An expert’s tips on how to collect data for Article 30
From safeguarding your company against GDPR fines to optimising consumer and client trust, Article 30 compliance comes with a long list of benefits.
We explored some of these benefits in our previous article, “Beyond compliance: 3 reasons why Article 30 isn’t just a GDPR concern”, demonstrating that understanding why and how your company processes data can have significant and far-reaching impacts on your entire organisation.
For our next Article 30 focus, we turn our attention to the more practical side of implementation, homing in on a process that is instrumental not just to this specific GDPR article but to all aspects of compliance: collecting company data.
Introducing your compliance expert: Christina Schak Møller
With six years of consultancy experience within compliance and two decades of working with organisations to optimise processes and implement structures and procedures, Christina Schak Møller is the person to go to when it comes to learning about effective data collection strategies.
Christina currently works as a Management Consultant at VENZO, where we've seen her work her magic across numerous complex accounts, assisting clients in mapping out their data processes and instilling new ways of working to ensure continuous compliance for a variety of businesses, ranging from global finance enterprises to fast-moving AI disruptors.
Here, Christina shares some advice for those embarking on their data collection process, including navigating difficult conversations, where to start if the process feels overwhelming and what to expect if you decide to work with an external consultancy.
In compliance, why is thorough and best practice data collection so important for organisations?
I think one way of looking at it is as the backbone of compliance. It ensures that you have all the information you need so you can actually comply and follow the necessary processes, activities and regulations. For example, having data mapping in place allows you to swiftly reply to customer and DPO access requests or quickly produce an Article 30 report.
You can’t do any of this if you do not have up-to-date data mapping in place. So for me, it’s an essential step before you can start anything else. You may have all the procedures, processes and governance in place, but if you don’t have an overview of your activities, you can’t really achieve anything with these structures.
It’s also an ever-changing world – activities change, purposes change; you have new projects, new customers or new devices in your organisation. If you don’t have your data structured and hold a clear overview of the data you process, it’s really difficult to have an up-to-date understanding of what you need to do to stay compliant.
What are the main challenges businesses face when it comes to collecting data across the organisation?
Whether we’re talking to large companies or smaller organisations, a common issue we see is that they do not have a clear overview of their processing activities, making it quite difficult to know where to start or what to do first.
So it can be overwhelming to get that initial mapping in place, and sometimes it’s good to bring in someone external who can facilitate the process and show a business which questions need to be asked to get that information out in the open.
What does the start of a data collection process typically look like for your team?
We often start out with asking a data privacy manager (or the people in the company who engaged our services) to provide an overview of how the company is structured and which key stakeholders to talk to.
Then we typically invite them for an introduction session where we explain what is going to happen so they can start to think about what they’re doing and what we need to do.
Before the workshop, we’ll sometimes provide session attendees with a spreadsheet and say, “Okay, map everything you do – all of your activities”. Doing this before we meet means we can structure a bit of their work in advance. It allows us to identify repetitive processes and find the right level of detail required for data mapping.
Some companies prefer not to have this introductory step, so we just go straight to the workshop and spend the first hour or two drawing everything out on a whiteboard.
With either approach, we work together with the client to define the headlines for the processes and list out activities underneath. Once we have that in place, we can go to our tools and start data mapping.
Is there anything a business should do before a data collection workshop?
If you don’t have backup from the management team or if this exercise has not been approved by those at the highest level, you will often not succeed. Data collection and mapping processes can be time-consuming projects and communication from management gives your work emphasis, so I recommend you spend time getting this buy-in to make your task easier.
I’d also suggest having a story ready to support the value rather than relying on “We’re doing this to be compliant”. Everyone knows that they need to comply with certain regulations and laws, but it’s more effective if you can communicate the business advantages that the workshop or exercises will achieve.
Do you ever come across any resistance or negative attitudes in these workshops?
We do hear that GDPR and data privacy are boring topics – but people are always polite, especially if the management team has conveyed a message of why we’re doing what we’re doing.
Over the last few years, there has also been a lot of focus on cyber attacks and data privacy, so it’s my impression that people are now more open towards compliance than they were. We don’t see people sitting with their arms crossed, not wanting to participate anymore.
In fact, most of the team managers and process owners we work with give feedback that they’re pleasantly surprised by the data mapping experience. Particularly when working with large companies, a common response is, “Wow, I understand my company a lot better now”. They can see the side benefits of data mapping, such as optimising internal non-compliance activities or increasing productivity after identifying overlapping workflows.
You mentioned that GDPR could be seen as boring for some employees. Are there any particular approaches you use to increase engagement with disinterested groups?
I just try to meet people where they are. If you can feel that someone is busy or doesn’t really want to be there, then it’s important to have open communication and say, “It’s okay that you think GDPR is boring. We will do this as quickly as we can and not take much time away from your work”.
Sometimes that means we split our sessions up into a couple of workshops where we outline what we’ll cover and what we need them to do. Then we go away and do some work on the backend while they input information into a compliance tool. Afterwards, we can regroup and do a sort of validation session which is less time-consuming.
We prefer to do the full workshops together, but we know that sometimes it’s not possible, and we just try to make life easy for everyone involved.
In general, I also try to be positive and outgoing and crack a little joke here and there, so it doesn’t become too dry!
How do you navigate conversations if someone doesn’t want to take accountability and ownership?
Honestly, we don’t experience these conversations very often. Perhaps that’s because we work with different departments, so people may not know exactly what they need to do, but they know that they are responsible for the data they process.
However, if there are occasions where we identify some processes and nobody wants to own them, all we can do is flag this to management. As an external party, we can’t make a decision because the company needs to own that responsibility and someone needs to take charge.
We can advise and we can facilitate, but the responsibility lies with the client.
What are your go-to strategies for making the information you discuss at your workshops stick?
Organisational change management is key to succeeding with compliance goals – yet sometimes it’s something that companies forget to do or don’t focus on. They just want to collect the data and map it, so they live up to regulations.
But if you don’t ensure a continuous compliance approach and the people who are responsible for the processes and activities don’t understand what they need to do, the work you’ve done leading up to this is more or less lost. We’ve seen this happen with huge data mapping projects where companies skip the change management part. They end up calling us two years later for help, and we have to pretty much start over again as the data is now out of date and hasn’t been anchored anywhere.
It’s sad to see because organisational change management can be done at many price points. If there’s the budget, we’ll do cartoons and presentations – but that’s not always necessary. Sometimes you just need to have the key stakeholders involved and bought into what is expected of them.
When data is so fast-moving and ever-changing, how can a company ensure long-term Article 30 compliance?
It’s one thing having the policies in place and another if nobody reads or follows them, so you need to make sure it’s anchored in the organisation. Ways we’ve done this include creating tools such as e-learning training, presentations for all-hands meetings, data privacy sites and intranet content.
With all this activity, it’s important to have one place where you can collect information so employees can find what they need to do in terms of their individual responsibilities and also what to do in scenarios such as a data breach. You need to make it very simple for people to find out what is expected of them.
Policies need to be read and understood, so make sure your documents aren’t 50 pages long. Instead, you need to produce documents that are easy to digest, such as a three-slide PowerPoint with FAQs that quickly convey your information.
We also advise setting up an annual activity wheel in your compliance software so you are prompted to do tasks on a regular basis. A system may also be able to trigger prompts that remind you to review your data privacy policies and privacy notices if you start a new project or buy a new system.
Even if you don’t have an automated trigger set up, your compliance tool will prompt you regularly to take certain actions and review your activity to ensure continuous compliance.
Would you say compliance technologies and systems are an important part of this continuous compliance approach?
Yes. It’s also important in the data mapping phase, as it’s extremely hard to map everything in a spreadsheet, from the types of data you process to who you share this information with and what systems you use. We see clients determined to use spreadsheets come back to us after half a year because there’s just too much data to manage and they need a tool.
You also can’t build in prompts or annual activity wheel functionality in Excel. Nor can you combine it with assessments, like transfer impact assessments. So getting a tool in place is key, especially if you have a fair amount of data to process.