CIOs’ reactions are predictably varied, ranging from panic to utter confidence in their preparation, and everywhere in between. Understandably, those in highly regulated industries, who are used to dealing with such legislation and were perhaps closer to compliance in the first place, have been the most proactive. As with any regulatory change, there is also a large proportion that remains unaware even of how the regulation will affect their business, or that doubts the enforcement powers of the regulatory body. As James put it, that is seriously high-stakes gambling.
This breadth of reaction is not entirely of the CIOs’ own making, however. Vendors have to take their share of the blame for creating the confusion. James mentioned that while he has spoken to plenty of vendors who accurately understand and promote their role in supporting companies’ GDPR adherence, he has spoken to many more who are outright misleading. For instance, many attract business with exaggerated claims about how GDPR is likely to be enforced. Many others claim that their software and tools can deliver wholesale “one stop shop” GDPR compliance. No technology, not even a cloud platform, can do this: compliance is a property of how an organisation processes personal data (its lawful bases, its records, its processes and its accountability for them), and tooling can support that but never substitute for it. In fact, I wrote an article on this very point in James’ publication: Cloud service providers don’t make you compliant.
With all this noise, it is no surprise that even the most experienced IT teams end up not knowing whom to believe. The antidote to misleading marketing, however, is accurate knowledge. If someone within the organisation understands the regulation in sufficient detail to apply it accurately, they should be able to steer the business through the conflicting and misrepresentative messaging.
Clearly, this is a job for the Data Protection Officer (DPO). Not every organisation is legally obliged to appoint one (Article 37 of the GDPR sets the thresholds), but to protect themselves from complacency or imprudent investment, businesses need a DPO with the right blend of legal understanding, process management skills and technical knowledge. Such a combination is rarely found in a single person, which is why many are opting to look externally for a dedicated resource.
To help these businesses, we have designed our Data Protection Officer as a Service offering, which you can read more about here.
Our GDPR Interview Series is revealing several trends in how GDPR is perceived by various communities, ranging from citizens to business owners, and the IT community is by far the most varied. The sheer diversity of views amongst senior IT people shows how confused they are, how crowded and loud the supplier market is, and how important accurate information is to businesses.
Sign up for the GDPR Interview Series here to learn more about the IT industry’s views and those of many other audiences, including citizens, the regulator, privacy professionals, lawyers and the cybersecurity community.