Embed privacy in your organisational culture – and improve your business
The magical date for enforcing the General Data Protection Regulation (GDPR), 25th May 2018, has passed, and GDPR projects have been successfully finished. Organisations have conscientiously documented their personal data processing activities and updated their privacy notices to meet GDPR requirements. They have reviewed the correct procedures for data breaches and studied how to answer data subject requests within the required timeframe. And the data protection officer, whether internal or outsourced, takes care of the rest, right?
So all is quiet on the privacy front – or is it? Is there still something left to do? Has the organisation merely polished the facade, or has privacy really become rooted as a way of working in the organisation?
Let’s take data breaches as an example. Would it be possible to build the organisation’s operations so that data breaches don’t even take place? There has been a lot of discussion about the sanctions that can befall organisations that can’t manage data breaches properly. However, an even greater risk to organisations can be the reputational damage resulting from breaches. It is likely that a data breach would cause severe damage to the organisation’s image and its brands. On the other hand, well-executed data protection can even be a marketing asset, if it is communicated to customers in a way that builds trust.
Privacy in processes is non-negotiable
An organisation cannot fully achieve data protection if the handling of personal data in its processes is not in top order. The organisation should improve how its data processing fulfils privacy requirements, in other words privacy-proof its processes. This applies both to the core processes specific to privacy and to all business and support processes that use personal data. The organisation can improve its privacy maturity by privacy-proofing these processes.
The goal of privacy-proofing is to engage everyone in improving privacy in their day-to-day work.
Privacy core processes
The core processes are needed to meet specific requirements defined in the GDPR. These include, for example, fulfilling data subject rights such as requests to access or erase personal data, managing data breach cases, and, when necessary, completing data protection impact assessments (DPIA). If the organisation did not have such privacy core processes before, they had to be created because of the GDPR. The first versions of these processes may, however, still have room for improvement or optimisation.
Privacy-proofing business and support processes
Business and support processes are about running the normal business of the organisation. Data protection must be realised in all operations, from customer service to cleaning staff and from business analytics to HR. You need to consider all the possible ways of processing personal data, whether the data is located in paper printouts, random Excels, or in the depths of huge systems and cloud services.
Often organisations are not misusing personal data or being careless on purpose, but the GDPR sets the bar higher. Organisations must follow the principles of the regulation, such as data minimisation: only the necessary personal data should be collected and stored. This may not have been a consideration at all when the personal data was initially gathered. Instead, data was saved just in case or for possible future needs.
When privacy-proofing your business processes, you analyse the current state in order to correct possible privacy findings and increase your privacy maturity.
If the IT systems do not fully support all the needs of the employees, people may end up saving personal data in their own documents and various paper archives. Actions like these may even increase the risk of data breaches.
It is important to go through the processes, because under the GDPR organisations must not only know and document their personal data processing better than before, they must also ensure so-called privacy by design and by default in all their operations.
According to the GDPR, privacy by design and by default can be achieved with “technical and organisational measures”. Technical measures utilise technological solutions, for example, in applications and information security. With organisational measures, you ensure that employees have defined roles, responsibilities, processes, training, and guidance that make it possible to provide an adequate level of data protection.
When privacy-proofing your business processes, you analyse the current state in order to correct possible privacy findings and increase your privacy maturity, for example, by using the aforementioned technical and organisational measures.
Successful privacy implementation becomes the organisation’s pride and joy
Organisations should not treat privacy merely as the responsibility of the data protection officer or the data protection team. Successful privacy is built as a common cause in the organisation, a pride and joy for everyone. It is a way of working and an operational culture that reaches all those processes that handle personal data.
At the core of privacy is everybody’s attitude of treating other individuals’ personal data – their property – with care and respect. Privacy is a continuous activity that also needs development and maintenance after 25th May 2018. Now is the time to comb through the organisation’s processes and ways of working, and to develop a true privacy culture.
Authors
Tanja Koikkalainen (former Loihde Advisory employee)
Leea Koskinen