Since Friday is the big day that GDPR officially comes into force, I thought I’d ask my good friend Patrick O’Kane for tips on how to make GDPR less painful! Patrick is an in-house Data Protect Officer, and the author of the fabulous book, GDPR: Fix it Fast!
Click Here to buy GDPR: Fix it Fast on Amazon
As an in-house lawyer and Data Protection Officer for a Fortune 500 company, I have experience in trying to engage different departments such as HR, Marketing and Legal in the sometimes grim area of data protection. You are never going to be the most popular person at the office Christmas party when you hold my job but if you make your GDPR project practical and engaging you can get on the right side of the law, win the trust of your customers and avoid those much-hyped fines.
Running an effective GDPR compliance programme means you must change some of your processes and operations to align them with GDPR. You must also educate the people in your company all the way up to the boardroom on what they will have to do, and avoid doing, in order to avoid its mammoth fines.
Some of the GDPR tasks are going to be painful. Here are some tips on how to make them less painful.
Making data protection fun
Let me tell you a story; I once had to give a three-hour lecture on data protection to a group of millennials at my last company. They were looking forward to it about as much as one looks forward to root canal treatment. I came armed with 40 slides bursting with legal information but I had not made the effort to make my presentation in the least interesting. Just as I was about to be booed offstage it finally dawned on me that when you are preaching data protection you have to, first and foremost, make it engaging.
Make it practical and give examples to your colleagues about how data protection affects their day to day lives. And tailor the training to the audience. If you are speaking to the men in the grey suits then they are going to want to know how it affects the company’s bottom line. If you are speaking to the millennials (and trust me, they can be a tough audience) make it relevant to them in terms of how data privacy affects them in their everyday lives from their jobs to their social media usage.
Effective GDPR programmes demand that you educate colleagues about basic data protection rules, with more detailed sessions for colleagues that regularly manage data, such as Marketing, HR and Data Analytics.
Privacy notices that customers want to read
Can you remember when you last read a pop-up Privacy Notice before hitting ‘I accept’? Me neither. Privacy notices can hit you over the head with so much legalese that it can be difficult to summon the will to even begin to read them.
But GDPR expects more; it wants us to speak simply and clearly to customers about how you handle their information and this usually includes telling the customer where you get it, what you do with it and who you share it with.
You can build trust with your customers if you handle your Privacy Notices in the right way by being up front with them about what you are doing with their personal information. You should use the right tone as well. Draft your Privacy Notice in the tone of an honest guide not an airport security guard.
Mind those contracts
One of the toughest tasks is changing supplier contracts to align them with GDPR without annoying your suppliers too much.
GDPR says that when your company hands the personal data that it holds over to a supplier who is processing that data on its behalf it must make sure that it has appropriate data protection clauses in place in that contract.
These clauses set out what the supplier must do to keep your data safe. Although sorting out these clauses can be a painful bore there is a huge business benefit to this; these clauses can protect you if your suppliers ever do drop the ball with your data.
The time for talk about GDPR has passed. Now it the time for action. Take action today to tackle the GDPR tasks that you face so you can put your company on the right side of the law.
Patrick O’Kane is a lawyer and Data Protection Officer for a US Fortune 500 company and the author of GDPR: fix it fast