Since the GDPR went into effect, organizations of all sizes have been re-evaluating how they handle personal data. From our experience, most organizations started taking steps to align with the legislation by tackling the more visible items such as their privacy policies and their data processing agreements. In focusing the bulk of their efforts on these areas, many businesses overlook some less prominent points of data privacy compliance — areas that may not get much attention, but that can affect your compliance status if not addressed.
Before you put away your GDPR readiness plan, make sure you haven’t overlooked these three important elements.
1. Architecting to Respond to Data Subject Requests
GDPR grants EU residents a series of rights related to their personal data, including the right to access, the right to be forgotten, the right to restrict processing, and others. A good GDPR compliance program has the right policies and procedures in place for accommodating these rights … but may stop short of ensuring that internal business processes and technology systems are up to the task. If one of your EU-based data subjects called today and asked you to delete her personal data, for example, would your business processes and technical systems be positioned to enable your team to fulfill the request promptly? If you’re not sure, now is the time to evaluate and make the necessary changes.
Action Item: Do a thorough evaluation of the personal data in your systems — including what data you have, where it is, how you process it, and who has access to it — and make sure that when EU residents exercise their rights under GDPR, your organization will be ready to respond promptly.
2. Monitoring for “Triggers”
If aligning with GDPR were a matter of “set it and forget it,” businesses could relax once they had put the necessary policies, procedures, and architectural updates in place. However, your business, processes, and systems are constantly changing, and many of those changes could require a re-evaluation of your GDPR compliance status. An effective GDPR governance plan incorporates monitoring for triggers such as
- New data privacy legislation/regulations
- New personal data collected
- Policy changes
- New vendors or business partners
- Merger or acquisition
- New applications or processes
- Regulatory and judicial clarifications
- Technology innovation
Action Item: Create a governance plan that calls for periodic re-evaluations of your compliance status and procedures for updating your data privacy practices as necessary.
3. Employee Training Reinforcement
When GDPR went into effect, many companies did a commendable job of training key employees on the new rules of handling personal data. The extent to which those employees retain what they learned is anyone’s guess. The regulation has, in fact, been described as “the ultimate insomnia cure.”
What you need is an actual change in behavior, as we explored in a recent webinar. Workshops and seminars can be effective in communicating information; however, on their own they are rarely enough to change behavior. What if, six months after training, a call center employee receives a call from an EU customer exercising her right to object to automated processing? If the employee won’t know exactly what to do and how to address the situation correctly in the appropriate time frame, you may need to rethink your approach to training.
To learn about one approach to reinforcement — gamification — and how it can make data privacy training “stick,” check out the replay of our webinar.
Action Item: Include regular reinforcement in your data privacy training program to ensure that employees will exhibit the proper behavior when situations arise.
In the effort to address the larger issues around GDPR, it’s important to keep in mind the less prominent factors that can affect your compliance status, both now and in the future. If you have any questions about these or other GDPR requirements — or if you’re struggling to understand what data you have, where it is, who has access to it, why you have it, and whether you are deleting it when no longer needed for the collected purpose — just give us a call.
Connect with the authors:
We're Here to Help
Questions about how to bridge the gaps in your organization's GDPR compliance program? Get the answers you need in a complimentary 15-minute call with one of our data privacy experts: