
Introduction

Back in 2017 and 2018 I invested time in understanding the impact GDPR would have on existing businesses and future IT implementations, combined with an attempt to stay updated on the various threat scenarios we face today.

During this period I noticed a pattern which led to some reflections I would like to share with you. As a start I recommend reading the first post here.

 

Observations noticed

During this period I noticed an interesting pattern in the online community, such as:

  • The wording in various marketing materials could give the reader the impression that this IT product would make you GDPR compliant

  • Consultants using a lot of buzzwords in an attempt to brand themselves as the GDPR specialist your company needs in order to be compliant on May 25, 2018

  • Announcements related to the cost a company had incurred in order to be GDPR compliant on May 25, 2018

  • Introduction of new roles in the organization

  • Increase in the number of security patches being issued

  • Increase in the number of time slots during the day where access to an online service has been close to “non-existent” …

  • Limited talk about the other risk scenarios related to customer data, like paper on the desk or in the bin

With reference to my previous posts here, I would have appreciated observations that made me, as a private citizen, feel more confident about how my personal data had been and would be treated going forward. I missed the non-IT parts of being GDPR compliant.

It would be interesting to see a comparison to this approach

 

It would be interesting to see what extra resources would have been required in order to be GDPR compliant if the same company had chosen to follow the “Best Practice Approach” I was introduced to in the years from 1996 to 2003.

The “forbidden” methodology:

Best Practice Approach

Among the lessons I have in mind are:

  • Separation of the network at device/functional level

  • Separation of Development/Test/Quality Assurance/Production/Guest environments

  • Strict control of which data an end-user was allowed to access

  • No private data on your business computer

  • In the event you were allowed to use the business computer (read: the hardware) for personal use, it was configured with dual boot

  • Two-step sign-on, i.e. first to the computer, second to the company network

  • Documentation of the IT platform, i.e. the infrastructure at device level

  • Documentation of Business Data Processes

  • Documentation of Business Processes

  • Regular training on business data security, i.e. how to handle company data at any physical location

  • Regular full-scale rollback, i.e. verification that the backup system was reliable

  • Frequent assessment of roles, processes and procedures
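Of the practices above, the regular full-scale rollback is the one most easily turned into a repeatable check: a backup that has never been restored is an assumption, not a safeguard. The following is an added example, not code from the original article. It backs up a constructed sample directory, restores it into a fresh location and compares every restored file against a SHA-256 manifest recorded before the backup, so a missing, altered or silently truncated file fails the drill. All paths, the sample data and the corruption step are constructed for illustration.

```python
"""Restore drill: back up a directory, restore it elsewhere and verify the
result against a manifest taken before the backup. Added example, not from
the original article; all paths and sample data are constructed."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    result: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a tar.gz of source and return the manifest recorded at backup time.

    The manifest is what the drill later verifies against: it records what the
    backup was supposed to contain, independent of what the restore produces.
    """
    recorded = manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(child, arcname=child.name)
    return recorded


def restore(archive: Path, target: Path) -> None:
    """Unpack the archive into target. Where the interpreter offers the 'data'
    extraction filter (Python 3.12+, backported to maintenance releases of
    3.8 through 3.11) it is used so that a crafted archive cannot write
    outside target."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify_restore(expected: dict[str, str], restored_root: Path) -> list[str]:
    """Return a list of discrepancies; an empty list means the drill passed."""
    actual = manifest(restored_root)
    problems = [f"missing after restore: {rel}" for rel in expected if rel not in actual]
    problems += [
        f"content differs: {rel}"
        for rel, digest in expected.items()
        if rel in actual and actual[rel] != digest
    ]
    problems += [f"unexpected file in restore: {rel}" for rel in actual if rel not in expected]
    return problems


def run_restore_drill(corrupt_restore: bool = False) -> list[str]:
    """Full drill on constructed sample data: create files, back up, restore,
    verify. corrupt_restore=True truncates one restored file to show what a
    failed drill reports (simulating a restore that silently lost data)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "live"
        (source / "customers").mkdir(parents=True)
        (source / "customers" / "orders.csv").write_text("id,amount\n1,42\n")
        (source / "notes.txt").write_text("quarterly review notes\n")

        archive = base / "nightly.tar.gz"
        expected = backup(source, archive)

        restored = base / "restore-test"
        restore(archive, restored)
        if corrupt_restore:
            (restored / "customers" / "orders.csv").write_text("id,amount\n")
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean drill:", run_restore_drill() or "OK")
    print("corrupted drill:", run_restore_drill(corrupt_restore=True))
```

The manifest is taken from the live data before the archive is written, not from the archive itself, so the drill catches problems on both sides: files the backup job never captured and files the restore job brought back damaged. In a real setting the restore target would be a separate host, and the drill would run on the schedule the practice list calls for rather than on demand.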

 

The human factor – or the evolution of unrestricted access to data
 

Working as the guy representing the business team during the implementation and use of a business-critical platform, I have experienced many scenarios where end-users claimed an urgent need for access to data in order to close a deal or handle a hot customer.

In the early days the various systems had few if any options for exchanging data. Most of the time you had to ask your colleagues for information or convince management that you needed a login to the system containing the data you required.

Later, some vendors started creating solutions where more and more business processes were handled by the same core, e.g. SAP R/3.

IT solutions like SAP R/3 got better and better at providing access to specific, detailed information from other processes, e.g. Sales vs. Accounting. In parallel with the development of features within the same platform, the global community started agreeing on global standards for data structures, interfaces and communication.

 

As IT became more and more integrated into our daily lives, solutions changed from being “on-premises” to services available online, often with an attractive price list and a faster pace of implementation or change.

Over the years IT has too often been seen as an internal service function and not as the strategic asset it is for the business.

Using IT as a strategic asset requires a culture where the focus is on how INFORMATION is handled and used in the business processes being supported by the TECHNOLOGY.

In my humble opinion the human factor has managed to take away the right focus on data handling, despite the fact that, as in organization theory, this is valid for IT:

You can delegate the authority to make decisions, but not the responsibility

I have in an earlier post mentioned the importance of having everything documented and not just relying on the knowledge within the employees. Having the approach of replacing staff members to fit the required skills rather than giving them the required training increases the risk of losing knowledge about the real configuration of the IT platform.

Companies will need to catch up on having a full overview of the match between the Business Strategy, Business Processes, Data Processes and Legal requirements. I recommend using the models mentioned in this post with an open mind; I do believe it is better to use a reference model with identified holes than no reference model at all.

In another post I addressed why securing the match between the Business Strategy, Business Processes, Data Processes and Legal requirements is critical.
 

Having smart applications is not an excuse for being without deep knowledge of how data is handled in each business process, i.e. who has access, where the data is stored, open interfaces, documentation, etc.

This article was published initially on LinkedIn on 18 July 2018 (with one spelling error); minor revisions of the text have been made in this version.

Image Credits:

Time for reflections: Photo by Juan Rumimpunu on Unsplash
The Sparkling Light: Photo by Matt Palmer on Unsplash
BMIS Triangle: Figure from ISACA

Thank you for reading this article; I hope you have enjoyed it and that it has given you some ideas about where to start improving your own business or individual role when it comes to the use of IT.

Best wishes for the future.