Responsible for getting your business ready for the EU's General Data Protection Regulation? This is not something you can tackle all on your own. You need every employee to understand what the GDPR is, identify information security risks and use their expert knowledge to spot opportunities to improve data management practices.
However, a November 2017 survey found that a lack of buy-in, interest and engagement is among the main challenges GRC professionals face in preparing for the new regulation.
So how can you engage your leadership and your wider business with the GDPR? During a recent GDPR workshop, I shared three tips.
I've included the tips and some example tools to help you below.
1) The cost of doing something vs nothing
The fastest way to get your leadership team interested and invested in complying with the General Data Protection Regulation is to mention the potential fines. Businesses that fail to comply with the regulation will face fines of up to €20 million or 4% of annual turnover. That is significantly higher than before, and that is scary for leadership teams.
2) Assign roles and responsibilities
Your job is to oversee compliance. It's not to think for people and do everything for them. Developing your communication plan is key. For this, you need:
Top-down engagement: Technology and data are now so important that data protection and cyber security need to be on the board's agenda. There's no point expecting employees to follow new rules if leadership doesn't know what's required and why. Leaders need to lead by example, while working together to ensure the message is communicated effectively across the whole business. In our organisation, we knew that sales and marketing processed and controlled the large majority of our data, so our MD set the sales and marketing team the task of doing a research project on the regulation and presenting the findings to the rest of the business.
Implement a data protection policy: Processes and procedures regarding data and security should be outlined in a clear and concise policy, which all employees should read and sign. The document should include key dos and don'ts regarding handling sensitive information and customers' rights, as well as password security and how to detect and report any data concerns or suspicious activity.
Communication, training and development: The new regulations provide a good excuse to host regular training on data protection and cyber security issues. Here are some quizzes and workshops you could use:
Workshop example: Give the scenarios to your team to test their understanding of the regulation and discuss as a group.
Roles workshop: Get your team to fill out their roles and responsibilities to test their understanding of why those responsibilities exist.
3) Make it easy to be proactive
Give every employee a central system to manage training records, policies, risks, suppliers etc. to encourage Privacy by Design. Privacy by Design needs to be embedded into the design and architecture of the system and business practices; it is not bolted on as an add-on.
What you should do now
Download our GDPR toolkit for more templates, quizzes, policy examples, tools, and tips.