With a little bit of hindsight on GDPR's enforcement date of 25 May 2018, we can now see a real pattern: most organisations developed their compliance programs in two phases, one before and one after the "go-live".
Why is that important? Because the first phase was deadline-oriented and had clearer metrics of success, while the second phase has proven to have subtler aims and to be harder to carry out properly.
BEFORE AND AFTER
Leading up to 25 May, GDPR efforts were mainly tactical, oriented towards meeting a hard deadline rather than on developing a long-term strategy. Most organisations focused on "paper-based" compliance and on establishing privacy foundations, conducting a GDPR gap assessment and then developing a remediation action plan to ensure their readiness (as far as possible) by 25 May. These action plans mainly covered things like new policies and procedures, how to keep records of processing activities (article 30), updates to contracts and information notices, awareness sessions for staff, etc.
After May 25, however, organisations started working towards privacy maturity baselines, with the goal of achieving proper risk-based privacy and technology-enabled privacy processes.
In many ways, this second type of effort has proven more difficult. More than six months later, it is still rare to see privacy compliance programs that consider privacy as a long-term strategy, or that recognise privacy as being far more than a box-ticking exercise.
Here are five areas to consider as you start your long-term privacy journey:
1. Put customers and employees in the centre
A privacy strategy is about all of your staff and all of your customers. Don't be motivated by penalties; be motivated by a vision of how to bring the organisation into a new, privacy-centred world. Tomorrow's leading businesses will ultimately wield their privacy capabilities—and more widely they cyber security capabilities—as competitive advantages.
Along these lines, think about:
- developing a culture where privacy and security become a day-to-day part of employees' efforts; employees will need training to get the right habits and behaviours
- developing an environment where risks and issues can be discussed openly, and where processes can be challenged where necessary
- communicating with customers openly, transparently, and consistently about how their data is being used at each touchpoint of their journey; this helps build trust
2. Understand that data is both an asset and a liability
GDPR was not a static deadline, but part of a journey towards better managing personal data, which is a valuable asset. The regulation is your opportunity to transform your operational infrastructure, and enhance processes that use personal data (e.g. fraud detection, customer analytics, or marketing). GDPR could also be a welcome opportunity to tackle data governance and quality issues, by doing which you can unlock the value inherent in the organisation's data.
The liabilities come not just from the penalties, but from the fact that data is an asset that, if mishandled, will damage the organisation's brand and destroy trust.
Indeed, given the security events that regularly affect online platforms, user trust in such platforms is currently low. Security breaches will continue to happen, but to avoid losing trust and users, companies need to demonstrate how they protect data. If an event does happen, the response is what matters. Reputation and trust are precious attributes consumers seek, appreciate, and act on.
3. Automation and sustainable maintenance
Once an organisation gets the basics right (strong governance, structure, roles, and processes surrounding privacy), it should evaluate how to automate processes and manage privacy sustainably. We have seen many organisations invest too eagerly in technology, believing that digital solutions are what address compliance—but the result was just another layer of complexity during the implementation phase. Your analysis and needs should pilot your technology decisions, not vice versa.
4. Prepare for questions
Privacy is a hot topic, with news of data breaches regularly hitting headlines. It is therefore important to be media-ready, which involves training employees to anticipate questions when they communicate with customers. It can only take one poor and uninformed response to create a negative experience and trigger an investigation.
5. Don't underestimate the impact of the extraterritoriality of privacy
Many organisations have a global network of subsidiaries and service providers, and, for them, the national privacy regulations in other countries of operation are just as important as GDPR. Remember that the data controller is responsible for ensuring that every part of the chain applies the same high privacy standards.
BRINGING THE FUTURE CLOSER
In this changing landscape, privacy shouldn't be considered something that can simply be achieved and then left alone. Rather, a privacy-conscious culture is a goal that concrete steps must be taken towards. Companies that realise this will be better-placed to develop privacy strategies that give them a competitive edge.
How can you start the conversation about how privacy can become part of the business strategy? Here are a few questions to start with:
- Who is in charge of privacy matters?
- Are the right accountability and governance structures in place?
- Is the organisation prepared to speak publicly and to its customers about how it manages their privacy?
- How does the organisation know whether employees are taking an ethical stance towards privacy?
- Does the organisation have a data strategy? Is it focused on what's best for the customers?
- What actions is the organisation taking to nurture a privacy-aware culture to earn and retain customers' trust?
- Does the organisation view the GDPR as a one-off initiative? Or as part of a proactive risk management approach, enabling it to put customers at the centre of everything it does?
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.