The General Data Protection Regulation, GDPR, became applicable five months ago, yet the expected flow of legal precedents and record fines has largely been absent, both in Sweden and in the rest of Europe. Why so? Dare we say that everything is right as rain? Or are we about to collide with an iceberg whose tip we have not yet noticed? As there is little existing research on the matter, Sofigate's own GDPR professionals have during 2018 conducted a series of interviews with DPOs, CIOs and GDPR project managers from organisations in various industries, to identify how they have implemented GDPR and which areas they have focused on. Have these individuals, in their respective organisations, found benefits to reap or reasons to weep?
A big topic during the spring of 2018 was the implementation of GDPR. If you, as an organisation, had not taken the necessary actions to achieve compliance by the 25th of May, you were in deep trouble. However, many are well aware that companies have taken years to prepare for this. It has obviously been extremely resource demanding, both in terms of data management and in terms of the competences that had to be brought in. Five months later, there is still no sign of a global GDPR catastrophe. Sofigate wanted to investigate how organisations in different lines of business are working with compliance after GDPR day. Four focus areas within GDPR have recurred throughout our interviews. These are:
- Governance and Risk Management
- Sourcing/Vendor Management
- Training and awareness
- External communication
Governance and Risk Management
Organisations are now transferring their GDPR projects into operational status. In managing and monitoring the maintenance of compliance, the DPO has an independent role, reporting to top management. The DPO typically sets up a team of coordinators for active cooperation across the organisation. These coordinators mainly focus on privacy, and some companies have also introduced combined Privacy & Information Security Coordinator roles. Policy documentation (especially in larger companies) is the baseline and contains the necessary guidelines. The purpose of this working model is to embed GDPR compliance throughout the organisation, rather than keeping it within a single function.
In many ways, GDPR does not differ from any other regulation that organisations have to comply with, and there is therefore a case for approaching GDPR compliance from a Risk Management point of view. Most of the companies we interviewed consider this important, and in practice it often takes the form of extending the existing risk management process to cover personal data, with the aim of preventing incidents rather than only reacting to them.
GDPR requires DPIAs (Data Protection Impact Assessments) to be carried out for processing that is likely to result in a high risk to individuals. Many companies have taken it one step further and produce DPIAs for all processing of personal data. Following the DPIA rulebook has been met with heavy resistance from employees, simply because of the additional work and documentation involved. However, DPIAs are necessary to maintain GDPR compliance from a risk perspective.
As stated by one of the interviewees: "After years of preparations prior to the launch, it has become obvious that the upkeep of GDPR, including DPIAs, is a constant work in progress. Follow-ups are a perpetual theme on our agendas."
Sourcing/Vendor Management
Sourcing is an area which many companies view as a particularly important aspect of GDPR compliance, with many risks involved. Central to managing such risk is the Data Processing Agreement, or DPA, which has led to substantial challenges in interpreting the law. Who is the controller, and whose DPA should be used? Regarding the latter, many companies have struggled when negotiating with a larger corporation. These corporations tend to get the last word, meaning that their DPA template is the one that will be signed by both parties. Hence, the DPA is dictated one-sidedly by the strongest party, and the weaker party has to live with whatever allocation of responsibility and liability that template contains.
Training and Awareness
Failing to offer proper GDPR training can contribute to the infringements that attract the highest tier of fines: up to four percent of the organisation's global annual turnover or 20 million euro, whichever is higher. Larger companies have enhanced their onboarding training with GDPR modules. GDPR compliance also demands several role-based training programmes. The training formats vary between the organisations we have examined: we have identified everything from general PowerPoint slides and e-learning packages to tailor-made courses based on the employee's role and day-to-day activities. Any incident should also be followed up and used as a scenario in future training, so that the company's GDPR compliance keeps developing. Concerning target groups for training, GDPR compliance should be seen as a responsibility of all parties involved, including external consultants and suppliers.
External communication
In addition to the privacy policies published on the external websites of most companies, external communication from large companies has primarily taken the form of press releases, mainly to gain credibility and strengthen the company brand. Business-to-consumer companies have been restrained, largely sticking to emails to customers while waiting to see what action competitors take. However, the initial torrent of emails asking consumers for consent around the 25th of May suggests that many acted without fully understanding whether consent was the right legal basis for their processing at all. Business-to-business companies have seized the opportunity to apply marketing messages such as "We are good at this and we provide safe solutions. We are better than our competitors.", using GDPR-related communication as a vehicle for marketing. In external communication, frameworks are used to identify relevant target groups, with information produced in cooperation with law firms. Some companies have also integrated external communication into the recruiting process, informing all candidates about how their personal data is handled.
Overall, it is important to make a proper analysis of what communication to share with what stakeholder, rather than sending too much or too little. If done correctly, external communication regarding GDPR can be used as a vehicle for marketing efforts and branding, by building the image of an organisation which truly cares about the personal data of its customers, while less successful efforts can have the opposite effect.
Benefits / added value gained after GDPR implementation
Contrary to the commonly held view of GDPR as a burden on companies, the organisations we interviewed have been able to realise a wide range of benefits from their efforts to achieve GDPR compliance. Information management has, in many organisations, previously not been prioritised, planned and/or understood. However, in seeking GDPR compliance, the central role of well-functioning information management is impossible to ignore, leading to benefits such as much improved order in what information is stored and where, a general understanding of the value of information among staff, and a more questioning view of what personal information is actually needed and why. This has also resulted in an improved user experience for companies whose websites previously collected information in a disorganised way. Similarly, organisations have also had a reason to go through their internal processes thoroughly in connection with GDPR, leading to extensive streamlining and an overall increase in efficiency.
One of the most noteworthy changes from GDPR-related efforts is the increased attention directed towards information security. Not only has it become one of the most important areas for companies to consider when seeking GDPR compliance, leading to far-reaching changes in mentality and discourse, but companies are also seeing it as a potential source of competitive advantage. This is particularly important in business-to-business relations, where GDPR makes companies responsible for ensuring the data security of any third-party processing.
While most organisations have done work to reach GDPR compliance, a recently published study by the Swedish Data Protection Authority examined adherence to the requirement that a DPO be appointed and reported to the Authority. Out of the 400 organisations examined, 14 % exhibited shortcomings, with trade unions and telecom operators standing out as the least compliant groups.
Overall, as the initial shock imposed by GDPR settles, organisations are starting to see and reap the benefits inherent in the work they are required to do to abide by it, while also finding new opportunities to differentiate themselves and become more competitive. As this notion becomes more widespread, we are likely to see an even greater emphasis on information management and security in the future. For those who understand its implications, GDPR can be a brilliant opportunity for improved internal efficiency and external marketing, while for those who lack this understanding it can lead to severe financial hardship from fines, as well as a tarnished brand reputation. Choosing which path to take might seem easy, but the end result ultimately depends on how well the necessary changes are implemented by, and at, all levels of the organisation and its operations, rather than being treated as the special and specific interest of the DPO.
About the authors
Founded in 2003, Sofigate is the leader of IT Management in the Nordics and pioneer of Business Technology management in Northern Europe. We help our customers succeed in leading digitalisation. We do it by providing expertise in Strategy Transformations, Technology Solutions and Management Power. Our GDPR offerings place an emphasis on how to successfully leverage GDPR related work to not only reach compliance, but also reap unexpected benefits in other areas.
Madeleine Tornard is a Certified GDPR Practitioner and she has an extensive background in Governance, identifying and realising business benefits.
Magnus Bälter is a Certified GDPR Practitioner with a focus on IT Security and GRC (Governance, Risk & Compliance).
Oscar Wiklund is specialised in the IT Operating Model. He is also working within the areas of GDPR & Strategy.
For more information on our GDPR offering, please contact Madeleine Tornard; email@example.com