A year ago, the EU General Data Protection Regulation (GDPR) became enforceable for all businesses, government bodies, and public institutions that handle or otherwise come into contact with the personal data of European Union residents. Needless to say, the GDPR had a dramatic effect on how organizations deal with the data of customers, employees, and others. Enforcement meant that organizations were forced to (re-)think their data management approaches in order to stay compliant and thereby avoid the new fines and the bad publicity that comes with them.
Organizations of all sizes put massive effort into documenting processes and data, building governance programs, and ensuring their compliance by May 25, 2018. A report from Dansk Erhverv states that Danish companies spent approx. DKK 8 billion on the GDPR, from hiring staff or consultants to implementing new and necessary technical measures. It is also worth mentioning, however, that working with personal data as a discipline was an immature practice in many organizations, which is why most of them did just enough to become compliant: carrying out process mapping, writing procedures, and running awareness programs.
In March 2019, the first penalty fine under the GDPR in Denmark was issued by the police on behalf of the Danish Data Protection Agency (DPA). A taxi company was reported for violating the GDPR by not deleting information once it was no longer necessary for the purpose it had been collected for, and was fined DKK 1.2 million. Two points deserve attention: firstly, whether the taxi company had retention and deletion policies in place at all, and secondly, whether the company actually complied with those policies internally. Even though the company had procedures for deletion and anonymization, the technical implementation was inadequate, and the DPA was severely critical of the lack of anonymization, of data minimization, and of a legal basis for the continued processing. Removing a name while keeping a direct identifier such as a phone number does not anonymize a record; under the GDPR such pseudonymized data remains personal data, so a deletion policy is only as good as the technical controls that enforce it. The failure may stem from procedural mistakes, technical limitations, or both. Unfortunately, this scenario is unlikely to apply to the taxi company alone; many other companies may be in a similar position, which is why the DPA has announced increased focus and supervision in 2019 on the rights of data subjects and on the reuse of data within organizations.
Since May 2018, more than 4,000 data breaches and more than 5,500 incidents regarding data subject rights have been reported to the DPA (www.datatilsynet.dk). Interestingly, most of the data breach incidents have been attributed to 'human error', such as wrong entries, missing anonymization, and copy/paste mistakes. That raises the question of whether organizations have done enough to educate employees in personal data handling. The common training approach before the GDPR became enforceable in May 2018 was to deliver various kinds of basic awareness training, internal procedure updates, and communication plans, often accompanied by some gimmick (e.g. privacy screens, webcam covers, etc.). Organizations need to go further: employees should be reminded and tested regularly in the data privacy discipline, the benefits of staying compliant should be shared with them, and the discipline should be instilled into the culture.
The maturity of the GDPR journey can be divided into four steps: Diagnosis, Business Processes & IT Controls, Communication & Training, and Organizational Anchoring. It can be argued that most organizations have accomplished the first three steps, but the fourth, Organizational Anchoring, takes time to implement and must be anchored in the organization's culture. This is what leads to the Personal Awareness Journey.
The Personal Awareness Journey goes from general Awareness to Ownership. It is fair to say that most employees are still around step 3: they have not fully changed their behavior (Accepted) or taken Ownership of the changes. This probably requires a reintroduction of the GDPR, informing employees of the benefits the organization has gained and of the plans for further advancement. One success criterion for true ownership could be the number of improvement ideas raised, both internally and customer-facing.
Because of multiple overlapping regulatory requirements, compliance work is still largely handled manually or involves heavy paperwork. Given the challenges described above, it can be fruitful to consider technology as a way to avoid or at least minimize human errors. One use case is chatbots, which are normally used for simple queries. Chatbots are becoming common in many settings, and they have also been used as GDPR lexicons for employees, answering questions with pre-defined answers. The next step would be to integrate such chatbots into the IT infrastructure; enhanced with Natural Language Processing (NLP) and coupled with Robotic Process Automation (RPA), they could handle more complex and time-consuming tasks, e.g. requests from data subjects. Any automation of data subject requests must still verify the identity of the requester and log what was disclosed to whom, otherwise the automation itself becomes a channel for disclosing personal data to the wrong person. Another use case in digital GDPR compliance is Optical Character Recognition (OCR) coupled with RPA, transforming paper-based documentation into digital, automatically processed and archived documents. Together, these could remove both trivial and complex time-consuming tasks from employees and thereby reduce the human error factor, freeing up time for more value-adding assignments and continuous improvement activities.
When considering digital GDPR compliance, remember that no technology is bulletproof, and that every solution needs to be adjusted to the individual organization and handled in the right manner through proper governance. See more on how to meet regulatory demands with digital innovation in the article Regulatory Compliance vs. Digital Innovation: A challenge or a perfect match?
Mobeen Arif has more than 10 years of experience in digital transformation. He has worked with IT and business transformation across many industries, including finance, enterprise, and the public sector, and advises clients on value creation through digital transformation.
Do you want to learn more about NNIT's Regulatory Compliance Solutions or share any thoughts about this topic? Please feel free to contact Mobeen Arif, Managing Consultant in NNIT on firstname.lastname@example.org