IT Briefcase Exclusive Interview: Preparing your Business for the GDPR

October 18, 2017

After four years in the making, the new General Data Protection Regulation, or GDPR, will finally go into effect on May 25, 2018. GDPR aims to unify and standardize privacy laws across the European Union, as well as protect EU citizens and their data privacy rights.

This is a major update that will require organizations to reframe how they handle data privacy and comply with new standards or face heavy fines. Despite its major impact, however, many organizations remain unclear about the real business impact of GDPR, and what steps they should take to adequately prepare.

1)    How will regulations change under the General Data Protection Regulation?

A. While the old legislation served primarily as a directive, GDPR is designed to focus on true regulatory requirements and standards. Under the Data Protection Directive, more power had been delegated to individual countries within the EU, and most of the rules were left to the interpretation of each government to enforce as they see fit. Under GDPR, however, there will be much less room for interpretation on a national level. The objective is to make it easier for EU citizens to understand how their data is being used, and also to raise any complaints, thereby creating a single, unified, and cohesively implemented digital economy across the entire EU.

GDPR designates a very strict and far-reaching definition of personal data that must be protected. Any information that could be used, on its own or in conjunction with other data, to identify an individual, must be protected. In contrast, the old legislation allowed each country to define what constituted “personal data,” making it impossible to enforce a standard from country to country.

2)    How do these regulations affect organizations globally?

A. The GDPR doesn’t just affect businesses in the EU. Any and all companies doing business in the EU and consequently handling ‘data subject’ information are required to comply. Large corporations such as Microsoft have already begun the journey to ensure compliance, and companies based outside the EU have hired employees to specifically help with GDPR compliance. Smaller e-commerce platforms must also take the necessary steps, or risk serious consequences.

It’s possible that the US might adopt regulations similar to GDPR in the future, though it’s hard to say for sure. There are certainly mixed signals, and privacy has a different tenure in the US versus in Europe. Critical events such as the Equifax breach, however, are serving to increase awareness and concern for privacy matters in the US. As a large number of US businesses will need to adopt GDPR for their EU activities, they will already be well-prepared in case the US also adopts stricter requirements. The EU Commission is already counting on the fact that other nations, such as Japan and Australia, will soon adopt regulations similar to GDPR.

3)    What are some simple steps organizations should take to make sure they are prepared?

A. The first step towards implementing GDPR is getting your staff prepared and your organization ready. We have outlined six simple steps we recommend organizations take to make sure they are GDPR ready:

1. Create Awareness: The first step towards making sure GDPR is implemented is making sure it gets the correct platform within an organization. An absolute minimum is to make sure the management team is involved.

2. Get Your Organization Ready: The setup of GDPR comes with the setup of some formal roles such as a Data Protection Officer. Assign a member of the management committee as a sponsor for a GDPR implementation. It will help ensure the right level of priority and effort is given to GDPR.

3. Create a Data Map: Start mapping where ‘personal data’ (Data Subjects) is used throughout your entire business. Many tools (from basic Excel templates to advanced software) exist to help in this process.

4. Identify What Data You Need to Keep: Under the GDPR, you won’t be allowed to keep more personal information than needed, and you won’t be allowed to keep this data ‘ad aeternum’. GDPR will encourage a more disciplined treatment of personal data.

5. Put Security Measures in Place: You need to put all levels of security in place to make sure your company’s data is secure from breaches. This is translated into the implementation of IT best practices. The use of ‘multi-factor authentication’ to log in to your applications and data, for example, is seen as an absolute minimum.

6. Review Your (Data Facing) Processes: “Data Subjects” have a set of basic rights under GDPR. As a business, you will need to make sure you can comply with the exercising of any of these rights. Furthermore, individuals need to give explicit consent to the use of their data.

4)    Why should organizations of all sizes have privacy and cyber-security measures in place?

A. In response to the many data leaks of the past decade, larger organizations and governments started to acknowledge the importance of cyber security and made the necessary investments and regulations to cope with the issue. Hackers targeting these organizations require increasingly more skills, time and resources to succeed in their attempts, which makes it less lucrative.

Small Businesses typically do not have the knowledge or resources to secure and manage their IT infrastructure, resulting in weaker security and therefore also making them easier targets. Erroneously, Small Businesses often think they have nothing worth stealing. They do however store sensitive data from their customers, like bank account information, credentials and credit card info. In turn, hackers use this data not only to harm the Small Business, but also the customers.

5)    What does Awingu do and how can you help companies prepare for the GDPR?

A. Awingu is a turnkey solution that offers the flexibility and simplicity needed to meet mobility demands and platform-agnostic trends without compromising security. Users can access all of their applications and data from virtually any device, anywhere. All that’s required is an internet connection and HTML5-capable browser; there’s no configuration or client software installation necessary, which makes administration a breeze.

Awingu helps organizations tackle simple security measures in preparation for the GDPR with the use of multi-factor authentication, encrypted data traffic, and usage auditing features out of the box. Our browser-based solution protects personal data by not storing any data on the user’s device, giving companies one less thing to worry about while becoming GDPR compliant.

Walter Van Uytven, CEO at Awingu

Walter worked as Director of Cloud & ICT channels for the Belgacom Group and as CEO of Belgacom Bridging ICT before joining Awingu as CEO. Walter first started working with the Belgacom Group in 2009 to help bring entrepreneurship and business development expertise to the group. Before that, Uytven was President & CEO of the Belgian Informatics Association and owned an IT integrator company. In 2014, Walter received the “ICT Channel Personality of the year” award.
