Certification is essential to navigate the GDPR minefield

With UK companies scrambling to prepare for the European Union’s incoming General Data Protection Regulation (GDPR), Peter Irikovsky, CEO of global software as a service (SaaS) company Exponea, warns that only independent certification can ensure companies achieve full compliance and avoid falling foul of the legislation.

Peter Irikovsky
On 24 April 2018 07:11

On May 25th 2018 the European Union’s General Data Protection Regulation (GDPR) will become legally enforceable. There has been much debate in the media around how companies are preparing to adhere to these new rules, with many organisations openly admitting that they are nowhere near ready to achieve full compliance.

At Exponea, we have spent considerable time planning for this legislation, examining how it will impact our business and our customers as a software as a service (SaaS) provider. Industry research suggests that many businesses are poorly prepared for the GDPR.

A recent report from Crowd Research Partners suggested that 60% of businesses are likely to miss the GDPR compliance deadline, with many citing a lack of budget and staff knowledge as key reasons for this. Shockingly, 28% said they had not even started preparing for the regulations.

A similar report from Deloitte also suggested that only 15% of organisations expect to be compliant in time, with the majority targeting a risk-based, defensible position. Indeed, with GDPR planning it is all too easy for companies to tweak a business process or shift their data management policies and assume they have achieved compliance.

The truth is that many businesses have underestimated the impact this legislation will have on their company and its customers.

With poor planning and lack of funding, the clock is ticking and many companies have fallen well behind in this important period of preparation. Other research suggested that companies have been ‘sleepwalking’ into the regulations without taking firm action to change processes.

Software company Senzing said that three in five (60 per cent) of organisations it surveyed said they were not yet ‘GDPR ready’, while a quarter (24 per cent) were deemed ‘GDPR at risk’, suggesting that companies could face the risk of tens of millions of pounds in fines. One of the main reasons why companies are failing on the GDPR is a lack of planning and effective delegation of responsibility within the organisation.

The truth is that total compliance with the GDPR cannot be achieved by a handful of internal staff and some expensive external consultancy. For e-commerce companies, the toughest thing to control is their software vendors, the data processors. Most SaaS companies are not ready, and hence the companies using them aren’t either.

To make things worse, even some SaaS companies that claim to be GDPR ready are not fully compliant.

This was admitted in meetings I’ve had with a few CMOs of the largest US companies. Their GDPR issue was handled primarily by Legal and Marketing, largely ignoring the Privacy by Design principle. With many companies adopting a “Do-it-yourself” (DIY) approach to the GDPR, many find themselves far from compliant when they conduct a full examination of their readiness against the specific points of the legislation.

At Exponea, as part of our GDPR journey we wanted to ensure our e-commerce platform was completely compliant and so took steps with an external auditing firm to verify this.

Based on our knowledge, we are the first SaaS company in the world to have achieved the certification. We worked with the independent organisation LL-C, which gave a full review of our data management processes. The review included complete auditing of documentation, assessment of anonymised data, security standards, software architecture, disaster recovery and our overall business operations.

The certification we achieved, which lasts for three years, enables all Exponea customers to use the platform, safe in the knowledge that its omnichannel communications capabilities remain in full compliance.

For us this gives our customers peace of mind that all their activities are protected and they can operate safe in the knowledge that they are using an approved platform that has been independently assessed. Moving forward, it is clear that the only way for companies to achieve full GDPR compliance is through independent certification.

This is particularly true in the software as a service (SaaS) sector, where multiple licences and incorrectly used data could leave a company facing a significant fine for a breach of the regulation. The GDPR is coming and, whilst many companies are poorly prepared, certification provides a route to high standards of compliance and peace of mind.

Peter Irikovsky is CEO of Exponea, the first software as a service (SaaS) company in the world to achieve GDPR certification.
