Sometimes it’s the simplest things that can get an organization into compliance trouble, like when the Australian government sold off old office furniture through a secondhand shop, not realizing that two locked filing cabinets still held roughly ten years of cabinet documents, some classified top secret, spanning five successive governments.
Employees across organizations touch personal data – including data entry clerks, call center employees, marketing professionals, people managers and HR to name a few. You can have the best technology in place, but that will not guarantee your organization is in compliance with data protection and privacy laws. You also need to establish processes and train employees on those processes. Imagine this scenario – you’ve spent between $1 million-$10 million in getting ready for the General Data Protection Regulation (GDPR). You’ve done a technology audit, cataloged the different systems in use in your company and mapped where you store and process all personal data. You have gone through an exhaustive search and hired the perfect person to fill your Data Protection Officer role. IT and HR are working hand in glove to ensure employee data is secure in all systems and permissions are locked down so that only those people who need to see personal data can access it. You are ready, right? Think again.
Then you hire an intern to help manage your next big marketing campaign. She is eager to prove herself and takes the initiative of building her own global mailing list from email addresses she collected from the sales team, extracted from lists of conference attendees stored on the team’s SharePoint site, and so on. Chances are not all of those people gave your company consent to receive marketing email, and nobody recorded any other lawful basis for contacting them. Suddenly you are out of compliance with the GDPR for direct marketing without consent. Or let’s say one of your top salespeople takes her laptop home to get some work done in the evening and forgets it on the train. The laptop contains information about customers and prospects, including personal information and notes. If the disk is not encrypted, this is not only a reportable breach of those individuals’ personal data but could also be a goldmine for the competition.
Culture of Compliance
One of the trickiest aspects of compliance is the unpredictable human factor. People make mistakes; sometimes because they are careless, sometimes because they are acting maliciously and sometimes because they simply don’t realize what they are doing is wrong. So what can you do to mitigate the risk to your organization?
Establishing a culture of compliance in an organization is critical to ensuring all of the process and technology work you put in to ensure compliance does not go to waste. A true culture of compliance is an integral part of an organization’s ethics and is not simply a box that needs to be ticked confirming employees have completed an annual online compliance course. Instead, compliance needs to be embedded into everyday activities.
Most people want to do the right thing. Compliance expectations should be clearly communicated and reinforced and employees should be incentivized to behave accordingly. A culture of compliance sets the foundation and expectations for individual behavior across an organization – and it should start at the top. If a company’s leaders are not taking compliance seriously, how can you expect the rest of the employee population to do so?
Back to the story of the filing cabinets in Australia. If that happened to a company holding data on people in the EU, the mistake could cost up to €20 million or four percent of annual global turnover, whichever is higher, in fines under the GDPR. People will make mistakes, but you can limit the frequency and severity of those mistakes by instilling a culture of compliance where employees understand and embrace compliance as standard operating procedure, including always making sure filing cabinets are empty before selling them off.
Kim Lessley is director of Solution Management for Cloud Security at SAP SuccessFactors.