GDPR and the case for ethical data handling

GDPR enforcement is almost upon us. Rather than simply seeing it as a necessary evil, we should remain mindful of the value to be gained from the approaching EU regulation. Businesses ready to embrace GDPR will have the opportunity, not only to enhance data protection, but implement a more ethical approach to data handling.

Indeed, personal data is considered one of the most sensitive categories of information an organisation has access to and perhaps, the most valuable. Look at the HR function, for example. Our recent cloud report showed that 95% of HR apps are not enterprise-ready further underlining the importance in keeping data secure.

As the value of personal data increases, so should the controls needed to protect it. Personal data should only be processed with clear consent given by the subject owner, with a transparent agreement and with an organisation-wide focus on preventing data theft or misuse.  

In a GDPR-compliant future, a star rating system could be implemented whereby customers and shareholders could see how proactive and well-equipped a business is for protecting their data. An initiative like this would provide added impetus to organisations to not only get their data protection standards in check, but to pursue innovative approaches to the measures to truly enable and grow a business.

With the countdown to GDPR well and truly on, here are my top 3 tips for becoming compliant:

1: Plan for the GDPR future, not just enforcement day

The 25th May is enforcement day for the GDPR and while many are fixated on this date, it is now widely accepted that no business will be 100% compliant to every requirement. Rather, businesses should see the GDPR as the beginning of a new era of data protection. They must be armed and in a position to ensure compliance now and into the future and not simply paint over the cracks. 

The guidance that comes with this regulation will also evolve over time, so businesses must be ready to keep up with further changes to data protection standards. The first six months post-enforcement date will be critical; organisations should be looking to learn, adapt and adopt best practice as they continue to hone their data protection obligations.

2: Remember due diligence and data governance

Uncertainty in your organisation will prove to be a fast track to GDPR disaster. To gain transparency and put in place strong data governance, businesses will need an accurate picture of what and how personal data is being used to identify misuse and broken business processes.

Data governance and regulatory compliance is not just the responsibility of the Data Protection Officer (DPO) and the legal team, but for all business functions across the organisation. The 2018 Netskope Cloud Report found an average of 139 HR apps in use across organisations, and these are not necessarily all sanctioned. This underlines the importance that all departments and individual employees must act to enforce and support their data governance and regulatory compliance commitments.

3: Automation is essential

(Image credit: Creative comms)

Maintaining an accurate record of processing (Article 30) is a critical requirement of the GDPR ruling that all personal data processing activity must be recorded, managed and updated to a granular level – a significant task in today’s cloud-first world. Human error in data processing will continue to be a problem, and the only way to effectively eliminate this is to automate maintaining this record where possible. Automation will help to create consistency in how data is safely collected, processed and ultimately retained until being destroyed.

GDPR is a great opportunity for businesses to embrace change and reaffirm a commitment to customer privacy; an opportunity that properly harnessed will ultimately lead to greater levels of customer trust. 

Neil Thacker is CISO EMEA at Netskope 

Want to know more about GDPR? Check out our guide to the new rules.

Neil Thacker

Neil Thacker, Chief Information Security Officer EMEA, Netskope.