It may seem somewhat ludicrous, given the news stories and focus the GDPR has received over the past 12 months, but this is a legitimate question to ask as we get close to the 6-month anniversary.
At the best of times data protection can be seen as a pretty boring and annoying subject matter, in particular for those outside of the privacy team itself.
For many professionals in the data protection arena, a lot of focus will have gone into the various aspects of work required to get a privacy program up and running, not least of all documentation, assessments, logs and training, but for those outside and looking in, it can be a drain and an annoyance that upsets their daily habits and beliefs.
For many privacy programs, now is the time where the rubber hits the road, and the months of work preparing and documenting the framework that will drive compliance into the future begin to become a reality on the ground. And it is at this point where things can become nastily unstuck.
Having spoken to dozens of DPOs and support staff, globally, we are starting to see a trend. There is clear resistance to change and direct interaction with the privacy team, which is resulting in increasing frustration and, ultimately, lethargy, at the point where changes are needed in the business itself.
Some privacy programs are simply stopped, stuck in a limbo between the hard work done by the privacy team, to date, and the need to drive on into the business itself, on the ground.
Not everyone is facing this problem, but enough are, and this is simply due to the inevitable challenge of mustering a grand force to move in the same direction, embrace this change, and make it work.
This is the main point of the GDPR: to drive changes in behaviour and understanding at the points where decisions are being made on personal data every day. Unfortunately, this is not in the Legal & Compliance department, but in every Marketing, HR, Finance and IT function across Europe and beyond.
So, what is the best way to deal with this?
Firstly, patience. Any privacy team has to embrace the reality that the pace of change has to match the business’ own appetite to take that change onboard and run with it. Patience is not unending, so a balance is clearly needed.
Secondly, focus. The privacy team needs to identify its top priorities and quick wins. Focus on what you can affect now, and in the mid-term, and get these done.
Thirdly, advocates. Whether this is senior management, or influencers within the business, getting the right people onside can help you greatly in motivating others to embrace the inevitable change. Getting a critical mass behind this will do you wonders, and when others recognise the value, then you are on to a winner.
Ultimately, a successful privacy program is one which has the maturity to demonstrate the value in working with it. No program can survive on its own. This means, and it is something we speak about all the time in Sytorus, that you need to keep a clear eye on how you align the change management you need done with the business’ understanding of the value this brings. Fail to address this, and you will inevitably be ignored, diverted or simply shunned.
A last point, and one which always needs considering, is the concept of collaboration. As the outputs of a privacy program are ultimately manifested in the new ways an organisation deals with personal data, a question should always be asked as to how you intend to support and preserve this collaboration in the long run. Are the tools and capabilities you are leveraging now suitably external-facing, so that they are not intimidating to non-privacy professionals? Can you be sure that you are providing your colleagues with the smartest and easiest means of interacting with you?
When asking yourself that question, take another look at our tool, PrivacyEngine, and talk to our professional business sales team about how we believe we can help you with this problem.