Despite the many nuances about the new General Data Protection Regulation (GDPR) and questions about how it will be enforced, panelists at Tuesday’s GDPR panel during ISACA’s EuroCACS conference provided some straightforward guidance to organizations – if you don’t need the data, don’t collect it.
Operating within that basic framework can prevent many of the GDPR-related headaches organizations are facing, panelists in Edinburgh, Scotland, said. The panel, moderated by ISACA board chair Theresa Grafenstine, included ISACA board directors Mike Hughes, RV Raghu and Jo Stewart-Rattray, along with Andrew Neal, president, Forensic Technology & Consulting, TransPerfect Legal Solutions, and Ken Macdonald, head of ICO Regions, Information Commissioner’s Office.
Several of the panelists noted that the more stringent data privacy regulation brought on by GDPR must cause enterprises to re-evaluate what data is truly essential to gather and protect.
“It’s just amazing how organizations, just sort of by habit, ask for things that are highly risky to ask for that have nothing to do with the business process for which they’re asking, but they just got in the habit of doing that,” Grafenstine said.
Macdonald brought a regulator’s perspective to the discussion, saying the immediate aftermath of the 25 May compliance deadline has been relatively quiet, although a holiday weekend surely factored in.
“But we will soon be seeing a surge, probably from organizations needing a bit of clarity on the implications of the new act, but also individuals who are starting to enforce their new [privacy] rights,” said Macdonald, who noted that regulators will be more apt to look favorably upon organizations that are making a clear effort to comply, even if they have not yet achieved full compliance.
While there is widespread curiosity about how GDPR penalties might be enforced, Neal said organizations should not expect to get by with lax compliance efforts.
“Governments have a significant amount of coercive power they can bring to bear, and we don’t know what that’s going to look like. … I would recommend against saying ‘I dare you’ to a government,” Neal said.
While the EU has been the epicenter of the wave of GDPR publicity over the past couple years, organizations in other parts of the world that do business in the EU also need to comply. Stewart-Rattray, from Australia, said more awareness about the regulation still needs to be created outside Europe, and called on boards of directors to set a leadership tone at their organizations for more responsible data privacy policies.
Neal said organizations with strong governance programs will be best equipped to thrive in the GDPR era.
“Make no mistake – most of what’s going on with GDPR is a governance problem,” Neal said. “It’s managing your data to be in line with the company’s or organization’s best interests. The ability and the incentive to reduce your data footprint while increasing your data relevancy, and the importance and the utility of that data, I think is a very positive direction.”
Citing recent ISACA data on the challenges of cross-departmental collaboration, Raghu said all stakeholders within organizations need to have more dialogue about the risks and rewards of collecting data, and potentially make changes to their business processes based on those insights.
As the panel concluded, an audience member questioned Grafenstine on whether, given the potential pitfalls of GDPR, the emphasis on big data is becoming a double-edged sword. Grafenstine said she does not view valuing data and valuing privacy to be an either-or scenario.
“I still believe that data is going to be perceived as the air that we breathe because it is absolutely what is going to fuel innovation and move society to the next level,” Grafenstine said. “We just need to make sure that we’re mindful and deliberate in how we do that.”
Editor’s note: For more of ISACA’s resources on GDPR, visit www.isaca.org/GDPR.