Digital Single Market: 5 Ways to Prepare
As the European Commission continues to progress its plans for a Digital Single Market (DSM), organisations across the region are beginning to think carefully about how the initiative would impact them. Coupled with the impending adoption of the General Data Protection Regulation (GDPR), privacy and security issues are quickly moving to the top of companies’ and politicians’ agendas.
With this in mind, we have developed a five-step checklist for organisations looking to put themselves in the best possible position before DSM-related initiatives come into force:
1. Assess the risk – the first step is to complete a cybersecurity and privacy assessment for your cross-border business and digital services. Of course, an organisation cannot defend itself perfectly against every threat, and therefore technology decisions need to be risk-based decisions. Thinking carefully about the size of the organisation and its appetite for risk, businesses should consider which areas are under the most threat and how they can mitigate priority concerns cost-efficiently. It’s important to understand that there is no one-size-fits-all standard for risk assessment: any successful evaluation is based on a partnership between experts in the organisation’s processes, who together build a comprehensive and holistic picture of the business risks. Some best practices are outlined in the EU innovation project Wiser.

2. Start with the basics and work your way up – businesses should look first for the minimum set of security controls that fit their own risk profile. These are likely to differ between larger enterprises and SMEs, as well as across different industries.

3. Understand your options – organisations should scrutinise their legislative obligations, building a clear understanding of the data controls and processes that are required for the market. This means taking a close look at all technology options and the consequences of any investment: e.g. what are the implications of investing in cloud services, or of retaining data on premises?

4. Identify the obligatory reporting process – perhaps the most important step: organisations must analyse the notification requirements arising from DSM-related regulations, understanding exactly which parties need to be notified in the case of, for example, a privacy breach. Is this the same as for a security breach? Does it change depending on the size of the incident? Or according to which data is placed at risk? It should also be remembered that most organisations holding data will have a contract in place with a third party to store that information and keep it secure. In the event of a breach or data loss, an organisation needs to know quickly what its contractual obligations with the supplier are.

5. Build for the future – finally, organisations must check the requirements around the mutual recognition of a notified electronic identity (eID). While many cross-border digital services might use private identity providers for eID services, notified eIDs (issued by EU member states or under their control) provide varying levels of assurance that fit the different cybersecurity protection requirements cross-border services might have.
To read more about the Digital Single Market, take a look at my previous blog exploring some of the context around the initiative here.
Next time we’ll be looking more closely at the General Data Protection Regulation and what it means for organisations…