It always strikes me that when I talk to business leaders about GDPR, they think data breaches have to do with hacking and sending mailings to people without consent. Well, at least the ones that have already heard of GDPR.

And they are right, hacking and mailings are real examples, but they represent but a small proportion of possible data breaches.

Paper files lost or stolen, abuse or theft of information by internal employees, verbal disclosure, and loss of unencrypted devices are other examples. The number one type of data breach reported in the UK in the first quarter of 2017 is data sent by mail, post or fax to the wrong recipient.

When I share this information, they become very silent and I can almost hear them think: “This could actually happen in my business. And how can I prevent this?”

The answer to that question is not trivial. It needs sound understanding of the business context, the processes and the applications used.

But it also requires people to be aware of the importance of data privacy and a no-blame culture.

It is inevitable that one day or another a mistake is made. Someone mistyped an email address, a file got lost on the train, or the customer's address was not up to date. In that case it is important that people know they can come clean and report the incident without fear.

This is the only way to be able to manage the consequences and, by doing so, to avoid a much bigger problem: higher fines, liability suits and reputational damage.

Yes, you should manage the legal consequences of GDPR and yes, you must invest in IT security.

But most of all, you should invest in your people, processes, and your company’s culture.

CDI-Partners has a pragmatic approach to GDPR, working on processes, the organizational model and culture, giving priority to avoiding breaches, and leveraging your GDPR program to boost innovation. But that will be the subject of a future post.

Want to know more about GDPR? Download our GDPR flyer.

Bart Van Bouwel
Managing Partner