The role of the Data Protection Officer (DPO), is one that’s often met with mounting pressure and increasing challenges due to the complexity of regulations, a huge amount of workload, and dependency of support of other departments. The GDPR also emphasises on the importance of the role the DPO has in major business decisions, since these need to be aligned with the regulation and organisation’s data protection strategy, in order to maintain compliance. With so much going on, getting the right tools, resources, and support from top-levels is absolutely essential for this role. At the same time, DPOs are often faced with reluctance, and are sometimes struggling to gain additional support from C-level management. In this blog post, we provide tangible advice on getting this support.
The struggle is real
As a DPO, your role requires that you become the backbone of your organisation’s data privacy compliance efforts. Along with responsibilities given by your organisation, you also have a huge set of responsibilities provided by the GDPR. Overseeing a company's data protection strategy, ensuring that all security measures are put in place, continuously updating privacy registers, performing DPIAs, handling security incidents, and many more, is tough on anyone. To add to that pressure, according to studies, most designated DPOs don’t have a dedicated privacy team. This makes the urgency for resources and support a much needed factor. In a bid to ensure that all tasks are carried out appropriately, support from management is crucial. So what key steps can you take?
The key steps
While you as the DPO may have a clear understanding on what needs to be done for GDPR compliance, it may not be as clear to others within your organisation.
In order to get your message across to those in charge, you would first need to put yourself in their shoes. A CFO, CEO, or CTO, most likely heard about the GDPR, but might not have had the chance to look into the regulation in too much detail. Besides knowing that the regulation could apply to the company, and reading headlines about the increasing fines being issued, C-level management might not know what exact steps are needed to comply with the many rules, or why they are so important. That's where you, as the DPO, step in, and can resonate the business side of GDPR compliance for the organisation, both the opportunities and the potential threats.
GDPR compliance can directly contribute to several business benefits. Time and money investment for data protection and compliance can help drive strategic and operational gains.
To mention just a few of the many business benefits:• Complying with the regulation creates transparency and accountability towards customers, partners, and authorities, increasing trust and improving organisational reputation.
• To add to that, GDPR compliant companies can make better business decisions and forecasts as they are able to trace customer trends in real time, and determine why certain customer trends are happening, and how sales might be affected.
• Recent studies showed that if your organisation is not fully compliant, you could be experiencing an average delay of 5.4 weeks in your sales cycle, making it almost 60% longer than those experienced by organisations deemed to be GDPR-ready.
• Improved customer confidence for your organisations through transparency could have a significant impact on your churn rates. Did you know that customer acquisition can cost up to 7 times more than selling to existing customers? A recent Capgemini survey showed that 76% of compliant organisations experience strong performance driving benefits such as greater customer loyalty and increases in online purchasing, 84% had a positive impact on customer trust, 81% on brand image, and 79% on employee morale.
If the investment of time and resources dedicated for data protection are not efficient, it may make the organisation vulnerable for a data breach or security incident. It’s important to remind C-level management of just how devastating the consequences can be.
Being deemed non-compliant could mean a fine of up to €20,000,000 or 4% of an organisation’s total worldwide turnover, depending on the circumstances of each individual case, or both.
Next to significant financial costs, it could also negatively affect the reputation of your business - a key element for customers when choosing to make purchases with a certain company.
As data breaches continue to become the business risk of the decade, the ability and importance of being ‘in control’ of your organisation’s personal data handling should especially be emphasised to management. Moreover, as consumers become increasingly conscious over the data they give, it should be communicated to management just how much trust your organisation can gain upon putting data protection at the heart of your organisation. Not only is this important for internal practices, but it could also present itself as a selling point to get even more potential customers that are more likely to use your products and services.
As the DPO, you hold an important responsibility to guide, monitor, and train staff to ensure that they are on track with your organisation’s compliance efforts. However, shifting to a more data privacy centered culture is a task that requires strong support from the upper levels and collaboration between departments. Therefore, it’s important that all employees are involved and made aware of the initiatives you feel are appropriate to achieve a level of compliance, and especially how they play a part in making it happen.
Although educating employees within your organisation on all levels can prove to be a daunting task, ensuring that everyone is well aligned is paramount both to your organisation’s compliance efforts and to get the support to further convince management for investment in data protection.
Creating an overall data privacy culture where all employees take and understand their responsibilities in the value of data privacy will be beneficial for the long-run.Demonstrate your results
Make sure that all the stakeholders and higher-level management see what actions have been carried out for data protection each month and how it contributed to business growth. By sharing summarised reports that give an indication of how much work is involved in the process, and how significant its impact is on the business, can be a strong wake-up call.
The demonstration of your results should be communicated in an easy to understand manner, that’s straightforward. For instance, consider using graphs and other visuals to display the measures of why such initiatives have been positive for your business and where it can continue to improve.
Getting all departments on board and responding to their privacy related questions and requests can be very time-consuming. Some days might fly by just answering emails and phone calls. Therefore a central staff training could help shorten these processes in the long-run, help manage costs, and better compliance for the organisation.
For instance, let’s say you use the GDPR’s data minimisation rule and only acquire valuable key data. It would be important to communicate just how much benefit it offers for sales and marketing, without having to reshape the sales & marketing process your company is accustomed with. Or you could be showing how your organisation’s decision to start a new habit of conducting a Data Protection Impact Assessments (DPIAs) for each new project has led to identifying potential risks ahead, and therefore to making better business decisions. Overall, a strong underlying message that can indicate just how important GDPR compliance is for business growth should be well demonstrated to everyone involved.
Show why having the appropriate resources is crucial
Additionally, with the appropriate software and resources, organisations can make their compliance efforts much more time-efficient and secure. This can directly contribute to spending time on what’s most important, and not having to create an internal system from scratch, that might become chaotic rather quickly. As some organisations rely on spreadsheets that were not developed primarily for compliance, not having the appropriate tooling itself can bring a lot of challenges for compliance.
For instance, if an important document get leaked due to human error by another department, the DPO should have the tools to e.g., quickly identify what documents have been affected and what personal data has been involved, verify how sensitive the data included in the document was, or make the guided decision within a 72 hours time-frame whether the data breach needs to be reported to authorities, or only recorded in the data breach register. Next to that, communication on the accident will need to follow and security rules will have to be re-emphasized.
Overall, the costs saved due to prevention could ultimately outweigh the cost of investment.
What if they still won’t budge?
In some cases, the above mentioned suggestions might not work as well as you’d hoped.
What might be helpful still is to initiate a little experiment. Whether this experiment involves you using a new software solution (free trials) or implementing further efforts in data privacy, you can measure its positive contribution to the business. For example, let’s say you’ve decided on using a software solution to handle your organisation’s mounting DSARs. It could be convincing to show how time and cost efficient your new method can be, when compared to the traditional way management may prefer.
In case you have faced a usual challenge of getting the management team together for a discussion, try introducing your ideas for each individual member of C-level management separately first. It can help solidify your ideas for when the meeting finally does come together. Once everyone is on board and is made well aware about your plans, the process becomes more efficient and can be met with less resistance.
Support is more than just acknowledgement
DPOs need C-level management to help them excel in their roles within the organisation. As such, having open, direct, two-way communication between the DPO and those in charge of business is vital for both parties. It’s so important for C-level to acknowledge the importance of putting data protection at the heart of the company, but also to go beyond, and continuously support the DPO in carrying out the tasks for compliance. Whether it be through staff training, investing in further resources, or growing the privacy team, the organisation will most definitely be able to benefit from compliance through a competitive advantage, for the long-run.