In just under 3 weeks, the most far-reaching online privacy regulations come into effect for your European customers. Known as the General Data Protection Regulation (GDPR), they serve to protect consumers' private and personal data. Any C-level executive (but particularly the CTO) worth their salt would have been all over this change (especially if they have European customers); however, some companies have left it too late (7% are compliant) or are abandoning their European customers altogether.
In my view, there needs to be a cultural change in all organisations that deal with consumer data, whether they are in Europe or not. We will soon see an avalanche of similar legislation coming into effect throughout the world as more and more data breaches occur. Consumers are becoming more savvy about where their personal data goes and with whom it is shared. As business owners, we would be prudent to get ahead of this and mould our organisations into ones that deeply and genuinely care about our users' security and privacy.
Here are some action points I recommend:
1/ Have a team meeting where leadership declares that user security and privacy is a core pillar of the organisation. Not an afterthought or a given. A conscious choice. By making it explicit rather than assumed, this puts to bed the idea that security and privacy are dealt with by accident.
2/ Leadership needs to talk about this in meetings going forward. What gets talked about and measured gets actioned. Make it an agenda item.
3/ Audit your existing data. Keep a log of what personal/private data you keep and why. Act to remove any data being kept that you do not need.
4/ Any planning around features for a software product needs to incorporate privacy/data protection. This means that part of the acceptance criteria of any ticket is what impact the change has on a user's privacy.
5/ QA departments should, as they do with security, performance and functionality, be checking that a user's privacy is protected.
A company's culture is exemplified by behaviours from the top down to all employees and cuts across everyone's day-to-day tasks. It isn't just one person's job to implement.
Take tangible steps now to minimise the pain of doing these things later, as inevitably you will need to do them. The fact that your organisation is building this into its culture, that changes are on the roadmap and that employees are aware of the importance will go a long way to satisfying the GDPR compliance officials that your organisation is taking the matter seriously. The changes will benefit your company in many other ways too.