How to set your privacy program up for success
Whether you’re about to embark on a new privacy program, or you’ve started and are struggling to see results, you’ll know that the work you do pre-implementation has the potential to make or break your plan.
From securing buy-in from your C-suite to defining policies, creating lasting awareness in your workforce to risk-based planning, there are many steps ahead that need to be considered if you want to give your program the solid foundation it needs to succeed.
Our Head of Customer Success, Alexandra N. B. Sigursteinsdóttir, works with a range of clients across numerous sectors and company sizes, and has a lot of experience observing the common mistakes and smart actions that businesses take during the implementation phase.
Here, she shares some of her insights along with seven key areas to turn your attention to before you begin implementation to ensure your organisation is setting itself up for long-term success.
Learn how to communicate with your colleagues
One of the biggest questions I get asked by new clients is: “What’s the best way for us to do data mapping?” I often find that behind this question is, in fact, a different question and what they are usually trying to say is: “What’s the best way to approach the people I need to talk to?”
Anyone who hasn’t started the data mapping process yet or is trying to make sense of the work someone did a while ago knows that their job starts with collecting a load of information from various departments.
This task involves speaking to pretty high-level people, who are typically time-poor and may not immediately see the value in prioritising your project over their many other deadlines.
Every company is different, so while it’s hard to give generic advice around this topic, I’d say you need to find the fine line between demanding their attention but also being respectful of their time. This balance involves really thinking about how you’re going to structure your meeting, making sure what you say is relevant and interesting to these key figures.
Do your research on who you are talking to. Are they afraid of new systems and set in their ways, or are they more tech-savvy and up for innovation? Do they have digitalisation projects on the agenda that you know you can get them excited about? Are they driven by sales results, meaning you need to spend more time demonstrating the link between compliance, improved customer relations and subsequent revenue?
Rather than using a blanket approach to communicating with colleagues, shift your focus depending on who you’re speaking to. This more tailored approach will help you secure buy-in from as many people as possible.
Make an effort to convert the sceptics
Before you host a workshop or walk into a meeting where you’ll be educating people on your plans, I also recommend taking a moment to think about how you’re going to be received. Will your prospective audience greet you openly, or are they going to be sceptical from the get-go?
If you expect to be met with a room of sceptics, there are two main things to think about. Firstly, how can you make learning about GDPR as interesting as possible? Compliance consultant Thorleif Gotved recently shared some amazing ideas for thinking outside the box when it comes to raising awareness in his guest blog post “Creative, fun and engaging: expert tips for GDPR training”.
Next, you need to find their pain points. In other words, why should they care about your privacy program, and why do you need their involvement to make it work? Some people will buy into the concept that data protection is a human right, and that they are playing a major role in upholding a value that feeds into a greater good.
For others, they may need to see the wider benefits that data mapping and complying with GDPR brings. For example, you could help them figure out if the systems they are using are still valid and giving them the best results. Or, you could uncover that your company is using several systems for the same purpose, and by merging them into one solution, you’re making financial cuts and freeing up larger budgets.
I find it’s also very effective to remind people that if they ever want to create something new, such as introducing a new tool or revising their processes, data mapping will always give them an advantage and help them start from a more favourable position.
These changes involve data – particularly when adopting new software. Data mapping gives people one central place where they can access all of the most up-to-date information they need.
Whatever their goals, you can help them get there while being compliant and give them the overview they need to troubleshoot any issues, streamline their project, and avoid costly mistakes.
Go beyond securing C-suite backing
Getting the support of your C-suite and the senior people responsible for data is non-negotiable when it comes to the success of a privacy program. We’ve discussed this subject extensively on our blog and with other industry experts such as Clara Kromann, Attorney-at-law at PANDORA.
Without buy-in from the top, you’ll lack resources and have little chance of ensuring compliance is achieved throughout your enterprise.
However, securing C-suite backing is one thing; how you communicate or use that support is another step that can be a hit or miss for the success of your project.
If your organisation is hierarchical in its nature and orders from the top are definitely followed, that’s great news. Some companies, however, may have more resistance or push-back to top-level decisions.
In these instances, you need to identify where possible risks are (e.g. the people who are likely to ignore or go against the steps you need them to take) and look to try a new approach.
Can you make these individuals feel valued or tap into their motivation drivers? For instance, could you help them understand that by taking these steps, they’ll be more productive and shave off hours spent looking for information or having to respond to time-consuming data requests?
I’d always say frame GDPR in a positive light – so motivate rather than threaten. You want to work with as many compliance allies as possible rather than spend energy collaborating with colleagues who resent your program and could potentially jeopardise your hard work.
Consider how to make awareness land with your internal culture
What many people fail to realise when implementing a privacy program is that GDPR is a culture change for most companies.
Privacy programs that are executed well and have long-term success factor in how far along a business is with this cultural change and how people are currently thinking about GDPR in relation to their everyday work.
Many companies will be in a place where most people have a basic awareness of GDPR, but awareness doesn’t equate to caring about GDPR or remembering to take daily steps to be compliant.
It’s rarely the case that a one-off workshop will bring about the huge shift needed to move a company from a non-compliant culture to a workforce of GDPR champions. People may show up to the workshop and listen to what has to be said, but more often than not, they’ll quickly resume their busy workday and forget about what they should and shouldn’t be doing.
Get creative with how you keep GDPR at the forefront of people’s minds. In one of our new webinar episodes with Bo Pyskow, CEO of Sixtus Compliance, Bo talks about helping a client create an animated GDPR cartoon displayed on the office coffee machine to serve up a fun, daily awareness reminder.
As well as getting creative, if you know you’re embarking on a major culture shift, take small steps quickly and often if you want to keep compliance at the forefront of people’s minds. You don’t want to overload people with information or leave big time gaps between awareness sessions, so they forget what they need to do.
Get your hierarchy of documentation in check
Ensuring your policies and procedures are watertight before you implement any stages of your privacy program is key.
Sit down and look at all relevant policies and really examine whether or not they reflect your short- and long-term goals. Then make sure all procedures and corresponding documents that relate to these policies are up to date and written out for relevant parties to view.
It’s fundamental that this hierarchy of documents is checked and reflects your plan before asking people to start their new ways of working. It’s highly likely that whilst going through each stage of a new implementation process, you’ll find either missing or outdated documents that can cause confusion later down the line.
For instance, I often hear from clients that once they start data mapping, they quickly run into issues around third parties. With departments using a host of different third-party services and software, getting hold of or creating new data protection agreements for all these external companies can become a nightmare.
Having an internal procedure in place that requires, before any third-party agreement is entered into, the signing of documents guaranteeing everyone is acting in compliance with your privacy policies, not only safeguards your business but saves a lot of future problem-solving.
Make your internal documents easy to access and understand
Even if a company has its privacy procedures and policies written out for staff to follow, another common problem is that people don’t have easy access to these files and find them difficult to understand or too boring to read.
It’s not unusual for important data protection steps to be buried within a new starter pack that’s glanced at once on the first day of a job and then shoved away in a desk drawer. Or, it may be accessible via SharePoint, but no one has made it a compulsory step for people to read through the documents before taking on a particular task.
Internally, you need to ensure people are always directed to these documents whenever they need to take a step that could impact your program (e.g. onboarding a third party).
You also need to ensure that these documents are written in engaging copy and in your company’s brand voice, so you hold the reader’s attention and get your points across effectively.
These employee-facing documents also need to be easy to digest. Although your IT and Legal professionals will fill your guides and files with all the right information, you need to guarantee that every single person in your company understands the language being used and that the content hasn’t become too technical or littered with industry terminology.
Set clear and realistic deadlines
Deadlines are always important: if you give people a task without one, I can assure you that your project timeline will soon be compromised.
Keep in mind what a good deadline is. A good deadline is rarely two months from now. Unless you’re talking about a seriously big activity, having 60 days to complete one task is too long, and you should look at how that task can be broken down into smaller tasks and multiple deadlines.
At the same time, when setting deadlines for both yourself and others, you need to make sure they are realistic given current and upcoming workloads. While you don’t want to give people too much slack, you also don’t want to stress people out and set a deadline that is doomed from the start.
Follow the deadlines you set closely, and a week before they’re due, send your colleagues a reminder of the upcoming date and expected work. People tend to be a lot more receptive to a gentle nudge in the lead up to a deadline than being chased afterwards.
To find out more about how Alexandra and our GDPR specialists can assist you in your data mapping activities and privacy program implementation, get in touch with our team today.