Part 3: GDPR Collaboration Across the Organization

How Does Teamwork Across Departments Help Manage Risk?

Why Aligning Ethics and IT Is so Vital to Data Privacy

This 4 part blog series is based off our webinar, It’s Official: The GDPR Is In Effect…Now What?. If you missed the live recording, be sure to catch the full discussion — a replay link is available when you register. Because it was such a fascinating and collaborative dialogue, we wanted Keith Read to share further commentary.

During Parts 1 and 2 of this series, I recapped some of the conversation I shared with Adrienne Williams (Lead Attorney at Microsoft) and Bill Brierly (Head of Ethics & Compliance at Liberty Latin America). We talked about life under the GDPR thus far, how organizations can support compliance, and important lessons learned.

Today, I’ll pick up where we last left off, with the idea of promoting collaboration across an entire organization, particularly between Compliance and IT. I’ve had a lot of firsthand experience with this recently, as we rolled out our GDPR-specific capabilities at Convercent. It’s been so interesting to see the level of organic collaboration that’s happening between these various departments relative to data privacy.

Of course, it’s not smooth sailing 100% of the time, but I’ve noticed that a sincere desire to communicate and collaborate can make a massive difference.

However, I also recognize that a bit more than sincere desire is needed to achieve effective collaboration. In Bill’s experience collaborating with IT, compliance professionals absolutely must define their role in the process. A lot of what goes into data protection, data privacy, and cyber security is an IT application, so IT has to be responsible for a big portion of the process.

We can “set the table” by simplifying requirements, setting policies, and making sure the tech adheres to the letter of the law. But, the implementation has to be the responsibility of the operators and IT. Ethics and Compliance can oversee things and help out, but we clearly can’t assume full responsibility.

Perhaps even more critically, we can be there when things go wrong. We all agree that perfection shouldn’t be the standard, because the cost to achieve perfection would be astronomical. When Bill said, “The hallmark of an ethical organization, or one that’s focused on doing business with integrity, is the response when something goes wrong,” I couldn’t agree more, because mistakes are going to happen. The key is to learn how you might prevent them from happening in the future, while any fixing mistakes (including making any necessary reports to the authorities, which is a GDPR requirement to keep in mind).

What does it mean to align ethics and IT?

There’s a large body of research that stresses the importance of having an IT program that’s aligned with the compliance and ethics program. Usually, that research highlights the requirements for a robust records system and automation of other systems, typically around reporting and policy management.

The research also stresses the need for real-time dashboards and root cause analysis. We need to do more than just see what happened, we need to know why it happened and if anything could have been done to change that. From managing data silos to understanding the full scope of third party relationships, we can’t do that without IT’s expertise.

Third parties, IT, and the GDPR

To highlight why aligning ethics and IT is so vital, I often talk about third parties in relation to the GDPR. Whenever I mention this, most organizations assume I mean vendors and suppliers. However, I believe there are four distinct categories of third parties:

  1. Upstream: Vendors and suppliers.
  2. Downstream: Agents, distributors, resellers, etc.
  3. Service: Legal services, accounting services, etc.
  4. Others: Joint ventures.

Because four categories exist, there usually isn’t a single place compliance professionals can look to for an accurate representation of all the third parties that an organization is doing business with.

The GDPR has made it abundantly clear that organizations are accountable for data breaches caused by their third parties. Third parties are implicated in 63% of all data breaches, and organizations share data with them frequently. Unfortunately, you can’t assume that your third parties take general security and compliance seriously, let alone GDPR compliance.

(Third parties can also play a role in certain FCPA violations, which further underscores the importance of vetting third parties.)

This large risk underscores why it’s so imperative that organizations protect themselves, and the only way it can be done is through technology. Bill agrees that this relationship is incredibly important. He feels that helping IT (and HR) evaluate the partners they’re choosing is an ideal role for the Compliance team.

That’s because we use specific, rigorous standards to assess third parties from an anti-corruption standpoint, and those same standards can be used to meet the GDPR’s requirements.

Compliance for cloud services is a shared responsibility

Adrienne also emphasized that the responsibility of securing cloud data should be shared across multiple teams within an organization, and even with third parties. Every team in the organization, and every third party that you do business with, has an obligation to assess risks on an ongoing basis to ensure compliance. Often, this involves protecting sensitive data throughout the organization and implementing security measures across devices, applications, and other tools.

These measures, and others, can’t be undertaken without the assistance of IT. The good news is that, when you do collaborate successfully, you can turn GDPR compliance into a business opportunity. During Part 4 of this series, we talk about how to make collaboration a reality for the good of the company, consumers, and others.

If you’d like to reach out to me, Adrienne Williams, or Bill Brierly with GDPR-related questions, find us on LinkedIn via the links below:

Keith Read

Adrienne Williams

Bill Brierly