A warm welcome to the fifth and final post in the series 10 Steps to GDPR Compliance. In each post, we’ve covered two Steps to help you to become GDPR compliant. By following along and completing these 10 Steps, you’ve been building out the Privacy Framework that will power your ongoing Privacy Governance.
This series is brought to you by Keepabl, named to the RegTech100 for 2021 as one of the world’s most innovative RegTech companies that every financial institution needs to know about in 2021.
Congratulations! We’re into the last two Steps to put in place your Privacy Framework and then you’re into BAU (business as usual). Last week, in Steps seven and eight, we looked at key areas of Data Subject Rights and Processors.
The two Steps we’re covering today continue building out your Privacy Framework:
- Step 9: Privacy Notices, and
- Step 10: Training & Awareness
And we have a surprise bonus Step 11 for you – Reaping the Rewards!
By the end of this post you will understand what Privacy Notices are, when you need them, the importance of training & awareness to building that culture of Privacy by Design and by Default, and how to quantify and capture the rewards from good compliance.
(We’ll use ‘GDPR’ for both the UK and EU GDPRs as the obligations here are almost identical.)
Step 9: Privacy Notices
Let’s get some terminology out of the way.
Both do the heavy lifting in providing the bulk of the required information to data subjects and you typically link to them in a layered manner, from your Data Collection Notice …
Data Collection Notice
Privacy Notices existed before GDPR, but they are one of the areas that has received a lot of focus since GDPR, particularly as they’re the primary way you ensure transparency in your processing by giving full information to individuals in a clear, intelligible way.
Privacy Notices are also the first thing people see, and they are easy for your prospects, investors, etc. to check. So, along with cookie notices, they were the focus of a frenzy of activity when GDPR came into force in May 2018.
And of course there are the increased fines, which have regularly been dished out for lack of transparency – starting with the famous €50m fine on Google in January 2019.
As ever, your Data Map helps you draft your Privacy Notices, because it tells you the processing you do, about whom, who you share with, and more.
The Clarity Conundrum
The challenge with your Privacy Notices is to meet GDPR’s requirement to provide all relevant information across a range of topics while keeping the notice short, easily readable and understandable.
Keeping it Separate
Second, you can’t bury your Privacy Notice in your Terms & Conditions; it has to be separate so that people can easily find it.
And third, if you’re relying on consent, you need to separate out the consent for different purposes as appropriate. This is why cookie policies post-GDPR have separated cookies into categories such as Necessary, Functional, Performance and Marketing.
Step 10: Training & Awareness
Congratulations – you’ve arrived at Step 10! Over the last few weeks, you’ve:
- Identified your Key People
- Identified and used your Benchmark
- Created your personal data inventory, your Data Map
- Carried out projects all based on Remediation and Risk Management
- Chosen and implemented your Privacy Framework, including the following steps…
- Reviewed your Security and prepared for a Breach
- Enabled and prepared to respond to Data Subject Rights (DSRs)
- Reviewed and done due diligence on your Processors
- Used all this great work to draft your Privacy Notices so everyone knows what you’re doing with their personal data.
Now it’s the final step to make all this come alive: Training and Awareness – making sure this whole Privacy Framework gets put into practice in the right way by the right people.
We should all have had that ‘all hands’ training on Data Protection and Security. There’s a very good reason: every single person in your organisation has an impact on your compliance.
Most personal data breaches are not CyberSecurity Incidents (or CSIs); they’re non-CSIs such as sending emails and post to the wrong people.
And the UK ICO’s ‘Report a Breach’ form does ask: ‘did the people involved have data protection training in the last two years?’.
So you need to do those ‘all-hands’ training programs, on Privacy and on Security. We recommend the basic training is an annual event, with awareness and training refreshers along the way.
As to ‘who gets what training’, we suggest categorising everyone into 3 levels so you can train them appropriately:
Level 1 – everyone
Everyone gets the basics, so they know GDPR’s principles as they apply in practice, they can recognise a breach or DSR and they know who to go to for more information. Of course, this is the largest group to train.
Level 2 – those needing specialist training
The particular groups and extra training will vary depending on your organisation. However, for example:
- you’ll want to train Marketing, Investor Relations, and similar teams on cookies, on cold calling, cold emailing etc.
- IT and Security will need training on the specifics of personal data breach response.
- Customer Support needs training on recognising data subject rights.
Level 3 – those running the Privacy Framework
Those running the Framework will need a broad, and deep, understanding and so will need the most training. This will be the smallest group of people.
Awareness isn’t just about training, so you’ll use various methods throughout the year to increase adoption and drive cultural change. You’ll likely have people with great experience in this, and you should consider using humour and gamification in all your training and awareness activities.
Use humorous posters, messaging or even interactive events to bring it home in a playful manner. ‘War-gaming’ or ‘table-top exercises’ (where you run through a DSR or breach with the relevant teams, throwing in different challenges as you go) are usually well received and very effective.
Step 11: Reap the Rewards!
The benefits of GDPR compliance are now clear for all to see. For example, Capgemini’s study revealed that a whopping 81% of respondents who declared themselves compliant reported positive impacts on reputation and image.
While much of the activity may at first feel defensive in nature, GDPR compliance has been shown to deliver many positive benefits. As well as an average 1.9X ROI on privacy spend, Cisco’s study confirmed that two-thirds of respondents reported significant benefit in each of these 6 areas, all of which Finance is discussing at present in fields such as digitisation, challenger banks, and digital identity:
- reducing sales delays,
- mitigating losses from data breaches,
- enabling innovation,
- achieving operational efficiency,
- building trust with customers, and
- making their company more attractive.
We’re here to help!
Do refresh your knowledge on all things Privacy by subscribing to our Privacy Kitchen YouTube channel! For example, you can see our 10 steps to GDPR compliance video, summarising the 10 Steps in less than 10 minutes.
Contact us to see how we can turn GDPR into a revenue engine for you and, as always, good luck with your Privacy Framework!