Two years with GDPR

On 25 May 2020, the General Data Protection Regulation (the GDPR) had been in force for exactly two years. At Implement, our main argument through these two years has been, and still is, that working with GDPR in the right way can ensure more than just compliance – it can drive significant business impact.

At this two-year mark, we take a look at our top-five list of the most expensive – but avoidable – mistakes that organisations make when working with GDPR. The list is based on experience from organisations we have worked with and experience from our DPO courses with Kammeradvokaten/Advokatfirmaet Poul Schmith (the Legal Adviser to the Danish Government).

The five mistakes are listed in random order and are of equal importance. At the end of the article, we will also list our five recommendations for succeeding with the GDPR implementation journey.

The five most expensive GDPR implementation mistakes

#1 “We just need the right documents”

The GDPR requires that certain documentation can be disclosed upon request. But equally important, the organisation must also show how they live up to the rules. And that is a quite different thing.

Compliance is not only a question of papers and documents but just as much a matter of people. Want to get compliant for real? Ignite the human firewall – to make your people the strongest link.

If your employees do not understand the “why” of documenting, there is a significant risk that they will not change their behaviour. Without behaviour change, all your time-consuming work of documenting processes and policies is more or less worthless.

This also applies to the need for continuously reviewing and updating your documentation. If the business does not perceive this as a crucial task, it will not be done, as this – for most people – is an extra and secondary task to their daily job. Hence, the documentation will quickly be outdated and therefore not compliant.

#2 “The people in legal/IT/DPO can just do it”

GDPR cuts across many functions in the organisation and relies on many stakeholders to work. Hence, relying on solely one function – no matter if it is Legal, IT or the DPO – it will be impossible for that function to handle all aspects of GDPR without extreme cost and low positive impact.

However, we have experienced organisations relying too heavily on just one function or role to drive GDPR compliance. This can lead not only to a lot of wasted time but also heavily frustrated employees due to bottlenecks and unanswered challenges. This time and energy could instead have been spent on developing the organisation and achieving true business impact.

It is important to understand that everyone has a crucial role in GDPR that only they can fulfil. Legal must handle all interpretations of the regulation, how to obtain a correct consent etc., but they cannot automatically be expected to know a lot about privacy by default or design or sufficient levels of security.

In fact, neither IT, Legal nor the DPO is responsible. The data controller is – and the organisation is the data controller. And to live up to that responsibility, the organisation must understand that an organisational focus on privacy is a necessity in a digital age with many incidents of unintended and intended disclosure of data.

#3 “That’s not my responsibility”

Because no single function can handle GDPR alone, it can be beneficial to set up a governance structure that appoints responsibility and provides mandates where needed. If the responsibility and accountability – yes, you need to dust off your RACI – are not appointed, you risk ending up in a situation where all tasks are passed on in an endless loop, as no one sees it as their job to get it done.

To be able to support technical and operational demands effectively, processes and information architecture must be known, managed, documented and controlled. This requires mature processes and governance. Maintenance of documentation and protection of information to comply with GDPR are not easy and can be costly if sufficient governance and process maturity are not in place.

In our experience, some organisations tend to overestimate their own process and governance maturity level. When the resources required to work with GDPR are estimated, this estimate is then based on wrong assumptions. Thus, the implementation ends up taking far longer and being more costly than was initially expected.

#4 “We need to get compliant right now!”

Over the past two years, we have met organisations that, in their eagerness to “get GDPR done and over with”, have started all processes and initiatives at the same time. At best, this is a challenging strategy for (at least) two reasons.

First, GDPR has a risk-based approach, and so it follows that an organisation needs to assess risks to understand which areas are most vulnerable and in need of attention. If this is not done, the organisation runs the risk (no pun intended!) of spending a lot of effort and money in the wrong places.

Second, the organisation can easily feel overrun with GDPR-related requests and tasks. This is a challenge, because the organisation needs to be on board with both understanding what is needed and helping to establish and ignite the human firewall as mentioned above. If there is no support amongst employees to do this, the GDPR initiatives are never going to gain momentum and get going.

It is essential for the organisation to apply the risk-based approach in two steps: get an overview of what needs to be done and then prioritise and divide the tasks into smaller pieces that will not strangle the organisation along the way.

#5 “We need to be 100% compliant”

Let’s just be frank: 100% compliance does not exist and aiming for that will get you nowhere. This might sound a bit provocative, but remember this:

The regulation is risk-based. Therefore, you need to focus on the most critical areas first and work your way through them. If your focus is 100% compliant, although an admirable goal, our experience tells us that you will get caught up in the details that only impede the implementation.

GDPR is like a highway being built while in use. You start by building the main road with crash barriers between the lanes to ensure that the cars have a safe road to drive on. Then you continue with the exits – some of these may even be built along with the main road if they are crucial. Then you will move on to placing crash barriers along the ditch, painting markings and setting up street signs and lights. Along the way, you may have to go back and fix a hole in the asphalt in the beginning of road. Consider if the contractor closed the highway for weeks or even months, just so they could set up signs, paint markings on the road and ensure that there were no holes in the asphalt. In the second example, the contractor would not get the next road construction job.

The same goes for GDPR. We cannot stop daily operations and pause the actual purpose of the organisation to set up GDPR. Instead, we need to implement it as we go along, getting the important things in place first, so we can continue to run the organisation as much within the regulation as possible. It is not easy, but it can be done.

Saying that 100% compliance is nearly impossible is not an excuse for doing nothing. Compliance is a never-ending story, so you need to consider how to utilise the resources to ensure progress and a sufficient level of compliance.

So where does this leave your organisation? Our top-five recommendations

We know that GDPR is a topic that can make most CXOs look annoyed and frustrated. However, we also know that organisations can utilise GDPR to drive significant positive business impact. In this article, we have listed the top-five most expensive GDPR implementation mistakes, and by reverse-engineering the mistakes, we can present our five recommendations for any organisation wishing to succeed on their GDPR journey.

• 1. “Ignite the human firewall”
  Go beyond documents and applications and answer the “why” – be clear in the communication and training in order to gain understanding from the employees to establish and ignite the human firewall.
• 2. “No single function or role can do this alone”
  No single function in the organisation can or should bear all responsibility – GDPR is a collaborative challenge that places tasks on all parts of the organisation.
• 3. “Agree on who does what”
  Dividing responsibility across functions is necessary but can lead to lack of decisions. Therefore, assign clear responsibilities, making sure that the vital things get done – but only get done once!
• 4. “Prioritise and go at a steady pace suitable for the organisation”
  Take the time to understand the risk approach and appetite of your organisation and set reasonable goals. That way you support sustainable progress.
• 5. “Focus on the big picture and make progress by not getting lost in detail”
  Although 100% compliance is an admirable goal, it can be blinding because the task grows too big and complex.

The first two years of GDPR have presented their share of trouble for organisations across Europe – but also a great deal of learning. We look forward to continuing supporting and helping organisations harvest the benefits and positive business impact that GDPR can bring along – if you avoid the mistakes – in the coming years.