13 September 2017

CBI Updates Team


#CBICyber breakout session review: Tick tock, the GDPR clock is ticking.

It’s 7 hours to midnight: what should businesses do to get ready for the new data protection rules?

Data protection is on the march. With only 7 months to go before the General Data Protection Regulation (GDPR) comes into force, what should businesses be prioritising?

Andrew Rogoyski, Vice President of Cyber Security at CGI UK, urged today’s attendees to focus on the ‘delta’, the difference between the existing rules and the new regulation. Reassuringly, many of the principles in the current rules are replicated in the GDPR, but there are a few big changes coming down the tracks where businesses need to put their best foot forward. Preparing for the GDPR can seem like a daunting prospect, but today’s key message was that transparency, accountability and being proactive are the golden threads that tie it all together. Rogoyski neatly summed it up: companies can best prepare by “baking data protection in rather than bolting it on”.

Rogoyski ran through how businesses can best prepare for high-profile issues such as data breaches and Data Protection Officers (DPOs), how they share data, and how to ensure data protection is at the forefront of the business’s mindset.

So what are businesses prioritising?

  • Taking the initial step – First and foremost, the biggest change between the old rules and the new is that companies must be able to show how they are proactively complying with the GDPR. Regular data protection audits, privacy impact assessments and records showing how you obtained the consent of consumers will be vital. Companies that take early steps on these issues will be on a good footing to adapt to the new rules.
  • Preparing for the worst – Under the new rules, companies must inform data subjects of data breaches within 72 hours. However, companies should carefully consider how prepared their organisation is to respond to increased public attention. Do they know the full extent of the breach, have they implemented their response plans to protect data subjects from further damage, and are staff prepared to deal with consumer questions?
  • Empowering data protection internally – In a strong signal of intent, the clear majority of companies polled in the room already have DPOs, with many retraining existing staff to fulfil the role. Rogoyski urged businesses to consider how the DPO’s increased powers, including the freedom to operate independently and to report directly to the highest levels, would fit into the structure of the business. Would it create conflict between roles, and does the DPO have the resources they need to function?
  • Take a bird’s eye view – Companies should map how and when they share data with third parties. How that data is protected is key, both with new suppliers and when working with longstanding partners to protect historical data. Companies should also consider what third parties and “shadow IT” those partners use in turn.
  • People first – Privacy-by-Design and culture were also highlighted as key for the GDPR. When embarking on a new venture, businesses should ensure data protection is the first item on the table. Data protection should not be the last question asked but a recurring and constant factor.

Thanks to our partner CGI for facilitating the breakout session. Join the live conversation on #CBICyber.