If you’ve ever ridden a horse, you’ll be familiar with the phrase, “Dangerous at both ends and uncomfortable in the middle.” It applies just as well to the looming GDPR regulations as it does to the equine world. The General Data Protection Regulation comes into effect on 25 May, which for the complexity of the regulation – and depending on your level of readiness – is very soon.
We’ve all seen the considerable media coverage and the countless conferences dedicated to the technical measures and requirements. Much less, however, has been written about the human in the middle of it all. If you think about the human beings (otherwise known as your colleagues) in the midst of all this, there are at least three considerations shaping the human impact of GDPR – tone at the top, execution in the middle, and employee and contractor implications at the other end.
Tone at the Top
It may sound like an obvious point, but unless there is executive sponsorship, a GDPR program will not reach deeply enough into the organisation to be effective. It’s surprising how many organisations continue to make this mistake. Executive sponsorship ensures that the necessary change management and training programs will get properly funded, be adequately deployed, and receive the ongoing attention needed to become part of business as usual.
Sadly, a 2018 PwC study on the global state of information security found that less than a third of boards directly participate in a review of security and privacy risks. Without a solid understanding of the risks, boards are not well positioned to exercise their oversight responsibilities for data protection and privacy matters.
Put bluntly, without executive sponsorship GDPR programs are likely to become compliance tick-box programs, will not change how people behave, and are likely to ultimately fail.
Execution in the Middle
Having a host of corporate policies and mission statements is one thing, but ensuring named individuals are responsible for guaranteeing they are enforced across the business is another. Article 5 of the GDPR requires controllers to demonstrate how they comply with the accountability principles. Article 83 talks about intentional or negligent violations. It is as much about certifying as guaranteeing.
The Information Commissioner’s Office (ICO) talks about rolling out the GDPR as “… a framework that should be used to build a culture of privacy that pervades the entire organisation.” This requires middle management to push ‘the message’ down and throughout the organisation. People need to do this, not technology. People must take ownership of ensuring understanding and use of policies as standard operating procedures.
This also covers gap detection, escalation, mitigation and disciplinary activities. People need training to understand what is acceptable and unacceptable within the parameters of the corporate data privacy culture. There is frequently no single owner for developing a GDPR program. By virtue of its scope, GDPR is highly distributed and sits with, for example, legal, marketing, HR, procurement, customer support, analytics, R&D, and M&A.
Imbuing an organisation with the correct data privacy culture will reduce the risk of breaches and sanctions. And of course, people come and go, get promoted, take secondments, sabbaticals and holidays. The burden of ensuring that this is handled cost-effectively, consistently and safely, in a ‘business as usual’ way, lies with the people involved. In other words, preventing people from falling back on old habits and bad behaviour sits with management teams and business process owners.
This also provides the equally essential bottom-up feedback channel back into the change management program. And if this is recorded digitally (software exists for this), an auditable trail of evidence of actions can persist to ‘police the police’.
Employee and Contractor Impacts
People who are deeply engaged with personal data, or who have access to systems and processes that contain personal data, need awareness and procedural training – with refresher training, because GDPR compliance is not a one-off event.
Every internal process, policy and workflow ends up with a human being who is required to perform an activity. Companies must ensure this ‘end user’ behaviour fits within the corporate data privacy culture. (It’s surprising how many organisations make this assumption without checking, or don’t have processes in place to confirm how well it is done.)
Former U.S. Deputy Attorney General Paul McNulty is often quoted saying, “If you think compliance is expensive, try non-compliance”. He’s right. The Ponemon Institute estimates non-compliance costs 2.71 times the cost of maintaining or meeting compliance requirements. Non-compliance costs come from the costs associated with business disruption, productivity losses, fines, penalties, and settlement costs, among others.
With a little planning, GDPR doesn’t need to be “dangerous at both ends” nor “uncomfortable in the middle”. The ICO has a great training checklist for SME organisations. In your pursuit of GDPR compliance, I’d urge you to consider the human being in the middle of your processes, policies and technical requirements, who will be on the receiving end of ensuring their adherence and enforcement.
Neil Patrick is Director of GRC and Centre of Excellence EMEA for SAP