In a session at Infosecurity Europe in London on June 8, 2017, Adrian Davis, managing director (ISC)2 EMEA, declared GDPR a “huge business opportunity, not a compliance thing.” He called GDPR an “opportunity for information security professionals to add true value to their business.”
Davis advised the audience to use GDPR to “clean your data up and tighten your processes. Compliance is the consequence of that.” GDPR, he said, is the “best opportunity for business to do things properly in the digital era.”
Davis maintained that GDPR will drive out the bad practices that lead to information security vulnerabilities. “If you get your data protection right under GDPR, you’ll be giving your marketing people the best data that will actually work. At the moment, organizations are spending money on storing, backing up and looking after data that they are not using.
“It’s good to show your customers that you really care about their data and look after it. It’s a business opportunity and a marketing and business advantage.”
Yves Le Roux, co-chair of the (ISC)2 EMEA advisory council and leader of the EAC GDPR Task Force, talked the audience through the twelve areas of activity that are needed for GDPR benchmarking:
- Ensure the support from the board & business units
- Establish inventory of personal information held
- Privacy Notice & Information
- Individuals’ rights
- Data subjects’ access requests
- Data protection impact assessments (DPIA)
- Consent
- Children
- Personal data breaches
- Security of data processing & data protection by design
- Data protection governance
- International data transfers
Le Roux advised that whilst official guidance, including DPIA and DPO guidance, has not yet been defined, “it is not a reason to wait”.