Beyond GDPR Compliance – what’s next?

I was energised by meeting new people, with similar interests and challenges. I had some great discussions that brought some fresh perspective to some old problems. Mostly I got to see my colleagues in data protection across Europe and across many different industries taking fresh approaches to understanding and implementing GDPR compliance in their businesses.

What struck me most was how compliance has moved on since I last attended an industry event in the flesh so to speak. Then – in late 2019/ early 2020 - companies were still grappling with basic compliance questions.  Now, companies that have engaged with the GDPR journey and embraced it in their businesses are using mature language to describe their compliance. It was particularly obvious in those industries where compliance required an all-in approach that there is an evolving maturity of approach and forward thinking.

It got me thinking – once you have a compliance programme in place, what comes next?

INFRASTRUCTURE – IMPLEMENTATION and then CULTURE

At the start of a compliance journey companies look at the standard tasks – have we got our privacy notices in place? What about our internal policies that set out our commitment and approach to GDPR compliance for the organisation? Can we identify, investigate, manage, and meet our reporting obligations regarding data breaches? Have we got the necessary tools to comply with Data Subject Access requests? Do we have the right people and are we overseeing this at the right level in the organisation? The need for a compliance infrastructure starts to emerge (and if you are a Fort Privacy client you will start to implement the Fort Privacy Framework).

The next step is to build out the processes and implement the key compliance activities. Companies in this phase are looking at imposing records retention policies across all their software systems. They are working on getting their supplier engagement processes in place or updated to ensure GDPR compliant contracts are in place and that they are carrying out due diligence checks and managing suppliers accordingly. They may be focusing on annual due diligence checks, internal and supplier audits, getting a change management process in place to ensure their article 30 Records of Processing Activities is kept up to date.

These are all elements of implementing and maturing a compliance programme.

What happens next is the interesting part – organisations whose core compliance activities are maturing are evolving to stage three. These organisations are building a culture of compliance.

What does this culture of compliance look like?

• One organisation talked about how they have started on a path to align the privacy strategy for the organisation with the business and product strategy. That sounds like a clear and straightforward objective but anyone who has tried to do this (especially if they have tried before the company is ready for this!) will know its easier said than done.
• Another organisation talked about Privacy becoming part of the value proposition. Again, not an easy task. It takes a lot of “managing upwards” to get any company, never mind a large corporate, to align its corporate values with a compliance activity which would always have been seen as a net cost of doing business.
• Another company talked about being on a journey to “make the business think differently”. This involved getting agreement on embedding data ethics into their compliance activities – going beyond compliance and making a commitment to ethical use of personal data.

This is all very powerful stuff and none of the companies were shying away from the inherent challenges.

Sitting in the audience listening to the various speakers there were common themes emerging. As we move into 2022 – and approach the fourth anniversary of GDPR – there is a maturity of approach and language.

Companies are no longer rolling out the trite “We are 100% GDPR compliant” line. The language of compliance is maturing to recognise that this is a big part of company strategy, in many cases a business differentiator. Businesses that go beyond narrow compliance thinking and embrace the culture of compliance are maturing – as we always hoped they would – to recognise that a culture of compliance will benefit everyone including the bottom line!