It’s been six months since the European Union hit the “starting now” button on enforcing the General Data Protection Regulation (GDPR). During that period, the GDPR has had a strong global impact on businesses and nations as other GDPR-like legislation is being introduced around the world. Role-based training on how to handle personal or customer data is a top directive for privacy officers worldwide.
6 Months of GDPR Enforcement
Although it was finalized in May 2016 by the European Union to better protect the privacy and personal information of EU residents and give them control over their data, enforcement of the GDPR didn’t come into play until May 25, 2018. That timeline gave any organization that touched the personal data of an EU resident – or that processed any personal data within the EU – two years to get its IT, security and data protection systems and processes aligned to support the regulation and address compliance.
However, a study released just one month before the enforcement date showed that only 40 percent of respondents expected to be compliant by May 25, 2018, despite the two years to prepare, and 60 percent of respondents said the GDPR significantly changed their business.
Within 37 days following May 25 there were more than 3,800 claims among just 18 of the 28 EU member states. In the following months, the number of complaints has grown to tens of thousands. In addition, more breaches have been reported, which are either being appealed or still under investigation.
According to Laraine Weglarz, former Chief Information Security Officer for a multi-billion-dollar retail corporation and current CISO coach, consultant and GDPR expert at Terranova, fines under the GDPR will be effective in driving change for some businesses, but for others, it will be a mere slap on the wrist. “Larger organizations may opt to ‘self-insure’ when it comes to the GDPR and be willing to pay the fines,” Weglarz said. “Many businesses will continue to do the cost/benefit analysis. If you have an extremely large annual revenue, a 4% fine may not be such a big deal. Imposing EU sanctions in addition to GDPR fines might start to move the needle with those large businesses.”
Despite the lack of preparedness and the lack of fines levied to date, the GDPR has been effective in giving control of personal information back to the individual, and it has set a global example. Countries outside the EU, including China and India, have released their own privacy regulations, and 40 of 50 states in the U.S. have initiated privacy legislation.
That effectiveness also has had an impact on how businesses operate. For example, the GDPR has fundamentally changed how marketing teams collect, store and share (or don’t share) personal data. This article in MarTech Advisors outlines the GDPR-related challenges the marketing organization faces from consent and data collection, to data storage, records reporting and managing rogue employees with customer data stored on their laptops or other devices.
Next Step – Role-Based GDPR
Since the GDPR reaches every part of a business, organizations need to ensure employees are trained according to their specific roles.
“Every employee needs to be trained in the fundamentals of what the GDPR means for the business, and that’s where most organizations have started. A free trial of a course designed for most employees in an organization might be a good way to start. The next step is to make sure employees understand how the GDPR impacts them in their specific roles, and what they need to be doing when it comes to handling customer or personal data,” Weglarz said.
As you take the next step and implement role-based GDPR training, you can prioritize functions based on risk, need and impact. Here’s a suggested list of where to begin, with the understanding that every organization is at a different point in its GDPR preparedness.
IT and programmers / developers. These employees should be trained first because the GDPR mandates that developers build in “privacy by design & default.” They can also help business units identify where personal data is stored, how it’s being processed, and who can access it (key steps in GDPR compliance). They will also be instrumental in updating marketing technology and other applications that must be modernized to give the individual more control over their data.
Managers in General. Managers require a strong understanding of how the GDPR applies to their function and the business. They need to understand how the way they handle data affects the way another department works with that same information.
Human Resources. The HR team has access to some of the most sensitive data. While they are trained to operate under the strictest confidence, adhering to the GDPR involves specifics on how to handle certain data types, from the moment they are added to a system until they are removed from it.
Sales and Marketing. Sales and marketing are regularly processing or gaining access to customer data through engagements in person or online. They are also often called upon to inform customers of policies and processes regarding how their data is handled. Ensuring this group of employees is well-informed and operating with GDPR policies in mind is a key component of GDPR compliance.
Procurement. Contracts and other legal documents, as well as audit functions, require that the procurement team understand the requirements for handling specific types of personal data. As contracts are written or services are outsourced to a vendor, language to protect personal data and the business (in the case of outsourcing) must be incorporated.
Call Center Staff. Similar to sales and marketing, call center and support staff will have access to personal information, including credit card data, names, addresses, emails and more. These employees are often located all over the world for 24×7 support. Ensuring they know how to properly handle personal data is imperative to GDPR compliance.
As GDPR-like regulations expand beyond the EU, companies need to extend their understanding of how they handle an individual’s personal data. There are still grey areas within the regulations that will become clear as things proceed in the courts and fines are levied and paid. Continuous role-based training will keep your team informed and operating within regulatory guidance when it comes to handling private data.
Here is more information on what you and your team need to know in order to protect people, personal data and your organization. Download your white paper and explore:
– The implications of the GDPR
– Why organizations should comply with the GDPR
– What it means for your organization
– The many benefits attached to it