Colleagues (and people in general) are awesome! If you are a manager, they are your most valuable asset and best case is that they drive your competitive edge. But if you are the GDPR responsible, they are also your biggest headache… That’s because they are building the content of your company but the content becomes the problem in a GDPR context. And you might have a hard time convincing them to do things differently. This is not due to the fact they don’t want to, but because they deem other things more important. This is especially the case with GDPR compliance. It’s everybody’s task but time is not an available resource, nor does everybody see GDPR as relevant.
We have reflected on what happens if you only rely on people to comply with GDPR. And the topics are:
- Handling data is not very user- and people-friendly
- People are different – and they end up doing things differently
- Changing people’s mindsets is tough one
- Enforcing people’s GDPR compliance is a hassle
- Culture eats strategy for breakfast – including your GDPR strategy
- How can you smoothen GDPR compliance and the transition to the GDPR era?
1. Handling data is not very user- and people-friendly
All data is not created equal – at least not when we’re talking about GDPR. Personal data exists in multiple forms and is divided into categories of sensitivity. And you need to be able to find all of it.
Basically, it is scattered all over the place. Besides residing in your business applications and -software such as Salesforce, SAP, Hubspot, E-conomic etc., the top three places where personal data is stored (according to research) are 1) e-mails and e-mail servers, 2) computers and network drives, and 3) Enterprise Content Management Systems (ECM).
Structured vs. unstructured data
Unlike Salesforce and the others who utilize a database setup, the two first of the top three locations listed are characterized as unstructured-human-governed locations. With a database structure, data is neatly organized by the software and keeps track of all changes – that’s basically the point of the existence. With the other places mentioned, you as a person (and your colleagues) are in sole control of how to organize and manage those data, i.e. how to handle e-mail attachments, save documents – and deleting these.
We therefore distinguish between the structured data (databases) and the un-structured (e-mails and files).
A practical example
To illustrate the difference in handling these, let’s use the example of a customer who exercises its right to access the data you as a company has on them – a “Subject Access Request”. For the example, we assume that the person in question is a customer. Also, you are using a CRM software like Salesforce, an ERP system like E-conomic, Outlook (Exchange) as your mail system and a shared network drive (e.g. a X-drive) as your file storage.
You look up the person in Salesforce and pull a report showing all data (correspondence, products etc.). Then you find the same person in E-conomic where you extract all invoices and other data registered on that person.
Now we get to the fun part – how do you find all emails with that person? You do not have access to all your colleagues’ mailboxes, so you need to ask everyone to do a search for that person. The same goes for your shared network drive – but hopefully, you have full access, so you can the searches yourself.
Then you compile all that information into an e-mail and send it to the customer making the request.
As you can see there are a couple of manual tasks which are time-consuming. Chances are when you do this, you end up not finding all personal data – because how can you be sure that all personal data that is hidden in your thousands of emails and folders are located? You honestly don’t have any chance of finding out whether all your colleagues did their searches.
AND WHAT IF YOU HAVE MULTIPLE SUBJECT ACCESS REQUESTS? We won’t get into that because you probably see the resources needed by now.
2. People are different – and they end up doing things differently
As a natural part of your GDPR strategy, you implement processes, procedures, and policies to comply with GDPR and you expect your company to adhere to them. Rightfully so. Unfortunately, people tend to find their own way of doing things. Why? This is the part about being “human” and exercising their own way of thinking. Even though you outline specific ways of handling personal data and have mandatory procedures in place, you can’t control how every individual will lead their daily working routine. This means that you can’t put the responsibility on your colleagues’ only. They are probably doing their best to comply but it’s part of human nature to use autonomy or find different ways of doing things.
3. Changing people’s mindsets is tough one
The GDPR ball is rolling in your company. People need to understand “what is GDPR” and how do I deal with it – broadly speaking. We’ve seen companies having extensive workshops, interviews, seminars, webinars, quizzes – you name it. From the get-go, people understand what GDPR is and how they need to incorporate it into their daily routines. And to be honest: we have seen this kill more than one organization before even getting started on actual compliance, i.e. doing something actively.
In the beginning, you’ll see that everyone is on the same page and wants to incorporate compliance as a natural part of the workday. Then, time flies. People start forgetting the fuzz about GDPR and all the rules and processes they need to adhere to. It’s not fresh in their memory and they don’t (yet) have a GDPR habit integrated into their way of working.
The issue can be explained as when you go to the dentist. You are being told that you need to brush your teeth better to avoid cavities. The coming weeks after the dentist, you brush your teeth tirelessly because you want to avoid cavities. But. After a few weeks, you fall back into your old habits of brushing teeth. It’s hard to change this pattern. Going back to GDPR, if people fail to integrate the habit of GDPR you are going to have a hard time being compliant. How do you keep GDPR fresh in peoples’ memories?
So, back to the first observation in this section – too many workshops, interviews, seminars, webinars, quizzes etc. may kill the overall effort. But you still need to do something, and you can’t just leave it up to each person in the company. It’s a tough balance to strike.
4. Enforcing people’s GDPR compliance is a hassle
If you rely only on people to follow policies and procedures, you need to make sure people are complying on a continuous basis. That said, controlling if each person is complying to these policies and procedures becomes an important task. The level of control requires a lot of time from the GDPR responsible. How do you control that everybody doesn’t have personal data in their mailbox, or on their computers? You have told them not to, but how do you actually make sure they don’t? You can’t watch over every person’s shoulder. We got a suggestion in the end – be patient.
5. Culture eats strategy for breakfast – including your GDPR strategy
Let’s assume that you have a great GDPR strategy in place. All policies and processes are in place, you have the necessary GDPR templates, and you have a good overview of where to find and extract personal data – might not be fast but it works. To get this far has without a doubt been a tough journey, but you made it. Now you need to make all your efforts stick, so you don’t have to start all over in a few months.
So, how to make your GDPR strategy stick? It needs to be socially constituted in your company culture. If this does not happen, you are most likely to repeat the all your efforts all over again. Just think of the dentist example from before – you could have a good start but (unknowingly) kill the motivation with too many efforts. Culture eats strategy for breakfast – especially something like a GDPR strategy.
Culture is about the habits people have formed, how they make decisions, respond to challenges, how they distinguish between right and wrong. So, if your GDPR strategy entails ways of doing things that are perceived as weird, incomprehensible or plain stupid, you’ll have a hard time maintaining compliance. We’ve seen examples where people were asked (as part of the GDPR strategy) to manually go through their e-mail inbox to detect and report all the personal data found. Yes – you did read manually… Without saying too much, this is NOT an efficient utilization of resources and we would not be able to enforce this in our company at least.
You need to be aware of what you are asking from your colleagues. If it’s new habits or behaviors, then you should expect pushback will be there. Assess the habits and behavior of your colleagues and make sure your GDPR initiatives are somewhat aligned with the way people do things already – or make sure that they can see the rationale behind changing this. Then you’ll get closer to including GDPR in your company culture.
6. How can you smoothen GDPR compliance and the transition to the GDPR era?
Summing up on why relying on people can be troublesome is:
- People are in charge of managing personal data that is unstructured
- Most will find their own way of interpreting rules and processes
- We are all creatures of habit and GDPR is far down the habit-priority list causing negligence
- Controlling that people adhere to GDPR takes up a lot of (non-productive) time
- Not building GDPR habits in your company culture hinder the transition to the GDPR era
The one service, product or software that should fix all of these challenges does not exist. And do not let anyone convince you otherwise.
What you should be focusing on is how can you make it as easy as possible for your company to comply with GDPR – not 100% but identifying key risks and doing something. There are many ways to do so – and we wrote a separate post on this here.
Manual tasks are a killer
One way is to remove the responsibility of having people manually go through their locations where data is unstructured as it imposes more tasks in their work routine and leads to people hating GDPR even more. Shorten your internal rules and processes to make them easily understandable and focus on key risks. Do not leave too much room for individual interpretation.
Give people smart tools instead of rules. This further reduces the need for controlling people to see if they adhere to the GDPR.
Ensure that the new tasks that is required by each person is not too alien to their existing tasks or habits. This will reduce the pushback and increase the chances of implementing GDPR in your company culture.
How we might help
Archii GDPR gets you part of the way by removing the tedious task of manually finding personal data in documents. This is documents located across human-governed locations such as e-mail and file locations. Instead of finding data manually, you can do it by the click of a button. This limits the amount of control management need to conduct, as each person need to click a button and the admin gets an automatic overview of where personal data in documents is located. Go check it out here.