Although awareness of the new General Data Protection Regulation is increasing, most of the attention has been on technology. The presence of the word “data” in the title means that responsibility for compliance is being wrongly delegated to IT.
The truth is that although technology plays a role in protecting personal data, it will never be the whole solution. In fact, any business relying on IT as their only safeguard for GDPR compliance will never achieve the standards required.
Instead, businesses need to realise that GDPR compliance is an ongoing, company-wide effort that involves everyone. Here are some factors your current IT-focused GDPR compliance program may be overlooking.
1. Access to data
Although your IT department are responsible for keeping systems running and making data available, they will have almost nothing to do with the actual data stored in them. Some systems – like HR – will be completely off-limits, which means that they do not fully understand what they are trying to protect.
Where IT are not permitted to access data, responsibility for protection will have to be shared with those who are.
2. Data is not just digital
Although the majority of data held by your business is stored digitally, that does not account for everything. Consider the paper copies of invoices and CVs that your business receives in the post – each containing sensitive data that would breach the GDPR if stolen or lost.
The IT manager has no responsibility for maintaining filing cabinets, or the records stored in them. But if your GDPR preparations are not considering these hard copies, you will not be ready for when the new legislation comes into force.
3. Controlling data shared with partners
Increasingly, businesses are choosing to work more closely with their suppliers, often sharing data to enable collaboration. Take G Suite for instance – the platform is used by many organisations to share information, and even to work on the same documents simultaneously.
It is imperative that your staff are educated to share no more than is entirely necessary. They must also be fully aware of customer consent to data sharing, so they do not exceed those permissions.
4. Use of your data by partners
When sharing data with partners, you need to know how they intend to use it. Again, this is not specifically an IT function, but something that all of your employees need to be aware of.
Your GDPR programme needs to identify what information is being shared, with whom, and how it is being protected. You will also need to ensure your partners’ GDPR strategy aligns with your own, so that you can clearly delineate who is responsible for what. In this way you can prevent personal data being used in ways that customers have not agreed to.
5. Do you have subscriber opt-in?
Finally, the GDPR calls for tighter controls on how personal data is used by businesses. It is absolutely essential that your teams are securing those permissions – and that they are being respected.
The IT team can help to delete data for which permissions have not been obtained, but your other teams will need to regulate their own use of the information you hold. Does the marketing team really have permission to send sales letters or marketing emails to the people on their latest mailing list for instance?
Everyone has a part to play
As you can see, GDPR compliance is not an “IT issue”, but a regulation that affects everyone working with personal data in your business. It is a wake-up call to organisations across the world, demanding that they treat data belonging to their customers with greater respect – or face a significant fine.
Call Kimbley IT today to discuss your GDPR provisions, and how we can help raise awareness across your business – not just in the IT department.