Today, the 25th of May 2017, we are exactly one year away from the enforcement of the GDPR. Since last year, many organizations have been working hectically to start privacy programs and prepare adequately. We see organizations putting privacy impact assessment processes in place, integrating privacy into the design of their processes, positioning the data protection officer, and also establishing the governance structure needed to design privacy processes and actively manage privacy risks. But what are the most common challenges and pitfalls?
This might sound contradictory, since your starting point is the set of GDPR requirements. However, the GDPR is not just a legal question but a risk management question as well. If your privacy program is not tailored to your business processes and the relevant privacy risks, you could be wasting valuable resources and time by merely checking compliance boxes. Focus on the highest risks first, with the customer in mind, and secure your license to operate.
When assessing the gaps against GDPR requirements, it is very tempting to focus on personal data in the systems that support business processes. However, around 80% of company data is held in unstructured content, so it is very likely that your privacy problem will not be solved by looking only at the data in your systems. You should also consider e-mail, shared local and regional drives, collaboration tools such as Google Drive, (unstructured) big data solutions such as Hadoop, CCTV footage, and so on. Tools that scan unstructured data help you identify the size of this issue.
It is easy to create a lot of documentation on policies and procedures. However, documentation alone will not make you ready for the GDPR. You need to implement privacy controls and preferably automate as much as possible, so that you do not burden the business with yet another set of controls. Besides, if no one is going to read all the policies, you would do better to focus your efforts on short, clear guidelines tailored to each department on how to deal with its specific privacy issues.
It is obvious that employees need training, but to change their way of working, privacy training needs to focus on key business processes and the privacy risks related to them. For product development, focus on privacy-by-design training for developers; for marketing, focus on analytics and direct marketing; and so on. Training employees and stimulating awareness in this targeted way has proven to be much more effective. In the end, your employees are probably the weakest link.
There are still organizations that consider the reporting of data breaches a bad thing. They tend not to report breaches because they think doing so might damage their reputation.
Data breach notification aims to improve transparency, but it would be optimistic to think that all organizations have been reporting every breach they discover. It is a common misunderstanding that reporting a data breach could result in a fine. Actually, it is the opposite: not reporting a data breach could result in fines of up to €500.000 in the Netherlands. Of the data breaches reported in Q1 2017 (2.317 in total) and investigated by the authorities, most ended with ‘just’ a warning.
While fines for non-compliance may be scaring boards of directors, we see the main driver for executing privacy programs shifting more and more towards ‘maintaining the organization’s reputation’. The question is whether you want to stay ahead of the competition and differentiate on privacy. Greater transparency, and customers having more control over their data, will help gain trust, ultimately leading to a greater willingness among customers to share personal data.
KPMG can help you prepare for the GDPR and avoid these pitfalls by supporting you in the execution of your privacy program. With only one year left, let’s go!