Raising awareness of GDPR internally means making information ridiculously easy to find, organising compulsory training, and ensuring everyone absorbs and understands it.
The final piece of the puzzle is creating new processes so nothing is left to chance. Adding that level of automation, and scheduling recurring tasks, ensures compliance is maintained and significantly reduces the potential for human error.
1. Sharing information
Create policies that are stored within a document management system (DMS), viewable for all users, but that can be edited only by the compliance team. Use a policy manager tool to ratify with the compliance team the draft policies stored in the DMS, before distributing them to all members of the team.
But don’t leave to chance that these documents will be read and understood. If you have a company intranet or a digital workplace you can use the homepage to remind users to acknowledge they have seen the documents, and add a countdown to the 25 May deadline – or your own internal company deadline – to create a sense of urgency.
Such platforms can track who has opened documents and ask users to tick boxes showing they have read and understood them. Or else you can simply send a notification by email or instant message, and request a response once complete.
Some businesses are creating sites within their intranets that promote awareness of new data protection rules, and from here they can link to these important policies and procedures, and training videos, too.
Making sure employees have read and understood policy documents is one step. The next is to make clear how those new policies impact their jobs, and what changes they will need to make in order to be compliant.
For convenience and consistency – and its cost saving potential – online training is now a popular business tool, with learning paths that guide employees through bite-sized videos, policies or courses. Adding a layer of gamification, such as multiple choice quizzes, will make sure those watching are actually learning something and engaging.
GDPR is likely to have a huge impact on certain teams – marketing and customer services to name two obvious examples – with changes to daily operations, actions and behaviours. For that reason, good training is key.
In short, the impact of GDPR is such that your business is going to have to be run differently. New policies have to be supported by new processes such as Incident Reporting or Data Protection Impact Assessments (DPIA) which form a key part of GDPR.
Simple to use form builders can allow for these processes – such as how your organisation collects, manages and deletes data – to easily be created and followed by all members of the team.
New responsibilities will have to be assigned to different members of the team. For example, whose job will involve communicating with customers how their data is to be collected, stored or destroyed, and whose job will involve actually doing these things?
Technology that automates the new processes and actions, alerts those responsible to perform their tasks in the chain, confirms it has been done, and alerts the next person to perform theirs is now invaluable if not crucial for all but micro businesses.
A simple tool would be a project builder that can create a list of ordered tasks, which can be assigned to specific team members. This project can be replicated as a template for next time. Of course, GDPR isn’t just a one off task. Businesses should schedule recurring tasks within projects and calendars to ensure compliance is maintained, and new processes are followed to the letter.
Nigel Davies is the founder of digital workplace software Claromentis