How Employees are the Key to Organizational Compliance

essidsolutions

Employees across all parts of an organization touch personal data, but that doesn’t guarantee they know how to comply with data protection and privacy laws. Kim Lessley, Director of Solution Management at SAP SuccessFactors, shares why organizations need to establish processes and properly train employees in order to adhere to compliance regulations.

Sometimes it’s the simplest things that can get an organization into compliance trouble, like when the Australian government sold off old office equipment through a second-hand shop, not realizing the filing cabinets held ten years of top-secret cabinet discussions spanning five governments.

Employees across organizations touch personal data – including data entry clerks, call center employees, marketing professionals, people managers, and HR, to name a few. You can have the best technology in place, but that will not guarantee your organization is in compliance with data protection and privacy laws. You also need to establish processes and train employees on those processes. Imagine this scenario – you’ve spent between $1 million and $10 million getting ready for the General Data Protection Regulation (GDPR). You’ve done a technology audit, cataloged the different systems in use in your company and mapped where you store and process all personal data. You have gone through an exhaustive search and hired the perfect person to fill your Data Protection Officer role. IT and HR are working hand in glove to ensure employee data is secure in all systems and permissions are locked down so that only those people who need to see personal data can access it. You are ready, right? Think again.

Then you hire an intern to help manage your next big marketing campaign. She is eager to prove herself and takes the initiative of building her own global mailing list from email addresses she collected from the sales team, extracted from lists of conference attendees stored on the team’s SharePoint site, and so on. Chances are not all of those people gave your company explicit consent to send them marketing material, and suddenly you are out of compliance with the GDPR for direct marketing without consent. Or let’s say one of your top salespeople brings her laptop home to get some work done in the evening and forgets it on the train. The laptop contains information about customers and prospects, including personal information and notes. Not only is this a potential breach of those individuals’ information, but it could also be a goldmine for the competition.

Culture of compliance

One of the trickiest aspects of compliance is the unpredictable human factor. People make mistakes: sometimes because they are careless, sometimes because they are acting maliciously, and sometimes because they simply don’t realize what they are doing is wrong. So what can you do to mitigate the risk to your organization?

Establishing a culture of compliance in an organization is critical to ensuring that all of the process and technology work you put in to achieve compliance does not go to waste. **A true culture of compliance is an integral part of an organization’s ethics and is not simply a box that needs to be ticked confirming employees have completed an annual online compliance course**. Instead, compliance needs to be embedded into everyday activities.

Most people want to do the right thing. **Compliance expectations should be clearly communicated and reinforced, and employees should be incentivized to behave accordingly**. A culture of compliance sets the foundation and expectations for individual behavior across an organization, and it should start at the top. If a company’s leaders are not taking compliance seriously, how can you expect the rest of the employee population to do so?

Back to the story of the filing cabinets in Australia. If that happened to a company holding data on European residents, the mistake could cost up to €20 million or 4% of annual global revenue, whichever is higher, in fines under the GDPR. People will make mistakes, but you can limit the frequency and severity of those mistakes by instilling a culture of compliance where employees understand and embrace compliance as the standard operating procedure, including always making sure filing cabinets are empty before selling them off.