(Posted originally on LinkedIn, March 1 2017)
I have been traveling the past month or so, and delivering presentations on GDPR compliance as well as attending others’ presentations. I have been struck by how many organizations are still trying to get budget to deal with GDPR, when I was advising our clients last fall that they really needed to have budget established and concrete actions starting in early 2017.
What to make of this? I had thought – probably as most people in privacy had thought – that with the GDPR, all those resource challenges of the past were going to be eliminated, or at least reduced, as the threat of large fines and regulatory sanctions would help us make our business case. This was clearly optimistic.
Raising this in discussion with wiser heads than mine has not yielded an answer, though they agreed this was a common problem. It leads me to think that, despite the imminent arrival of May 2018, resource challenges still exist for a number of reasons:
- Many organizations are busily hiring for DPO roles, but not all are providing the DPO with the resources and support to really meet the requirements of the position, and may not be getting privacy professionals with the right experience into the role. This will admittedly be a challenge for many EU organizations given the lack of sufficient numbers of qualified privacy professionals to fill roles in EU organizations (or even the regulators). It is currently a sellers’ market. But it suggests two reasons why there are still inadequate resources – first, does an inexperienced DPO know what to ask for (staff, tools, technology)? And does the organization hiring such a person think that they are ‘done’ now that they’ve hired a DPO?
- Organizations that do not have experience with building privacy programs are still approaching this as a ‘paper’ exercise. As James Leaton Gray said at the Future of Privacy Forum in November, when we shared the stage discussing accountability under the GDPR, privacy is not simply something that sits in the compliance or legal department. The GDPR requires accountability on the part of the whole organization. There is still, unfortunately, a tendency to regard privacy as just another compliance area, one that can be fixed with the right paperwork.
- It may also be that some privacy professionals are still having difficulty getting the message across about what privacy means in the context of the GDPR: that the EU views privacy as a fundamental right, and that it is more than ‘just another compliance issue.’
What to do? I think addressing resource challenges for privacy professionals is a combination of education and governance. Privacy pros still need to attend to explaining why privacy is important, what it means in the EU versus elsewhere, and what it means for their organization to do well. It helps to draw from the experience of others, from benchmarks and statistics, because management needs this to understand that what we as privacy professionals are asking is not that odd or unusual, and that we are not trying to build a privacy ‘empire’ within the company.
It also requires privacy professionals to engage in ‘tough love.’ This means making very clear that since we cannot write the cheque to fund an activity, then the person who can, owns accountability for failing to resource it. No regulator is going to be fooled by an organization saying that the CPO/DPO is to blame for a privacy failure if the resourcing lies in someone else’s hands. We cannot compel the writing of the cheque – but we can make clear to the responsible part of management that this is their decision, and thus their accountability.
Finally, while I hate ‘selling on the negative,’ there is ultimately one question for management that may need to be asked: are you prepared to accept the risk that your fine for non-compliance is significantly greater than the investment for doing the right thing?