1. Diversify your communication: not everyone needs to know everything
Once you have decided that a breach of address data of five employees need not be notified to the supervisory authority because of a variety of reasons, make sure that you are selective in reporting the underlying reasons to the department involved. They might turn your context sensitive legal argument into a rule and bypass you on the next occasion. Transparency is good, but opacity sometimes better.
2. Build a story about personal data: it’s obvious to you, not to the rest
Yes, personal data is... personal data! But the people in your organisation will probably misunderstand the concept. Invest in a good story about what personal data is - people will be astonished if they realise that - yes, they are also processing that stuff that the GDPR is made of. Avoid ever-lasting discussions on whether IP addresses or data stored without a name but with a personal number is personal data. A good story explaining why most of the data processed is personal, will improve awareness and save you a lot of time.
3. Life is a box of chocolates: bring them at your training sessions
Life is a box of chocolates, but it shouldn’t be full of surprises in the GDPR area. Making privacy your audience’s ‘own’ property will help realise the importance of the subject. Ask the
audience to stand up and start asking questions in the well known field of ‘you have nothing to hide, right?’. Anyone not wanting to cross a border should sit down. Promise the last person standing a box of chocolate. If you have the right questions, you can keep the box for the next workshop or eat it yourself. Another way of relating to everyone’s daily life is coming up with a few examples of recent data breaches and their consequences.
4. A data driven organisation: your organisation can be one too
Scepticism about the GDPR often prevails. The idea that you can actually benefit from becoming GDPR compliant is not yet widely recognised. Personal data will probably be very important to your organisation and its reputation, so knowing what is going on with them is important. Moreover, you can help spread the word. Shouldn’t your organisation put personal data to work in a responsible manner? Even a company processing mainly HR data would benefit from doing so in a responsible and effective manner, so as to improve the loyalty and effectiveness of its workforce.
5. Fear, uncertainty and doubt: use them if really necessary
Yes, fines work. Competition law became a recognised threat in general compliance after huge fines on Microsoft were imposed by the European Commission. So the 4% worldwide turnover fines of the GDPR are a last resort in terms of bullying your organisation into proper
privacy governance. Use with caution, but don’t be afraid if you need to. Remember that the GDPR fines are a real liability and can be a pervasive argument for revenue and profit focused organisations to turn their attention to GDPR compliance.
This blogpost series is based on our whitepaper about creating a successful GDPR privacy compliance program in collaboration with Annemarie Vervoordeldonk, an experienced DPO who has worked for several multinationals and has started her own business with which she provides consultancy and “DPO-as-a-Service”.
Want to know more about the whole process of creating a GDPR privacy compliance program? Download the full whitepaper here.