Managing directors and CEOs definitely should not dismiss requirements such as the EU General Data Protection Regulation (GDPR) as expensive obstacles to be overcome or as mere exercises in compliance. Doing so would mean gifting business opportunities to others: cybersecurity nowadays is a strategic success factor which enterprises should also use to acquire customers.
Hand on heart: are cybersecurity and data protection viewed by your company as a mandatory task and a cost driver? If the answer is “yes”, you are not alone. Even in 2018, organizations are not always running their IT anywhere near as professionally as their core business. And that goes for many SMEs too.
Without wanting to debate the reasons for this, top management should make cybersecurity a senior management concern, and not just on paper. With a few steps and decisions, it can ensure that its own organization is among the trailblazers when it comes to data security and data protection. And the benefit of that, in addition to complying with the requirements and safeguarding business operations? Successfully implemented data protection projects can also be used very effectively for marketing and sales purposes.
That’s because hardly any company so far has been advertising for customers or customer trust by promoting its own efforts on data protection—and that’s a missed opportunity in a digitalized world where customer confidence is more important than ever. Especially in Germany, a country where data protection and privacy are particularly important.
The challenge is to occupy this fallow land, thereby finally dragging the issues of cybersecurity and risk management out of the narrow space given over to compliance. Alongside the positive effect on customer confidence, having coherent cybersecurity concepts naturally also offers protection against reputational damage and problems with the supervisory authorities—the kinds of issues we are now familiar with from data breaches that have become public.
It is self-evident that achieving compliance under the data protection legislation or satisfying the GDPR is not the maximum, but rather the minimum requirement for a cybersecurity concept. Accordingly, the budget needed for this should not simply be viewed as a cost block. Rather, it needs to be understood as an investment to boost sales, and something to be actively promoted: the company is letting its customers know the benefits they get from the efforts the company is making on data protection and how it handles its customers’ data.
One of the aims of the GDPR is to give customers greater control over their personal data again. For that reason, companies should also actively inform their customers about control options such as the right to erasure, so long as the necessary preparations for data erasure have been made.
Moreover, the management should also involve the PR and Marketing departments at an early stage, thereby giving them time to develop suitable, proactive means of communication. By this point at the latest it becomes apparent that cybersecurity and GDPR compliance should no longer simply be mandatory obligations. After all, company leaders are not generally known for placing cost drivers at the heart of their corporate communications.
Data protection and the GDPR were the subject of the "Data Protection" theme world at Command Control 2018.