Let’s bust some GDPR myths. First, compliance with the GDPR is not a box-ticking exercise. Second, it is not a job that you simply hand over to someone else to do. Third, compliance with the GDPR is not solved with templates, checklists or technology (although they do help).
The run-up to the implementation of the GDPR on 25 May 2018 was hectic. Some organisations panicked and, perhaps, bought a technological solution that they thought would do compliance for them, or hired a consultant with the same objective. Other organisations buried their heads in the sand, crossed their fingers and hoped it would all go away. US organisations wondered why on earth this European law applied to them (if you want to know why it does, see our article on the topic).
Since 25 May 2018, many organisations have sat back and relaxed, either because they think that their work is done, or because having done nothing, the regulator is still not knocking on their door. However, as the recent Ticketmaster data breach shows, organisations have to be constantly vigilant.
What is GDPR compliance?
GDPR compliance is not something with a project end date. It is ongoing. Having the right policies in place, carrying out a data inventory and securing personal data are all fundamental to GDPR compliance, but none of these will stop a data breach occurring. None of these will prevent the bad publicity and fines associated with such a breach. And those risks are relevant as much to US organisations as European organisations (see our article on what US organisations should do in the event of a data breach).
People talk about GDPR compliance being ‘a journey not a destination’. What exactly do they mean by this? Well, those policies that you had drafted need updating. That data inventory that you carried out needs to be kept up to date as you collect more personal data from different sources, share it with different people and process it in different ways. As cybercriminals become more sophisticated or discover new weaknesses, you need to change the way that you keep personal data secure, to keep up to date with evolving industry standards.
It is this never-ending compliance journey that keeps an organisation on the right side of the law. But how do you deal with the potential weakness which is your staff? At a conference we recently spoke at in New York, a delegate asked, “What can an organisation do to prevent a data breach?” The answer from the IT security consultant being asked the question was, “Sack all your staff.” The point he was making was that potentially the weakest point in any organisation, as far as personal data are concerned, is the individuals that work with it.
You need to turn that potential weakness into a strength. You should build and embed a culture of compliance within your organisation so that the individuals that work within your organisation are all contributing to compliance – they are your first line of defence and they make sure that you do compliance properly.
Why does having a GDPR compliant culture matter?
GDPR compliance is not something that you hand over to someone else to do and it is not something that any one person can do. It can only be achieved if you have a cross departmental team responsible for building and maintaining GDPR compliance and an educated workforce which understands what GDPR compliance is, why they should care and what they should look out for.
The risk of not having a compliant culture is that people don’t understand and don’t care. If your staff only associate the GDPR with annoying emails talking about marketing preferences and cookies, then they are not going to spot that phishing email. They will share passwords. They will put documents on unencrypted personal laptops. They will share personal data with third parties without checking first that such third parties will protect that personal data (the recent Ticketmaster breach was caused by a third party processor being attacked rather than Ticketmaster itself).
How to create a GDPR compliant culture
You need to make data protection interesting. Easier said than done, we know, but this is the key. Make everyone understand that data protection is more than computer hackers and annoying emails. Connect data protection in your staff’s personal lives with their professional lives. If they understand that it is important for Tinder to keep their online dating profile secure, they are more likely to understand that they should keep their customers’ personal data secure.
The Privacy Compliance Hub contains posters which can be put up around the office to reinforce messages in a user-friendly way. One of our clients had t-shirts printed with key points on them. We provide engaging videos which encourage staff to listen rather than ignore important messages.
The importance of training your staff
By far the most important way that you can make compliance interesting and create that compliant culture is by training your staff. The Privacy Compliance Hub provides several forms of training that organisations can use with their staff, including video training delivered directly to individuals by the Hub itself, wherever those individuals are located. This is particularly important if staff work from home, on-site, or at a number of different offices.
If all your staff understand the basics of data protection, mistakes with personal data are much less likely to happen. Training should be refreshed periodically so that messages are not forgotten. Ideally, certain staff should be trained in areas of data protection specific to their role. For example, marketing staff should be fully aware of how to send marketing emails within the law (see our article here).
A shortcut to building a GDPR compliant culture?
Everyone wants a shortcut. The Privacy Compliance Hub makes things simpler and easier, helping you build the culture of compliance that you need. It doesn’t do the job for you, but it does help you get started, stay on track and stay on your GDPR compliance journey. To find out how The Privacy Compliance Hub can help you, complete the form below to see a demo or get in touch for a chat.