[BreachExchange] Tips For Getting Your GDPR Compliant Solution Approved
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Jul 20 14:49:54 EDT 2018
https://www.tmcnet.com/topics/articles/2018/07/20/438856-
tips-getting-gdpr-compliant-solution-approved.htm
When you’re tasked with keeping your company compliant with privacy laws,
knowing the right strategies to keep data secure doesn’t guarantee a smooth
implementation. Depending on whose approval you need to implement various
aspects of the job, you might find yourself in a battle over time, money,
and resources.
Human error is to blame for the majority of data breaches, yet most people
who aren’t IT security don’t understand what those errors are. You might
have all of those bases covered in your plan, but convincing others to
embrace it requires more than facts and a declaration of expertise.
With the recent GDPR requirements in place, there’s no time to waste. Being
responsible for compliance means doing everything in your power to get
approval for what you need. Here are some tips to help:
1. Understand why people resist change
You’ve probably noticed some people resist change, even when it’s for the
best. People don’t like change because they get comfortable with what they
know. It’s exhausting to learn a new system and work through the learning
curve. New software takes time to learn, and control panels aren’t always
intuitive.
In other words, to many, change means frustration and more work during the
transition. You can mitigate this perception by being available for
questions and support around the clock.
2. Keep it simple
You know more than your audience about your topic. Focus on what’s
important and leave the other details behind. Don’t get caught up in the
need to assert your expertise through sharing excessive information. Stay
focused on your main points and carefully navigate your presentation.
3. Present the worst-case scenario as a realistic possibility
Nobody expects their data to be hacked, but it happens all the time.
When all else fails, present the worst-case scenario as a realistic
possibility for the company. Be sure to explain more than the financial
impact.
For instance, stolen data compromises the privacy and security of all
customers in your company’s database, which means a class action lawsuit is
a possibility. A class action lawsuit is expensive and time-consuming.
Make sure the decision makers understand that a class action suit can be
brought against the company, even when no court has made a judgment or
determined any wrongdoing. A solid example to demonstrate the exhaustion of
a class action suit is the data breach Target (News - Alert)announced on
December 19, 2013.
After the district court approved a $10 million settlement, in 2017, the
class action suit was derailed on appeal by the Eighth Circuit Court of
Appeals. In 2018, the settlement was officially approved once more,
demonstrating the exhausting, lengthy process of class action suits.
4. Be extremely patient yet persistent
It’s difficult when you have to get approval from someone with a limited or
incorrect understanding of data security. For example, say your CEO
purchased a data encryption product because someone told them company data
should be encrypted. They probably didn’t know what they were buying, and
don’t understand data encryption well enough to identify the product’s
limitations.
In their world, they bought an encryption service, and that should be
enough. When you approach them about the necessity of spending more money
on encryption, they’ll be at odds with the idea before you get a chance to
explain.
For example, many businesses use Microsoft (News - Alert) 365, which comes
with data security features, but falls short for certain requirements.
Native security features aren’t always enough to meet privacy, regulatory,
and data residency requirements. When add-ons are available, they’re often
more difficult to use.
You may have a better solution, but it will take some skill to convince
other people. You’ve got to be skillful enough to educate them without
making them feel wrong.
5. Tell the decision maker how your plan will benefit them
Depending on who you need approval from, tailor your presentation so it
addresses their specific needs and concerns. Find out how a data breach
will directly affect that person’s job and department, and present that
information.
Plan your presentation carefully
No matter who you need approval from, plan your presentation so you convey
the right information to the right people. If you have to get approval from
the head of HR, you may not need to present your request beyond a basic
outline.
Remember that people aren’t only convinced by dollar amounts. Proper data
security saves money theoretically by preventing lawsuits, but it also
makes customers feel safe. Be sure to present all the benefits that will
appeal to the person making the decision.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180720/550e6dfb/attachment.html>
More information about the BreachExchange
mailing list