
Working from the top down to ensure data compliance

13.05.2018

AIG Cyber GDPR


Published : Sunday Business Post, 13th May 2018.

With GDPR fast approaching, larger organisations should make sure they have buy-in from all areas, especially from executive level, writes Quinton O’Reilly.


With GDPR finally coming into effect soon, the onus is on businesses to ensure they have taken the necessary measures to be compliant.

While smaller organisations may find compliance challenging because they lack resources, larger organisations shouldn’t assume they are safe just because they have the budget and the people. GDPR requires every department to do its part, not just IT, and this is particularly true for those on the board of management or in executive positions.

For compliance to work effectively, there needs to be a buy-in from the board along with every tier in the management structure of an organisation, said Louise Kidd, AIG Ireland’s head of liabilities and financial lines.

“It’s about understanding that there is now a need for long-term strategic planning around how a lot of existing processes within a business will need to change and adapt,” she said. “Most companies are aware of the financial risks associated with data breaches, but it’s also important they understand the cyber threats facing them.”

“Expensive data breaches are now a fact of corporate life, and therefore it has never been more important that businesses consider a well-designed risk management framework to stay ahead of these various threats.”

AIG's Louise Kidd

One major part of GDPR compliance is how management communicates with the rest of the business. Because the regulation has a significant impact on day-to-day operations, communicating the role each employee must play, and providing the necessary training, is crucial.

Chances are that most companies are already aware of their current obligations under the existing data protection framework.

That framework gives them a benchmark: rather than starting from scratch, they can build on the controls they already have in place to meet the additional requirements of GDPR.

“As part of this enhanced framework, it’s important to implement prevention methods where cyber-resilience should be a primary focus,” said Kidd.

“Virtually all companies have a business continuity plan (BCP) to deal with fire and flood events – all key stakeholders and management know what to do in an event of a serious incident like a fire by following its agreed BCP, but do they know what to do in the event of a serious cyber-attack?

“A resilience plan is best developed by working across cross-functional groups like IT, marketing, and finance where roles and responsibilities are delegated to monitor threats both internally and externally.”

All of this ties in with the key advice Kidd provides: be proactive. Most companies don’t need to be reminded of the pitfalls associated with a reactive approach in any context, and the same logic applies to security.

“At AIG, we provide emphasis on our risk-mitigating solutions to stay ahead of these various threats,” said Kidd. “These include providing our clients with pre-loss services and providing them with access to best in class legal, data, PR and IT professionals who have experience in dealing with live emergency cyber breaches.

“We also provide clients with knowledge, training & compliance solutions, IT security assessment services along with many others so they have a better understanding of their risk profile.”

With that in mind, the best way to prepare for a data breach or cyber attack is to have a strong plan in place. Kidd said it is essential that companies have a disaster recovery plan, as well as adequate insurance cover in case something goes wrong.

She also recommended that companies carry out simulations of a data breach and the subsequent investigation, as these show how ready a company really is and expose weak points that it can then refine.

“Carrying out a simulation is vital, so every employee knows the role they need to play and processes they need to follow,” she said.

“Having a seamless breach plan in place should a breach occur is crucial, and it includes things like notifications to customers, putting a helpline in place, and an internal and external communication plan.”
