Why companies can’t afford to take a ‘sticky plaster’ approach to the EU GDPR

It would have been hard to miss the news that the General Data Protection Regulation (GDPR) was adopted this year, giving companies two years to meet the new regulations.

It sometimes feels like it’s all the industry has been talking about – and with good reason. We’re all aware that the incoming regulations will have a far-reaching impact on how companies in the European Union are able to use the information they gather.

The dramatic increase in potential fines for non-compliance – up to 4% of global corporate revenue – is going to see companies across Europe clean up their act when it comes to their creation, storage, transmission and deletion of consumer information.


What hasn’t much been touched on is what this will mean from a company culture perspective. Everyone is discussing whether corporates will need to employ new Data Protection Officers – but the reality is that this isn’t about a single new employee.

Organisations will need to work out how to quickly embed a much stronger culture around information protection and cyber security to defend themselves. ‘Privacy-by-design’ is an interesting concept, but one that can only become a reality if every employee across an organisation buys into the principle. If it remains a buzzword on a poster in the breakroom, companies will be putting themselves at a potentially crippling level of risk.

Trying to embed a whole new cultural attitude towards cyber security is easier said than done. Company cultures are ingrained and resilient, and are often reinforced from the top down.

The good thing about the GDPR is that it gives companies an even stronger financial incentive to fix their culture if there are issues – and so it presents an opportunity for cyber security professionals to drive their issues up the agenda and make the case for stronger culture change.

Every day, employees are faced with a barrage of corporate messaging from a huge range of sources – whether they are updates about company travel rules or departmental newsletters.

In order to deliver a successful cultural change programme and to protect themselves under the GDPR, cyber professionals will have to be certain that their messaging around the new regulations and requirements cuts through that daily fog of corporate messages.

How do you do that? It’s simple: we need to move away from the current view that compliance issues can be solved with a single, annual online campaign typically followed by a test.

These approaches are typically a shallow, tick-box exercise in compliance that only serves to give companies a false assurance that they are covered in the event of a breach caused by human error.

Instead, companies – and their new Data Protection Officers – will need to take a long, hard look at their engagement programmes around cyber and information security and will likely have to rebuild them from the ground up.

They will need to build a new communications strategy around information, cyber security and the GDPR – one that can make sure staff are aware of, involved with and committed to new policies and practices.


In order to properly engage with staff, communications will need to be regular (rather than rare), fun (rather than tedious), challenging (rather than predictable) and above all, they will need to be written in a simple way that makes it clear what new responsibilities staff have, and how they can better understand what those responsibilities involve.

Sadly, many companies will set about appointing a Data Protection Officer, place the responsibility of complying with the new regulations at their feet and then consider the job well done.

The new perspective on information and cyber security will require a more ambitious and far-reaching approach, and creating a new post just isn’t going to do it. These new regulations should be – and hopefully will be, given the potential financial liability – a huge wake-up call to companies that have taken the ‘sticky plaster’ approach to shoring up their information and cyber policies and behaviours.

The time has come to undertake a real cultural shift, and the whole industry is going to have to hit the ground running.

Sourced from Mark Logsdon, head of Market Engagement, AXELOS

Ben Rossi
