GDPR: It’s a cultural thing

European Leader, Cloud Infrastructure, IBM

In a series of blog posts, the ‘Coach’ offers recommendations on how to get businesses into shape so they can thrive in the new data era.

When did checking off boxes ever create long-term value?

To reap the business benefits of compliance with the EU’s General Data Protection Regulation (GDPR), a business must do far more than hire a data protection officer and install some new technology.

Instead, the entire organization, from the top down, needs a data-driven, privacy-by-design mentality. Only then can that organization enjoy the increased customer trust, cleaner data and better insights that GDPR is promising to deliver.

The Coach’s take: GDPR can’t be viewed as only a technology and processes issue. The people who handle data in a business need help to appreciate their new responsibility for customers’ personal data.

GDPR changes how organizations treat personal data

For too long, customers’ personal data has been handled without respect. The processes and workflows associated with the collection, storage and use of that data have focused on its utility or value to the business, not on the individual it describes.

GDPR changes this by putting the rights of the individual front and center of all things data. This means that those well-entrenched business processes and workflows, as well as the habits and mindsets behind them, must change as well.

There is a lot of work to do here. Survey after survey indicates that many businesses don’t have a culture in place that prioritizes individuals’ data rights. In one study, only 26 percent of IT decision makers said their board of directors and upper management were involved in their GDPR program. In another, relevant to GDPR’s requirement to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, it took companies an average of 206 days to detect that an incident had occurred and a further 55 days on average to contain it. A 72-hour notification clock cannot be met by an organization that takes months to notice a breach, so that gap must be closed quickly.

How does one go about creating a culture in which respect for personal data and privacy is embedded?

Invest in your people with GDPR training

IBM has been working on its own GDPR compliance for several years and has found that, in tandem with the right processes and technology, the way employees are trained is central to building this culture.

Employees need help to understand their own, and their colleagues’, new responsibilities when it comes to individuals’ personal data. They also need help to understand the risks and impact of improper data use.

The Coach’s take: Employees need to know it’s their responsibility to take action when they see the personal data rights of customers aren’t being honored.

Help them help themselves

Self-service materials such as content libraries, Q&A forums and knowledge base resources are a good start. A range of internal communication and training initiatives should also be set up. The HR portal, e-newsletters and regular email updates can be used to acknowledge challenges, share knowledge and showcase best practices.

The right GDPR partner can help here, but company leaders also have a big role to play. Town hall meetings and leadership lunches get leaders in front of people on a regular basis to reinforce key GDPR messages. It’s a good idea to include GDPR compliance on meeting agendas and performance reviews.

Culture eats strategy for breakfast

In business, culture is made up of the values, beliefs and behaviors shared by everyone in the organization. It’s what you do, not what you say. Building up a data culture appropriate for the GDPR era is a long, gradual journey.

How that looks will be different in every organization, but one common feature should be that no one ever has cause to say, “That’s not my job,” or “I didn’t think the rules applied here,” or “I’m not the only one,” or “I didn’t know; nobody told me.”

Wherever you are on your GDPR journey, use the experience of others to guide you. Discover how you can team up with IBM to benefit from IBM GDPR readiness work as well as its GDPR capabilities and offerings.

For more from the ‘Coach’ take a look at the rest of this GDPR series.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.