Hi, I’m Chris. I’m a salesperson and work for a company that sells software and cybersecurity solutions – so you might think it’s a bit odd that I’m writing about the GDPR…
GDPR Background – My Experience
Probably a lot later than most, but the first time I heard about the GDPR was in the summer of 2016 when a colleague called it a “big thing” during a meeting. At the time, to me, it was just another four-letter industry acronym and I had no idea that it would go on to become so significant. I don’t think even the experts could have predicted the tidal wave of emails that hit our inboxes as we progressed through the first half of 2018.
For those of you living under a rock who don’t know what the GDPR is, here is a clear definition for you: a Regulation aimed at protecting individuals’ rights to data privacy through a set of processes that organizations will have to implement and manage in a specific and structured way.
In October 2016, SureCloud began developing a suite of applications to help businesses manage and evidence their GDPR obligations, working from information available via the ICO and expert Data Protection Lawyers that were well versed in all things Data Privacy.
By December, SureCloud had launched its suite to help organizations with GDPR. Whilst this work had been happening, the buzz around the GDPR started to escalate. The GDPR was cropping up in more and more conversations, appearing in countless online articles and was discussed on platforms such as LinkedIn. As we moved into 2017, customers and prospects were asking about it and what we were planning on doing.
Everyone quickly became GDPR ‘Experts’
GDPR continued to grow as a buzzword, to the point where it was part of what felt like every single work conversation. It was the first “thing” in my sales experience that had such hype. It was an exciting time, as I’d had no experience of a “new” regulation or wholesale change to a current one. The most I’d experienced prior to this was an update to PCI Data Security Standard.
Given that the GDPR was relatively unknown, I found it extremely interesting that some organizations were already at an advanced stage in their compliance journeys, whilst others were completely relaxed, seemingly unconcerned by the Regulation; one prospect I spoke with actually claimed that they wouldn’t need to do anything differently as they don’t keep their customer data – demonstrating a huge lack of awareness here. Through 2017, there was a surge in the number of “GDPR experts”; organizations were offering quick fixes to become 100% GDPR compliant, which was crazy as there is no such thing. Others were purporting to solve everything and take all of the pain away for their customers/prospects; at InfoSec 2017, I heard one company claiming that encryption would solve everything to do with GDPR compliance. I was astonished at the level of mis-selling and selling on futures.
Obviously recognizing opportunities to make “easy money”, companies were springing up or adding GDPR to their armory. In many cases, I’m sure that some could help, but I’m confident that lots were struggling to live up to their promises. I knew that SureCloud had years of experience in helping organizations with the management of processes and compliance frameworks, and that what I was selling was of real value to those that bought from us.
Operationalising GDPR Programs
Both before and since the 25th May GDPR deadline, we experienced many organizations attempting to use spreadsheets to manage their GDPR programmes. Maintaining this, as I’ve seen with many other Risk and Compliance programmes, has proved to be complex, time-consuming and difficult to scale. This has exposed, and will continue to expose, organizations to a whole host of risks. Industry analyst Michael Rasmussen feels the same.
More and more, organizations are looking to tools to make their lives simpler and give them real information that helps them make the business-critical decisions they need to make in their roles. SureCloud can take this further and contextualize vulnerability data associated with GRC programmes, again enabling decisions to be made on knowns rather than guesswork.
One of the customers I’m working with explained why they purchased the SureCloud GDPR Suite:
“Due to the complexity of our business and the wide range of services we provide, we needed a bespoke system to record evidence of our compliance with the GDPR. The SureCloud GDPR Suite gives us the flexibility we need to keep the records required under GDPR as well as documenting our compliance with the differing data protection legislation in each of the fifteen jurisdictions where we operate.”
GDPR – What’s Next?
The world certainly didn’t end following the 25th May date passing. It has focussed people’s efforts, and with a few high-profile breaches, it’s making organizations give serious thought to their approaches to compliance. The ICO reports breaches and associated fines as follows:
Equifax fined £500,000
BT fined for sending five million spam emails
Yahoo! fined for putting customer data at risk
It is clear that further fines are on the way and I’m sure there’ll be a big one that will make the world stand up and pay attention. According to the ICO, public perception is still very much that organizations aren’t trusted with personal data. This is further evidence that organizations really do need to ensure that they have the relevant processes in place and that in any event, they can evidence that they’ve taken steps to do as much as they possibly can.
Looking at trends since the GDPR came into force, I’ve noticed that organizations are paying more attention to risks in their supply chains. This is where most breaches stem from so it makes perfect sense to plug any gaps here and ensure a robust process. Organizations are looking more to tools that help with their Third Party Risk Management programmes.
One trend I hope to see is organizations doing more around the security of their Personally Identifiable Information (PII). Demonstrating that you have controls and measures in place to protect PII is absolutely crucial. Penetration Testing and ongoing Vulnerability Scanning are two mandatory (for most organizations) measures that organizations can put in place, which SureCloud can also help with.
I will be at the Gartner Symposium/ITxpo in Barcelona from 4-8 November. SureCloud is exhibiting and you can talk to me or my colleagues about how we help other organizations. We’ll have copies of our newly released Everton GDPR case study to take away too.
I’ve worked in many different areas and most recently (4.5 years) in sales. Having other experience away from sales has helped me to approach sales the way I do; looking at it from the requirements side and the customer needs. I believe passionately in building relationships and getting to know people and the problems they’re faced with. Selling, to me, isn’t about a quick deal for the sake of it. It’s those relationships that allow trust and the ability to buy into both me and the company I work for, to actually make a difference.
Here are a few useful articles that may be of interest:
ICO GDPR Guide
ICO Data protection self-assessment toolkit
Michael Rasmussen’s GRC 2020 Report on SureCloud’s GDPR Suite
KPMG – https://home.kpmg.com/uk/en/home/media/press-releases/2017/05/gdpr-coming-into-force-what-do-businesses-need-to-do.html