Introduction

I spent some time in the first half of 2018 understanding the impact GDPR will have on existing businesses and future IT implementations, combined with an attempt to stay updated on the various threat scenarios we are facing today.

During this period I noticed a pattern which led to some reflections I would like to share with you.

As a starting point I recommend reading this article here on my page.

Observations noticed

I noticed an interesting pattern in the online community this year, for example:

  • The wording in various marketing material could give the reader the impression that this IT product would make you GDPR compliant
  • Consultants using a lot of buzzwords in an attempt to brand themselves as the GDPR specialist your company needs in order to be compliant on May 25, 2018
  • Announcements related to the cost a company had in order to be GDPR compliant on May 25, 2018
  • Introduction of new roles in the organization
  • Increase in the number of security patches being issued
  • Increase in the number of time slots during the day where access to an online service has been close to “non-existent” …
  • Limited talk about the other risk scenarios related to customer data, like paper on the desk or in the bin

With reference to my previous articles here or on LinkedIn, I would have appreciated observations that made me – as a private citizen – feel more confident about how my personal data had been and will be treated going forward. I missed the non-IT parts of being GDPR compliant.

What do you see?

It would be interesting to see a comparison to this approach

It would be interesting to see what extra resources would have been required in order to be GDPR compliant if the same company had chosen to follow the “Best Practice Approach” I was introduced to in the years from 1996 to 2003.

The “forbidden” methodology: “Best Practice Approach”

Among the learnings I have in mind are:

  • Separation of networks at device/functional level
  • Separation of Development/Test/Quality Assurance/Production/Guest environments
  • Strict control of which data an end-user was allowed to access
  • No private data on your business computer
  • In the event you were allowed to use the business computer (read: hardware) for personal use, it was configured with dual boot
  • Two-step sign-on, i.e. first to the computer, second to the company network
  • Documentation of the IT platform, i.e. infrastructure at device level
  • Documentation of Business Data Processes
  • Documentation of Business Processes
  • Regular training sessions related to business data security, i.e. how to handle company data at any physical location
  • Regular full-scale rollback, i.e. verification that the backup system was reliable
  • Frequent assessment of roles, processes and procedures

IT Framework Reference Models ISACA

The human factor – or the evolution of the unrestricted access to data

Working in the role of the guy representing the business team during the implementation and use of a business-critical platform, I have experienced many scenarios where end-users claimed an urgent need for access to data in order to close a deal or handle a hot customer.

In the early days the various systems had few if any options for exchanging data. Most of the time you had to ask your colleagues for information or convince management that you needed a login to the system containing the data you required.

Trivial knowledge but...

Later some vendors started creating solutions where more and more business processes were handled by the same core, e.g. SAP R/3.

IT solutions like SAP R/3 got better and better at providing access to specific detailed information from other processes, e.g. Sales vs Accounting. In parallel with the development of features within the same platform, the global community started agreeing on global standards for data structures, interfaces and communication.

As IT became more and more integrated into our daily life, solutions changed from being “on-premises” to services available online – often with an attractive price list and a faster pace for implementation or changes.

Over the years IT has too often been seen as an internal service function and not as the strategic asset IT is for the business.

The Puzzle When Implementing

Using IT as a strategic asset requires a culture where the focus is on how INFORMATION is handled and used in the business processes being supported by the TECHNOLOGY.

In my humble opinion the human factor has managed to take away the right focus on data handling, despite the fact that – as within organization theory – the following is valid for IT as well:

You can delegate the authority to make decisions,

but not the responsibility

The IT platform design is complicated

As I mentioned in my article related to present challenges, companies will need to catch up on having a full, documented overview of the match between Business Strategy, Business Processes, Data Processes and Legal requirements.

I recommend using the models mentioned in this article related to documentation – starting to use a reference model will be beneficial in the long term.

In this article related to the platform I addressed why securing the match between Business Strategy, Business Processes, Data Processes and Legal requirements is critical.

Having smart applications is not an excuse to be without deep knowledge of how data is handled in each business process, i.e. who has access, where data is stored, open interfaces, documentation, etc.

With reference to the “Top of the Iceberg” analogy I will continue to scratch the surface of the complexity a company will have to deal with when working with their INFORMATION TECHNOLOGY platform.

This article was published initially on LinkedIn on 18 July 2018. I have made some adjustments to the content in this version.

Image Credits:

The helicopter Perspective Dreamstime
Looking at the Sparkling Light Photo by Matt Palmer on Unsplash
Bored Photo by Stefan Rayner on Unsplash
Business Portal Dreamstime Free