Sofia Bruno, Kivra AB, on the General Data Protection Regulation
Culture: With the upcoming General Data Protection Regulation (GDPR), privacy will become a standard part of a company's compliance responsibilities. Organisations should therefore already be working hard to recognise the importance of privacy in their company culture, and give it high(er) priority in the boardroom. Everyone in the organisation should be involved in the preparations, with the aim of making the company culture reflect the new rules:
- Set up a company specific privacy management lifecycle. The company’s ‘privacy compliance tone’ must permeate every level of an organisation when processing personal data.
- Train and develop employees, and recruit a Data Protection Officer if that's needed for the organisation. Every employee should have a full understanding of the new rules, and also be in a position to give input on how the company can best meet the requirements of the GDPR.
- Make sure the organisation is compliant with current relevant rules and responsibilities, and implement effective processes for following up and ensuring compliance over time. Also establish management processes for handling data breaches, reporting, requests from individuals for data erasure, continued risk evaluation and so on.
Code: If you have not yet done so, look at how you can implement privacy in the code and design of your company's services by embedding privacy functions, and thereby help the organisation as a whole to comply with the new rules. Make sure that your IT systems and functions process personal data in a compliant manner. Increased awareness in this area will not only help you identify potential problems at an early stage, but will also benefit the entire organisation.
Customer Experience: It's all about the customers; without them you're nothing, and their personal data can give you great value, right? So make them feel secure and updated, and never give them unpleasant surprises in terms of how you use their personal data. Hopefully they will then feel comfortable staying with you and providing you with their personal data while using your products and services: win-win. If you're relying on customer consent, make sure the customers know exactly what they are consenting to, and the implications of their consent. Be transparent and talk to the customers in a language they easily understand. Be especially careful with the information you give, and with the tone and vocabulary you use, if your customers include children and other individuals with special needs.
Hey IT-lawyers, it's time to up our game!
We IT-lawyers must widen our perspectives and open our minds to the digital world. Try to understand as much as possible about how it works out there, and see if we can improve our ways of reaching out with our legal advice. See if you can be a trainee for one day or more in your organisation's IT/tech team. I've tried it myself and believe me, it is great fun. You'll be amazed how fast that can improve your way of giving well-suited legal advice and working together with other roles in the organisation more efficiently, as you suddenly talk the same language (well, hopefully you can at least use some cool legaltech words…). Tech teams, CEOs, sellers and other fast-working business roles must also change their way of working, as personal data is now a cost and a risk. They must involve the legal team more closely and earlier in the business's processes, as one step in the wrong direction can suddenly lead to major consequences in terms of fines and forfeited public trust. Brief legal reviews and agreement drafting without good knowledge of the current business situation are not enough. Lawyers must work together with other roles in the organisation, with different functions, perspectives and knowledge, in order for businesses to continue moving forward in this challenging and exciting GDPR era. Now who's with me?