Janine Chasmer, Executive consultant & MemberWise Ambassador
So, you’ve mapped out a personal data inventory, you’ve raised GDPR awareness in your organisation and maybe you’ve even appointed a data protection officer. You’re safe in the knowledge that once May 25th arrives, your organisation will be an air tight data fortress. But compliance success relies on you staying vigilant and keeping the regulation in mind henceforth. So how can you stay compliant after the deadline?
Simply put, you aren’t finished. Once the regulation comes into effect, expect compliance to become a full-time responsibility. It’s important to keep in mind that you have not simply undertaken a GDPR ‘project’ that can be forgotten about. You have made fundamental changes to the way that your organisation handles data, and it is your responsibility to maintain these changes indefinitely.
This necessary continued support for the project is part of the reason why Purple recommends appointing a Data Protection Officer (DPO), even if you are not obliged to by law. A DPO’s day to day responsibilities will include monitoring compliance, addressing privacy requirements and even defining contingencies in case of a data breach. It is important to make GDPR awareness company wide, but hiring a dedicated member of staff to look after data privacy is the surest way to avoid any pitfalls in maintaining your compliance.
Modern organisations are always evolving – new tech, new people, new systems, new processes. Beyond the 25th of May however, data privacy needs to be considered as part of growth. Does your new website capture unnecessary data? Is your new employee aware of the legislation? Could a new process give rise to a data breach? Any change that you make has an effect, and it’s up to your team to make sure these changes don’t compromise your compliance.
It’s also likely that with change and growth, your organisation may begin capturing larger amounts of personal data. Now you may have trimmed away excess during GDPR preparation but don’t be surprised if the amount of data you store/process begins to rise. Regularly reassess the data that you capture to determine what is truly necessary. These are the sort of responsibilities that can be delegated to a Data Protection Officer.
A DPO cannot be responsible for the actions or decisions made about data by their co-workers. For this reason, it’s of paramount importance to keep compliance fresh in the mind of all employees. This could be done by conducting data breach “drills”, setting aside some time for data security meetings or even simply having visual reminders; a poster for example. If your employees continue to understand the importance of the legislation, they will contribute to a more secure organisation.
However, integrating compliance into your company culture is best done positively. A lot of media surrounding the GDPR focuses on its harsh fines for non-compliance, but this should not be enforced as a threat to your employees. It should be a guideline, implemented into their tasks and responsibilities organically.
Lastly, make sure you can prove compliance! There’s a chance that you will need to demonstrate that your organisation is compliant. So, prepare to share the steps that you have taken. Consider even broadcasting your compliance efforts to your network – it could make for good PR to assure customers that their data is safe with you!
Purple are an independent management consultancy who work with membership organisations embarking on a change journey to support the delivery of business objectives with the correct use of people, processes and technology.