8 GDPR Compliance Tips Explained Through Queen Songs
Last updated: 2021-01-06 (originally published on 2019-04-25) — by Tess Priester
Often the best way to tackle complicated matters is to make them fun. Because, the show must go on. Therefore, here are 8 essential tips to become and stay compliant with the GDPR if you don’t want to be the next one biting the dust.
1. Ay-oh – Get backing from the top
Ideally, you want the board to sing along with your privacy plans. Getting the support of, and back-up from the board is a prerequisite for an effective privacy compliance program within your organisation. Involve them from the very beginning and make clear what the specific risks are for the organisation. Bear in mind that the possible risks are more than just fines and penalties. They also consist of poor PR and ultimately loss of confidence in your organisation.
2. We Will Rock You – Think about and formulate the organisation’s privacy ambitions
How will you rock your privacy compliance programme? By formulating a clear vision on privacy. What do the board and you want to achieve from this programme? ‘Being compliant’ is not specific enough. Make sure to have a clear and specific privacy ambition. Questions to use are:
– How compliant do we need to be from 0-10?
– How compliant can we be from 0-10?
– How compliant do we want to be?
– What does privacy mean to our company?
– How do we value privacy on a personal level?
Having a clear and specific privacy ambition makes it much easier to maintain your backing from the top.
3. Bohemian Rhapsody – Know your obligations
Is this the real life? Is this just fantasy? Do not only read the provisions that are the most appealing to you in the GDPR. Start by getting acquainted with the GDPR, by reading the recitals and learn how the chapters divide the different provisions. Because, you don’t always have to assign a DPO and there is more than consent in this world. Furthermore, it is good to know when you need to perform a DPIA and that it is not necessary to notify all your clients if your colleague loses his laptop.
4. Somebody To Love – Know your organisation
It is important to know the insights of your organisational structure and the corresponding managers per department or establishment. You should know what is happening in the organisation. What are the different establishments and departments doing? What is their core activity? Use this information to get a good view on the organisations’ activities. It is mandatory for getting an overview of your privacy activities.
Next step is to know your people. Could the knowledge that you can use, already be found in-house? Perhaps there’s someone who can assist you in getting the personal data security policy up to speed or someone has a decade of experience in organising training sessions. So, find yourself somebody to love, or at least someone that can help you achieve your goals and provide you the necessary knowledge.
5. I Want It All – Inventory the use of personal data
I want it all! Or at least 80% of it. The well-known 80/20 rule is a good rule of thumb when you are busy inventorying activities. You can either start with inventorying which systems and databases or inventory the processing activities per department. If you start with the first one, get your information security officer on board, as it is very likely that she or he can provide you with a list of systems.
If you start with inventorying per department, make sure to prepare beforehand.
– Create a comfortable setting, this exercise is not to test the employees
– Explain what qualifies as personal data
– Prepare a list of questions
– Don’t be afraid to dig deep!
– Do it together
6. We Are The Champions – Divide and conquer
In order to pull off your privacy compliance program, it is necessary to get some eyes and ears in the organisation. Yes, a bit like Big Brother. You can assign local privacy champions within the organisation who can easily identify the privacy issues and practical obstacles per department. In this way it is much easier not only to detect possible non-compliance, but also to solve it quicker.
7. A Kind Of Magic – Use what you already have in place
Performing a privacy compliance program within your organisation will obviously lead to new procedures and policies. If you want a higher success rate of these new procedures, make sure to stick to what you already have in place. Works like magic. For example, when you want to introduce a new personal data security policy in the organisation, align this new procedure with the existing policies on information security. Not only will it be much easier for the employees to find and follow the procedure, you will also prevent a proliferation of separate procedures within the organisation.
8. Don’t Stop Me Now! – Privacy compliance is never done
Create awareness. You have probably heard this often before. Awareness. To prevent that your efforts and outcomes will become dusty and rusty, you need to keep your program alive. A privacy compliance program is not a one-off. It requires a change of culture within the organisation. Therefore, you need to create awareness amongst the employees. Traditional ways of achieving more awareness within the organisation are offering training sessions and sending e-mails that emphasise the importance of not losing your laptop on the train. Of course, these methods are effective, but there’s always some space to be more creative and try different methods. Privacy and personal data protection are topics that capture the imagination par excellence. While training the employees, handle a positive approach and avoid mentioning negative consequences like fines up to 20 million euros. Not only is it quite unlikely that your organisation will face a fine that high, employees are much more inclined to comply with your procedures if you approach it in a positive manner.
Tess Priester is a Data Protection Consultant at PrivacyPerfect, one of the first high-end privacy compliance software providers on the market. Tess has over five years of experience in advising a wide range of governmental bodies, healthcare providers, and multinational organisations on complex legal privacy matters.
This article does not constitute legal advice.