Since the European Union began enforcing GDPR in May of this year, enterprises around the world have been caught up in a wave of anxiety and panic over their compliance.
What seemed like a faraway era has become the present, and reports of enterprises scrambling to make up for lost time have become widespread. But while the penalties for failing to comply with GDPR can be staggering, greeting GDPR as an enemy might be the wrong approach. According to Morten Boel Sigurdsson, Founder of Omada, a Danish provider of identity and access management and identity governance solutions, GDPR represents a new license to operate for enterprises.
To find out more, we spoke with Mr. Sigurdsson about GDPR, the new license to operate, and how identity and access management can help companies embrace the new era. Here’s our conversation, edited slightly for clarity:
Solutions Review: From what you’ve seen so far, how are enterprises adapting to the GDPR era?
Morten Boel Sigurdsson: There was a lot of focus on GDPR leading up to the May 25 deadline. It was similar to Y2K, with both having a huge impact and a firm deadline, but the difference between Y2K and GDPR is that GDPR will not go away – and it has not gone away. Quite the opposite, in fact, as other regions are considering GDPR-like legislation.
GDPR is materializing into legislation which has a continuing, enormous impact on businesses. Even though there has been a lot of focus on GDPR, many enterprises are only just starting to realize that this is actually being executed by governments and being taken very seriously. Governments have already begun to exercise the legislation by issuing fines and trialing the legislation, although the legislation is still not always completely clear. GDPR has grey zones, which will be interpreted through these fines, which so far range from a French optician that received a 250,000 euro fine to the UK’s Carphone Warehouse and Ticketmaster, both of which are expected to receive large multi-million fines for their data breaches, to name just a few of the most recent data leaks.
It is currently also being discussed whether a breach which occurred before May 25 can also be fined under GDPR; hence awareness is, perhaps not surprisingly, increasing after May 25, and businesses are therefore continuing their efforts to become GDPR compliant. Many organizations made a start before May 25 to show action, but still need significant work to become fully compliant and show constant care. The three pillars of people, processes, and technology are key to full GDPR coverage, and one of the cornerstones of the technology needed is identity management and access governance.
SR: Does GDPR offer a new “license to operate” for enterprises? What does this mean, and what does it entail?
MBS: It absolutely does. What this means is that because of the strong liability that GDPR introduced for both the data processor and the data controller, data controllers are screening their processors very carefully. A data processor’s failure to fulfil its obligations or to protect data adequately can have a financial as well as a reputational impact on the data controller; therefore the processor, as well as other businesses which collaborate in some way or other, needs to prove that it is worthy to do business with. Fail to prove this, and they will simply lose those business opportunities, both existing and future relationships. That is what we mean by GDPR as the new license to operate.
This then means that if you cannot check the box on these important issues, you simply do not have a license to operate. In a way, GDPR is an extension of the traditional license to operate, seen among others in the banking sector and with the German banks’ BaFin regulation. The difference is that GDPR cannot shut down a business if the business does not live up to certain compliance regulations, but B2B partners can take the company out of business. Partners want proof of compliance; hence the need for audits and continuous compliance is key, as is being able to provide proper reports to the business partner validating that everything is in order.
GDPR is here to stay, and organizations are realizing that this is positive news. The fallout of non-compliance and poor data handling now leads to not just enormous fines, but perhaps much more damagingly a loss of reputation and loss of business partners. If you are not in control, not in compliance, chances are your pool of current and potential future business partners is fast diminishing. An organization’s license to operate and reputation inevitably go hand-in-hand, operating through the same channels, with and between the same stakeholders. Lose the license to operate, and your reputation is headed in the same direction.
In the new GDPR era, it is increasingly being said that good data security is an important competitive factor going forward, and that to remain GDPR compliant organizations must risk-evaluate their suppliers regarding system security and data usage. In other words, companies which do not have adequate security will not have anyone to sell to.
SR: What do enterprises need to do to embrace this new license to operate? How do their corporate cultures need to adapt?
MBS: As always, security has to do with the three pillars of people, processes, and technology. When talking about culture, it is vital to introduce a security-aware culture and install this on a continuous basis across the enterprise. Technology does not do it alone, however; technology is needed to support that way of working, and technology used the right way can also help on a daily basis, for example via continuous dashboard views that constantly remind the user and keep it top of mind. Protecting the kingdom is a collaborative effort between the different roles in an organization. It is about engaging the organization with training, communication, and awareness, but also providing the right tools to empower the organization to help protect the kingdom.
Companies need to ensure that they are in control and that they live up to all the requirements of the GDPR. A cornerstone of this is identity management and access governance: ensuring you are in control of who has access to what, and why, and that you can maintain this control. This is vital to an organization’s license to operate.
SR: Will this new license to operate under GDPR translate into more secure enterprise IT environments/ fewer data breaches?
MBS: Yes, absolutely it will. Businesses of all shapes and forms, even those who have claimed compliance, have had a lot of work to do, so getting these investments in place and ensuring that this is not just a one-off but rather a continuous effort is crucial.
At Omada, we say, ‘Get in control, Stay in control’. The ‘stay in control’ is the continuous governance effort to make sure that this is not a one-off control, but rather that the organization is continuously in control of the kingdom. These investments, paired with the mounting pressure for GDPR compliance, have made this not an IT issue but a boardroom issue. It is now about having earned the right to run the business, and that attention paired with funding will help protect the kingdom.
Having said that, it remains a race, because the hackers and cyber criminals are also getting more sophisticated. Hence it is a race over who is smartest.