There are arguments around the technical approach to GDPR that have ringing similarities to those presented when ‘Consumerisation of IT’ first became a thing towards the end of the last decade. I have delved into my archive and found a diagram that was used by one of the big global vendors in their slide deck to demonstrate the benefits of the transition that consumerisation heralded. Then the focus was on empowering the staff, especially as the millennials started to hit the workforce, and enabling the business in the process. The suggestion at the time was that IT teams zealously controlled all matters IT and determined how and where employees were able to interact with systems. Consumerisation was an ideal that placed the emphasis on the users making that determination.
A natural reaction to the impending GDPR deadline, and the potential impact it could have on the viability of an organisation, is to lock down all systems and infrastructure in an effort to prevent any breach. The heavy penalties available to the ICO under the legislation will frighten many organisations into a knee-jerk reaction as they seek to mitigate all risk. Reasonableness will not apply and the walls of the fortress will be constructed. In seeking to remove all risk in this manner, businesses will unintentionally introduce more.
Many of the workforce are used, thanks to consumerisation, to having access to the information they need to be productive when and where they need it. Clamping down on these practices certainly seems like a sensible step: restricting access to data from outside the secure environment of the office or network. Personal devices are forbidden and BYOD becomes a thing of the past. You have control. Your data is safe. The ICO won’t get you for 4% of your global turnover.
This approach is bound to have an effect on productivity. It places restrictions on where and how staff can operate. It places no trust in their ability to look after and respect the company’s data. People will still want to work in a way that suits their style and lifestyle, thus introducing conflict. Sooner or later they will find a way to get the data out of the network and into a location where they can operate effectively. It usually starts with a C-level demand to work away from the office, either on holiday or in the comfort of home late at night. Slowly, and unbeknownst to the IT team, the controls are eroded to a point where there is no control over the data. That massive fine could be in the bag.
The alternative approach is to adopt a balance of systems and policies that enable working practices for effective and productive staff. Train your teams to manage data appropriately, but also give them the chance to achieve a work-life balance. Security measures should back this up and be an enabler, not an inhibitor. This will enable true control, and businesses will know where their data actually resides. If there is a breach, it should be identified quickly and reported in a timely manner.
There are elegant solutions that will enable freedom for the users and control for the business: a healthy balance that will enable compliance with GDPR without inhibiting users or the business. The regulations require reasonable and appropriate technical steps, not draconian measures, so it is an opportunity to review your IT and systems, improve them where necessary and ensure staff have the appropriate training.
It is important to remember that GDPR is about personal data, not just IT. While IT has tools in place to help secure data and systems, they are only as good as the company’s policies and procedures regarding how data is handled, and the education of the people handling it; both of these are outside the normal scope of the IT department.
A good starting point for the technical elements of GDPR is an understanding of cyber awareness. We have created a handy guide to this which can be downloaded by clicking below.