Creating A Culture Of Privacy
Since the General Data Protection Regulation (GDPR) entered into effect in 2018, companies across the world have made efforts to meet the requirements of the regulation. However, there is a big gap between the text of the law and its implementation. Implementing the legal requirements of the GDPR means translating the legal obligations into practical steps, concrete objectives and cost-effective business plans. There is also a huge gap between legal obligations and the realities of innovation and technology. While the law calls for risk assessment, vigilance and compliance, the customer asks for efficiency, agility and results.
The challenges of small organisations differ from those of big ones. Resources are limited, and it is harder to convince people to take privacy seriously when bigger players in the game ignore it. Nevertheless, our experience has shown that you do not need to be a big organisation to start your privacy programme. In this article, our data privacy officer Nazanin Gifani shares our best tips and lessons learned from implementing a privacy programme.
Make privacy relevant
Kicking off a successful privacy programme requires collaboration between different stakeholders. Often it is hard to justify allocating a budget to a privacy programme when there are more pressing needs in the organisation. Therefore, the first step in a privacy programme is to get everybody in the organisation on board with the requirements of the law.
One of the advantages of SMEs is that, unlike many bigger companies which opt for online training, live training is feasible. At Euranova, we took live training as an opportunity to reach out to every employee and start a conversation between people on different projects. Our hands-on training made the legal obligations relevant to the everyday work of employees.
This being said, our experience showed us that one-time training is not sufficient to address all the ongoing issues. Therefore, privacy training should be seen as an ongoing project. It is essential to take various initiatives and seize every opportunity to talk about privacy. For example, we organised workshops with engineering teams in which we analysed different projects together and looked for the best solutions for mitigating the risks. In this way, we managed to work in harmony with different units and to integrate privacy into the processing lifecycle.
A bottom-up approach
To meet the requirements of the GDPR, a bottom-up approach will help you tailor your privacy programme to your organisation’s culture and needs. Here is what our experience has taught us:
- Setting realistic goals for the programme is crucial. Success also stems from understanding the concerns of different teams and the requirements of the customer, and from creating clear lines of communication. If you want employees to adhere to data protection principles, make sure your administrative department understands and respects the employees' privacy first. For example, we started with our internal privacy notice and an internal audit of our admin department.
- Delegate the task and train employees to develop an eye for privacy risk. Whether you hire an in-house or an outside data protection officer, he or she cannot be part of every detail of every project. At some point, you have to rely on employees to be aware of the risks and to ask the right questions. Value employees' input, involve them in the privacy risk assessment and together find the right solution for your specific problem.
- Avoid the common lawyer's mistake of fear-mongering. While it is very important for everyone to know the legal risks, in order to allow your privacy programme to grow organically, it is equally important to have a clear and unbiased picture of the realities of the business.
Be ready to face the challenges
At the end of the day, the road to data protection compliance is not straightforward. The field is still developing. Because regulation moves much slower than technology, there will always be some questions to which the law does not have an answer. For example, at the moment there is some level of uncertainty, particularly when it comes to grey areas such as AI.
However, to use your data to its fullest potential, creating a culture of privacy cannot be overlooked. Our approach is to stay on top of new legal and judicial developments, academic research and the recommendations of supervisory authorities. More importantly, be ready to offer creative solutions and to face difficult questions from the start.
Our data privacy experts can help you train your technical and business teams to understand the practical implications of the regulation and legal requirements of your organisation.
If you are interested in receiving hands-on and tailored training on GDPR and privacy by design for you and your employees, contact us.
Photo by Jason Dent on Unsplash