Create a healthy GDPR culture

It’s hard to believe that this time five years ago, many of us would have been finalising documentation, training staff, and having conversations in the office about a new phenomenon called GDPR! Hopefully half a decade down the line, that new phenomenon is now considered an old friend (who, in the UK, changed their name to ‘UK GDPR’ due to Brexit).

How can you ensure that this old friend is an integral part of your company’s culture?

1. Appoint a passionate individual to lead on GDPR

Dependant on the processing activities your organisation undertakes, you might need to appoint a Data Protection Officer (DPO). Ensure that whomever you appoint to lead on GDPR (with or without the official DPO title) has an interest in the subject, is able to interpret the regulation for your business and can engage others to embed into the organisation.

2. Data protection by design and default

This is a good mantra for your organisation. Whenever considering a new business practice, product, service, or system, or when starting a new project involving personal data, have your team chant it while completing a Data Protection Impact Assessment (DPIA)!

3. Provide regular refresher training for all staff

With every member of staff acting on the company’s behalf, GDPR is everyone’s responsibility. The reality is that some people in a company will apply GDPR principles more frequently than others due to the nature of their job. Often, these people receive the most GDPR training.

However, it’s arguably those who less frequently apply GDPR principles that create your highest risk for compromising compliance. Without regular training, things get forgotten. Include GDPR training when onboarding all new starters and ensure that regular training is offered to the whole workforce with relevant documentation accessible to them. Check that learning has taken place with a test or survey, to assess confidence as well as knowledge. Consider how to address any gaps in learning with the individuals concerned.


4. Encourage healthy GDPR and data protection discussion

There is a significant amount of complexity and some uncertainty surrounding GDPR compliance. The Information Commission Office (ICO) gives very clear guidance but there is still an element of user interpretation and justification (for example, retention periods).

Through sharing and discussing GDPR related news items, questions and anecdotes, you encourage increased awareness and understanding of GDPR amongst your workforce as well as providing opportunity for the wider workforce to challenge the company’s GDPR position. It is this challenge which could identify a need to update your company’s GDPR documentation and/or associated processes and practices. By providing an environment that welcomes discussion and challenge from ‘the workforce’, you will ultimately improve aspects of your company’s GDPR position.

5. Accept that your GDPR documentation will never be ‘final’

Businesses don’t stand still for very long – changes to people, processes and technology will often result in required changes to company documentation, including GDPR documentation. Be prepared to update the documentation regularly and inform your workforce of any changes. An annual review of your overall GDPR policies and processes is sensible and whenever there is a change to existing technology or processes, ensure DPIAs are updated so that the effects of the change are considered.