Two weeks ago, Sysdoc’s Michael Clinch joined fellow panellists Jane Blanchard and Alex Anisie at the MCA GDPR discussion. He focussed on what GDPR meant for people within an organisation, and the importance of aligning it with process, systems and data.
From May 2018, the EU GDPR ruling mandates that every organisation takes appropriate care of personal data, and that systems and processes all operate in accordance with the new legislation. However, except for the ‘Processors’ and ‘Controllers’ of the data, the 88 page ruling document doesn’t mention anything regarding specific requirements for a typical employee.
This isn’t an omission. It’s not a pre-requisite of GDPR that employees all understand what the legislation says. Yet without a well-informed employee base, everything you do to prepare for GDPR can very easily be undermined. Even if you have fully cleansed your data, reviewed and updated your processes and remediated your systems, it only takes one updated process to not be followed, one illicit download to be stored, one ill-thought out marketing campaign to be executed, or one spreadsheet to be sent en-masse, for all of your effort and careful preparations to be undone. By contrast, even if your processes are somewhat open to interpretation, your systems not fully assessed and your data in need of a formal review, if your people fully understand GDPR and why compliance is critical, then your risk can be almost completely mitigated.
It is very easy to overlook the importance of your people when striving for GDPR compliance, but it is really quite straightforward to deliver an effective awareness programme that empowers employees and can mitigate a large chunk of the risk associated with GDPR. A comprehensive GDPR compliance programme that considers the people elements alongside the remediation of systems, processes and data is the most effective way to mitigate GDPR risk. If your people understand that data is not something to be horded for a rainy day, that CVs should be deleted after the recruitment process is over, and why any process that deals with Personally Identifiable Information must adhere to GDPR guidelines, then you are probably unlikely to encounter significant GDPR issues.
Sysdoc have a track record of managing change and delivering process excellence at some of the UK’s largest companies. For more information, or to arrange an initial discussion, please contact Simon.Niven@Sysdoc.co.uk.
You can read the other posts in the series here: