In the age of GDPR and CCPA, there seems to be more conjecture about compliance and personal privacy than there is about the weather. It’s understandable, as predicting the conditions outside seems a lot easier than devising and implementing an effective data protection strategy.
With headlines about data breaches being far too frequent and substantial fines for non-compliance becoming a growing reality, pleading naivety to the issues and impacts is neither sympathetic nor sufficient for organizations of any size or type. The good news is there are a number of tools and solutions available that can automatically detect risks and protect personal data while reducing exposure to legal and financial risks.
Begin With People, Not Technology
But before jumping into any technology solutions, it’s imperative to start with an understanding of how such a solution will impact all organizational stakeholders. Start by circling the wagons and enlisting the cooperation and insights of your business leaders as well as your legal and compliance teams. Too often, chief information security officers (CISOs) face growing compliance challenges due to a lack of cohesive effort across their companies. Resistance from employees is a tough hurdle to clear, especially if they believe that complying with new security policies will make their jobs more difficult.
C-level buy-in is a prerequisite to successful policy implementation. Unless these important influencers see and feel the element of risk, it’s going to be difficult to implement any sort of program. Consider a two-phase approach as a best-practices tactic. Start by identifying the lowest-hanging fruit and implement something that is relatively easy for everybody in the organization to leverage and get behind.
Making changes where they are easiest to leverage is a good way to build confidence and momentum. Even if this reduces only 15% of your risk, you’re on the road—so stay focused on achieving steady, incremental progress. At times, the process can be daunting, at least at first, but don’t be sidetracked by analysis paralysis. Instead, continue holding meetings on what will be implemented next and move forward.