The enforcement of the GDPR over two years ago has drastically transformed the way organisations collect personal data. As it’s been a transformation that required investment in terms of time and resources, many organisations still find compliance a challenge today. In fact, last year still, out of 1000 organisations, only 28% said that they deemed themselves GDPR compliant. If your organisation is also still in the process of getting your GDPR compliance on track, do not worry: while it’s an investment, it’s a worthy one, that will provide your organisations with opportunities in the long run, for accountability, transparency, and better customer engagement. Our privacy experts have compiled 10 tangible steps that your organisation can take to get started towards compliance.
Start with formulating a privacy governance framework: which departments, roles and persons are responsible? What will be the organisation wide policies? Only after that is in place, is it possible to adjust the existing processes associated to this or introduce new processes, such as getting a processing activity register in place, carrying out data protection impact assessments and registering (and notifying) personal data breaches. For this second phase, it is necessary to know which processes, applications and systems are being used within the organisation. This may sound obvious, but you cannot get the processes in order without having a clear organisation-wide goal and structure for privacy governance.
Everything starts at the top of the organisation. Without backing of at least one sponsor of the program in the organisation’s boardroom, a successful privacy compliance program is almost impossible. It’s very hard to say how to get that sponsor, but anything or anyone helping you to be in touch with a potential sponsor will be useful. You may find a natural ally in the people responsible for HR, risk mitigation or compliance, but they should be in rather than just below the board. The Board is ultimately accountable for these activities and therefore has an interest in making the organisation compliant.
Although the GDPR is a legal instrument, you’ll need at least some IT knowledge to be able to ask necessary questions. What if ‘anonymisation’ is in fact ‘pseudonymisation’? You’d better find out early by asking the IT people you work with. A lack of ‘ownership’ threatens any GDPR privacy compliance program. Therefore, you need to involve other people with other responsibilities and clearly define roles when it comes to data handling and management. This will also ensure better compliance in light of accountability. Information security and privacy are basically two sides of the same coin - you’d rather team up to be stronger together.
4. Don’t mix responsibilities: you cannot combine executive and controlling roles
As a Data Protection Officer, you need to be highly independent. You cannot combine that role with that of e.g. an HR director or an IT manager.
Otherwise you would be assessing your own work and that is in contrast with the responsibilities that come with the role. The European Data Protection Board (EDPB) and the GDPR list requirements for this independency, such as responsibility for your own budget, reporting directly to the board, and access to support (staff and other resources).
You’ve just been appointed as a privacy officer in a large organisation - and the Board thinks that ‘that’s it’. Think again, Board, we’re just getting started. To get the job done, a (chief) privacy officer needs a team doing the work, such as rolling out the privacy governance strategy and getting all procedures in place. What’s more, the procedures have to be followed, and that involves a lot of other people in the business, who have to be managed as well. A single person cannot do that on their own. So yes, you will need a budget for that, and the organisation needs to provide for it.
A good privacy officer is not necessarily a good program manager. So when getting your team together, consider hiring someone for the latter role, especially in large, complex organisations. You can focus on the subject matter and leave the management of the work to someone else. That can be a great relief to you and it can improve the effectiveness of the overall program by giving content and process equal weight. Remember that you need not and cannot be a specialist in all fields that are connected to, and relevant for privacy governance.
The privacy governance framework may not be there, but other procedures will be. If the foundation is already there, why build a new one? Try to identify the most ‘aligned’ existing procedures and policies and build on them. That supports recognition, facilitates efficiency and increases return on investment. In many cases, there will already be extensive security policies, and these can be extended and revamped to match the needs for a comprehensive GDPR privacy compliance program.
Privacy governance and privacy awareness are ninety percent communication. You need to team up with a lot of people in order to have eyes and ears across the whole organisation. This will pay back in terms of reduction of liabilities, created by the tunnel vision of individual departments. Informal communication lines are a must-have to get the information you need. People have to be able to find you in order for you to build your inventories and ask you if an envisaged processing activity can be carried out.
Miraculously, after training the HR department, you get notified of (potential) breaches. Yes, breaches may have happened before, but they were not identified as such, so they never reached your desk. Training people means raising awareness, which will pay out - because an unnotified breach is a bigger liability than one that ends up on your desk. But note that this increase in breaches could be used against you at first. Prepare the Board with information that has been uncovered up till now. Understand that this is a sign of strength and not of weakness.
Once there is sufficient knowledge about the GDPR in your organisation, people will start contacting you spontaneously. Instead of having to be the ‘no saying’ privacy officer, you can switch roles. Questions will be formulated more carefully because people start realising that a project may have severe privacy implications. They will suggest themselves that maybe it’s not such a good idea after all. In such an atmosphere, you can be the ‘enabling’ party, helping to create the circumstances under which the project is possible after all.
GDPR compliance: An opportunity, not an obstacle
To achieve compliance with the GDPR is not easy. At the end of the day though, not only do GDPR compliant organisations experience an increase in accountability, but also in customer trust, business transparency, customer engagement, and even reduced sales cycles. If your organisation is in need of a framework to get started, luckily, there are several tools out there today that can make the process smoother and more efficient. Try our 14-day free trial to experience it yourself.