GDPR: Don’t forget the human touch

GDPR: Don’t forget the human touch

Neil Patrick, Director of GRC and Centre of Excellence EMEA for SAP, discusses the human impact of GDPR, including tone at the top, execution in the middle, and employee and contractor implications at the other end

GDPR: Don’t forget the human touch

If you’ve ever ridden a horse, you’ll be familiar with the phrase, “Dangerous at both ends and uncomfortable in the middle.” It applies just as well to the looming GDPR regulations as it does to the equine world. The General Data Protection Regulation comes into effect on 25 May, which for the complexity of the regulation – and depending on your level of readiness – is very soon.

We’ve all seen the considerable media coverage and the countless conferences dedicated to the technical measures and requirements. Much less, however, has been written about the human in the middle of it all. If you think about the human beings (otherwise known as your colleagues) in the midst of all this, there are at least three considerations shaping the human impact of GDPR – tone at the top, execution in the middle, and employee and contractor implications at the other end.

Tone at the Top

It’s may sound like an obvious point, but unless there is executive sponsorship, a GDPR program will not reach deeply enough into the organisation to be effective. It’s surprising how many organisations continue to make this mistake.  Executive sponsorship ensures that the necessary change management and training programs will get properly funded, be adequately deployed, and have the necessary on-going attention for a business as usual inclusion.

Sadly, a 2018 PwC study on the global state of information security found that less than a third of boards directly participate in a review of security and privacy risks. Without a solid understanding of the risks, boards are not well positioned to exercise their oversight responsibilities for data protection and privacy matters.

Put bluntly, without executive sponsorship GDPR programs are likely to become compliance tick-box programs, will not change how people behave, and are likely to ultimately fail.

Execution in the Middle

Having a host of corporate policies and mission statements is one thing, but ensuring named individuals are responsible for guaranteeing they are enforced across the business is another. Article 5 of the GDPR requires controllers to demonstrate how they comply with the accountability principles. Article 83 talks about intentional or negligent violations.  It is as much about certifying as guaranteeing.

The Information Commissioner’s Office (ICO) talks about rolling out the GDPR as “… a framework that should be used to build a culture of privacy that pervades the entire organisation.” This requires middle management to push ‘the message’ down and throughout the organisation. People need to do this, not technology. People must take ownership of ensuring understanding and use of policies as standard operating procedures.

This also covers gap detection and escalation and mitigation and disciplinary activities. People need training to understand what is acceptable and unacceptable within the parameters of the corporate data privacy culture. There is frequently no single owner for developing a GDPR program. By virtue of its scope, GDPR is highly distributed and sits with for example legal, marketing, HR, procurement, customer support, analytics, R&D, and M&A.

Imbuing an organisation with the correct data privacy culture will reduce the risk of breaches and sanctions. And of course, people come and go, get promoted, take secondments and sabbaticals and holidays. The burden of ensuring that this is handled cost-effectively, consistently and safely, in a ‘business as usual way’ lies with the people involved. In other words, preventing people falling back on old habits and bad behaviour sits with management teams and business process owners.

This also provides the equally essential bottom-up feedback channel back into the change management program. And if this is recorded digitally (software exists for this), an auditable trail of evidence of actions can persist to ‘police the police’.

Employee and Contractor Impacts

People who are deeply engaged with personal data, or who have access to systems and processes that contain personal data, need awareness and procedural training – with refresh enablement because GDPR is not a once-off occasion.

Every internal process, policy, and workflow etc. all ends up with a human being at the end that’s required to perform an activity. Companies must ensure this ‘end user’ behaviour fits within the corporate data privacy culture. (It’s surprising how many organisations make this assumption without checking or don’t have process in place to confirm how well it is done).

Former U.S. Deputy Attorney General Paul McNulty is often quoted saying, “If you think compliance is expensive, try non-compliance”. He’s right. The Ponemon Institute estimates non-compliance costs 2.71 times the cost of maintaining or meeting compliance requirements. Non-compliance costs come from the costs associated with business disruption, productivity losses, fines, penalties, and settlement costs, among others.

With a little planning, GDPR doesn’t need to be “dangerous at both ends” nor “uncomfortable in the middle”. The ICO has a great training checklist for SME organisations. In your pursuit of GDPR compliance, I’d urge you to consider the human being in the middle of your processes, policies and technical requirements that will be on the receiving end of guaranteeing their adherence and enforcement.

Neil Patrick is Director of GRC and Centre of Excellence EMEA for SAP

Share

Subscribe to get your daily business insights

Resources & Whitepapers

Why Professional Services Firms Should Ditch Folders and Embrace Metadata
Professional Services

Why Professional Services Firms Should Ditch Folders and Embrace Metadata

3y

Why Professional Services Firms Should Ditch Folde...

In the past decade, the professional services industry has transformed significantly. Digital disruptions, increased competition, and changing market ...

View resource
2 Vital keys to Remaining Competitive for Professional Services Firms

2 Vital keys to Remaining Competitive for Professional Services Firms

3y

2 Vital keys to Remaining Competitive for Professi...

In recent months, professional services firms are facing more pressure than ever to deliver value to clients. Often, clients look at the firms own inf...

View resource
Turn Accounts Payable into a value-engine
Accounting Firms

Turn Accounts Payable into a value-engine

3y

Turn Accounts Payable into a value-engine

In a world of instant results and automated workloads, the potential for AP to drive insights and transform results is enormous. But, if you’re still ...

View resource
Digital Links: A guide to MTD in 2021
Making Tax Digital

Digital Links: A guide to MTD in 2021

3y

Digital Links: A guide to MTD in 2021

The first phase of Making Tax Digital (MTD) saw the requirement for the digital submission of the VAT Return using compliant software. That’s now behi...

View resource