A warm welcome to the second blog post from Keepabl and the first in their series 10 Steps to GDPR Compliance. In each post, Keepabl will cover two steps to help you become GDPR compliant. By following along and completing these 10 Steps, you’ll be building out the Privacy Framework that will power your ongoing Privacy Governance.
Today Keepabl covers the first two steps:
- Step 1: the Key People who will help you become GDPR compliant, and
- Step 2: why you need a Benchmark, and how to choose one.
By the end of this post you will know who your key people are and how they can make sure you are delivering on your privacy obligations, and why a benchmark matters for showing where you are with your project and how you are progressing towards GDPR compliance. Let’s get started!
Is it just GDPR?
The EU GDPR is the major data protection law in the European Economic Area (EEA), and contains the majority of European data protection rules that Financial Services organisations need to follow. For example, it’s the GDPR that imposes the obligation for every organisation in the EEA, including Financial Services, to have effective and demonstrable Privacy Governance in place.
There are of course other relevant laws depending on your location and your activities. For example, the main additional EU data protection law for the private sector is the e-Privacy Directive, which contains special rules on areas such as cookies and email marketing. It’s been implemented by EEA Member States into their national law; and the UK e-Privacy regs (often shortened to PECR) still apply post-Brexit, as a UK national law. And California’s CCPA and CPRA are introducing very GDPR-like rights and obligations.
For the purposes of these posts, we’ll assume the GDPR is your main law and we’ll use Privacy compliance and GDPR compliance interchangeably. We’ll also use GDPR for both UK and EU versions, as they’re generally identical apart from jurisdiction. But do ensure you include your other Privacy obligations as we go through the steps!
Step 1, Key People:
We’re starting with people as implementing GDPR compliance is a change project, and change happens through the people in an organisation.
You’ll likely need external advisors, particularly in the first phases of your project. Today, however, we will be covering Privacy Champions and Senior Sponsors, as we believe these are the key people when it comes to implementing and maintaining data protection compliance in your organisation.
Why you need a Senior Sponsor!
The crucial role of a Senior Sponsor for such projects is beyond doubt. For example, according to the Project Management Institute’s excellent Pulse of the Profession 2021:
‘The importance of active project sponsorship is hard to overstate; it was the number-one driver of project success globally. Highly engaged executive sponsors play a critical role in closing the gap between strategy and execution by facilitating communication and collaboration, boosting project success rates.’
There’s plenty of research and opinion backing up that statement, and confirming that the role includes real ownership of the change program.
For example, the UK Government’s 2010 Guidelines for Managing Programmes state that the Senior Responsible Owner, or SRO, will not only ‘define in outline the programme vision, objectives and benefits and record them in a Programme Brief which contains an outline business case’ but also be ‘accountable for delivery of the overall set of benefits for a programme’.
Senior management are the leaders in your organisation – and they need to be leading by example when it comes to GDPR not only because of the very high risk and profile, but because it affects each and every part of your organisation.
We all tend to follow what people do, not just what they say. So, your Senior Sponsor should not only rally the forces and sell the benefits of the program, they should be promoting the importance of GDPR compliance through their actions.
It’s very powerful for everyone in an organisation to see that senior management are not just talking the talk but walking the walk: for example, by adopting and following the workplace policies that ensure GDPR compliance, and by calling out successes and benefits for the organisation.
And as above, there should always be a business case supporting your change programme. Senior Sponsors will identify and communicate the benefits of implementing your Privacy Governance. They’ll help convince others of the importance of the benefits from implementing your Privacy programme.
Don’t just take our word for it
If you need help getting opposing voices on board, Cisco’s 2021 Data Privacy Benchmark Study showed that the average ROI on Privacy spend was 1.9X, and that 35% of businesses had an ROI of over 2X their Privacy spend.
Cisco also reported that more than two-thirds enjoyed improvements such as:
- building trust in the company
- operational efficiency, and
- mitigating losses from data breaches
As to those losses, did you know that the maximum fine under GDPR is €20 million or 4% of annual global turnover, whichever is higher? This doesn’t include the business costs of the impact on customer relationships and the operational costs that flow from instances of compliance failure.
So your Senior Sponsor has plenty of ammunition to show colleagues that the benefits will certainly outweigh the costs!
Who is the Privacy Champion?
Think of a Privacy Champion as the person who people in your organisation can turn to with their privacy issues. They are essentially the face of Privacy and will be in charge of the Privacy programme in your organisation.
The Privacy Champion is separate from the Senior Sponsor, save for the smallest organisations. However, they should have sufficient standing and relationships in your organisation to work with your Senior Sponsor and the broader teams, providing a bridge for the flow of information in both directions and embodying your organisation’s values on change and compliance.
Responsibilities of a Privacy Champion
The Privacy Champion is the person in charge of the day-to-day work on your Privacy Governance, and someone people are going to turn to with their questions and issues.
It’s therefore important that they understand and are able to communicate key data protection & Privacy regulations, your organisation’s Privacy programme, and how the two go hand in hand.
While your Privacy Champion needs to have essential training on GDPR and Privacy, for all but the larger organisations GDPR compliance is unlikely to be their sole responsibility. Any Privacy Champion will need support from:
- internal departmental champions, to move the project forward across the organisation and help with early detection of any issues,
- the specialists in Legal, Compliance, IT and Security that most Financial Services organisations have onboard, and
- external advisors when appropriate. This need will change as you move through the project and your internal team is upskilled.
Is the Privacy Champion our DPO?
This question always generates plenty of discussion! First, consider whether you need a DPO under GDPR (or, for example, national legislation in Spain and Germany) and, if you don’t, whether you want to appoint one voluntarily. If you don’t, then the question is moot.
If you do end up with a DPO, the bottom line is that, under GDPR, a DPO must carry out their GDPR tasks in an ‘independent manner’, and any other tasks they hold must not result in a conflict of interests.
We’ll come back to this in a later post. In the meantime, we’ve a great set of short videos on Do I need a DPO?, Who can be DPO?, and What does a DPO do? which should answer many of your questions on DPOs.
Step 2, Benchmark Your Readiness:
Now you’ve identified your key people, Step 2 is about understanding where you currently are on GDPR by benchmarking your readiness, which is vital because you can’t manage what you can’t measure!
Establishing a benchmark lets you understand where you are on GDPR, and where you need to focus next. Benchmarking is therefore a key step.
What do we mean by a Benchmark?
GDPR is of course the ultimate benchmark: it’s what you have to comply with at the end of the day. But it’s not exactly set out as a checklist. You’ll want to identify a benchmark that draws out and clarifies the requirements for GDPR compliance. It should let you score and visualise where you currently stand, so it’s easily reportable, and it should highlight how to progress.
Which Benchmark to use?
You’ll want to choose a benchmark that reflects your main Privacy obligations. If you’re only covered by GDPR, then a CCPA benchmark isn’t necessarily the one for you, and vice versa. But if you’re covered by the Privacy laws of several jurisdictions, you may decide to use a principles-based approach and align your Privacy programme primarily with GDPR, and deal with local differences separately. It will really depend on your particular obligations.
We’re here to help!
We understand that, for the person operationalising GDPR in most organisations, GDPR isn’t their day job. We also understand that this may leave you feeling swamped. Our award-winning SaaS solution makes GDPR compliance intuitive, rapid and easily reportable.
For example, Keepabl’s BenchMark tests your readiness at a strategic level for UK and EU GDPRs, and UK PECR. It gives you an overall score on your compliance – perfect for reporting to the board – and sub-scores in 16 areas to easily target gaps for your next phase of remediation.
Contact Keepabl to see why it has been named to the RegTech100 for 2021 as one of the world’s most innovative RegTech companies that every financial institution needs to know about, and see how it can make implementing your Privacy Framework for GDPR super intuitive.
Next week – Steps 3 and 4!
You now know about your Key People and Benchmarking! This sets you up really well for Step 3, which is your Personal Data Inventory. Keepabl will be covering this fundamental step in any Privacy Framework next week together with Step 4, which is all about Remediation and Risk Management, which you can only do when you’ve got your inventory in order.