Companies all around the world hurried to be compliant with the General Data Protection Regulation (GDPR), which came into full force on May 25th this year.
Countless hours – and also a lot of money – were spent on GDPR projects. In a short retrospect, it feels as if nothing really changed. But that perception is deceptive, as the regulation defines the new normal that EU member states will start to enforce.
Thus, it makes perfect sense to continue working on GDPR compliance, for two major reasons:
- there are business risks associated with non-compliance, and
- the effort made so far will gradually erode if the work is not continued.
Otherwise all the cost would be sunk – and no business leader wants to write off that amount of money while leaving the company adrift in data privacy matters.
I’ve listed some hopefully handy tips on how to keep the company, its people and its contracts up to date with GDPR obligations.
Continue the work done so far
Compliance is a multifaceted issue in a complex domain. It is understandable that not everything is yet in its final shape.
1. Remember to celebrate the achievements and keep up the good work
The work done so far in organisations should not be wasted. Processes have been changed, people trained, and systems modified. This work might still be continuing under the radar, and there could be non-critical processes and systems that are not yet in a compliant state. Continue relentlessly towards compliance, even if there is no longer pressure from a deadline.
We have done several compliance projects – including one of our own – and I can say from experience that the collective feeling of relief is tremendous when there are no more nooks and crannies to check. Remember to celebrate the achievement and make it visible to everyone.
2. Make sure that non-compliant ways and systems do not creep back in
This happens all too easily. People are in a hurry, “we’ll fix this later”, design choices are not considered from a privacy angle, and mistakes happen. Non-compliance is hard to spot later, as it leaves no trace.
3. Keep people educated about GDPR
The focus should be on the rights of individuals, and only after that on the way the organisation handles private data. Everything stems from the rights: all the obligations exist to satisfy those rights.
4. Remember contractual obligations
A lot of data protection annexes have been written, and now they all should be followed. Some of them are too tight, some too loose; revisiting them after a year makes sense for both contracting parties.
Continue to develop further
GDPR compliance is not a steady state but a continuous process. Organisations must keep working on it, as stagnation lets people revert to their old, non-compliant habits.
5. Focus on the mindset
Handling private data is very much a state of mind. The people in the organisation need to buy in to the fact that private data matters and that due care is important. A lot of developers do not take this seriously – yet – and it takes time to convince them. But when it comes to digital services it is worth the expenditure, as developers set the baseline of privacy compliance.
The credit card industry excels at this. Card numbers and associated data are considered almost sacred; data handling, storage, and passthrough are defined with the utmost care. Everyone dealing with the data agrees on the importance of proper processes and due diligence.
6. Make sure everyone understands and accepts the importance of privacy
Everyone must understand and accept the importance of privacy. So organisations need to keep discussing private data, proper ways of handling it, and suitable architectures with controlled data flows.
7. Consider arguments that are compelling to developers
When private data management is done well – as privacy by design requires – it actually simplifies systems and makes their architecture more elegant. Debugging and further development also become easier. Use arguments that are compelling to developers and do not waste their (or your) time with business-driven arguments.
8. Remember not to collect any private data that is not needed
Private data cannot be stockpiled for later use anymore. Besides, streamlining data collection results in a better user experience, less churn, and fewer abandoned registrations. It makes perfect business sense to focus on the things that really matter to the organisation and its users.
9. Share your goals and philosophy with your partners
When working with external parties, it is also crucial to make sure that they share the goals and philosophy of their clients and partners. Remember that beauty is only skin deep – the real situation can be seen only by talking with the people performing the actual work. Discussions, interviews, training, and audits help, especially when done on a recurring basis.
10. Ensure that contracts make sense for the business and are understandable
Contracts must be in good shape. It is not enough that they exist and contain everything the regulation stipulates. Contracts must make sense for the business and be understandable. Otherwise they are not followed, and compliance is lost.
If protecting private data becomes a shared goal across the network, compliance does not need to be policed – this frees up time to focus on matters with a bigger impact on the business. And there is one less item to worry about.
And finally, know where you are and where you need to go
In short, know your current position with regard to the regulation – processes, policies, systems, and contracts – and develop it further to reduce regulatory risk and to gain business advantage.
Want to learn more about how to keep up with GDPR?
If you would like training for yourself or your staff, join our training courses for open technology companies and for developers at Drupal Europe on 10 September 2018.
If you are interested in more tailored training, check out what we could offer you.