TRUSTe has developed an education series designed to provide you with a path to achieving GDPR compliance. This multi-part program provides both guidance on what to do, along with options for helping you get it done.
Step 2: Build Consensus
In Step 2 of Your Path to GDPR Compliance, we address the most common next question, “what do I need to do to secure stakeholder commitment and resources for execution?”
Building consensus up-front is critical to the success of any privacy program within an organization and is not specific to the GDPR. Fundamental leadership principles and organizational decision-making come into play.
Because the GDPR has such a substantial impact on organizations – with significantly increased obligations, a stepped up regulatory enforcement regime, and potential fines of up to 4% of annual worldwide turnover (or revenue) – a GDPR program merits its own organizational awareness campaign.
In fact, “Awareness” is at the top of the list on the UK ICO’s (“Information Commissioner’s Office”) recently released guidance “Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now.” ICO’s guidance states, “You should make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.”
The guidance goes on to recommend that companies “use the first part of the GDPR’s two-year lead-in period to raise awareness of the changes that are coming”.
To do so, you’ll need to:
- marshal the evidence to support a compelling business case; and
- plan and execute your GDPR awareness campaign to secure stakeholder buy-in.
What Evidence Do I Need to Tell the Story and Support a Compelling Business Case for GDPR Compliance?
As the privacy champion, you will have to tap your inherent mastery of the art of persuasion. This means gathering as much ammunition as you need to generate a sense of urgency and persuade key stakeholders that the GDPR warrants a strong compliance program. Below are several key messages that are critical to tell a compelling story, along with a list of helpful evidence to support each proposition.
The GDPR Impacts the Company…Posing Threats and Opportunities
- An overview of the GDPR and what specific activity makes the company subject to the new regulation
- Key organizational risks, fines & penalties, regulatory trends and likely enforcement landscape
- Specific stories of privacy regulation violations and what that meant to the company and to the data subject who experienced the violation
- Reports illustrating consumer sentiment and impact to business when brand is damaged via privacy violations
- Benchmark reports and infographics to illustrate the GDPR risk and show that other companies are taking action in response
- Stories of companies that used its strong privacy posture as competitive advantage
The Company Has Compliance Gaps That Require Remediation
- The results of the initial GDPR Readiness Assessment to provide a Corporate Scorecard of where the company currently stands, with specifically identified gaps and risks
- Any internal metrics / reports providing privacy breach incidents in the organization, any past regulatory inquiries or enforcement against the organization, history of the organization’s privacy training
The GDPR Program Proposed and the Level of Effort Required
- Overview of the activities typically required to build a GDPR Response Program, including best practices and benchmark information from other companies
- Summary of what it would take to close the gaps, including a rough time and cost analysis of the level of effort (LOE) to make operational changes, including training, monitoring, measuring, tech / process for privacy impact assessments and product development, contract reviews, privacy policy reviews, etc.
- Proposed overview of how the GDPR program would operate, a rough timeline, methodology, and success metrics by which to measure progress
How Do I Plan and Execute an Effective GDPR Awareness Campaign?
Facilitate an internal kickoff and on-going planning sessions with relevant stakeholders across the organization. This initiative will be easier if you already have a designated privacy task force. If a committee is not already in place, you’ll need to start identifying and reaching out to stakeholders and key influencers. This should include senior leadership and, if possible, the CEO and Board Members. In addition, identify and invite colleagues with influence across functional areas from lines of business, legal, IT, InfoSec, HR, product development, engineering, marketing, and others.
Build and deliver a strong presentation leveraging all of the evidence gathered to tell the story. To be effective, this takes considerable preparation. Rather than go in with a dry recitation of the policy and regulatory requirements, experienced privacy practitioners recommend planning interactive and engaging sessions that may possibly even be considered a fun team-building exercise. Running your presentation by a subset of the group ahead of time to get feedback and tweak accordingly will help get stakeholders on your side before going into the kick-off meeting.
At the outset, it will be important to clearly state the following goals of the kick-off session:
- Formalize GDPR program team structure / roles / responsibilities
- Secure commitment that the GDPR program is a prioritized pillar / initiative aligned to the overall organization planning for the next couple years
- Agree on short, medium and long-term goals of the GDPR program
-
Set measurable objectives with success criteria, key milestones
-
Based on a rough estimate of the level of effort (LOE), secure budget and resources
Schedule on-going planning meetings with a regular cadence to then develop the full plan, implement all required operational changes, and provide a dashboard report on the GDPR program’s progress. These topics will be covered in our next blog post “Step 3: Develop Plan” and remaining steps in the TRUSTe “Your Path to GDPR Compliance” Education Series.
TRUSTe provides informational resources such as GDPR research and infographics that can serve as evidentiary assets in support of your efforts to build consensus. Some organizations may find that they could benefit from an outside consultant, with significant in-house experience building privacy programs such as the GDPR, to help successfully prepare for and guide the important kick-off sessions. TRUSTe provides the GDPR Response Workshop, which is a half to full day of on-site interactive session led by TRUSTe Privacy Consultants custom-tailored to your organization. For more information on TRUSTe On-Site Privacy Workshops, click here to learn more.