7 insights from “Planning and managing risk scenarios” with White Label Consulting

Whether you work for a global enterprise that operates in a highly regulated industry or you’ve just launched your own start-up in the retail sector, risk management is a topic that will apply to you and is an area you simply cannot afford to ignore.

As it holds such universal importance and relevance, we decided to make risk management the next focus of our webinar series Compliance Best Practices and invited Magdalena Goralczyk to discuss the most effective ways to work with the process.

Magdalena is a partner at White Label Consultancy, a boutique consulting firm operating within privacy, data protection and, starting in January, security. Coming from a corporate and privacy background, Magdalena has a wealth of experience managing risk scenarios for large, highly regulated organisations. She’s also gained deep insights into the risks scene for smaller businesses after starting her own company, which has given her new learnings on the more holistic approaches required for some teams.

Having worked with companies of all sizes and sectors at various stages of what she playfully calls their “risk adventure”, Magdalena has a great overview of different types of risk management and processes. Kindly, she agreed to share her advice in our latest webinar, focusing in particular on her knowledge on reporting risk in a more valuable way and ensuring your risk results make a difference.

You can watch the full conversation hosted by Complyon’s Head of Customer Success, Alexandra N. B. Sigursteinsdóttir, via the link here or find our top seven insights below.

First up, what is risk management?

One of the first questions we posed to Magdalena was a common query among clients – how do you define risk management? 

While Magdalena was quick to point out that the answer will always vary slightly depending on your company size and what you do, she says risk management is about:

“Going back to the basics and actively approaching what can endanger your company and what can truly bring it to its knees.”

Although a quick Google search will probably tell you that risk management is about providing controls and mitigations to counteract potential threats, Magdalena suggests it’s more about asking yourself: “What’s the worst thing that can happen to us? Can we do something about these risks? How do we prepare our company for these scenarios?”

For large enterprises that handle massive risk scenarios, identifying these possible areas can be a lengthy and extensive undertaking. For some scale-ups, on the other hand, with less to lose in terms of financial status and brand value, it may be a less intensive exercise.

However, no matter your company size, it’s an essential process for any organisation that wants to protect itself from internal or external threats and unlock the many benefits and business opportunities that risk management can bring.

INSIGHT #1: WHEN IDENTIFYING RISK, START AT YOUR CORE

Whether you’re at the very beginning of your risk management journey or you’re revisiting existing measures to increase efficacy, you’ll know that the number of potential threats can seem overwhelming. 

Magdalena advises always starting with the question: “What does my company do at its core?”. For example, do you mainly work with IT solutions? Do you depend on a third-party service? Is data processing integral to the delivery of your product?

By establishing your core purpose and functions, you can then start identifying your core risks and move on to figure out what steps you need to take to counteract them. 

For instance, if you work at a large insurance company, your core risk is going to be losing your license. If you lose that, you can no longer operate as a business. So, you’d need to work out what situations could lead to this and what could prevent them from happening. What mitigations need to be in place to counteract these risks?

INSIGHT #2: RISK MANAGEMENT SHOULD PREPARE YOU FOR THE UNEXPECTED

It’s highly unlikely that any business will be able to pinpoint the exact nature of every risk that comes its way. 

COVID is a prime example. It’s unlikely that most companies had a global pandemic listed as one of their number one risk scenarios for 2020. The likelihood of the events that unfolded over the past year and a half would have been hard to imagine, let alone predict. 

However, Magdalena suggests that by starting at your core business purpose and risk, you can always use your risk management efforts to prepare for major disruption. “In principle, the whole risk management process should prepare you for the unexpected,” says Magdalena. 

For example, if you know your company is dependent on IT, then you’d put in place mitigations around what could happen if any software in your tech stack was disturbed. If you rely on a delivery chain, what can you do at each stage if there’s an issue in the flow? Or, if data protection is central to your operations, what would you do in the case of a data breach?

“Sit down with a piece of paper,” suggests Magdalena, “and start looking into what could happen to your company that would look really, really, really bad.”


INSIGHT #3: GO FOR BROADER DEFINITIONS OF RISK 

On the subject of defining risks, Magdalena advises that if this task becomes tricky, you should always spend more time discovering mitigations and less time defining risk. 

For instance, if we revisit the insurance company example, the most extreme risk they’d face is the loss of their license. While this is a generic, broad definition of their core risk, as we’re not saying it was lost because of specific actions, it allows the company to start working out how to mitigate this incident. Could there be issues of illicit activity within the company? Would there be a problem if there was a change in the regulatory environment?

Through discovering mitigations, you’re able to deepen your understanding of the risk in question. It’s also a more productive exercise, as mitigations should naturally improve your company, helping bring greater value to the business.  

Imagine your core risk is a ransomware attack. You can use this broad definition to look at your systems and locate any vulnerable parts of your IT infrastructure. At the same time, you can use the same exercise as a chance to review how secure and relevant the different components of your tech stack are, providing immediate value to the company.


INSIGHT #4: CONSIDER ROLES, RESOURCES AND RISK PROFILES 

Once you’ve identified your core risks, the next three areas to look at are employees in your company, available resources for the project and your business’ unique risk profile.

When it comes to employees, you need to figure out who is responsible for your business as usual activities and who delivers your main services to clients. You then have to work out what could happen to them. 

HR will be particularly handy in this part of the process, providing insights into who carries out what tasks and what risks could interfere with their roles and responsibilities. In some companies, these risks could be physical. For others, it could be unsatisfactory remote working conditions that lead to high employee turnover due to incidents such as COVID.   

Magdalena raised the point that available resources, as always, will depend on your company. Not all companies will need a full-time risk manager or a dedicated team. Some businesses may have someone who spends 20% of their time driving and maintaining risk-based projects, with check-ins scheduled for bi-annual board meetings. Others, who are perhaps working with a more established risk management culture and history, along with sufficient budgets, will be able to put together an entire risk team who are in regular communication with stakeholders. 

When it comes to risk profiles, again, every company will be unique. However, some of the key questions Magdalena mentions that help her clients get a sense of where they are in the market include: “Are you a start-up and therefore potentially have less to lose financially and through your brand value?”, “Are you a regulated industry?”, and “What industry are you working in?”

She also suggests you should revisit the question: “What’s core to your business?”. This question, in particular, will ensure you don’t ignore major areas of business exposure. For example, if you rely on an external company to deliver your goods, you need to assess what might happen if they could no longer distribute your products. 

Rather than being overwhelmed by the number of potential risks, Magdalena advises starting small, stating: “I’d rather have a well-working process that is very minimal than a massive one with bells and whistles. Start with a simple scenario and just try to stack things up.”

INSIGHT #5: WEIGH UP THE LIKELIHOOD AND CONSEQUENCES

When identifying your risks, you’ll often end up with lots and lots of possible risks. At some point, however, you need to start some sort of evaluation of which risks are most likely to happen and what sorts of consequences they’ll have. That’s where the likelihood and consequences step comes in.

Analysing your risks in this way allows you to prioritise your strategies and ensures you’ll tackle any threats in the right order. 

On this topic, Magdalena offers up a top tip of focusing inwards, rather than spending too much time investigating your industry:

“You can, of course, look on the internet and find different scales. Instead, look into your company. Really examine the likelihoods and consequences for your company that fit with the systems, processes and financials you have in place. The consequences will be very different for a company that has a bigger or smaller budget than yours.” 

INSIGHT #6: LOOK BEYOND PURELY ECONOMIC RISKS

Although you could argue that everything eventually translates into economic impact, it’s best practice to look at different types of risk, not just obvious financial issues. Some of your risks may be regulatory; others could be related to your brand; some are dependent on compliance. 

Make sure you look into all the varied sources of business disturbance. Then, revisit your likelihood and consequence process, working out which risks are more relevant to you. 

Don’t get too hung up on assigning the precise financial implications to each risk, as this can be time-consuming and problematic, but use this exercise as a guide to measuring risks against each other so you can get prioritising. 

INSIGHT #7: RISK MAPS ARE ESSENTIAL TOOLS

When weighing up whether to tackle the most likely but low impact risks or the less likely but high impact risks, Magdalena recommends creating a trusty risk map.

For anyone new to risk maps, you start by establishing the likelihood of a risk occurring. We always recommend a four-tier labelling system of very low, low, high and very high to establish the level of impact that risk would have. With this information, you then map your risks onto a square heat map, helping you visualise where you need to direct your attention.

As a general rule, you should always try to mitigate the highest and most impactful risks. However, there could be some “low hanging fruit” in terms of easy solutions for highly likely, but low impact risks that you may want to take immediately.
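To make the risk map concrete, here is an added example (not code from Complyon or White Label Consulting) of a small risk register that places each risk on the square heat map and orders it for discussion. It uses the post’s four-tier scale (very low, low, high, very high) for impact and, as an assumption, the same four tiers for likelihood. The `cheap_fix` flag is a hypothetical attribute standing in for the “low hanging fruit” judgement, the weighting of impact above likelihood in `score` is an assumption, and the sample register is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Four-tier scale from the post; applied to both axes here (the likelihood axis is an assumption).
TIERS = ["very low", "low", "high", "very high"]
HIGH = TIERS.index("high")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str            # one of TIERS
    impact: str                # one of TIERS
    cheap_fix: bool = False    # hypothetical flag: an easy, inexpensive mitigation exists


def tier(label: str) -> int:
    """Map a tier label to its index 0..3; reject labels outside the scale."""
    if label not in TIERS:
        raise ValueError(f"unknown tier {label!r}; expected one of {TIERS}")
    return TIERS.index(label)


def score(risk: Risk) -> int:
    """Cell ranking, higher = more urgent. Impact is weighted above likelihood
    (assumption), so a rare but catastrophic risk outranks a frequent trivial one."""
    return tier(risk.impact) * len(TIERS) + tier(risk.likelihood)


def classify(risk: Risk) -> str:
    """Turn a cell position into an action, following the post's general rule
    (mitigate the most likely and most impactful first) plus its 'low hanging fruit' exception."""
    li, im = tier(risk.likelihood), tier(risk.impact)
    if im >= HIGH and li >= HIGH:
        return "mitigate now"          # most likely and most impactful
    if im >= HIGH:
        return "plan mitigation"       # impactful but unlikely: still on the list
    if li >= HIGH and risk.cheap_fix:
        return "quick win"             # highly likely, low impact, easy fix
    return "monitor"                   # revisit when likelihood or impact changes


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Order risks for discussion: most urgent cell first, then by name for a stable order."""
    return sorted(risks, key=lambda r: (-score(r), r.name))


def build_grid(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Bucket risk names by (impact index, likelihood index) heat-map cell."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        grid.setdefault((tier(r.impact), tier(r.likelihood)), []).append(r.name)
    return grid


def render_map(risks: List[Risk]) -> str:
    """Plain-text 4x4 heat map: rows = impact (top = very high), columns = likelihood,
    each cell showing how many risks land there."""
    grid = build_grid(risks)
    width = 10
    lines = ["impact \\ likelihood".ljust(20) + "".join(t.center(width) for t in TIERS)]
    for im in reversed(range(len(TIERS))):
        cells = "".join(str(len(grid.get((im, li), []))).center(width) for li in range(len(TIERS)))
        lines.append(TIERS[im].ljust(20) + cells)
    return "\n".join(lines)


# Constructed sample register for an imagined insurer (not taken from the post).
SAMPLE_RISKS = [
    Risk("Loss of operating licence", "very low", "very high"),
    Risk("Ransomware attack", "high", "very high"),
    Risk("Key supplier stops delivering", "low", "high"),
    Risk("Phishing emails reaching staff", "very high", "low", cheap_fix=True),
    Risk("Office coffee machine breaks", "very high", "very low"),
]

if __name__ == "__main__":
    print(render_map(SAMPLE_RISKS))
    for r in prioritise(SAMPLE_RISKS):
        print(f"{score(r):2d}  {classify(r):16s} {r.name}")
```

The map only counts risks per cell; the ordered list underneath is what a risk owner actually takes into a board discussion. Changing a risk’s tier (for instance after a mitigation lands) moves it to a new cell, which is the review step the post describes.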

Magdalena gives some handy questions to help you decide where your priorities are going to go. If you’re choosing between risks, ask yourself questions such as: “What would be the mitigations with this risk? Are they doable? Are we willing to invest time, innovation and money into handling this risk? Can we afford to ignore it?”

At this stage of decision-making, Magdalena raises the importance of having C-suite buy-in. By taking the time to focus on mitigations, you’re essentially taking away time from other business areas. You’ll need senior management involvement to ensure you’re given the time to carry out your mitigations, and if you aren’t given the appropriate resources, responsibility for accepting the risk lies with those making top company decisions.

We ended our webinar with a short demo on how risk management can be done easily in a compliance system. You can watch Alexandra’s demo here, and if you have any questions or would like to discuss how the Complyon team can help with your risk management process, get in touch.

8 takeaways from “Ensuring effective impact assessments” with NNIT

In the latest instalment of our new webinar series Compliance Best Practices, we follow up on the topics of privacy program roles and responsibilities and how to maintain data mapping, with a closer look at impact assessments.

Joining us for our third episode are Bettina Kok and Mia Louise Bukholt from Danish IT and consulting firm NNIT. With their experience running a wide range of assessments, expert GDPR knowledge and backgrounds across a range of company sizes in both public and private sectors, Bettina and Mia were the ideal guests to give us insights and advice on improving efficacy in this area. 

When asked by host and Complyon’s Head of Customer Success, Alexandra N. B. Sigursteinsdóttir, why they’d agreed to contribute to our impact assessment webinar, Bettina replied, “Our immediate reaction was ‘Finally! Because we feel there must be more of a spotlight [on the subject]’”.

Bettina’s response reflects our observation that while impact assessments are essential components of any successful data protection plan, they can often be overlooked and under-resourced.

If you’re looking to persuade a client to take their impact assessments more seriously, or you want new tips for streamlining your process, you can watch the full webinar here.

Below, you’ll also find eight major takeaways from our discussion that explore the potential of impact assessments to transform businesses from reactive to proactive entities, helping keep their organisation’s data as safe as possible.

KEY TAKEAWAY #1: DO YOUR ASSESSMENTS AT THE RIGHT TIME

Timing is everything when it comes to impact assessments. Yet, as prioritisation of these assessments is typically low, businesses often fail to capitalise on the value of the process or only pick up on major issues when it’s too late. 

As emphasised by Bettina and Mia, you should always carry out your assessment prior to any form of implementation, especially regarding the DPIA. This initial screening process ensures that your timeline can continue as planned if you add a new system or subcontractor to your project. You won’t experience a stall waiting for your team to assess and approve the change, saving you time and money before entering into any contracts.

Carrying out your assessment at the right time in the project cycle also allows you to make more strategic, data-driven decisions, helping you realise the efficacy of a new solution or suitability of a third party at the start of a project rather than in the middle of it.

For instance, imagine you want to introduce a new project such as installing analytics software to track your new website metrics. Rather than picking a solution and conducting your assessment later down the line, you should carry out your DPIA beforehand.

Questions to consider would include ‘Is the purpose of the processing formally defined?’, ‘Will data be disclosed to third countries?’ and ‘Are there high risks associated with processing personal data?’

If any of your replies are negative, it would be much less problematic to revise your plan if you haven’t already committed to or purchased your tracking software.  


KEY TAKEAWAY #2: GET YOUR STRUCTURE IN PLACE BEFORE YOU START 

Before you begin your assessment, you need to have visibility over the company’s data flow. Always break these flows down, whether using a spreadsheet or taking advantage of the advanced overviews and functionalities of purposely designed software.

Once you understand the data flow, you can then turn your attention to assigning ownership to areas of risk. You don’t need to allocate a risk per person, and one person can be in charge of several risks. Just make sure you add accountability into your assessment to avoid any steps being missed.

Software can also help you streamline the ownership process. Solutions such as Complyon give you access to features that allow you to easily assign responsibilities, keep track of a project’s progress and send colleagues deadline reminders directly within the system.

A lot of the manual effort is removed, it’s easier to keep everyone on track, and all your information is in one centralised and secure location. 

KEY TAKEAWAY #3: ASSESSMENTS SAFEGUARD YOU FROM HIDDEN OR MISIDENTIFIED RISKS

Speaking of her experience facilitating awareness, risk assessment and DPIA workshops, Mia highlighted the common issue of employees being sceptical of the need for assessments. “Why are we here? We don’t need this risk assessment” are words Mia has heard many times. 

However, in Mia’s experience, by asking the right questions, you often discover that risk scenarios have been either missed or understated. It’s not unusual for high-risk situations to emerge from processes that she was initially told contained no personal data.

Mia also brought up a common issue that many people are unaware of. Even if you don’t process data, if you have access to it or can see it, that still falls within the confines of GDPR.

For example, a company that produces clothes may feel that the only departments processing data are HR and IT (who deal with employee data) and Sales and Marketing (who manage customer data). They’ll often consider those producing the clothes totally separate from anything that involves GDPR and compliance.

However, this isn’t correct. If those making the clothes send out emails, have a list of employee birthdays, upload photos to an internal HR portal or have access to a computer with consumer data on it, they are processing data or have the potential to process data. These all count as risky scenarios to consider for assessments.

Although you may be met with initial hesitation or scepticism around risk assessments, it’s important to remember that employees usually leave the process understanding more about their role and feeling a new sense of ownership over their workflow. So, while it may take some effort to change initial attitudes, keep in mind that in the end, everyone in the company benefits from the assessment. 

KEY TAKEAWAY #4: EVEN IF IT’S LOW RISK – DOCUMENT IT!

According to our panel, whenever you touch customer data, you should do some form of assessment. Even if it’s considered low-risk, when it comes to personal data, any risk is a threat to your company and needs to be taken seriously.

However, you don’t need to do a full-blown risk assessment for all low-risk activities. Simply document what you know and don’t know and be open and honest about how the process could potentially harm those behind the data.

Documenting low-risk scenarios helps you monitor their status, identifying if they increase in risk over time. These limited assessments can also help protect your business from fines if the situation escalates and is brought to the attention of a regulatory body.

When any organisational change occurs, it’s best practice to apply your basic GDPR questions such as: ‘What types of data are you processing?’ and ‘Is it generic, confidential or sensitive?’ 

Be sure to explain these words to the people you’re speaking to so that moving forward, they understand the risk attached to their actions and can take subsequent steps to remain compliant. 

If necessary, you can then move on to more complex areas such as customer segments or types of data subjects (e.g. individuals, employees, clients) and start digging deeper with more advanced questions. 

At this point, pre-defined templates or software are extremely useful in streamlining your process and assisting clients to become compliant at the best achievable level. 

KEY TAKEAWAY #5: GET TECHNICAL TO REDUCE RISK 

If the result of a risk assessment is that you discover medium or high-risk scenarios and part of what’s causing the risks are the systems being used, Bettina and Mia recommend reviewing the technical setup alongside employees with technical knowledge such as an IT Solutions Architect or Delivery Manager.

Combining technical expertise with compliance knowledge allows you to really understand a system, find where you can reduce risk, and quickly execute those changes. 

Employees with more technical knowledge will also have a different mindset that is invaluable to the assessment. While those with a legal, compliance, information security or risk background will know what changes to make, they may not necessarily have the technical knowledge of how to implement the changes they want to make. For instance, encryption and setting up compliant storage solutions often require deep and specific technical expertise.  

An added bonus to working closely with the technical team is that you’re prompting them to take a closer look at their processes, giving them the chance to optimise workflows. For instance, through your assessment, you can help determine if a system is the right one to be using and if it’s set up correctly. 

KEY TAKEAWAY #6: CULTIVATE AN ENVIRONMENT OF PATIENCE AND HONESTY

Anyone who has done an impact assessment will know that not everyone shares our interest in and enthusiasm for the process. Employees are often very busy, so they can be easily agitated if someone is adding work to their immediate to-do list.

Wherever possible, bring some patience and empathy into your encounters to make the assessment as pain-free as possible and try your best to cultivate more positive feelings about the project. 

Honesty is another key approach to consider, as often people fear that assessments might disrupt or halt their workflow. Therefore, it can be tempting not to answer your questions correctly if it means they can continue working as they please. 

Encourage people to answer with total transparency, especially if something feels like it may be risky. Assure them that you’ll work to lower the risk, which means avoiding navigating negative outcomes further down the line. 

Facilitating honesty and weathering impatience can sometimes be trickier when assessments are carried out internally. If you know the road ahead could be slightly confrontational, consider hiring an external consultant who can be completely objective and ask the tough questions. 


KEY TAKEAWAY #7: ASSESSMENTS ARE “ORGANIC” 

Perhaps one of the most pressing messages from our talk with Bettina and Mia is that impact assessments should be regarded as ‘organic documents’ that are dynamic, ever-changing and always in need of regular updates.  

While at the time you conduct them, you’re doing so using the best current knowledge, you need to remember that things change: legislation changes, employees change, clients change, products change.

This inevitable change means that you must go back and revisit your assessments whenever it’s time to do something new, such as introducing new software, working with a third-party service, or optimising a workflow. Even if you are just updating documentation, these evaluations will ensure you’re always acting with maximum compliance and minimum risk.

KEY TAKEAWAY #8: SET UP ANNUAL COMPLIANCE WHEELS

With impact assessments being ‘organic’ rather than static, Bettina and Mia often work with businesses to create yearly compliance wheels, helping them keep track of their progress and better monitor risk.

Involving structured processes and, in most modern scenarios, dedicated software, this approach allows companies to go back and look at their documentation at the right time to confirm if a system or process is still valid following any changes. 

Without this structured approach, a business would have to start from scratch whenever they needed to conduct an assessment, leading to more work, an increase in resources and delayed timelines. 

Compliance wheels also allow people to be more productive, focusing on areas that are likely to change instead of spending time on irrelevant questions or reviewing parts of the process that have stayed the same.

Here’s where systems come in handy again. Many have the ability to notify you when it’s time to do another risk assessment and which type it should be. It may be the case that very little has changed, but in revisiting your compliance wheel and ticking a box to confirm that risk levels haven’t changed, you can rest assured you’re keeping company data safe and can quickly move on to your next task.

If you’ve found our webinar on impact assessments insightful and would like to learn more about how our team and software can help streamline your processes, get in touch with our team today.

Our next line-up of Compliance Best Practices webinars is now live on our website. You can check them out and sign up here.

How to set your privacy program up for success

Whether you’re about to embark on a new privacy program, or you’ve started and are struggling to see results, you’ll know that the work you do pre-implementation has the potential to make or break your plan. 

From securing buy-in from your C-suite to defining policies, creating lasting awareness in your workforce to risk-based planning, there are many steps ahead that need to be considered if you want to give your program the solid foundation it needs to succeed.

Working with a range of clients across numerous sectors and company sizes, our Head of Customer Success, Alexandra N. B. Sigursteinsdóttir, has a lot of experience observing common mistakes and smart actions that businesses take during the implementation phase.

Here, she shares some of her insights along with seven key areas to turn your attention to before you begin implementation to ensure your organisation is setting itself up for long-term success. 

Learn how to communicate with your colleagues

One of the biggest questions I get asked by new clients is: “What’s the best way for us to do data mapping?” I often find that behind this question is, in fact, a different question and what they are usually trying to say is: “What’s the best way to approach the people I need to talk to?”

Anyone who hasn’t started the data mapping process yet or is trying to make sense of the work someone did a while ago knows that their job starts with collecting a load of information from various departments.

This task involves speaking to pretty high-level people, who are typically time poor and may not immediately see the value in prioritising your project over their many other deadlines. 

Every company is different, so while it’s hard to give generic advice around this topic, I’d say you need to find the fine line between demanding their attention but also being respectful of their time. This balance involves really thinking about how you’re going to structure your meeting, making sure what you say is relevant and interesting to these key figures.

Do your research on who you are talking to. Are they afraid of new systems and set in their ways, or are they more tech-savvy and up for innovation? Do they have digitalisation projects on the agenda that you know you can get them excited about? Are they driven by sales results, and therefore, you need to spend more time demonstrating the link between compliance and improved customer relations and subsequent revenue?

Rather than using a blanket approach to communicating with colleagues, shift your focus depending on who you’re speaking to. This more tailored approach will help you secure buy-in from as many people as possible. 

Make an effort to convert the sceptics

Before you host a workshop or walk into a meeting where you’ll be educating people on your plans, I also recommend taking a moment to think about how you’re going to be received. Will your prospective audience greet you openly, or are they going to be sceptical from the get-go?

If you expect to be met with a room of sceptics, there are two main things to think about. Firstly, how can you make learning about GDPR as interesting as possible? Compliance consultant Thorleif Gotved recently shared some amazing ideas for thinking outside the box when it comes to raising awareness in his guest blog post “Creative, fun and engaging: expert tips for GDPR training”.

Next, you need to find their pain points. In other words, why should they care about your privacy program, and why do you need their involvement to make it work? Some people will buy in to the concept that data protection is a human right and that they are playing a major role in upholding a value that feeds into a greater good.

Others may need to see the wider benefits that data mapping and complying with GDPR brings. For example, you could help them figure out if the systems they are using are still valid and giving them the best results. Or, you could uncover that your company is using several systems for the same purpose, and by merging them into one solution, you’re making financial cuts and freeing up larger budgets.

I find it’s also very effective to remind people that if they ever want to create something new, such as introducing a new tool or revising their processes, data mapping will always give them an advantage and help them start from a more favourable position.

These changes involve data – particularly when adopting new software. Data mapping gives people one central place where they can access all of the most up-to-date information they need.

Whatever their goals, you can help them get there while being compliant and give them the overview they need to troubleshoot any issues, streamline their project, and avoid costly mistakes.  

Go beyond securing C-suite backing

Getting the support of your C-suite and those with senior responsibility for data is non-negotiable when it comes to the success of a privacy program. We’ve discussed this subject extensively on our blog and with other industry experts such as Clara Kromann, Attorney-at-law at PANDORA.

Without buy-in from the top, you’ll lack resources and have little chance of ensuring compliance is achieved throughout your enterprise. 

However, securing C-suite backing is one thing; how you communicate or use that support is another step that can be a hit or miss for the success of your project. 

If your organisation is hierarchical in its nature and orders from the top are definitely followed, that’s great news. Some companies, however, may have more resistance or push-back to top-level decisions. 

In these instances, you need to identify where possible risks are (e.g. the people who are likely to ignore or go against the steps you need them to take) and look to try a new approach. 

Can you make these individuals feel valued or tap into their motivation drivers? For instance, could you help them understand that by taking these steps, they’ll be more productive and shave off hours spent looking for information or having to respond to time-consuming data requests?

I’d always say frame GDPR in a positive light – so motivate rather than threaten. You want to work with as many compliance allies as possible rather than spend energy collaborating with colleagues who resent your program and could potentially jeopardise your hard work.

Consider how to make awareness land with your internal culture 

What many people fail to realise when implementing a privacy program is that GDPR is a culture change for most companies. 

Privacy programs that are executed well and have long-term success factor in how far along a business is with this cultural change and how people are currently thinking about GDPR in relation to their everyday work. 

Many companies will be in a place where most people have a basic awareness of GDPR, but awareness doesn’t equate to caring about GDPR or remembering to take daily steps to be compliant.

It’s rarely the case that a one-off workshop will bring about the huge shift needed to move a company from a non-compliant culture to a workforce of GDPR champions. People may show up to the workshop and listen to what has to be said, but more often than not, they’ll quickly resume their busy workday and forget about what they should and shouldn’t be doing.

Get creative with how you keep GDPR at the forefront of people’s minds. In one of our new webinar episodes with Bo Pyskow, CEO of Sixtus Compliance, Bo talks about helping a client create an animated GDPR cartoon displayed on the office coffee machine to serve up a fun, daily awareness reminder.

As well as getting creative, if you know you’re embarking on a major culture shift, take small steps quickly and often to keep compliance top of mind. You don’t want to overload people with information, nor leave big time gaps between awareness sessions, or people will forget what they need to do.

Get your hierarchy of documentation in check

Ensuring your policies and procedures are watertight before you implement any stages of your privacy program is key.

Sit down and look at all relevant policies and really examine whether or not they contain your short- and long-term goals. Then make sure all procedures and corresponding documents that relate to these policies are up to date and written out for the relevant parties to view.

It’s fundamental that this hierarchy of documents is checked and reflects your plan before asking people to start their new ways of working. It’s highly likely that, whilst going through each stage of a new implementation process, you’ll find either missing or outdated documents that can cause confusion further down the line.

For instance, I often hear from clients that once they start data mapping, they quickly run into issues around third parties. With departments using a host of different third-party services and software, getting hold of or creating new data protection agreements for all these external companies can become a nightmare.

Having an internal procedure in place that requires, before any third-party agreement is made, the signing of documents guaranteeing everyone is acting in compliance with your privacy policies not only safeguards your business but also saves a lot of future problem-solving.

Make your internal documents easy to access and understand

Even if a company has its privacy procedures and policies written out for staff to follow, another common problem is that people don’t have easy access to these files and find them difficult to understand or too boring to read.

It’s not unusual for important data protection steps to be buried within a new starter pack that’s glanced at once on the first day of a job and then shoved away in a desk drawer. Or, it may be accessible via SharePoint, but no one has made it a compulsory step for people to read through the documents before taking on a particular task.

Internally, you need to ensure people are always directed to these documents whenever they need to take a step that could impact your program (e.g. onboarding a third party).

You need to ensure that these documents are written in engaging copy and in your company’s brand voice, so you hold the reader’s attention and get your points across effectively.

These employee-facing documents also need to be easy to digest. Although your IT and Legal professionals will fill your guides and files with all the right information, you need to guarantee that every single person in your company understands the language being used and that the content hasn’t become too technical or littered with industry terminology.

Set deadlines

Deadlines are always important: if you give people a task without one, I can assure you that your project timeline will soon be compromised.

Keep in mind what a good deadline is. A good deadline is rarely two months from now. Unless you’re talking about a seriously big activity, having 60 days to complete one task is too long, and you should look at how that task can be broken down into smaller tasks and multiple deadlines.

At the same time, when setting deadlines for both yourself and others, you need to make sure they are realistic given current and upcoming workloads. While you don’t want to give people too much slack, you also don’t want to stress people out and set a deadline that is doomed from the start.

Follow the deadlines you set closely, and a week before they’re due, send your colleagues a reminder of the upcoming date and the expected work. People tend to be a lot more receptive to a gentle nudge in the lead-up to a deadline than to being chased afterwards.

To find out more about how Alexandra and our GDPR specialists can assist you in your data mapping activities and privacy program implementation, get in touch with our team today.