How to make the most painful GDPR tasks less painful

We know about the GDPR's €20m fines but what does a compliance programme involve? Data privacy expert Patrick O'Kane irons out possible bumps in the road.

by Patrick O’Kane
Last Updated: 03 May 2018

As an in-house lawyer and Data Protection Officer for a Fortune 500 company, I have experience in trying to engage departments such as HR, marketing and legal in the sometimes grim area of data protection. You are never going to be the most popular person at the office party with my job but if you make your GDPR project practical and engaging, you can get on the right side of the law, win your customers’ trust and avoid those much-hyped fines. 

Running an effective GDPR compliance programme means you must change some of your processes and operations to align with the regulation. You must also educate the people in your company, all the way up to the boardroom, on what they will have to do, and avoid doing, to avoid those mammoth fines.

Some GDPR tasks are going to be painful. Here are some of the toughest.

Making data protection fun

I once had to give a three-hour lecture on data protection to Millennial colleagues at my last company. They anticipated it with as much enthusiasm as an appointment for root canal treatment. I came armed with 40 slides bursting with legal information, but I had not made my presentation in the least interesting. Shortly before I was booed off, it dawned on me that when preaching data protection, you have to first and foremost, make it engaging.

Make it practical and give examples to your colleagues of how data protection affects their day-to-day lives. Tailor the training to the audience: the men in the grey suits want to know how it affects the bottom line. Explain to Millennials how data privacy affects them every day - from their jobs to their social media usage.

Effective GDPR programmes demand that you educate colleagues about basic data protection rules, with more detailed sessions for colleagues that regularly manage data, such as marketing, HR and data analytics. 

Privacy notices customers want to read 

Can you remember when you last read a pop-up privacy notice before hitting ‘I accept’?  Me neither. Privacy notices hit you with so much legalese you can barely summon the will to read them.

But GDPR expects more: it wants us to speak simply and clearly to customers about how you handle their information. This usually includes telling the customer where you get it, what you do with it and who you share it with.

You can build trust with your customers by handling your privacy notices in the right way by being up front with them about what you are doing with their personal information.  Use the right tone when draft your privacy notice: more honest guide than airport security guard.

Mind those contracts

One of the toughest tasks is changing supplier contracts to align them with GDPR without annoying your suppliers too much.

GDPR says that when your company hands personal data that it holds over to a supplier who is processing that data on its behalf, it must make sure it has appropriate data protection clauses in place in that contract.

These clauses outline what suppliers must do to keep your data safe. Sorting out these clauses can be a painful bore, there is a huge business benefit: these clauses can protect you if your suppliers ever do drop the ball with your data.

The time for talking has passed.  It’s time for action. Tackle GDPR tasks, especially these potential bumps in the road, and you will keep your company on the right side of the law.

Patrick O’Kane is a lawyer and Data Protection Officer for a US Fortune 500 company and the author of GDPR: fix it fast.

Image credit: Pixabay


Find this article useful?

Get more great articles like this in your inbox every lunchtime