If you’ve ever ridden a horse, you’ll be familiar with the phrase, “Dangerous at both ends and uncomfortable in the middle.” It applies just as well to the looming GDPR as it does to the equine world. The General Data Protection Regulation comes into effect on May 25, which for the complexity of the regulation – and depending on your level of readiness – is very soon.
We’ve all seen the considerable media coverage and the countless conferences dedicated to the technical measures and requirements. Much less, however, has been written about the human in the middle of it all. If you think about the human beings (otherwise known as your colleagues) in the midst of all this, there are at least three considerations shaping the human impact of GDPR – tone at the top, execution in the middle, and employee and contractor implications at the other end.
Tone at the top
It may sound like an obvious point, but unless there is executive sponsorship, a GDPR program will not reach deeply enough into the organization to be effective. It’s surprising how many organizations continue to make this mistake. Executive sponsorship ensures that the necessary change management and training programs will get properly funded, be adequately deployed, and receive the ongoing attention needed for them to become part of business as usual.
Sadly, a 2018 PwC study on the global state of information security found that less than a third of boards directly participate in a review of security and privacy risks. Without a solid understanding of the risks, boards are not well-positioned to exercise their oversight responsibilities for data protection and privacy matters.
Put bluntly, without executive sponsorship, GDPR programs are likely to become compliance tick-box programs, will not change how people behave, and are likely to ultimately fail.
Execution in the middle
Having a host of corporate policies and mission statements is one thing, but ensuring that named individuals are responsible for guaranteeing enforcement across the business is another. Article 5 of the GDPR requires controllers to demonstrate how they comply with the accountability principle. Article 83 talks about intentional or negligent violations. It is as much about certifying compliance as guaranteeing it.
The Information Commissioner’s Office (ICO) talks about rolling out the GDPR as “… a framework that should be used to build a culture of privacy that pervades the entire organization.” This requires middle management to push the message down and throughout the organization. People need to do this, not technology. People must take ownership of ensuring understanding and use of policies as standard operating procedures.
Execution also covers gap detection, escalation and mitigation, and disciplinary activities. People need training to understand what is acceptable and unacceptable within the parameters of the corporate data-privacy culture. There is frequently no single owner for developing a GDPR program. By virtue of its scope, GDPR is highly distributed and sits with legal, marketing, HR, procurement, customer support, analytics, R&D, and M&A.
Imbuing an organization with the correct data privacy culture will reduce the risk of breaches and sanctions. And of course, people come and go, get promoted, take temporary roles and sabbaticals, and go on holidays. The burden of ensuring that this is handled cost-effectively, consistently, and safely, in a “business as usual way,” lies with the people involved. In other words, preventing people from falling back on old habits and bad behavior sits with management teams and business process owners.
Execution also puts the equally essential bottom-up feedback channel back into the change management program. And if it is recorded digitally (software exists for this), an auditable trail of evidence of actions can persist to “police the police.”
Employee and contractor impacts
People who are deeply engaged with personal data, or who have access to systems and processes that contain personal data, need awareness and procedural training – with refresh enablement because GDPR is not a one-off occasion.
Every internal process, policy, and workflow ends up with a human being at the end who is required to perform an activity. Companies must ensure that this end-user behavior fits within the corporate data-privacy culture. (It’s surprising how many organizations make this assumption without checking or don’t have processes in place to confirm how well it is done.)
Former U.S. Deputy Attorney General Paul McNulty is often quoted saying, “If you think compliance is expensive, try noncompliance.” He’s right. The Ponemon Institute estimates noncompliance costs 2.71 times the cost of maintaining or meeting compliance requirements. Noncompliance costs include those associated with business disruption, productivity losses, fines, penalties, and settlement costs, among others.
With a little planning, GDPR doesn’t need to be “dangerous at both ends” nor “uncomfortable in the middle.” The ICO has a great training checklist for SME organizations. In your pursuit of GDPR compliance, I’d urge you to consider the human being in the middle of your processes, policies, and technical requirements who will be on the receiving end of guaranteeing their adherence and enforcement.
This article originally appeared in Accountancy Age and is republished by permission.