Having clarified the requirements of the GDPR and what it is appropriate to do to be compliant, it is fair to ask who will be in charge of this compliance process, which, as noted, belongs to a long-term project aligned with business objectives. There is widespread agreement that GDPR is an issue that must involve all levels of corporate management, from senior executives to other positions in the organization. Indeed, cross-functional collaboration should be enabled if companies want to comply with regulatory changes by the deadline – May 25, 2018 – and implement an effective long-term transformation.
Companies that hold and use EU citizens’ personal data must involve most departments in the process and ask themselves some basic questions about how and why personal data is collected and used, while also focusing on the value to their respective business functions. So, preparing for GDPR is not just an IT project, nor is it something that only privacy or security managers are interested in – collaboration will be a cornerstone of compliance. Let’s take a very simple example: marketers will need to work side-by-side with legal departments and IT departments to transparently manage customers’ personal data, and IT teams need to work with legal to review agreements in the supply chain, amending contracts where necessary.
- Leadership Team. These are the first stakeholders called upon; their support is critical, as is the appointment of an executive leader for compliance activities. The leader will then head a dedicated project team that must be accountable to the board and receive instructions from the top. If the business organization is particularly large or complex, multiple GDPR teams may also be formed, one for each business unit, each of which will report to the leader.
- Legal Department. There must also be a legal figure who knows the GDPR by heart and is ready to advise the rest of the company throughout the preparatory process. The attorney or legal team will then be involved in practical compliance activities, for example reviewing legal agreements with third parties, especially if the company has controller-processor relationships.
- IT and software development. The IT department’s contribution is critical to the success of GDPR implementation: IT teams are charged, for example, with access controls to personal data and with “ensuring on an ongoing basis the confidentiality, integrity, availability and resilience of processing systems and services.”
- Product Management. These are the owners of the products used to collect the data, i.e., the software. The functionality of their programs must be balanced against requirements such as security and privacy. Product management personnel become increasingly relevant as GDPR compliance is viewed from a long-term perspective.
- Marketing. GDPR brings with it many changes that affect organizations’ marketing activities, especially in the area of digital marketing. There will be a need to review and update the privacy policies of websites. Companies also need to make sure that consent management is adequate and working in all markets. When it comes to marketing automation and CRM, organizations need to make sure tool and service providers are GDPR compliant and have data usage rights. To achieve this, companies need to train employees and make them aware of the implications GDPR will have on their operations, especially in the case of organizations with global marketing teams.
- Cybersecurity. The IT security manager clearly has one of the most important roles in preparing for GDPR. The Chief Information Security Officer (CISO) is the top-level decision maker for cyber security and has a pivotal function in protecting the enterprise from attacks that result in data loss. The CISO and the entire Information Security team should be deeply involved in shaping GDPR plans, given their centrality to some of the regulatory changes concerning data breaches and data privacy.
Given this rather broad picture, it is to be expected that a small to medium-sized business will not have qualified personnel in-house in all the areas called upon to be GDPR compliant. Depending on the company’s mission, it may not have legal or IT staff directly in-house and will therefore have to outsource compliance to external consultants. So don’t be surprised if you have to opt for the services offered by external professionals, better still if they are teams specifically created to achieve the required compliance.
To be continued…