Earlier this year, data protection and privacy were huge topics as GDPR loomed on the horizon. As a Germany-based company that is directly affected by the regulation, we continue to see its ramifications and the ongoing struggle of companies as they try to deliver on data privacy promises. Both internally as we stay compliant with the regulation, as well as externally in working with our customers, we are observing various ways in which data privacy guidelines and activities impact all business units – and where we all need to make some improvements.
Whether your business is directly impacted by GDPR or you’re simply looking to protect your business and your customers, be aware of these three common data privacy mistakes.
Mistake 1: Not educating other LOBs about data privacy activities.
It’s pretty common to think “data” and immediately pair that with IT. IT manages the way in which data is transported throughout an organization and around the world. They are responsible for putting the tools and structure in place to identify threats and respond as needed. So, certainly, much of the responsibility for data privacy falls on the shoulders of your ITSM and information security teams.
But, it’s a huge mistake to hand off that responsibility to your IT organization and hope that it’s handled. Why? Two reasons: both budget and corporate culture play key roles in the success of data privacy efforts. And, both of these require the support of other LOBs (lines of business).
Everyone involved in the budgeting process needs to become aware of the needs and requirements of GDPR and other applicable regulations. From monitoring and data processing, to audit protection and data removal, all aspects of protecting the business need to be addressed and budgeted for. Too often, I see companies shortchange data-related services only to find themselves scrambling when it’s time to demonstrate compliance.
It’s also critical that you build a culture of data awareness. From the top down, people need to understand how their devices connect to other people’s data, and the implications that it can have when said devices are lost, stolen or hacked. Training and ongoing education are key here. (And, don’t forget to tie that back to the budget comment above!)
Mistake 2: Not investigating vendors.
One of the things that we see, particularly with small to mid-sized companies, is that they are aware of various regulations, but don’t quite understand the far-reaching responsibilities that they have when it comes to working with vendors. It’s important to understand how your data partners are processing and controlling data on their end too. Speaking specifically of GDPR, your business can be in jeopardy if your vendor mistreats a customer’s data.
In practical terms this means that, for all vendors, you should be checking:
- What processes are in place to address security breaches and notify customers of the situation?
- What encryption practices are in place?
- In what ways is customer data anonymized?
- Do they work with any other parties to store or process customer data? What steps have they taken to verify their own partners’ compliance?
- What are their procedures for data deletion?
- How often are their security practices audited, and how do they verify this?
- What happens to data when your contract expires?
Mistake 3: Thinking that GDPR (or any other) compliance is the goal.
Looming fines and PR nightmares are what we, as leaders, seek to avoid; so it’s very easy to get caught up in trying to reach compliance with GDPR or any other industry regulation. As someone who has been through the process, I know that there is a pile of papers to prepare and discussions to be had in order to reach this milestone.
It’s tempting, when everything is signed and sealed, to stop thinking about data privacy and protection so that you can get back to other initiatives. But, as leaders, we need to keep in mind that the goal isn’t simply getting a gold star for compliance. It’s about demonstrating respect to our customers by treating their data with care and protecting the trust that they have placed in us. It’s about ensuring that there is ongoing action within the organization to review what’s happening on a regular basis so that it’s logical and makes sense in terms of privacy and data protection.
I don’t believe that any business wants to be known for mistreating their customers’ data. Why would they? But, without really involving the entire organization in this topic and approaching it as an ongoing, critical effort, the risk of something happening is there. So, take heed of these three lessons.
And, if you happen to be at FUSION18 in St. Louis at the end of the month, join me to talk in greater detail about the topic.