
How to make it easier for employees to comply with GDPR

People are awesome! If you are a manager, your people are your most valuable asset. A good team can help you solve problems, stay innovative, and drive your competitive edge. But when it comes to GDPR compliance, they can also be your biggest liability. That’s because every time someone touches personal data you’ve collected about your customers and others, the risk of data leaks and breaches increases.

Handling people’s personal data is a normal part of business, and your team needs access to personal data to do their jobs. What can you do to help everyone understand how to comply with GDPR? Why is GDPR-compliant data processing so hard to do manually? How can you be sure they put your GDPR policies into practice daily? Privacy laws are relatively new, and old habits die hard. What was once an acceptable way of collecting and storing data may no longer be appropriate and may not comply with GDPR and all the new global regulations.

Here are some of the issues we’ve found with relying on people to comply with the GDPR:

  1. Proper data management is tedious and compliance tasks are not people-friendly
  2. Each person does things differently, which makes it hard to be consistently compliant
  3. People are busy and they may not see the importance of prioritizing privacy
  4. Monitoring and enforcing everyone’s GDPR compliance takes too much of your time
  5. Changing office culture is tough, but “Culture eats strategy for breakfast”

How can you get your team GDPR ready? Are there aspects of data privacy that people should not be left in charge of?

1. Proper data management is tedious and it is not people-friendly to comply with GDPR

All data is not created equal. Personal data at every level of risk and sensitivity may exist in multiple formats scattered throughout your systems. To demonstrate compliance with privacy laws you need to find, sort, and track all of it.

Data locations

The sensitive and personal data your company has collected can be found in many locations, including:

  1. Your team’s emails and email servers
  2. Computers and local drives
  3. Cloud storage and applications

Assigning someone to search through all of your company’s storage manually to find sensitive data is not practical, because the task would simply take too much time and would be almost impossible to complete thoroughly and accurately.

Structured vs. un-structured data

Data stored in applications that use a database structure is neatly organized (structured) by the software, with all changes tracked. Structured data is highly organized and easily decipherable by machine learning algorithms.

Examples: Excel files or SQL databases

Data stored in emails, computers and local drives is unstructured. Each user (that’s you and each of your colleagues) has to organize and manage their own files: deciding how to handle email attachments, how long to keep documents, when to delete them, and so on. Unstructured data, stored in its native format, requires specialized tools to search and manipulate.

Examples: Emails, text files, PDF documents, images, audio/video files, etc.

Compliance and structured vs. unstructured data

Let’s look at a practical example to see how the huge amount of structured and unstructured data you store may make it difficult for you and your team to comply with privacy laws.

A customer, Maria, asks you for access to all of their data, as is their right under the GDPR, CCPA, and most other privacy laws. This is called a Data Subject Access Request, or DSAR.

You assign one of your employees, Robert, to collect Maria’s data in response to the request.

Your company uses CRM software like Salesforce, an ERP system like E-conomic, an email server like Outlook (Microsoft Exchange), and a shared network drive like X-drive as your file storage.

Robert starts by searching Maria’s name in Salesforce and pulls up a report showing all her data (correspondence, orders, etc.). Then he searches Maria’s name in E-conomic and extracts all her invoices and other data associated with her.

So far, so good. Now we get to the fun part. How will Robert find all emails to, from, or about that person? He does not have access to all his colleagues’ mailboxes, so he will need to ask everyone to search for Maria’s name. The same goes for your company’s shared network drive and each person’s local drive. What if some of Maria’s information is in PDF attachments and does not show up in the searches?

Finally, all the information compiled must be sent securely to Maria. Is it complete and correct? Was it sent to the right person? How many people were involved and viewed her information unnecessarily or sent it around unprotected?

As you can see, relying on people to find and deliver structured and unstructured data in response to a DSAR is time-consuming and problematic. Was all the unstructured personal data hidden in thousands of emails and folders located? How can you be sure that all your colleagues did their searches thoroughly? Could putting so many people’s eyes on Maria’s personal data do more harm than good? Was it the best use of everyone’s time, and might it have put the data at greater risk of leaks and breaches?

Multiply these issues by the number of DSARs you receive and you start to get an idea of the resources that could be wasted, the possible errors, and other risks involved when relying on people to collect and deliver data.

 

2. Each person does things differently, which makes it hard to be consistently compliant

Maybe you have already defined your GDPR strategy and implemented the processes, procedures and policies your company will need to comply with privacy laws.

Now, it is up to each person to adhere to your privacy policies. Unfortunately, people tend to find their own way of doing things. Even if you outline specific ways of handling personal data and have mandatory procedures in place, it is unlikely that every individual will consistently put them into practice in their daily working routine.

This is a normal part of being “human” and exercising our own way of thinking. Your staff are smart, creative people, and their ideas of what is a safe or “good enough” way to handle personal information might be just as good as yours. However, data regulators expect to see standardized company policies being followed consistently.

At the end of the day, you are responsible for compliance and privacy. Recognizing human nature and the inconsistency that comes with it, try to automate data privacy as much as possible. Free up your team’s time and mental energy for the projects that make you money.

 

3. People are busy and they may not see the importance of prioritizing privacy. How can you change their mindset?

Flashback to early 2018 and the GDPR ball is rolling in your company. People understand what GDPR is and how to deal with it, broadly speaking. We’ve seen companies run extensive workshops, interviews, seminars, webinars, quizzes, you name it. And to be honest: we have seen this kill more than one organization’s effort before it even got started on actual compliance, i.e. doing something actively.

In the beginning, everyone was on the same page and wanted to incorporate compliance as a natural part of the workday. Then time flies. It is business as usual and everyone is busy. People start forgetting what all the fuss about GDPR was really about, along with all the rules and processes they need to adhere to. It’s not fresh in their memory anymore, and they still don’t have GDPR habits integrated in their way of working.

It’s a lot like when you go to the dentist. You are told that you need to brush your teeth better to avoid cavities. The next couple of days you brush and floss your teeth carefully and tirelessly because you want to avoid cavities. But after a few weeks, you fall back into your old habits of brushing your teeth too hard and drop flossing altogether. Changing patterns takes time, and a burst of initial enthusiasm is no substitute for gradual improvement.

How can you get your people to continuously improve their privacy practices? Too many workshops, interviews, seminars, webinars, quizzes etc. may kill the overall effort. Rather, we suggest a “What you track, you improve” strategy. Continuously monitoring your privacy practices and sharing the results with your team on occasion is a good way to keep everyone on the right track.


4. Enforcing people’s GDPR compliance is a hassle

The GDPR requires you to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks” to protect people’s data and privacy.

Then it states that you must have “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

How can you test, assess and evaluate whether your policies are being followed?

Does anyone keep customer data in their mailbox, or on their computers?

Looking over everyone’s shoulder and pestering them to comply with company policies and procedures could create a very stressful office environment and eat up an enormous amount of your time.

Automated data monitoring can help.
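The DSAR search in Robert’s scenario above and the regular testing asked for here come down to the same mechanical step: looking inside every item, attachments included. As an added example (not code from the article or from the products it mentions), the Python below builds a constructed three-message mailbox and runs both checks over it. The names, message ids, phone-number pattern and attachment contents are all made up, and attachments are assumed to be plain text.

```python
import re
from email.message import EmailMessage

def make_msg(mid, subject, body, attachment=None):
    """Build one constructed message; the attachment stands in for a PDF."""
    m = EmailMessage()
    m["Message-ID"] = mid
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="invoice-77.txt")
    return m

def build_mailbox():
    """Constructed sample mailbox; every value here is made up."""
    return [
        make_msg("<m1@example.test>", "Order confirmation",
                 "Hi Robert, Maria's order #1042 shipped today."),
        # Personal data only inside the attachment: the article's PDF case.
        make_msg("<m2@example.test>", "Invoice batch", "Attached: invoices.",
                 b"Invoice 77\nCustomer: Maria\nPhone: +45 12 34 56 78\n"),
        make_msg("<m3@example.test>", "Team lunch", "Pizza on Friday?"),
    ]

def scan_parts(msgs, predicate, attachments=True):
    """Walk every MIME part and record (message id, location) where
    predicate(text) holds. attachments=False mimics a search that only
    covers message bodies. Assumption: attachments are plain text; real
    PDFs or images need a text-extraction step first."""
    hits = []
    for m in msgs:
        for part in m.walk():
            if part.is_multipart() or (not attachments and part.get_filename()):
                continue
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "ignore")
            if predicate(text):
                where = part.get_filename() or "body:" + part.get_content_type()
                hits.append((str(m["Message-ID"]), where))
    return hits

def dsar_search(msgs, name, attachments=True):
    """DSAR collection: every part mentioning the requester, by name."""
    return scan_parts(msgs, lambda t: name.lower() in t.lower(), attachments)

PHONE = re.compile(r"\+\d{2}(?: \d{2}){4}")  # constructed phone-number pattern

def monitor_phone_numbers(msgs):
    """Regular check in the spirit of Art. 32: which items hold phone numbers?"""
    return scan_parts(msgs, lambda t: PHONE.search(t) is not None)
```

Running `dsar_search` with `attachments=False` finds only the first message, while the full walk also surfaces the invoice attachment, which is exactly the item a body-only mailbox search would miss; the same walker, with a different predicate, answers the monitoring question of who is holding phone numbers in their mailbox.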

5. Changing office culture is tough, but “Culture eats strategy for breakfast”

Let’s assume that you have a great GDPR strategy in place. All policies and processes are in place, you have the necessary GDPR templates, and you have a plan set up to find and extract personal data when it is requested. It won’t be fast, but it should work.

Getting this far has been a tough journey, but you made it. Now you need to make all your efforts stick, so you don’t have to start all over in a few months.

What makes your GDPR strategy stick? It needs to be socially engrained in your company culture. Otherwise, it will always be a losing struggle. Just think of the dentist example from before. You can have a great start but still lose motivation if too much is demanded at once. Culture eats strategy for breakfast. So turn your GDPR strategy into a privacy-first culture.

Culture is made up of people’s beliefs, the habits they have formed, how they make decisions, respond to challenges, and how they distinguish between right and wrong.

If your GDPR strategy is perceived as weird, incomprehensible or plain stupid, you’ll have a hard time maintaining compliance.

We’ve seen examples where people were asked, as part of a company’s GDPR strategy, to manually go through their email inbox to detect and report all the personal data found. Yes, manually. This is NOT an efficient use of resources and it is a poor way to educate your employees about privacy. The person will come away from that task only learning that you do not value their time.

A privacy-first culture places privacy as a top priority in your overall business strategy.

1. Show your employees that you protect their personal data.
2. Don’t ask too much. Expecting totally new habits/behaviours may come with some pushback.
3. Try to align your GDPR initiatives with the way people do things already, if possible.
4. Make sure that people can see the rationale behind changes.
5. Consider getting tools/software to make data management easier.

Can you make the transition to comply with privacy laws easier on your employees?

A smarter way to comply with GDPR

To sum up, relying on people to comply with privacy laws can be problematic because:

1. Managing both structured and unstructured data is difficult to do manually
2. People find their own way of interpreting rules and processes
3. It is not easy for people to change their habits and make compliance a priority
4. Supervising everyone to make sure they adhere to your policies is not easy
5. Loading everyone up with irksome tasks is no substitute for a privacy-first culture

The one service, product, or software that can fix all of these challenges does not exist. And do not let anyone convince you otherwise. You will always need a certain amount of support and cooperation from your team to keep your company’s personal data safe. But you can make it much easier and faster for your whole company to comply with the GDPR.

• Use automation to eliminate slow, tedious, manual processes
• Simplify your internal rules and processes to make them easily understandable
• Focus on key risks. Do not leave too much room for individual interpretation.

Simplify to succeed. Give people smart tools instead of rules.

AI-powered data discovery can identify data in minutes, saving your teams valuable time and letting them focus on other tasks. Our RequestManager takes the stress out of responding to DSARs, and our easy-to-use add-in for Outlook gives people a simple way to share data safely.

How we might help

DataMapper – Find your sensitive data →

RequestManager – Respond to DSARs →

ShareSimple – Send and receive sensitive data safely →

Sebastian Allerelli

Governance, risk, and compliance specialist