Part 2: Lessons Learned From the GDPR

How Are Organizations Responding to GDPR Requirements?

What Organizations Have Learned About Data Privacy So Far

This four-part blog series is based on our webinar, It’s Official: The GDPR Is In Effect…Now What?. If you missed the live recording, be sure to catch the full discussion: a replay link is available when you register. Because it was such a fascinating and collaborative dialogue, we wanted Keith Read to share further commentary.

During Part 1 of this series, I recapped some of the conversation I shared with Adrienne Williams (Lead Attorney at Microsoft) and Bill Brierly (Head of Ethics & Compliance at Liberty Latin America).

To begin the dialogue, we talked about life under the GDPR thus far. We each shared thoughts about how organizations can support the GDPR, addressed the retention of data related to whistleblower hotlines, and assessed what the GDPR means for Latin American countries.

Today, I’ll review our discussions about the big lessons organizations around the world have already learned from the GDPR. These early scenarios will set the stage for how this important data privacy legislation is enforced throughout the EU and elsewhere, and as expected, there are both challenges and opportunities.

Early GDPR violations

Approximately one month after the GDPR became law, my former company (British Telecom) was fined for a data protection issue related to spam emails. The relatively small fine was incurred under the old legislation, the Data Protection Directive, but this enforcement does show that regulators are increasingly prepared to mount investigations. There’s no doubt they will use their ‘powers’ to enforce the GDPR.

Still, one of my biggest takeaways from the GDPR and similar pieces of legislation is that compliance isn’t a destination; it’s a continual process. Part of the reason is that we’re still working through the different aspects of conflicting data legislation. For example, if someone raises an issue about bullying through a hotline, that data may have to be deleted within a few months. But if I were to raise the same issue through my company’s grievance procedure, the data could be held for four years.

I think we’ll see clarification around such issues eventually, but the nature of these types of regulations is that things are constantly evolving. It’s one of the reasons organizations like Convercent and Microsoft put so much effort into preparing for the GDPR, both within our products and when providing guidance to our customers.

GDPR compliance is a complex journey

Adrienne agrees that compliance in this area is a journey, “especially given the complexity.” This complex regulatory landscape that we live in also “underscores the imperative [we have] to streamline processes.” Organizations don’t want to get bogged down (or burden their customers) with constant adjustments to ensure compliance. As a result, meeting the requirements of the GDPR has driven further automation of processes to keep them current.

For Microsoft, the foundation of their preparation was ensuring privacy by design, and they automated certain processes to achieve that goal. The company:

  • Streamlined requests for information, reports, and audits.
  • Standardized contracts with partners and vendors (which is something all businesses should do).
  • Improved collaboration between their Engineering, Privacy, and Compliance teams. (We talk more about collaboration across departments in Part 3 of this series.)

Adrienne also shared two additional tips and insights that I think are very useful:

  • Making sure compliance is actionable across teams requires the standardization of data categories. This is the only way a business can effectively search across the entirety of their data estate to capture relevant information.
  • The most effective means of automating processes requires keeping things simple and transparent. That’s exactly why the Microsoft Cloud provides a simplified and complete approach to the governance of data-related compliance responsibilities.

Remember that last tip about simplifying things, because it will come up again.

What other GDPR-related changes can we learn from?

Bill, Adrienne, and I all agree that the GDPR brought with it a number of changes to certain business practices.

For Liberty Latin America, building data privacy into the fabric of the company was incredibly important, and the team did some great work before May 25th to prepare.

As a relatively new company, they looked to other organizations for guidance on best practices for handling consumer and employee data, then used that information to build their own programs. Bill understands that the GDPR, and the enforcement actions that follow from it, are setting trends around the world, especially in Latin America.

It’s a helpful reminder that even if the GDPR doesn’t directly apply to your business, you should understand that compliance with similar rules will likely be necessary eventually.

Additional lessons learned and ongoing issues

The additional lessons I’ve learned, and issues that I continue to see, revolve around some key areas:

Information audits to identify the personal data you hold, and what is done with it, are extremely important. I can’t stress this enough. Understanding your wider data ecosystem also requires assessing which employees need access to which information, and then training them accordingly. Training and engaging your workforce will be one of the biggest ongoing challenges, and as Bill cautions, creating a complex set of responsibilities for employees doesn’t ensure compliance. As compliance professionals, we need to work with the entire company to simplify how information is managed and protected.

Identifying the legal grounds for processing data is another thing all organizations should be thinking about. Companies can’t collect data for no reason at all, so you need to understand what data is truly needed before requesting personal information.

Contracts of all types will be an ongoing issue, because third parties represent a significant security risk. We’ll talk more about the four types of third parties you should be aware of in Part 3, but needless to say, this is an area that demands significant attention.

Data privacy will be an ongoing challenge. If I had to pick one key lesson from the GDPR, it would be this. The legislation is strict, and compliance isn’t easy by any means. But, personal data protection is hugely important. I’ll always remember an instance where an employee of a company was bribed with a simple pint of beer. The bribe-giver wanted the address of a particular couple. Tragically, the couple was later killed.

Of course, not every example is this serious. But it does bring home the concept of what data privacy really means, and why it’s so important.

People, processes, and technology

A GDPR compliance program focuses on people, processes, and technology. Organizations must communicate with a large workforce, many of whom may not understand the intricacies or importance of data privacy.

It’s essential to roll out a risk-based, company-wide awareness and training campaign to ensure everyone is on the same page. This challenge can be compounded if employees are global, and perhaps don’t view the GDPR as being relevant to them.

Maintaining and managing the infrastructure needed for compliance is also massively complex. It’s one of the reasons Convercent offers the Campaigns Manager tool. Most of the capabilities within the software are essential for large and small organizations alike, because they simplify the administration of policy management. In essence, Campaigns Manager helps ensure employees both understand and sign the policies that support your company’s success.

Up next: Collaborating with the IT department to achieve GDPR compliance

Data privacy and the GDPR mean there must be an ongoing conversation between the Compliance and IT departments, across both consumer-facing and product-facing teams. Sometimes, other departments feel as though internal compliance teams are rating or judging them. That’s why it’s so important for us to communicate and collaborate. We know that our intention is to partner with and enable internal team members, but that message can get lost in the shuffle.

To that end, reading Part 3 of this series will show you how to make collaboration a reality for the good of the company, consumers, and others.

Do you have questions after reading these first two posts in our GDPR series? If you’d like to reach out to me, Adrienne Williams, or Bill Brierly with GDPR-related questions, find us on LinkedIn via the links below:

Keith Read

Adrienne Williams

Bill Brierly