GDPR is not a simple tech solution that can be implemented by ticking a box. As mentioned in our last article »GDPR – an organizational change«, many organizations operating in Europe are not adequately prepared for the new data protection regulation that comes into force this May 2018. Navigating the new compliance standards requires organizations to hire experienced compliance specialists and change managers who can guide and implement the new GDPR standards within the organization. Many organizations are struggling, because the EU’s GDPR guidelines set only the ultimate goal of compliance, and it is then up to companies and organizations to use the latest methods and technologies available to achieve full compliance. The mindset of people has to change, which is confirmed by the Financial Times stating that GDPR legislates a complete restructuring of how we use and store personal data.
In a time when data has become the world’s most valuable resource, navigating the new compliance standards, such as GDPR, will be the top priority on the security agenda for many organizations, according to a recent PwC study. The data economy demands new regulations that hold organizations more accountable for how they treat sensitive personal data. Customer data must be secured and protected, but how organizations go about this involves a lot of uncertainty. Therefore, organizations will follow different paths to compliance, but the result will most likely be the same. In the following you will get a look at how two of our 7N specialists handle GDPR compliance with success.
GDPR compliance from a process analyst’s view
Our 7N specialist, Mette Ditzel, is a process analyst with extensive GDPR knowledge. She is currently on assignment for a large Danish insurance company, where she has been part of the implementation phase of the GDPR compliance process.
Translating legal text into hands-on business initiatives requires practical experience. When asked how she translates the regulatory framework of the EU into the corporate culture of the organization she advises, Mette says that writing manuals and standard operating procedures is not adequate. In some cases she has upgraded the organization’s existing data governance structure to comply with GDPR, which meant that existing business processes had to be updated and customized, new business processes had to be implemented, and new roles with new responsibilities had to be allocated.
“It is one thing to write manuals and standard operating procedures for an organization, and a whole other thing to get roles and responsibilities rooted in the organization.”
Involve the business
It is important to involve the business during the process to get their input, and to start with a pilot group at rollout instead of involving the entire business. It is not easy to satisfy everyone, especially when the organization is represented globally with several branches. Therefore, Mette argues that the goal must be to find a general solution that is sufficiently effective to ensure compliance with GDPR while also minimizing the consequences (e.g. effort and delays) for the business.
Some of the greatest challenges Mette has experienced while advising organizations with regard to GDPR are cooperation and communication. The entire organization is involved with GDPR, and while the business is running its usual tasks, it must also be available for the GDPR specialists.
“Fortunately, both cooperation and communication improve over time. When you explain to the business why we do as we do, they can understand and follow us.”
The power of knowledge sharing
While there are numerous challenges involved with GDPR compliance, Mette highlights two in particular: the continuous replacement of staff and consultants, in particular key employees, and the difficulty for specialists of constantly keeping an overview of the entire compliance process. As Mette says, most issues can be solved, or at least made visible, through open and honest communication and through knowledge sharing. For example, she often tries to gain the overview and solve the challenges by looking at the same tasks from multiple angles. Unfortunately, not all challenges can be avoided, such as the turnover of staff and consultants, but knowledge sharing definitely helps to minimize the consequences.
So how is it even possible to gain an overview and set a framework for the GDPR compliance process when there are so many uncertain factors and challenges involved? As mentioned, the EU’s GDPR guidelines provide only the ultimate goal of compliance, and it is up to the organizations to use adequate methods to achieve full compliance. Mette believes it is important from the beginning to define and agree upon what the ultimate end goal is for the organization. For a process analyst that could be a Data Office that takes care of various tasks. The next step is to work backwards and identify how it can be resolved within existing frameworks and/or with the fewest possible additions. The deadline for compliance is approaching; therefore, Mette says, the focus should be on the target rather than on making overly ambitious solutions from the start. In this regard Mette presents another great takeaway for stakeholders involved with the GDPR compliance process: “GDPR only succeeds if employees comply with the guidelines that are being issued. You can make so many great solutions to ensure data security, but if the business does not agree with the idea, they will not be able to use the solution, and data security will be worse.” Again, Mette points to the fact that involving the business from the beginning and continuously sharing knowledge are both crucial in order to embed the GDPR guidelines throughout the organization.
As in other compliance projects, it is important to have both a top-down and a bottom-up approach. Management must be in charge of the decisions, but because it is the business that is most affected, it is vital that they are heard and participate in the decisions whenever possible.
GDPR compliance from a project leader’s view
Our 7N specialist, Jens Christian Petersen, is a project/program leader with extensive GDPR experience from several compliance projects. He has strategic as well as hands-on knowledge of GDPR projects within leading finance, banking and telecommunication providers in Denmark. He has acted as both chief program manager and chief project manager on GDPR compliance projects/programs.
A common characteristic of the compliance projects Jens Christian has been part of is the high level of project complexity. When asked how to translate the regulatory framework of the EU into the corporate culture of the company or organization, Jens Christian says that it is a good idea to start GDPR compliance by defining it as a program. It is vital that it is a structured process in which the entire business, the lawyers and IT are all involved. Secondly, it is a good idea to establish working groups, each with defined activities within the various areas of compliance.
It is important that management decides how to be compliant, and in fact it depends a lot on management’s risk appetite. How confident does management want to be of reaching an acceptable level of compliance, and what counts as an acceptable level of compliance for management? Is management’s level of compliance aligned with the level expected by the Danish Data Inspectorate? GDPR compliance projects can be rather large and complex, but in some situations they may entail less complexity. It depends on how compliant the organization currently is with the existing Personal Data Act. There are great similarities between the Personal Data Act enforced in Denmark and the EU’s GDPR, enforced from 25 May 2018. In Jens Christian’s experience the greatest difference is that GDPR requires the organization to be able to prove and document to the Data Inspectorate that it is compliant. If you cannot document it, you are basically not compliant. As of today, the current Personal Data Act enforced in Denmark also states that personally identifiable information must be deleted and not stored on the organization’s systems. The challenge is then to know when exactly the organization is fully compliant. If the rules on personal data are observed 100% today and the Act is fully enforced, becoming GDPR compliant can be an affordable task. Conversely, there are probably not many companies that can say yes to being fully compliant, according to Jens Christian. Some organizations will choose to comply with a minimum of the law, and others will almost completely comply with GDPR. Those who live up to the regulation 98% will probably not get a fine, but it will be interesting to see how others that are not as compliant will be treated legally. It is very important to take a risk-based approach towards GDPR.
Internet-facing applications holding sensitive personal data should probably be considered highest risk, whereas minor backend applications that are not exposed to the internet and hold a minimum of personal data would probably be considered low risk.
If Jens Christian were to point to some of the greatest challenges in connection with GDPR compliance projects, there are four prominent ones:
- Anchoring decisions at management level
- Managing compliance levels
- Cross-cutting coordination within larger organizations
- Linking the project to the remaining business
Anchoring decisions at management level
First of all, a GDPR project must be rooted at a very high level of management; a fourth- or fifth-line manager should not be the designated person responsible for the entire compliance project. So what exactly triggers management’s attention to GDPR? Some larger organizations have already been notified by the Danish Data Inspectorate that they will be audited, creating a sense of urgency at the organization concerned. The fines are of a size that should get the Executive Board’s attention. In addition to the size of the fines and the 72-hour data breach notification, a front page story might be even worse. Loss of clients due to poor publicity in the press should be enough to ensure the Executive Board’s focus. If the project is anchored three or four management levels down, limited decision authority can make it difficult to get the right decisions through; prioritizing resources, for example, can be a huge issue. Typically, the sense of urgency means that GDPR program managers are placed higher in the organizational hierarchy and anchored in the Executive Board, meaning that the CEO attends information meetings about GDPR.
Managing compliance levels
Managing compliance levels is also a great challenge. How much risk does the organization want to accept? It is often a decision management must agree upon. If management is not represented on the steering group of the project, this has the potential to complicate and delay the entire project. With 25 May 2018 approaching, many organizations should reconsider who they involve and who they designate to lead the GDPR compliance project.
Cross-cutting coordination within larger organizations
The cross-cutting coordination within larger organizations in itself makes the GDPR compliance project a rather complex task to solve. In the case of deleting data, for example, how do you ensure that deletion is done in the same way in a thousand different applications, and how do you run quality assurance afterwards? Do you send people a manual, or do you hold a workshop? As Jens Christian confirms, it is certainly hard to get everyone in the organization on board, and even harder when it is across countries.
Link between project and the business
Linking the project to the rest of the business is vital if the goal of full compliance is to be reached. It is important that the designated project or program manager considers change management within the entire business, including the customer advisors. Everyone has to be prepared to meet the customer in a different way under the GDPR regulation. It is no longer acceptable to place sticky notes with personal identification numbers (CPR numbers) or the like on the screen. It is a very big change for customer advisors, who must understand the GDPR requirements going forward. Organizations must understand that they only borrow the information from the customers. Going forward, organizations should be able to prove that customers can trust the way the organization handles their personally identifiable information.
Even when organizations consider these four challenges in connection with GDPR, there are other challenges that may be even more difficult to manage and control. Although management sets the framework for GDPR, there is still much to be interpreted, and this poses a great risk to organizations. The different departments operate many IT applications, often with business and IT separated. This means that data deletion is done in different ways, in different departments, at different times, based on similar rules agreed bilaterally with parts of the business. How can it be ensured that all systems still work after May 2018, when parts of the data have been deleted by different departments? This is an important point Jens Christian puts forward. It is hard to get the business to understand how data deletion might suddenly result in some things not working, or not showing, in the programs the employees work with. When such an issue is identified, it is important to escalate the risk of inconsistent data after deletion, according to Jens Christian. The action plan should be to run as many cross-functional tests as possible, and the approach should be risk-based testing, so that the areas with the greatest risks are tested first and with the greatest focus.
The importance of internal communication
If Jens Christian were to highlight some of the hands-on tools he uses as a GDPR project leader, many of them involve communication. Besides the usual project leader tools, there is a need to have a communications expert or department involved in the GDPR project. It is important already during the initial phase to inform employees internally about major changes that will impact the entire organization. In the case of GDPR, it is important to provide people with general information about the regulation. Thereby, organizations can avoid bilateral inquiries and put to rest the worries and concerns arising from employees attending external GDPR or security courses or the like. A great idea could be to engage employees by creating interactive programs or video content that raise awareness about GDPR. Apart from communication tools, anchoring data and centralizing logs are other areas where tools are needed. When it comes to anchoring data about the organization’s compliance level, some organizations use a simple tool such as Excel, whereas others purchase solutions from NNIT, DPOrganizer, Bech or the like. For the centralization of logs from all IT applications, in relation to the GDPR requirement on traceability, there are good but expensive solutions; ArcSight and Splunk are good examples. The burden of proof lies with the organization, so it is important that it can produce logs that show when profiles have been hacked, thus disclaiming responsibility for the data breach.
Make the GDPR project suit the organizational needs
As illustrated by the points Jens Christian has made, it is clear that the complexity of a GDPR project or program is high. A project or program like that cannot be solved by a simple technical solution. However, Jens Christian holds the view that, depending on the organization, you must always ensure that you do not make the GDPR project bigger and more complex than the organization’s needs. A rough estimate for sizing GDPR projects, depending on the current compliance level, is that large Danish companies should budget a three-digit million amount, medium-sized companies may spend a two-digit million amount, and smaller companies may be able to reach an adequate compliance level for a one-digit million amount. As Jens Christian points out:
“Of course the local pizza shop that has all its customers registered in one system so that they can order online doesn’t need to launch a GDPR project for 15 million DKK. The economy of the company will not be able to bear this. In this case, you may be able to do a few days’ work on various descriptions, as well as the implementation of procedures such as deletion rules etc.”
The most important thing is that organizations have described why they hold data and how they process it, including the rules for deletion they have put in place.
To conclude this article about GDPR from our specialists’ point of view: as a project leader or program leader, it is important to get management on board and to get the steering group organized properly so that it works towards your goals. According to Jens Christian, a GDPR project is typically 50 % business project and 50 % IT project. Therefore, it is really important that everyone is involved to a certain degree to ensure organizational compliance in the future.