How do you create a GDPR culture?

So, you’ve read all the “Top 10 tips for GDPR” articles you can get your hands on, and you’ve invested in the latest GDPR-compliant tech, but how do you ensure your people don’t simply work around it and risk landing your organisation with a massive fine?

Imagine a situation where a company has invested in a system with all the required checks and balances in place. All data is understood, processing is defined, documented and frequently audited. They have nominated their Data Controllers and know who all their Data Processors are, and may even have a long-standing ISO 27001 accreditation. So everything looks really healthy. But then, imagine a user, short on time and needing to produce some data wizardry for a management report, takes an export from that system and starts to manipulate it. They may add some functions, append another dataset they have to it, and then share it with some colleagues.

Are the alarm bells ringing? The action itself is innocent enough, but the consequences of this could be significant. This is now, according to the GDPR, an “unregistered data source” because the processing of this data is unknown to the Data Controller, which is a very risky situation to be in. It would be nice to think that people don’t need spreadsheets to manipulate data that’s already held in a corporate system, but we all know it happens.

What can you do to avoid such scenarios, and how do you train your people to be GDPR compliant so that a “GDPR culture” becomes engrained in daily working practices?

GDPR recap

The internet is already awash with articles explaining what the GDPR is, so I won’t dwell on it here. But to get us on the same page, the General Data Protection Regulation (GDPR) will be enforced from May 25th 2018 and will enhance the powers of the Information Commissioner’s Office (ICO) to fine companies for data breaches. Fundamentally, it means that the penalties for a data breach are going up significantly from a mere financial nuisance to a potentially business-destroying amount - up to €20 million or 4 per cent of annual global turnover (whichever is higher).

GDPR in a box?

There are many companies out there offering to ensure that your systems are compliant with GDPR, and that you have adequate tools in place to prevent a breach. Sure, you can buy in support and systems for all those technical areas, but no piece of software can protect you from the biggest threat to your business when it comes to GDPR compliance: your very own staff.

GDPR affects every company, large or small, and everyone in it. Let’s be clear: while you may have purchased a product that helps you show your homework and your workings, the real key to making sure a hefty fine and loss of reputation doesn’t happen is your own people. The GDPR has the human element running all the way through it, and before you even look at your business and your customers, you need to look at your organisation, its people and its culture.

GDPR compliance cannot simply be bought. It does not exist in a box you can buy off the shelf, plug in and forget about. The GDPR is about how you work. How individuals work within an organisation is largely defined by their working habits, which in turn are influenced by the organisation’s culture. GDPR best practice needs to be engrained into the working practices and mindset of everyone who works in the organisation. Only then can the required GDPR culture emerge.

The person of the hour: the Data Controller

While everyone in your organisation must be GDPR-compliant in the way they work, the responsibility for developing and cultivating the GDPR culture lies with the Data Controller. The Data Controller needs to ensure that your systems and people are compliant with GDPR. It is a good idea to initiate a governance framework and to develop a risk register. The Data Controller must audit the personal data you are storing and where it is stored (a data inventory), identify who the Data Processors are, and make sure that all your data is lawfully held. Undertake a data flow audit, check whether there are any gaps, and make sure all your privacy notices and processes are robust and legal. Make sure you have a record of your processing activity. As a bare minimum you should implement Cyber Essentials for your business from one of the accredited suppliers and implement the latest recommendations from the National Cyber Security Centre in their “10 steps to Cyber Security” documentation. For added peace of mind you could also consider becoming ISO 27001 certified.

While no one wants to be a Data Controller, it is incumbent on every single business to have someone who can take this role, so it may even be you.

It’s about people; it’s always about people

The GDPR is intended to focus businesses on the privacy of the data they hold and the fines are intended to concentrate minds on the prevention of breaches. It aims to ensure that companies understand the risks that they create for others when handling their data and to ensure that steps are taken to mitigate those risks. Ultimately, the culture of the business has to change to reflect the greater responsibility placed upon them by the GDPR.

Have you considered your people? Who is identifying what personal data you hold, where it is, how it is stored and handled, and by whom? Are you implementing a clear desk policy? Do your people understand that they are Data Processors, and do they know who the Data Controller is? Does the person even know that they are a Data Controller?

While GDPR compliance, like all regulations, is ultimately a Board level responsibility, the day-to-day responsibility (and risk) lies with everyone on the front line who handles customer data on a daily basis. As Adrian Davis, managing director for EMEA at (ISC)² pointed out, “Don’t view GDPR as a technology issue; making your people and processes GDPR-intelligent is just as important as the bits and bytes.”

Culturally significant

The culture of a business has to change to ensure that data is properly protected and risks are minimised. GDPR raises a lot of questions of your people, and no shiny new “GDPR Compliance System” will answer them for you or automatically tick every compliance box. To meet your obligations under the GDPR you must look deep into your organisational structure, working practices and culture. Don’t rely solely on a piece of software or some consultants. Speak to your people, both internal and external. It’s all about them after all.

Romy Hughes, director, Brightman