Over the last few months I have been in touch with a number of CEOs of large organizations to check their awareness of the GDPR. It was downright shocking to learn that the majority of them were unaware of what had to be done, or had been done by their staff, to implement GDPR compliance measures. And they severely underestimated the consequences of not being compliant altogether.
What the consequences of such ignorance are, and how CEOs can become better prepared, are the questions I aim to answer here.
There are three main consequences that affect a CEO when an organization is not GDPR compliant:
the Data Protection Authorities can impose fines;
any Data Subject (clients, customers, employees, etc.) can file a complaint or sue the organization when they have legitimate concerns that their data is not being handled correctly; and
when Data Breaches occur, even at related third parties (processors), the organization remains accountable as the controller of the data.
When the GDPR became enforceable last May 25, the Data Protection Authorities were empowered to fine organizations that fail to comply with it; the upper limits set by Article 83 are 20 million euros or 4% of worldwide annual turnover, whichever is higher. In practice these Authorities will generally show a certain leniency when they come across organizations that fail to meet requirements, and they will advise them on how to make the appropriate adaptations. However, if it is evident that no effort has been made at all to comply with the GDPR, the Authorities may well decide to set an example and not only fine the organization but publish their findings on their website too. Consequently, in addition to the financial penalty, reputational damage follows.
Another way the Data Protection Authorities find out about failures to comply with the GDPR is through complaints by customers, clients, employees and other so-called "Data Subjects". If a Data Subject has a legitimate complaint about how their data is treated, they can not only file a complaint with the Authorities, they can also sue the organization in court and claim compensation. Here too, reputational damage will occur in addition to any fines imposed.
Some security experts say it is only a matter of time before an organization's IT systems are hacked, and that when it happens most IT departments are not sufficiently prepared. Under the GDPR personal data breaches are taken very seriously. When a breach occurs, the organization usually needs to report it to the Authorities without undue delay and, where feasible, within 72 hours of becoming aware of it, and this also applies when the breach happens at a related third-party supplier such as the organization's hosting partner or marketing partner, who in turn is obliged to notify the organization without undue delay. Nor does a breach require a hacker: a single employee losing a phone, tablet or laptop can already put the organization's data, and its notification obligations, in play. Whether the data on such a device was encrypted is what largely determines how serious the incident is and whether the affected individuals must be informed.
So how does one cope with all these challenges, you may ask?
There are various ways to become and stay GDPR compliant. First of all, an organization needs to acquire GDPR knowledge or expertise, by training its own staff and/or by engaging external experts.
Depending on the complexity of the organization, one can choose to train a staff member, hire outside assistance, or both; the effort involved in implementing the GDPR is all too easily underestimated.
GDPR training comes in many shapes and forms. There are many two- or three-day courses that "certify" a student as a Privacy Officer, and other institutions provide lengthier training to qualify as a Privacy Professional or Data Protection Officer. None of these courses has been officially recognized as "certified" by the Data Protection Authorities yet; the official certification procedure is still a work in progress, and the certification mechanisms foreseen in Article 42 of the GDPR concern processing operations, not the qualifications of individuals.
It is therefore advisable to exercise due diligence when deciding to train one's own employees. Furthermore, this sort of training is only a basis for acquiring initial GDPR knowledge and insight. Real GDPR expertise is developed in practice, by applying the acquired knowledge to actual situations. Implementing the correct GDPR procedures is a learning-by-doing experience, and organizations must ask themselves whether they want to be their own guinea pig.
External expertise can be called in via GDPR-specialized law firms, consulting companies (which usually come at a high price), outsourced DPOs (Data Protection Officers), and software and services suppliers.
Law firms are best involved in the GDPR process for drafting the data processing agreements that Article 28 requires with an organization's processors (such as a hosting or marketing company) and for other high-end implementations of legal requirements.
Consulting firms can provide an inventory and status check of the current compliance situation and advise on a plan for becoming GDPR compliant. The challenge is that you need to remain compliant, and for that a permanent privacy team needs to be put in place within the organization.
Engaging a full-time or part-time DPO (Data Protection Officer) is another sensible option to ensure ongoing compliance. Note that for some organizations, namely public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, appointing a DPO is not optional under Article 37. Check the DPO's practical and verifiable experience before hiring them, and make sure they have industry experience that relates to your own organization, because implementing the GDPR in one environment may differ significantly from another.
There are also software-as-a-service (SaaS) providers who have designed workflow programs to help organizations become GDPR compliant by following suggested, partly automated procedures. Some of these software suppliers combine their solutions with services to implement and operate them; others depend on resellers who are qualified to deliver that additional service. In all cases an internal privacy team needs to be set up to maintain these SaaS procedures, and external, part-time expertise may be required in addition to monitor the ongoing process.
The GDPR poses challenges and, simultaneously, opportunities. Customers, clients, employees and other data subjects will prefer to be associated with organizations that treat their data well, securely and in accordance with the GDPR. Such an organization can set itself apart from its competitors and even use its GDPR compliance as a marketing tool to demonstrate its commitment to customer care.
Ultimately the Board holds the responsibility and the accountability for GDPR compliance, or any lack thereof, which in turn places additional responsibility on the CEO to ensure that the organization is, and remains, GDPR compliant.