The EU’s General Data Protection Regulation, which went into effect on May 25, imposes new data privacy obligations on all organizations that process the data of EU citizens, whether or not they are based in Europe themselves. The maximum penalties for noncompliance are hefty, so it is essential for businesses to ensure that their practices are GDPR-compliant if they haven’t already.
According to a survey on the eve of the regulation coming into effect, however, most organizations have not yet finished making the required changes, while many do not expect to be fully compliant by the end of this year. Much work still remains to be done to bring organizations into initial compliance with the regulation, and still more work to re-develop data collection, storage, and analytics programs in a compliant manner.
With every organization doing a huge amount of work for the first time and trying to get right with the GDPR as quickly as possible, the environment is fertile for bad information to circulate and for opportunists to take advantage of organizations’ unfamiliarity with the new regulatory terrain. Organizational leaders need to be vigilant about which “experts” to trust for guidance on GDPR compliance, take advantage of the information provided directly by the European Commission, and bear in mind that different functions, particularly HR, face unique compliance challenges.
Step 1: Beware of Charlatans
The proliferation of bad advice and information is a simple matter of supply and demand. Demand for advice is high, both because of the global impact of the GDPR and because so many organizations that were not proactive in planning for compliance are now scrambling to catch up. The supply of that advice is scarce and of uneven quality, with no historical track record of performance. Over the past few months, many companies have been assembling data protection functions and hiring data protection officers (DPOs), causing a run on the thin supply of qualified talent for these roles.
For businesses, this situation creates a higher-than-usual risk of hiring data protection experts who aren’t expert at all. Digiday’s Jessica Davies recently took a look at the tumultuous marketplace for GDPR expertise and the rash of “data protection charlatans” selling themselves as GDPR specialists on the basis of dubious credentials:
The issue is there are no official GDPR qualifications, unless you’re being hired as a data protection officer — a role defined by the ICO. Otherwise, it’s rather wooly what qualifies one as a GDPR expert. For example, do you need a law degree? Apparently not, according to John Mitchison, director of policy and compliance at the Direct Marketing Association, though it’s preferable.
“The formal certifications mentioned in the GDPR haven’t been created yet, so companies saying they are certified — by who? They can only be self-certified or have had a lawyer check it, but that’s not enough,” said Chad Wollen, chief marketing officer of ad tech vendor Smartpipe, who has worked on both the media owner and the advertiser side.
A little awareness goes a long way. Knowing that charlatans abound, organizations looking to hire data protection specialists to lead their GDPR compliance should be prepared; asking specific questions and demanding clear and precise answers will help you steer clear of them.
Step 2: Go to the Source
To figure out what questions to ask, educate yourself with credible information from the people who created the regulation in the first place: The European Commission has created an excellent collection of web resources for the non-lawyer. The resources, written in plain language, answer many of the questions businesses and citizens are most likely to ask, such as:
- How can I demonstrate that my organization is compliant with the GDPR?
- Does my organization need to have a DPO?
- Can someone else process data on my organization’s behalf?
Once you’ve gotten the answers from the source, make sure that the advice you are getting from other sources is consistent with what you read there.
Step 3: Get HR-Specific Advice
Most articles and white papers about the GDPR focus on the rights of citizens in dealing with organizations that they might patronize (e.g., a bank, a hospital, or a car dealership). The application of the regulation to employee data is different in kind, owing to the type of data involved (pay stubs, performance records, work emails) and the power imbalance in the employee-employer relationship.
HR leaders need to ensure that the sources they rely on for advice are attentive to this difference. Legal firms and HR-specific professional associations are good sources for GDPR advice tailored to the needs of that function. For example, this brief guide at Lexology by Tom Mintern and Sam Rayner, attorneys with Bird & Bird in London, explains some of the GDPR compliance issues that HR in particular needs to be aware of.
The HR practice at CEB, now Gartner, has a range of resources available to help leaders navigate the challenges of the GDPR. CEB Corporate Leadership Council members can read more about the HR implications of the regulation in the latest issue of Talent Analytics Quarterly. Members can also read our research report and review the webinar we held in March to help HR professionals create action plans for GDPR compliance.