Data Privacy

GDPR from a Sales Perspective – Everyone is an expert

Written by

Chris Wheatley

Published on

11 May 2018


Hi, I’m Chris. I’m a salesperson and work for a company that sells software and cybersecurity solutions – so you might think it’s a bit odd that I’m writing about the GDPR…

GDPR Background – My Experience

Probably a lot later than most, but the first time I heard about the GDPR was in the summer of 2016 when a colleague called it a “big thing” during a meeting. At the time, to me, it was just another four-letter industry acronym and I had no idea that it would go on to become so significant. I don’t think even the experts could have predicted the tidal wave of emails that hit our inboxes as we progressed through the first half of 2018.

For those of you living under a rock and not knowing what the GDPR is, here is a clear definition for you: the General Data Protection Regulation (Regulation (EU) 2016/679) is a Regulation aimed at protecting individuals' rights to data privacy by requiring organizations to implement and manage a defined set of processes in a specific and structured way. Because it is a Regulation rather than a Directive, it applies directly in every EU member state without needing national legislation to transpose it.

In October 2016, SureCloud began developing a suite of applications to help businesses manage and evidence their GDPR obligations, working from information available via the ICO and expert Data Protection Lawyers that were well versed in all things Data Privacy.

By December, SureCloud had launched its suite to help organizations with GDPR. Whilst this work had been happening, the buzz around the GDPR started to escalate. The GDPR was cropping up in more and more conversations, appearing in countless online articles and was discussed on platforms such as LinkedIn. As we moved into 2017, customers and prospects were asking about it and what we were planning on doing.


Everyone quickly became GDPR ‘Experts’

GDPR continued to grow as a buzzword, to the point where it was part of what felt like every single work conversation. It was the first "thing" in my sales experience that had such hype. It was an exciting time, as I'd had no experience of a "new" regulation or a wholesale change to a current one. The most I'd experienced prior to this was an update to the PCI Data Security Standard.

Given that the GDPR was relatively unknown, I found it extremely interesting that some organizations were already at an advanced stage in their compliance journeys, whilst others were completely relaxed, seemingly unconcerned by the Regulation; one prospect I spoke with actually claimed that they wouldn't need to do anything differently as they don't keep their customer data, demonstrating a huge lack of awareness. Through 2017, there was a surge in the number of "GDPR experts"; organizations were offering quick fixes to become 100% GDPR compliant, which was crazy as there is no such thing. Others were purporting to solve everything and take all of the pain away for their customers/prospects; at InfoSec 2017, I heard one company claiming that encryption would solve everything to do with GDPR compliance. I was astonished at the level of mis-selling and selling on futures.

Obviously recognizing opportunities to make "easy money", companies were springing up or adding GDPR to their armoury. In many cases, I'm sure that some could help, but I'm confident that lots were struggling to live up to their promises. I knew that SureCloud had years of experience in helping organizations with the management of processes and compliance frameworks, and that what I was selling was of real value to those that bought from us.


Operationalising GDPR Programs

Both before and since the 25th May 2018 GDPR deadline, we have seen many organizations attempting to use spreadsheets to manage their GDPR programmes. Maintaining these, as I've seen with many other risk and compliance programmes, has proved complex, time-consuming and difficult to scale, and it has exposed, and will continue to expose, organizations to a whole host of risks. Industry analyst Michael Rasmussen feels the same.

More and more, organizations are looking to tools that make their lives simpler and give them reliable information on which to base the business-critical decisions their roles demand. SureCloud takes this further by contextualizing vulnerability data alongside the GRC programme it relates to, so that decisions are made on what is known rather than on guesswork.

One of the customers I’m working with explained why they purchased the SureCloud GDPR Suite:

“Due to the complexity of our business and the wide range of services we provide, we needed a bespoke system to record evidence of our compliance with the GDPR. The SureCloud GDPR Suite gives us the flexibility we need to keep the records required under GDPR as well as documenting our compliance with the differing data protection legislation in each of the fifteen jurisdictions where we operate.”


GDPR – What’s Next?

The world certainly didn't end when the 25th May date passed. It has focused people's efforts, and with a few high-profile breaches it is making organizations give serious thought to their approaches to compliance. The ICO has reported breaches and associated fines including the following:

Equifax fined £500,000

BT fined for sending five million spam emails

Yahoo! fined for putting customer data at risk

It is worth noting that all three of these penalties were issued under the pre-GDPR regime (the Data Protection Act 1998, and in BT's case the Privacy and Electronic Communications Regulations) because the incidents pre-date 25 May 2018; the £500,000 Equifax penalty was the maximum available under the old Act, far below the GDPR's ceiling of €20 million or 4% of worldwide annual turnover.

It is clear that further fines are on the way and I’m sure there’ll be a big one that will make the world stand up and pay attention. According to the ICO, public perception is still very much that organizations aren’t trusted with personal data. This is further evidence that organizations really do need to ensure that they have the relevant processes in place and that in any event, they can evidence that they’ve taken steps to do as much as they possibly can.

Looking at trends since the GDPR came into force, I’ve noticed that organizations are paying more attention to risks in their supply chains. This is where most breaches stem from so it makes perfect sense to plug any gaps here and ensure a robust process. Organizations are looking more to tools that help with their Third Party Risk Management programmes.

One trend I hope to see is organizations doing more around the security of the personal data they hold (often referred to as Personally Identifiable Information, or PII, although the GDPR's term "personal data" is broader and covers any information relating to an identifiable person). Demonstrating that you have controls and measures in place to protect it is absolutely crucial: Article 32 requires "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing". Penetration testing and ongoing vulnerability scanning are the usual ways for most organizations to evidence that process, and SureCloud can help with both.

I will be at the Gartner Symposium/ITxpo in Barcelona between 4 and 8 November. SureCloud is exhibiting, and you can talk to me or my colleagues about how we help other organizations. We'll have copies of our newly released Everton GDPR case study to take away too.


About Me – Chris Wheatley

I’ve worked in many different areas and most recently (4.5 years) in sales. Having other experience away from sales has helped me to approach sales the way I do; looking at it from the requirements side and the customer needs. I believe passionately in building relationships and getting to know people and the problems they’re faced with. Selling, to me, isn’t about a quick deal for the sake of it. It’s those relationships that allow trust and the ability to buy into both me and the company I work for, to actually make a difference.


Useful Information

Here are a few useful articles that may be of interest:

ICO GDPR Guide

ICO Data protection self-assessment toolkit

Michael Rasmussen’s GRC 2020 Report on SureCloud’s GDPR Suite

PwC – https://www.pwc.co.uk/industries/financial-services/regulation/our-gdpr-summary-for-financial-services/gdpr-protect-reputation-stand-out-for-the-right-reasons.html

KPMG – https://home.kpmg.com/uk/en/home/media/press-releases/2017/05/gdpr-coming-into-force-what-do-businesses-need-to-do.html

Business Leader – https://www.businessleader.co.uk/business-ready-for-gdpr/34911/


Learn more about SureCloud Data Privacy Management Solutions here.