Why middle management and the board disagree on GDPR

New Clearswift research suggests a difference in opinion on GDPR preparedness between board members and middle management

A new global research study – conducted by Clearswift – across the UK, US, Germany and Australia reveals that just 21% of middle management believe they are ready for GDPR. This compares to 41% of board members. We speak to Guy Bunker, SVP of products, to get his take on the findings.


Why do you think there is such a disconnect between the views of middle management and the board when it comes to GDPR?

In essence, the Board knows what should be going on (often what they are told is going on) however, the practice is often different – and that’s where the middle management and views from other staff come in. Shortcuts to working processes are frequently done to make things easier for the individual but also frequently create security issues. The classic example is emailing work to the individual’s home email account so they can work on it at home over the weekend… this is where talking to the staff to understand the reality is required to help improve processes without compromising security.


What is the biggest issue here – should the board be asking more questions or should middle management be more proactive?

There needs to be a ‘don’t shoot the messenger’ attitude – coupled with transparency, this is essential to make the workplace more secure. Often the Board needs to improve their security as well, but middle management don’t want to say that they are doing anything wrong. Both sides need to ask more questions, respond truthfully and then improvements will occur. This is also true for ‘mistakes’ – the sooner they are owned up to, the better: I accidentally emailed the accounts to ‘…’, what do we do now? It was a mistake, perhaps a change in process is required, or new technology to enforce a policy – spending time pointing fingers and playing the blame game is not good for anyone, especially the company and its customers.


Why is the ‘right to be forgotten’ the biggest challenge for most businesses?

For most businesses, they don’t know what their critical information is, including all the pieces of information which are covered by GDPR. They don’t know where it is actually stored, especially that which is outside the database/email system. They don’t know who has access, who has a copy and how it is accessed. Therefore, receiving a request becomes a serious challenge which will disrupt the daily business as it is answered. Having a process to follow – “this is the information we are looking for”, “this is where we are looking” and “this is what we are going to do when we find it” – really helps. A dry run will show where there may be more tools required to help in the automation of the process. Is the information ‘in the cloud’ somewhere? Is it with partners or suppliers? Approached with a plan and rigor, right to be forgotten doesn’t have to be a big issue.


Where are businesses failing the most overall?

Prevarication is the greatest enemy. Unless a business starts, it cannot actually move forward towards compliance. Taken as a whole it can be a little daunting, but splitting it up into parts and assigning those pieces a priority gets the ball rolling. So, ask where the biggest threat is: email, the web, laptops? Pick one to begin with and work through the various steps to ensure the data is secure at all points. Then move on. Quite a bit of GDPR is around people and process rather than technology – so get HR involved. Compliance is for the whole business, not just IT – and the whole business can help in driving compliance.


Are you seeing regional differences in perceptions of preparedness?

Yes – for example, in Germany there was an initial feeling that if they complied with existing German law they would be compliant. However, there is now a realization that there are pieces of GDPR which will require them to do additional work. Other regions such as the US, who provide services and products to the EU, are also realizing that they need to comply – and that time is running out. There is a cycle whereby the more people understand about the requirements, the less comfortable they are – until they start making progress on the issues they foresee in their business, at which point they become more comfortable again.


You state that businesses should appoint a GDPR champion – what should this individual look like?

This is someone who has a passion for the business and can see the need for GDPR compliance. It might be the marketing person who sees the opportunity or the finance person who sees the risk. They are most likely different from the DPO, who will have ongoing responsibility to remain compliant. The champion will create and drive the team towards becoming compliant and then go back to their day job!


There isn’t long to go now – what can organizations realistically do at this point?

Start. Start with understanding how big the issue is, do a trial discovery on where GDPR information is, look at the tools you have today and what might be missing. Start an awareness program. Look at the data and data flows in and out of the organization. Look at email, use of services such as Dropbox etc. Once there is an understanding of the size of the issue, then put the plan in place to secure the organization – and look at how ongoing governance will be achieved with minimum disruption to the business.


What do you think will happen on May 25th?

Very little, actually. However, there will then be test cases. We have data breach stories every day; the first of these will have a large spotlight on it as to what the authorities will do. This will no doubt continue with the same vigor as the reporting of stories today – and has been for the past 10+ years. GDPR is not about the fines – it is about making it safer for EU citizens to share their information with organizations who will keep it secure, and protect the individual from financial fraud and identity theft. It is about keeping and growing confidence in doing business online, whether it is with a government, a large multi-national or a small business.


Is there anything else you’d like to share?

The time for action is ‘now’… not tomorrow or the next day. If you haven’t already started, start – it is not too late. Listen to employees, they know what is really going on and will have ideas on how to make the information, the company and themselves more secure.