Changing the internal mindset on GDPR from the inside, out
23 May 2018
It can be easy to see 25 May as a finish line. It isn’t. True GDPR compliance is not measured by how well you align with the rules on the day the regulation takes effect, but by how well your entire organisation stays aligned thereafter.
Earlier this year, we asked nearly 12,000 startups how they go about establishing the consent of their marketing recipients and provide them opt-out options. Staggeringly only 41% of respondents always ask their customers for their consent prior to contacting them. Worse yet, only 47% make it easy for customers to withdraw their consent.
These worrying numbers reflect that some brands are overlooking the point that GDPR is essentially concerned with the working ethics of an organisation, not its rulebook. The regulation exists to ensure that all businesses understand the importance of putting customers’ rights first.
It is now time for companies to roll up their sleeves and inform the way their teams think about personal data. Putting this part of the compliance programme on the back burner simply isn’t an option anymore.
Education, education, education
A good place to start is the senior management team. Whilst compliance is everybody’s responsibility, whatever level you are at, senior management needs to set an example for the rest of the company and position itself as the in-house experts on GDPR. As you go through this process, it is important that the whole business is on board with the appropriate collection and treatment of all customers’ data.
One sure-fire way to do this is for senior management to educate teams on the strict laws that are in place, what the law means for each department, and the implications if it is broken. Make it clear that if any single employee is not compliant, the business will face fines of up to 4% of global revenues or €20 million; no employee or team wants to have that number on their back.
Beyond the leadership team, it is also up to all employees to educate each other. As mentioned, compliance is no one person’s sole responsibility; it needs to come from the whole business. Therefore, something that should be highlighted regularly in team catch-ups and internal meetings is that under GDPR customers have the right to:
- Be forgotten
- Be informed
- Have their personal data deleted
- Have a copy of their personal data (within a month, free of charge)
- Data portability – have their data sent to them electronically in a commonly used, readable format
- Restrict automated decisions and profiling
- Object to a company holding their data

Why not encourage a business-wide pledge to keep these customer rights at the forefront of the professional mind? Remind employees that they themselves are customers outside of work, so this regulation protects them in their personal lives and it is equally important to be mindful of it in their professional lives. How would they like their data to be treated?

If you come from a startup or SME background, there are many GDPR-readiness tests online. If you work for a bigger company, there are many packages that larger employers can purchase for more complex organisations.
Getting every data-handling employee to take a test like this should allow employers and HR teams to identify who needs more training. From there, personalised staff awareness programmes can be devised; however, this shouldn’t stop at compliance. It is an ongoing process that begins at induction and is reinforced regularly throughout the year and whenever staff-related data protection incidents occur.
Another important task in maintaining the way people think internally is to set out when and how to carry out Data Protection Impact Assessments in your organisation (note: exemptions exist for small businesses and low-risk, small-scale data users). A Data Protection Impact Assessment helps you identify and minimise the data protection risks of a project.
This will also determine whether you need to appoint or contract a Data Protection Officer (DPO), who will be responsible for reporting to the highest levels of management. The DPO can lead the change of mind-set across the whole business.
Raising awareness and changing mind-sets can certainly feel like a daunting task, not least because success in this field is so tricky to measure. While it might seem too late in the day to begin, simply setting the time aside to have these conversations internally can significantly lower the risk of fines and strengthen GDPR-readiness.
Judy Boniface is CMO of Mailjet