The first stage in any plan to prepare for compliance with the General Data Protection Regulation (GDPR) is GDPR awareness with a special focus on staff awareness as the first step towards personal data protection.
Even if it’s just the first step, the awareness stage is very important. You can have the most solid security and information management systems to enhance personal data protection but as we know people are often the weakest link when it boils down to overall security and data protection (Rick Gruijters)
It’s a topic we often mentioned and which can be understood in several ways: obviously you need to be aware about the fact that there is such an impactful regulation as the GDPR coming your way (and not just the GDPR fines in cases of breaches or serious non-compliance), you need to be aware about the precise impact and elements of the regulation (organizational impact and legal GDPR awareness), you need to make your workers aware (and make sure your partners who work with you and handle personal data are) and you need to be aware of the risks and priorities before prioritizing them and coming up with a plan.
As mentioned before GDPR is a strategic business challenge and it does require leadership buy-in, roles and responsibilities, knowing where risks (and personal data and identifies and sensitive data) are and coming up with a plan (as a team), which then needs to be turned into action. As information management expert Rick Gruijters explained in an article on GDPR strategy and information management, GDPR awareness is a quick win: not just making management aware but management and everyone involved in what’s usually a cross-departmental GDPR team in turn making all the employees aware as personal data protection is everyone’s business in the GDPR world of security and privacy by design.
Your people and GDPR awareness: get it right; it is essential and not that hard
It’s a no-brainer and well-known fact that in security, handling data, information and content management and so forth people often remain the weakest link.
So, if your GDPR awareness stage isn’t done correctly there are several important consequences:
- you don’t create a culture of awareness regarding the importance of (and consequences of not properly handling) personal and sensitive data,
- you don’t empower your people who have no clue what can and can’t be done under GDPR (which also means that it doesn’t matter how much you invested in better ECM, records management, security and so forth as the basics are forgotten),
- you can’t demonstrate that you did what you could in case of a control or, worse, breach, as you didn’t take step one into account and
- you can’t create a proper strategic plan if you have left important stakeholders out as a manager (moreover often management itself is even hardly involved).
Despite being really low-hanging fruit and a quick win, GDPR awareness remains an issue, even with May 2018, approaching very fast.
Businesses’ response to the GDPR should become a core element of organizational design and culture. Adopting a fragmented, piecemeal approach as part of a tick box exercise will create more problems than it solves (Kevin Isaac, Senior Vice President, Symantec)
It already starts with GDPR awareness in the scope of the legal aspects, the exact understanding of what GDPR encompasses and how to start prioritizing and planning to be as close to compliance as possible. There are still loads of companies that struggle to understand the full impact and even meaning of GDPR, don’t know when a Data Protection Officer is needed or even don’t know what personal data and identifiers are or what makes someone personally identifiable in the scope of the GDPR text.
As tackled in a previous post there is also a major disconnect with regards to GDPR readiness: the facts versus the perceptions with regards to how GDPR compliant an organization really is.
Management awareness and involvement: culture
However, let’s go back to GDPR awareness and look at the issues and what to do about them. Many business executives still see GDPR as a matter of cybersecurity and/or information management alone: a job for IT, security and legal, with the help of some others.
What they forget is that you need a culture regarding the usage of personal data in your organization whereby people don’t just understand the business value of data but also the importance of valuing personal data and learning what to do and not to do.
The lack of support from senior management and the board is something that always comes back. In our article on GDPR and cloud challenges and perceptions, for instance, we mentioned how only 31 percent of IT decision-makers have governance sponsorship for GDPR at board level.
In our article on the GDPR compliance disconnect we saw that GDPR compliance is not on the executive agenda. Proofpoint (PDF opens) found that, while 74 percent of respondents have a cross-departmental team in place to move towards GDPR compliance, only 26 percent of IT decision makers say their board of directors and executive business management are aware of and involved in their GDPR program. As the company rightfully states without executive buy-in and involvement, organizations struggle to implement the changes required to meet compliance.
GDPR compliance is a holistic given and, again, a business strategy challenge. However, as the chart illustrates it is mainly seen as a matter for IT, security and legal indeed.
GDPR awareness and a customer-centric culture: beware of what consumers want (and you think they want)
The lack of awareness, let alone, involvement of the board isn’t just dangerous from the perspective of being ill prepared, having siloed efforts whereby the crucial user and employee awareness (which is really about workshops, culture and training) is overlooked and so forth.
While as such, given the critical importance of data for ANY business nowadays, this is already problematic there is also the customer, the consumer.
There isn’t one single company on this planet that doesn’t say it wants to improve the customer experience and/or be customer-centric, at least not out loud. When Symantec announced its end 2016 findings on the state of preparedness regarding European data privacy and GDPR the company also found a gap/disconnect (it is by the way saddening there are so many disconnects in the scope of GDPR because for many organizations it was and still is an opportunity to connect what has been disconnected, among others on the level of information silos).
The disconnect that Symantec found was between the expectations consumers do have on the level of data security and protection on one hand and how a large majority of respondents do not see that a good privacy track record is a consideration for customers.
According to Symantec’s State of Privacy Report a whopping 88 percent of European consumers see data security as the most important factor when choosing a company with which to do business. In other words: putting customer first inevitably needs to come with a clear and proven attention and track record with regards to consumer data protection and the likes.
Employee awareness: it matters for ALL
We are not going to tackle the lack of regulatory awareness and technical readiness which Symantec also found (more in the SlideShare below) but want to end with employee awareness, as mentioned in other articles and earlier in this post more than essential (and not that hard to accomplish).
Only 56% of companies have a user awareness program on data protection
The very first thing an authority will likely do after May 2018, with most probably, a focus on some companies and/or sectors, is not looking at your security solutions and data governance solutions and practices. It’s looking at that level of awareness with regards to the human backbone of your organization.
In that sense it is staggering that in the Proofpoint report it turned out that only 56 percent of respondents have a user awareness program on data protection. That is a matter of wrong priorities, lack of management and boardroom involvement, lack of focus on the organizational culture and lack of understanding the GDPR and how it looks from the risk perspective for the data subject combined.
Did you by the way notice where HR was in the chart of involved departments in GDPR compliance? HR professionals, however, need an urgent update themselves.
According to a more recent report than that of Symantec (from end November 2017), conducted by SD Worx, 44 percent of European HR professionals is not familiar with the GDPR. Obviously, HR departments are also impacted by GDPR (and several companies have taken measures with regards to the protection of – by definition – personal data – and retention schemes of current and former employee records). However, if HR wants to play a role in education of staff it of course needs to be on board as well.
Yet, it’s again also a matter of culture. In its end 2016 research Symantec found that only 14 percent thinks that it’s the responsibility of everyone in the company to make sure that data is protected and that less than half of respondents will increase security training.
So, what can you do and how should you start tackling this GDPR awareness issue? The answers are all across this article and our other posts about GDPR.
Just start and if the buy-in is not there get it. Privacy by design is not an option, it’s a must in GDPR. And that includes making everyone aware as well. But in order to get that done you need to make the case and get the facts and the regulation’s ‘spirit’ and stipulations right which is a matter of awareness too.
Check out the SlideShare with the Symantec findings which contains far more than what we covered.
Top image: Shutterstock – Copyright: Kunst Bilder – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.