GDPR: How aligning the board and middle management will bring you one step closer to compliance

With the enforcement of the General Data Protection Regulation (GDPR) just around the corner, organizations are finally starting to implement new technologies, policies and processes to become compliant for May 25th. However, conflicting views between the board and middle management employees on the state of their organization’s GDPR readiness and data management capabilities have the potential to skew how prepared they really are to comply with the regulation.

Findings from our latest research study, which surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia, revealed that board members are more confident than management about their organization’s ability to comply with GDPR in time for the May deadline. 41% of board level respondents believe they have all of the necessary processes in place to be GDPR compliant. In contrast, only a quarter of senior management and even fewer middle management level employees (21%) think their organization has what it needs to achieve compliance.

The ability to handle the right to be forgotten (RTBF), one of the most challenging areas of the GDPR, also saw a stark divide in opinion between the board and management. Entitling EU citizens to request that organizations delete all references to them, the policy has the potential to grind organizations to a halt if it catches them unaware. Over half (56%) of board level respondents think that their organization is in a position to handle hundreds of these requests at once, whereas only a third (36%) of middle management believe their organization could cope.

Bridging the communication gap and becoming compliant

Middle management employees are your boots on the ground. They’re in the best position to view the data that their organization holds, know where it is saved and understand how it flows through the business. The board is often removed from the day-to-day operations and challenges faced by staff and as a result, may have a misplaced confidence when it comes to their organization’s level of GDPR preparedness. By engaging with middle management, the board will have a much clearer and more accurate view of the state of compliance, and will be able to put measures in place to address and enforce solutions to any issues.

  • People

The way your employees use data is critical to achieving GDPR compliance. For example, if a company doesn’t have its own private file sharing service, this may drive employees to use third party websites or copy data onto a USB drive, circumventing the safe boundaries of the company network and opening the company up to threats from malicious downloads and transfers. By understanding the way employees work, the board will be in a better position to introduce education or awareness programmes and drive the development of correct processes for handling critical data that work for their organization.

  • Process

Implementing correct processes for data handling will make understanding and managing your organization’s data landscape easier. Many organizations fall victim to data duplication, with employees saving documents on personal devices or sending them to private email accounts, making it harder to find, record and delete data when needed. If you’re not aware that your staff are copying data (e.g. to USB drives, personal devices or email accounts), then you’re unlikely to be able to execute an RTBF request correctly.

Carrying out a Data Discovery exercise across your organization will provide you with unprecedented insight into where all GDPR-relevant data is located. From there, you will be in a better position to introduce data protection, management and handling policies to ensure you comply with GDPR.

  • Technology

By understanding the demands GDPR places on front line operations, the board will be able to introduce the necessary technologies that can aid data protection and management. For example, the RTBF will place new demands on middle management level employees and may require the reallocation of resources to handle requests. Adaptive email and web solutions can be used to maintain visibility of critical data flowing in and out of your organization, and provide management with greater control over what data can be shared. Implementing these kinds of solutions reduces the pressures on staff and can prevent a drain on resources that could affect operations.

Download our latest whitepaper ‘The GDPR Divide: Board Views v’s Middle Management’ for additional information on the survey results, as well as a guide on how to improve communication between the board and middle management.

Additional information

  • Data Discovery with the Clearswift Critical Information Protection (CIP) Management Server and Agent
  • Getting ready for GDPR: key actions to ensure your organization is compliant
  • Clearswift Adaptive Data Loss Prevention
  • A Quick Video Guide to Data Loss Prevention (DLP)