26th Feb 2018 – CIO
by Max Cottica – Chief Information Officer, Staycity Aparthotels
I have been busy looking after two aspects of my job related to cyber security and GDPR. I spent a long time talking to vendors, consultants, friends, ex-colleagues and experts in the industry, attending seminars, summits, conferences and reading through tonnes of material (including the unforgiving 99 articles), and here is a list of things that I will or will not do to prepare for both aspects.
1. Do not panic. The last thing I want to do is to lose sleep over it. Yes, both security and GDPR are a headache, they are challenging and ultimately present a high level of risk, but what you need to understand is that the regulator will probably not fine you if you can demonstrate that you are seriously taking precautions and that you have a strategy in place to reach the mirage of compliance.

2. Work both aspects in parallel. I do believe that security goes hand in hand with GDPR, and if you succeed in protecting yourself on the first, you will have an easier life around the second. Close those ports, change those default passwords, adopt 2FA, make sure your employees understand that having a lot of files with PII on their laptop or device is something we cannot turn a blind eye to anymore. Protect yourself with encryption, AI-enabled security and access tracking, you name it. There is so much out there you can use to your advantage. Get informed and act accordingly. Other things you might want to consider are patching, taking backups, and stopping people from sending emails with lists of names and mail addresses around the company. If that happens and you get caught, don't be a fool: raise your hand and use your breach contingency plans (within 72 hours from discovery).

3. Set a strategy. Start small, with a diagram for example, showing where your data is generated and stored. Then map the movement of data across your internal processes and make sure you document where data ultimately ends up, whether in the hands of a third party, on a hard drive, in the cloud or on a print-out. Train your people on new ways to be efficient and protected; stop printing those damn credit card details and leaving the print-out on top of the printer for weeks. Also mark down who has access to the data, why you process it and ultimately why you store it for a certain amount of time. Minimise exposure to data if all those fields are not required for your day to day; be smart about it and you'll be fine.

4. If you work in a large company, partner with a strong vendor or consultant. You might want to consider Deloitte or EY, to me the ones that really show they care and won't leave you in trouble when the regulator shows up. For an SME, maybe consider a platform. I can be blunt here and say that OneTrust has the best compliance platform around, hands down. If you are relatively small, a platform is still a great tool, but you may get away with DIY and some training for your employees.

5. Make sure that in the end you will be able to demonstrate that you are innocent. I guess that is really what this is all about. Align all your artefacts, prepare to show your data flows in detail, protect yourself from all the obvious bad habits and ultimately you will be fine.

6. Use consent to your advantage. Be granular and transparent in your cookie policies and in your privacy statements. Don't leave anything out, and make it clear that you really care about your customers and employees, to the extent that you will go through a lot of work to protect their identities and rights as EU citizens.

7. Lastly, remember that you are not alone. GDPR is a company-wide effort; actually, it is a company, partners, relationships, vendors and any other third party endeavour. Do not make the mistake of taking it all on your shoulders (also, please read 1. again). GDPR is bigger than anybody's single effort. Involve your sales people, your HR managers, your marketing gurus, your legal group, your IT department and your data analytics people. Create a committee, share the workload with them and talk about it frequently to make sure nobody feels isolated or alone in the process. Together you will be able to defend yourselves from the regulator.
I could probably go on with another 10 points, but that would go beyond my main purpose here, which was to demonstrate that GDPR and cyber security are not invincible monsters and that there is a logic behind all of it. It's a culture shift. It's a day-to-day change. It's a great thing for yourself as well if you happen to live in the EU.
Something that might be worth mentioning, besides the obvious conspicuous fines if you are found unaware or poorly prepared, is the fact that your brand will be tarnished if you fail to comply or to demonstrate that you have a road map to compliance. No one will ever trust your company again if you are not able to protect people's rights and their identities. You will probably be in the newspapers (that is something I expect to happen, but again, read 1.) or on social channels, and gaining people's trust again will be harder than actually taking action to be compliant.