How to Support the GDPR, Make Whistleblower Hotlines Compliant, & More
This four-part blog series is based on our webinar, It’s Official: The GDPR Is In Effect… Now What? If you missed the live recording, be sure to catch the full discussion; a replay link is available when you register. Because it was such an engaging and collaborative dialogue, we asked Keith Read to share further commentary.
- Part 1: The GDPR is in Effect… Now What?
- Part 2: Lessons Learned From the GDPR
- Part 3: GDPR Collaboration Across the Organization
- Part 4: What’s Next for Data Privacy & the GDPR?
Recently, I joined Adrienne Williams (Lead Attorney at Microsoft) and Bill Brierly (Head of Ethics & Compliance at Liberty Latin America) on a webinar to discuss life under the EU’s General Data Protection Regulation (GDPR). Before the regulation became applicable on May 25, 2018, we talked a lot about what to expect and how to prepare, but this webinar was the first time Convercent gathered compliance professionals to talk about the realities of the GDPR now that it is in force.
During our talk, we touched on topics like:
- How organizations can support GDPR compliance, including real-world examples from the organizations the three of us work with.
- Some of the most important issues to watch out for, like proper redaction and retention of data related to whistleblower hotlines.
- Lessons learned from the GDPR, including insights about the importance of people, processes, and technology.
- How GDPR compliance is an ever-evolving journey that requires collaboration and communication across departments.
- Why it’s so vital to align the compliance and IT departments.
- The core issues around third-parties, and how to best approach those relationships from a data privacy standpoint.
- Key takeaways from the GDPR, including what we can do to weather future regulatory changes.
As you can see, we covered a lot in sixty quick minutes. Over the next four blog posts, I’m going to share the key insights you can take back to your own organization. As you read, note any questions you have for me, Adrienne, and/or Bill. We talked about “open-source compliance” at the end of our webinar, and the three of us would be more than happy to answer any GDPR or general compliance questions you might have. You can find our contact information at the end of this post.
How can organizations support the GDPR?
Reading about different organizational approaches to GDPR support is a helpful way to brainstorm how your own organization might implement and enforce its policies. Convercent, Microsoft, and Liberty Latin America each had different challenges to meet as they sought to become compliant.
For example, in my role as Chief Compliance Officer in Convercent’s European office, I helped implement a four-pronged approach to the GDPR:
- Address Internal Consequences. First, we looked at the internal consequences of the GDPR for Convercent itself, particularly as they related to the Ethics Cloud Platform. The main goal was to produce a substantial report that would serve as the roadmap toward demonstrable compliance.
- Assess External Consequences. Next, we looked at what our customers would face under the GDPR. For our customers in particular, hotlines sit at the epicenter of a series of conflicting legal requirements: they have to reconcile the GDPR, duty-of-care obligations, local legislation, and more. We needed to put ourselves in our customers’ shoes to understand the issues they would be facing; with those insights, we could determine how to support them through regulatory change.
- Look at Indirect Consequences. In the third phase, we developed responses to the indirect consequences our customers might face as a result of the new rules. For example, I talk to Works Councils often, particularly about how to manage those relationships.
- Look at the Big Picture. Finally, we wanted to determine how we could best support the global compliance and ethics community in relation to the GDPR. To that end, I think we became a trusted advisor to many of our customers.
Before moving on, let’s take a closer look at whistleblower hotlines, because the GDPR gets a bit tricky here.
The GDPR and whistleblower hotlines
Retaliation against hotline reporters is concentrated early: 80% of retaliation occurs within three weeks of a report being made on a whistleblower hotline, and 90% occurs within six months.
This matters because the GDPR codifies the right to erasure (the “right to be forgotten”, Article 17), under which individuals can require that their personal data be deleted. Honoring a valid erasure request is mandatory, but the right is not absolute: Article 17(3) exempts processing that is necessary to comply with a legal obligation or to establish, exercise or defend legal claims, so any decision to retain hotline records should be tied to one of those grounds and documented, rather than defaulting to deletion. Even so, losing the surrounding data can hurt a program’s ability to identify patterns and potential hotspots where attention may be needed. In the case of whistleblower hotlines, by the time you go back to follow up on a retaliation report related to the original issue, the data you need could already have been deleted.
This is why Convercent invested heavily in a world-class redaction tool. Redacting the personal data in a report, rather than erasing the whole record, gives you the best of both worlds: protection of the individual’s data and retention of the analytics capability.
Adrienne’s experience at Microsoft leading up to the GDPR was similarly robust from an internal-readiness perspective. The company made huge investments in security, totaling more than $1 billion annually.
Microsoft also had to make sure everyone in the company understood the privacy requirements and treated them as imperative. Legal and compliance experts translated the GDPR’s requirements into language other internal departments could understand, and the business and engineering departments then implemented the necessary processes.
Not surprisingly, significant organizational changes were required to align privacy and compliance across engineering, but the result was an end-to-end view of security across teams, products, the devices employees use, and Microsoft locations worldwide.
One initiative was called Next Generation Privacy, a company-wide framework covering policy, processes, technical infrastructure, and customer-experience information, designed to address privacy at every level of the organization. To support customers and partners, Microsoft put its GDPR commitments “out front” in its agreements, highlighting that its cloud services meet stringent security requirements.
Being able to demonstrate compliance is particularly important; it is one of the most common requests that Microsoft, Convercent, and other companies that handle personal data receive. Publishing the commitments externally also let Microsoft reduce the paperwork of answering each request individually and get ahead of the question.
I highly recommend you take a look at the Microsoft Trust Center. It contains a lot of useful information, including key learnings from Microsoft’s journey toward GDPR compliance, along with assessment tools, white papers, and other resources.
What does the GDPR mean for Latin American countries?
Bill Brierly has a distinctive take on the GDPR, since Liberty Latin America operates in 20 countries across Latin America and the Caribbean. As a spin-off from Liberty Global (one of the world’s largest cable providers), his organization has the benefit of being a relatively new company with substantial resources, and it can learn from a team at Liberty Global that has been through the entire GDPR process, which will be even more helpful in the future.
The GDPR does not directly apply to Liberty Latin America’s data, but the organization is still following regulatory developments closely. It wants to see how the EU enforces the regulation’s extraterritorial reach over data about people in the EU, and it is also looking to the GDPR as a template for the data privacy regulation emerging in its own markets; Bill notes, for example, that similar legislation already exists in Bermuda, Chile, and Mexico.
Up Next: What We’ve Learned From the GDPR
Now that you have some background on what it takes to prepare for data legislation such as the GDPR, stay tuned for the next installment in this blog series: Lessons Learned.
Tomorrow, I’ll share some of the top lessons we’ve learned in the short time the GDPR has been in effect, including some public mishaps that have been made (and why they aren’t the end of the world).
As promised, here’s how you can reach me, Adrienne Williams, and Bill Brierly: