GDPR - The Cost Effective Response
In analysis / By Guy Deterding / 26 July 2017
You will have seen endless streams of advice on the coming of GDPR, warning of the huge fines that will be forthcoming if you don’t comply. Many of these blogs are aimed purely at scaring businesses into paying for consultancy, and are often no more than thoughtless regurgitations of readily available information, supplied by the Information Commissioner (ICO) amongst others.
You may operate in a particularly sensitive industry, in which case a full-on approach is perhaps the appropriate response – in order to avoid expensive publicity of the wrong type. If so, then appoint a Data Protection Officer (DPO), as data protection is an ongoing need, and get them to do the work to align your business with the demands of GDPR.
For the rest of us, do we ignore it and hope it will go away, or wait and see if the threat of fines is real? My advice is do a risk assessment. This is cheap, relatively quick to do, and will serve to clarify what you are up against - something that can be shared with the Board. It may even help drive collective responsibility, rather than leaving you, the CIO, isolated, should the worst happen.
A simple Boston Square will do. This may seem a bit two-dimensional, but it serves to clarify where the big ticket items are. It will help decision making around where to prioritise:
- High Risk / Low Cost to Mitigate – probably no-brainers to sort
- High Risk / High Cost to Mitigate – tricky ones – for the Board to decide?
- Low Risk / Low Cost to Mitigate – pick those that are really cheap to deal with, or that generate additional benefits.
- Low Risk / High Cost to Mitigate – prime contenders to ignore, or partially mitigate
It is also worth considering the additional benefits that can be gained from carrying out this work. Archiving old data for instance may improve the speed of systems and make search results easier to manage.
This example is based on a typical recruitment business, so it would need tweaking for your own. What it does show, though, is that some risks will trade off against each other. Preventing every data breach, for instance, is impossible or at least very expensive, so improving breach monitoring and response will significantly reduce the impact of a breach when it does occur.
This basic approach does not require a significant investment, yet it is worth doing for peace of mind, if nothing else. Moreover, should disaster strike, it is likely the ICO will take more kindly to those who have at least reviewed the risks than to those who have done nothing.
If you'd like more information on how to put an effective GDPR plan together, contact our Professional Services team, who will be happy to help.
For information on the ways that Nasstar protects client data please read our short guide.