Establishing a Culture of Compliance in GDPR: Why does it matter?

GDPR Panel

I recently attended the GDPR Summit in Croke Park, Dublin, where Perception, along with Tableau and Alteryx, sponsored the summit. I was also asked to be a panellist in the aforementioned discussion on cultural compliance to GDPR.

My fellow panellists, starting from the far right, were Tom Hulton, who is the An Post Compliance Manager and Chairman of the ADPO (Association of Data Protection Officers), yours truly is next and Melanie Blake, the Group Head of Compliance for Paddy Power Betfair. Our moderator on the far left was Partner & Head of Management Consulting of KPMG, Paul Toner.

The stage was set for a lively discussion with audience questions to follow…

I have summarised my thoughts on the topic below. Let me know what you think!

So why does it matter?

  • GDPR (General Data Protection Regulation) is a regulation, not a directive, and it is law: it is not an aspirational goal to be striven for, but a legal requirement that binds every business that processes the data of EU citizens.
  • Noncompliance carries tiered, punitive penalties; a culture of compliance that spans the whole company or organisation should therefore be mandatory and filter through every level of it.
  • Opt-out is the default and unambiguous opt-in is a choice, alongside the right to be forgotten, data portability and easy access; how an organisation finds and processes each of these distinct states easily is a huge question.
  • Noncompliance will render your company or organisation commercially untenable within the EU member states and in dealing with them.
  • Imagine the impact on your reputation if you have been careless with your customers’ data…

Creating awareness of data protection and its significance in the organisation

  • From the above, data protection is clearly very significant: it is potentially a “show stopper” if an organisation does not have processes that are easily managed and tracked.
  • Awareness must start at the recruitment stage and continue throughout employment at every organisation.
  • Furthermore, awareness should not be siloed within current employment but needs to be recognised at a community level. Remember recycling?
  • A transparent process and methodology must be adopted by all stakeholders under a single canopy of compliance that functions systemically rather than manually; controllers and processors can then provide a service that is scalable and resilient for both internal and external customers, because compliance percolates down through the system inherently.

Making the case for greater investment

  • Every business will now need to look at how it collects and processes personal data and how it obtains consent for using it.
    • So, from left to right, i.e. from data source to visualisation or communication:
      • Data sources/Databases – are they secure, correctly credentialed, up to date, minimised, easily accessed, easily deleted or pseudonymised, etc.? – They will need to be.
      • Can you query your data efficiently, specifically the metadata, and easily find specific data, sources, views and who is responsible for the data? – You will need to.
      • Can you audit your data to demonstrate compliance in a meaningful, unambiguous way? – You will need to.
      • Can you provide reports and KPIs (Key Performance Indicators) across the business or organisation to track your compliance effectively and in a timely fashion? – You will need to.
  • Certain companies will also need to make significant investment in staff in the form of Data Protection Officers, and this hasn’t even touched on the ramifications for IT, Legal, Finance, HR, etc.

Managing stakeholder expectations

  • Achievable through workshops within an Agile methodology, where each stakeholder manages the left-to-right data flow of their own department, team, etc.; this immediately enhances and encourages cultural adoption and stakeholder buy-in.
  • Each area of the business has access and credentials only for the data it uses, and because of the above point stakeholders manage their own expectations throughout the process, as they define it according to the regulation within their own area:
    • Data sources are identified and tagged with the correct metadata for direct and easy querying, in both dimensions and measures.
    • Those responsible for the data sources and their integrity are known and can be easily and transparently queried.
    • A social system should be adopted in order to foster collaboration and transparency.
    • Tracking and auditing therefore become simpler, and stakeholders can believe and trust the data they are using or processing.
    • Each data source is constantly monitored for compliance and can be clearly reported up and down the chain, as each stakeholder has visibility across their available sources.
  • Stakeholders are positioned as part of the cultural ethos and form an integral part of the methodology and management of the data journey.

Training for compliance: creating a training scheme for your organisation that ensures everyone understands what’s at stake

  • Stakeholders can provide two types of “training”, both of which reinforce compliance and complement the method above:
    • Behavioural: their team or colleagues are physically shown, with precision, how to be compliant and the tasks and processes involved.
    • Socio-cultural: the above is leveraged in direct problem solving as a team or group.

The GDPR is coming at us on the 18th of May 2018, whether we like it or not. The regulation will affect every single company that has dealings with the European Union when it comes to EU citizens’ data, on a global basis. There is no silver bullet to make you compliant; it will be a series of processes and decisions that get you across the line and keep you there. Your culture will therefore be of paramount importance, particularly if you are a globalised company dealing directly with EU citizen data. There is a very big stick associated with noncompliance: a business that is not GDPR compliant could face a fine of €20,000,000.00, or up to 4% of its annual global turnover, whichever is the larger!

Perception has the tools and know-how to assist you wherever you are on this compliance journey when it comes to the data and reporting on that data. Tools like Alteryx Connect and Tableau can help you track, audit and visualise your compliance KPIs. If you would like to speak to us about any of the above, you can contact us here.