This blog was originally published in the IBM Big Data & Analytics Hub on June 1, 2018.
In a series of blog posts, the ‘Coach’ offers recommendations on how to get businesses into shape so they can thrive in the new data era.
When did checking off boxes ever create long-term value?
To reap the business benefits of compliance with the EU’s General Data Protection Regulation (GDPR), a business must do far more than hire a data protection officer and install some new technology.
Instead, the entire organization, from the top down, needs a data-driven, privacy-by-design mentality. Only then can that organization enjoy the increased customer trust, cleaner data and better insights that GDPR is promising to deliver.
The Coach’s take: GDPR can’t be viewed as only a technology and processes issue. The people that handle data in a business need help to appreciate their new responsibility for customers’ personal data.
For too long, customers’ personal data has been handled without respect. The processes and workflows associated with the collection, storage and use of that data has focused on its utility or value to the business.
GDPR changes this by putting the rights of the individual front and center of all things data. This means that those well-entrenched business processes and workflows, as well as the associated habits and mindsets, should change also.
There is a lot of work to do here. Survey after survey indicates that many businesses don’t have a culture in place that prioritizes individuals’ data rights. In one study, only 26 percent of IT decision makers said their board of directors and upper management were involved in their GDPR program. In another, focused on the 72-hour breach reporting GDPR requirement, it took companies an average of 206 days to detect that an incident occurred and an average of 55 days to contain the incident. That gap must be closed quickly.
How does one go about creating a culture in which respect for personal data and privacy is embedded?
IBM has been working on its own GDPR compliance for several years and has found that, in tandem with the right processes and technology, the way employees are trained is central to building this culture.
Employees need help to comprehend their and others’ new responsibilities when it comes to individuals’ personal data. They also need help to understand the risks and impact of improper data use.
The Coach’s take: Employees need to know it’s their responsibility to take action when they see the personal data rights of customers aren’t being honored.
Self-service materials such as content libraries, Q&A forums and knowledge base resources are a good start. A range of internal communication and training initiatives should also be set up. The HR portal, e-newsletters and regular email updates can be used to acknowledge challenges, share knowledge and showcase best practices.
The right GDPR partner can help here, but company leaders also have a big role to play. Town hall meetings and leadership lunches get leaders in front of people on a regular basis to reinforce key GDPR messages. It’s a good idea to include GDPR compliance on meeting agendas and performance reviews.
In business, culture is made up of the values, beliefs and behaviors shared by everyone in the organization. It’s what you do, not what you say. It’s a long journey to gradually build up a culture around data appropriate for the GDPR era.
How that looks will be different in every organization, but one common feature should be that no one ever has cause to say, “That’s not my job,” or “I didn’t think the rules applied here,” or “I’m not the only one,” or “I didn’t know; nobody told me.”
GDPR Has Changed the World, but the Full Impact Hasn’t Been Felt
Not a member? Join the community
Already a member? Sign in
Become a CGOC Member and have access to resources, white papers, surveys, proceedings, and practice tools such as the Information Economic Process Assessment Kit. CGOC Members receive first priority to regional CGOC executive meetings around the world.
Asterisks (*) indicate fields required for registration