Executive involvement and holistic approach key to GDPR compliance

One in five (21%) senior executives have little or no idea about GDPR and its impact on their business, despite the legislation coming into effect in under a year, reveals a new survey from Alfresco and the Association for Information and Image Management (AIIM).

  • Thursday, 24th August 2017 Posted 7 years ago in by Phil Alsop
Businesses will struggle over the next few months to ensure GDPR compliance unless they can harness executive support and involvement. The survey also reveals the importance of a holistic approach to GDPR that combines governance, training, process and security, with a majority of respondents (89%) acknowledging that GDPR cannot be viewed a one-off siloed project.
 
GDPR is an information governance problem at its core. The over-riding priority for businesses in the run up to the legislation coming into effect, is developing stronger governance policies for information, according to almost three quarters (74%) of respondents. This is followed by developing and conducting regular training and communications (57%), and maintaining data quality and integrity (57%).
 
George Parapadakis, Director of Business Solutions Strategy at Alfresco, comments, “Brexit is dominating the business agenda in the UK, so GDPR has unfortunately fallen down the pecking order. Coupled with the confusion still surrounding the implementation of GDPR by local regulators, it’s no surprise that our survey shows only a quarter (23%) will be fully prepared for GDPR by next May.
 
“An added complexity is that GDPR doesn’t sit squarely with one department. Responsibility has to be shared across the entire business, driven from the top and involve finance, security, compliance and operations. With less than a year to go, GDPR needs to return to the top of businesses’ agenda” adds Parapadakis.
 
Once a coherent strategy is in place, organisations should start with the basics of determining the data’s origin, purpose, residence, justifications and consents, and implementing the protocols to manage it. The survey pinpoints unstructured data and application systems (32%) including email, content management and shared drives as the business areas that will feel the brunt of GDPR requirements. Followed by the procedural and process areas (21%) that require modification.
 
Even beyond the security of its physical location, the continuous transit of data across systems and across organisations must be considered. As a fundamental part of day-to-day business activity, there are multiple potential weak points where a data breach could occur. Yet nearly a quarter have no clear understanding of what is required of them with movement of data across their enterprise. Other survey results regarding security implications include:
 
·         Almost a third (31%) of respondents experienced data loss or exposure happening within the last twelve months.
·         16% reported internal or HR incidents as the cause of data loss due to staff negligence or bad practices, as opposed to external hacking.
·         14% admit there was an exposure or loss of Personally Identifiable Information (PII) on customers or citizens, which 74% of respondents admit is most commonly stored in email and on email servers.
·         Close to half (47%) reported that their GDPR content is kept with various third parties such as partners and suppliers, opening up further risks.
“While data breaches are an increasing occurrence, they are less often due to unauthorised hackers, but more frequently due to human error, negligence, or the lack of clear policy. This is where strong information governance combined with training, technology, enhanced security measures, and regular auditing of an organisation’s data ecosystem come in. GDPR should be seen as a positive motivator, an opportunity to improve business efficiency by applying structured, disciplined, and secure processes to manage data. A platform that automates information governance and combines process and content management provides the key answers,” concludes Paparadakis.