There is a tendency to think that data privacy or GDPR compliance is mainly an IT problem, but those that think this way may want to have a good lawyer handy.
The belief that data privacy is mainly an IT issue is both short-sighted and dangerous. In the digital age, data is one of the most critical business assets and customers engage with businesses that they trust with their data. Certainly technology plays a critical role in managing data privacy, as it enables efficient and effective execution of controls, but processes and people matter as much as - if not more than - technology.
Regarding people, the influence of human factors has a huge impact on data privacy practices. According to statistics from the UK’s Information Commissioner’s Office, human error is the main cause of data breaches. Almost two-thirds (62%) of the incidents reported to the ICO were related to human factors. To put things in perspective, other causes such as insecure webpages and hacking accounted for only 9% combined. So just bringing in a few more “cyber” security tools is NOT going to solve your data protection problem!
Regarding process, it is impossible to manage any kind of transformation in an organization without a clear understanding of the business processes. In the context of GDPR, processes drive the key activities needed to manage privacy compliance. Processes describe how companies understand, track, and control the flow of data inside and outside of their systems. It’s key to understand and assess the (privacy) risks associated with the organization’s business processes, as well as with its supporting IT systems. Controls and procedures for data collection, use, residency, and retention need to be embedded in the processes to ensure data is kept confidential, is accurate, and is available when needed.
Organizations focusing on technology only will soon find themselves in trouble. Firms that are able to account for human behavior in meeting privacy demands and to fully embed data privacy in the way processes are designed, executed, and monitored will have a competitive advantage over those that do not. So, rather than seeing the new regulation as a burden, organizations should consider it an opportunity to assess their current situation. From there, they can build a data privacy-driven business that customers will be happy to rely on.