GDPR is the acronym on everybody’s mind. Everywhere you turn you can find articles and conversations discussing the detail of the GDPR legislation, and with that you can also discover a plethora of different opinions.
Perhaps the most important – and difficult – aspect of GDPR is the necessity for a culture and mindset change within your organisation. Habits that are ingrained in your organisation, both gross and subtle, will need to be addressed.
A simple process change won’t cut it. The legislation demands change across all of your departments, from IT and legal, to sales and marketing and beyond. It’s more than an IT governance issue – it affects architecture and the entire user journey.
Old habits such as keeping spreadsheets containing partner, publisher, customer or user data will need to be addressed, and in most cases the spreadsheets deleted, due to the identifiable information they contain.
While an immediate cleanup of this type of activity will certainly be a requirement, it won’t help in the long term if employees simply continue with these practices.
The GDPR Mindset
- Do you know why your organisation is collecting the data?
- Why are you specifically collecting the data?
- Are you collecting data in order to sell it later? Perhaps to license it, optimise a process, or to profile the data in order to sell products?
Individuals are going to gain a truckload of automatic rights under GDPR, and there will be just as many legal choices to make. The biggest change to the landscape will become apparent over the coming months, as companies implement their changes to data management and data processing, especially as compliance will now be expected by default.
GDPR is a long-term outlook to force companies into regulating the data they collect, process and analyse about consumers. If you can design the data management architecture and partner with companies who are already GDPR compliant (or who can offer genuine, legally sound advice on how to achieve that), then you will only have to do it once to be ready for the deadline later this month.
As accountability is at the core of GDPR, it’s worth reviewing article 6 of the legislation, which sets out six core principles governing personal data, makes the data controller responsible for them, and requires the controller to be able to demonstrate compliance with all six:
Personal data shall be:
a. Processed lawfully, fairly and in a transparent manner in relation to the data subject;
b. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
f. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Do GDPR right the first time around
With everything mentioned already, and no doubt all of the advice you’ve already taken, it’s obvious that GDPR requires a much higher level of consent from consumers than the current regulation does.
Ensuring that your staff fully understand their responsibilities will be paramount for companies looking to avoid the hefty fines that could be levied against them (it has been stated that fines of up to €20 million or 4% of global turnover, whichever is higher, could be enforced).
Every single department within your company needs to have access to information regarding the rights of customers and be fully committed to the six principles.
What to consider when gaining consent
- Opt-out consent is no longer an option; a person has to opt in
- Being able to prove that you have consent is critical
- A person has the right to withdraw their consent at any time
- Consent has to be freely given; for example, a content download cannot be made dependent on consent
- Consent must be specific and informed: what is the data going to be used for?
- Consent must be unambiguous, for example a clear consent form with binary options
- The best practice is to review consent every two years
One of the headline GDPR rulings is the introduction of ‘unambiguous consent’. Previously, a consumer’s personal or behavioural data could be used for marketing purposes without explicit consent for those uses. It’s a strong foundation, and unambiguous consent will give consumers the confidence to understand precisely what data is being collected, why, and what companies are going to use that data for.
Culture change, culture shock
As GDPR looms ever-closer, many organisations are using contractual change, penalties, rewards and educational pieces to help motivate culture change within their organisations, particularly to encourage a change in attitude from staff.
I think it’s going to be common practice to add contractual change to employees’ contracts of employment. Not only does it formalise the importance of GDPR in staff mindsets, but it’s also a great method for showcasing how seriously you take the new compliance within your organisation. But this alone won’t create a culture shift; the use of penalties (even disciplinary) will be important, as well as education pieces and rewards, especially in organisations where their size and public image will garner special attention towards how they meet the new regulations.
GDPR will likely be one of the most difficult cultural changes any organisation will face, as it affects all employees, regardless of position or job title. Several organisations have even created new departments and positions designed to promote GDPR compliance and cultural change from within, while others have used external assistance.
Businesses often take a drastic approach to the difficulties facing them with culture change, implementing far-reaching and extremely ambitious policies for staff to adhere to. The key to culture change, however, is a direct impact on a few key behaviours that have a disproportionate effect on success. It’s often a temptation to pile one process change on top of another, which often leads to each change undermining the others. Not to mention that this approach can sometimes produce efforts that are too esoteric and programmatic, and that overlook entirely how ingrained employees’ beliefs and habits are.
For example, three potential critical areas to focus on might be:
- Organisational behaviours
- Existing cultural traits
- Informal leaders
The first point relates to any change that can become widespread quite easily (and without friction) but has a large impact on the overall cultural objective.
The second point highlights more of the emotional ebb and flow of the organisation and how it might be harnessed to assist in the overall goal.
The last point relates to individuals who are ‘authentic’ in their ability to motivate and influence others within an organisation, usually by what they do and how they do it. The qualities to look for in these individuals are usually that their colleagues view them as credible, trustworthy and effective. These individuals are usually far more effective than the ‘change agents’ appointed by senior executives.
I think it’s fair to say that everyone will develop their own unique approach to tackling GDPR, and that each company has its own mindset and culture that needs to be adapted. But there are definitely some best practices and “don’t do’s” that we all need to look out for, not to mention a solid understanding of the legislation itself.