Compliance Rush: Five Mistakes that Can Screw Your Company

In April 2018, shortly before the GDPR came into force, IDC reported that only 29% of small businesses and 41% of midsize businesses in Europe had taken steps to prepare for the regulation. Now the GDPR has been around for some months, but many organizations are still struggling to meet their compliance obligations. One recent example is British Airways, which revealed last week that the personal and financial data of more than 380,000 customers had been breached. If the airline is found to be in violation of the GDPR, they could face a fine of four percent of their annual global revenue — whether you’re counting in British pounds, Euros or U.S. dollars, such a fine would likely have at least 7 digits.

The protection of personal data is becoming more of a priority in the U.S. as well as in the EU. The new California Consumer Privacy Act of 2018, which goes into effect in 2020, is just one of what are sure to be many more regulations developed to protect personally identifiable information.

Therefore, if your organization is still not prepared to meet the compliance requirements you’re subject to, you definitely need to get moving. As you develop your strategy, be sure to avoid these common mistakes that can harm your company:

Mistake 1: Compliance obsession

With compliance challenges in the headlines every day, it’s easy to run mad and make bad decisions. The most absurd example might be British airline Flybe:  In their eagerness to prepare for the GDPR, they crafted an email advising users to update their personal information and marketing preferences and sent it their entire customer base — including people who had unsubscribed from the company’s emails. That rash action violated an existing law, the Privacy and Electronic Communication Regulations (PECR), and got the company slapped with a £70,000 fine.

If you’re unsure about how to meet compliance requirements, don’t do anything in haste. Seek council from legal advisors and other experienced consultants before taking action. Prioritize your efforts. And keep in mind all the compliance standards you are subject to, so you don’t violate one as you try to comply with another.

Mistake 2: Taking a fragmented approach to security

The GDPR and many other compliance regulations require a comprehensive approach to security that involves not just technology, but also governance, processes and people. However, a recent Forrester report found that 26% of EU firms that claim to be GDPR-compliant are focusing too heavily on IT measures to meet only specific GDPR requirements, such as consent or data breach notification.

Taking superficial measures isn’t an effective way to protect your organization from security incidents and audit penalties. I urge you to see the GDPR and other new legislation as an opportunity to get back to the basics that will improve cybersecurity across your IT infrastructure. In particular, make sure you know where your sensitive data resides, who has access to it, and which services and software are the most critical for your business.

Mistake 3: Being reactive rather than proactive

Most compliance regulations require a proactive approach from your IT department, which is notoriously hard to put into practice. During a recent presentation IT security professionals, I did an informal survey about how proactive they consider themselves to be. It turned out that 80% of them are reactive to new compliance requirements and lack a long-term strategic approach.

If your IT department is overwhelmed by routine troubleshooting, it won’t be able to prevent data breaches, respond promptly to requests to be forgotten, or comply with other requirements of data protection regulations like the GDPR. Try to figure out the root of the problem: Is your department understaffed or lacking the expertise you need? Are your security systems insufficient or poorly managed? Are employees unaware of proper security protocols? Each answer requires different actions, so find the root cause first.

Mistake 4: Putting responsibility on IT only

At the same time, the worst thing you can do is to blame your IT people for compliance failures. In practice, if a data breach occurs, the problem often lies outside of IT department. The Netwrix IT Risk Report found that 65% of organizations have experienced security incidents, and most were due to human errors and malware. You don’t want to get fined because someone copied a file with customer’s ID to his laptop or clicked on a malicious link that delivered ransomware, so make sure all employees who deal with sensitive data (such as your marketing, sales, accounting and legal teams) are trained on your cybersecurity policies and procedures. Make sure your educational efforts go beyond boring lectures about security — include relevant case studies and edutainment programs. More broadly, work to establish a new business culture that puts security and personal data privacy at its center.

Mistake 5: Being too radical

Richard Stallman, president of the Free Software Foundation, has suggested that, instead of protecting and regulating personal data, we should ban its collection. I personally know of companies that have deleted all customer data that could be considered sensitive to try to eliminate the risk of GDPR fines.

These responses aren’t just radical; they’re also ineffective. Getting rid of your customer database won’t erase your obligation to report to auditors; it will just hurt your ability to be competitive. Auditors will be looking for a credible plan to ensure compliance, so make sure you can demonstrate them you are on the right path to better control your security. As for your customers, respecting their privacy and preferences will increase their loyalty. You could easily lose a client who has been with your company for years if you don’t treat him according to his preferences because you ditched all information about him.

For too long, businesses have been collecting personal data from customers to meet their own revenue goals. Now it’s time to recognize the rights of data subjects and become privacy-friendly. The scope of this change might seem daunting, but your customers will reward you with stronger loyalty. Plus, if you address compliance as a strategic business challenge, you’ll be in good shape when the next piece of compliance legislation comes around; you’ll have a simple reporting issue, not a fundamental engineering task, on your hands.

Former General Manager EMEA at Netwrix. Matt holds a CISSP certification and has over 19 years of experience in the cybersecurity industry. He has worked for many organizations, specializing in areas such as risk management, identity and access management, and network and database security. In the Netwrix blog, Matt shares insights on how to achieve greater levels of security and compliance.