations had yet to begin working on meeting the new minimum requirements for data protection outlined in GDPR.

A call to action

Late last year, the government launched the Cyber Security Regulation and Incentives Review and indicated that it would be encouraging British organisations to adopt GDPR to help improve cyber risk management across the wider economy. The breach reporting requirements and penalties that the EU can issue to organisations using EU citizens' data, the government advocated, indicate a clear call to action for all industries.

Ahead of its becoming enforceable in May 2018, more forward-looking organisations are working to bring their cybersecurity processes and capabilities up to scratch. But it's important that organisations not only focus on this critical deadline but also look beyond it and think long term around the cyber challenges that they face - from an evolving IT threat landscape, and new technologies introducing new risk, to Britain's cyber-skills deficit.

CIOs and IT directors should be harnessing the once-in-a-professional-lifetime opportunity that GDPR presents to transform the IT procedures and security capabilities of their business, future-proofing the way that it approaches cybersecurity.

Making cyber a C-suite issue

Organisations of all sizes are moving away from the traditional business model of physical assets to adopt data-driven services. Two-thirds of UK businesses now have a digital transformation strategy, according to research from Computing, and the rise of cloud, the Internet of Things and mobility are all creating new challenges for securing data.

While the introduction of this new regulation and the deployment of these new technologies may appear to build an insurmountable hurdle that must be overcome over the course of the year, CIOs and IT directors should approach GDPR as an opportunity to gain the support they need - both in terms of budget and culture.

The penalties outlined by GDPR explicitly put a price on poor cybersecurity, so it presents a unique opportunity to get the C-suite on board with future-proofing the company's cybersecurity and secure data management.

Creating secure tech culture

With hefty fines on the table, CIOs and IT directors will probably find themselves - perhaps for the first time - with full company backing for secure IT practices. This will have a great impact on many of the security challenges that they are currently facing, such as the rise in shadow IT.

A McAfee Labs report recently indicated that the ease of IT procurement has resulted in almost 40 per cent of all cloud services being purchased without involving the IT team. To make matters worse from a security perspective, the visibility of these services has also fallen year on year.

Two-thirds of IT professionals indicated that this trend is impacting their ability to keep cloud services safe and secure. Given that more than half of respondents report that they have tracked malware from a cloud SaaS application, it isn't surprising that IT professionals are concerned about their capacity to secure the - often sensitive - data that these services hold.

Now GDPR offers CIOs and IT directors the authority to stem the tide of shadow IT in their business, with the support of the C-suite who fear the consequences of its penalties.

Harness the potential

Digital transformation brings innumerable opportunities for businesses to digitise traditional business processes and enable more efficient, effective and intelligent ways of working. However, these technologies present new challenges for CIOs and IT directors in terms of data management and cybersecurity.

It's crucial that data management and cybersecurity processes are planned not only to respond to today's requirements, but also to be future-proofed against the challenges that new connected devices and cloud services present. This is no mean feat, requiring both investment and culture change. But finally, GDPR presents CIOs and IT directors with the leverage to enforce a culture of secure IT and data management in their organisation.

Gordon Morrison is director of government relations at McAfee